Arcot for VPN Update Avoids Hardware Hassles

By Andrew Garcia  |  Posted 2001-06-25

Authentication is the weakest link in VPN security, forcing administrators to weigh the importance of cost, ease of deployment and strength of security.

Authentication is the weakest link in VPN security, forcing administrators to weigh the importance of cost, ease of deployment and strength of security. Public-key infrastructure provides a robust and scalable authentication option, but the security of the remote user's private key becomes paramount. Password protection for private keys, although inexpensive and easy to deploy, is also an easily corrupted security measure. Meanwhile, hardware such as tokens or smart cards is expensive and difficult to deploy.

Arcot Systems Inc. lets administrators wave goodbye to these problems with Arcot for VPN 1.2, an update of its authentication software that requires remote users to provide a PIN and a software container called the Arcot ID to authenticate their identity to a virtual private network and Arcot's RADIUS (Remote Authentication Dial-In User Service)-based server. With its low cost and minimal deployment overhead, Arcot for VPN is a sound investment for VPN deployments of any scope.

The Arcot ID is protected by a bait-and-switch technology called Cryptographic Camouflage—sort of a VPN honey pot, if you will. Cryptographic Camouflage protects the private key within the Arcot ID from offline brute-force or password list attacks by generating numerous false-positive PIN results. Whereas an attack against a password-protected system reveals one plausible result (the correct PIN), an attack on the Arcot container yields thousands of plausible PINs, enticing intruders to interactively log in with incorrect information, thus instigating a user lockout.
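To make the distinction concrete, the toy model below contrasts a conventional PIN-protected key container (ciphertext plus an integrity tag) with a camouflaged one (no local tag at all). This is an added illustration written for this page, not Arcot's code or a description of its file format: the 4-digit PIN space, the SHA-256 key derivation, the 32-byte random secret standing in for a private key, and the server's five-failure lockout policy are all constructed for the example.

```python
"""Toy model of a PIN-protected key container, with and without "camouflage"
against offline PIN guessing. Added illustration, not Arcot's implementation.
The PIN space, KDF, key format and lockout policy are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Optional

PIN_SPACE = [f"{i:04d}" for i in range(10000)]  # constructed: 4-digit PINs
LOCKOUT_THRESHOLD = 5                           # constructed server policy


def kdf(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte wrapping key from the PIN. A real container would use a
    deliberately slow KDF (PBKDF2, scrypt); plain SHA-256 keeps the toy fast."""
    return hashlib.sha256(salt + pin.encode()).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- conventional container: ciphertext plus integrity tag -----------------
def seal_conventional(private_key: bytes, pin: str) -> tuple:
    salt = secrets.token_bytes(16)
    k = kdf(pin, salt)
    ct = xor_bytes(private_key, k)
    tag = hmac.new(k, ct, hashlib.sha256).digest()[:8]
    return (salt, ct, tag)


def open_conventional(container: tuple, pin: str) -> Optional[bytes]:
    salt, ct, tag = container
    k = kdf(pin, salt)
    expect = hmac.new(k, ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expect, tag):
        return None  # the tag is an offline oracle: a wrong PIN is rejected locally
    return xor_bytes(ct, k)


# --- camouflaged container: nothing local distinguishes right from wrong ---
def seal_camouflaged(private_key: bytes, pin: str) -> tuple:
    salt = secrets.token_bytes(16)
    return (salt, xor_bytes(private_key, kdf(pin, salt)))


def open_camouflaged(container: tuple, pin: str) -> Optional[bytes]:
    salt, ct = container
    return xor_bytes(ct, kdf(pin, salt))  # every PIN yields a plausible 32-byte key


def offline_candidates(opener, container) -> int:
    """Count the PINs that survive a purely offline check over the whole PIN
    space: the shortlist a guesser has before ever contacting the server."""
    return sum(1 for pin in PIN_SPACE if opener(container, pin) is not None)


# --- server side: the only party that can judge a key, and it counts misses -
class AuthServer:
    def __init__(self, real_key: bytes):
        self._fingerprint = hashlib.sha256(real_key).digest()
        self.failures = 0
        self.locked = False

    def authenticate(self, presented_key: bytes) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(hashlib.sha256(presented_key).digest(), self._fingerprint)
        if not ok:
            self.failures += 1
            if self.failures >= LOCKOUT_THRESHOLD:
                self.locked = True
        return ok


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed stand-in for a private key
    pin = "4271"
    conv = seal_conventional(key, pin)
    camo = seal_camouflaged(key, pin)
    server = AuthServer(key)
    # With the camouflaged container, decoys can only be tested online; the
    # first few wrong guesses ("0000".."0004") already trip the lockout.
    for guess in PIN_SPACE[:LOCKOUT_THRESHOLD]:
        server.authenticate(open_camouflaged(camo, guess))
    return {
        "conventional_candidates": offline_candidates(open_conventional, conv),
        "camouflaged_candidates": offline_candidates(open_camouflaged, camo),
        "locked_after_online_guesses": server.locked,
        "legit_user_after_lock": server.authenticate(open_camouflaged(camo, pin)),
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the conventional container leaves exactly one surviving PIN after an offline sweep, while the camouflaged one leaves all 10,000, which is the property the article describes. The toy gets this for free because the wrapped secret is structureless random bytes; camouflaging a real RSA private key is harder, since the decoy keys must still be well-formed and the matching public key must not sit in the container where it would act as an oracle, and this example does not show that part.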

Arcot for VPN 1.2, which was released last month, works with four major VPN product lines, adding support for Cisco Systems Inc.'s VPN 3000 concentrators, Intel Corp.'s NetStructure gateways and Nortel Networks Corp.'s Contivity switches to the support it already has for Check Point Software Technologies Ltd.'s VPN-1 4.1. Although eWeek Labs believes that this is still a disappointingly small number of products, it covers a large segment of the market.

The price for Arcot's software depends on the number of licenses purchased. Licenses for 1,000 users cost about $15 per user. The server software component is included free with the client licenses. Round-the-clock support can be purchased for 15 percent of the licensing cost.

In tests, we integrated Arcot for VPN with Check Point's VPN-1 using Check Point's proprietary FWZ key management scheme, although Arcot recommends using Internet Key Exchange authentication. We installed Arcot for VPN on a server running Windows NT 4.0 inside an encrypted domain (Windows 2000 is not yet supported).

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK magazine and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
