Authentication is the weakest link in VPN security, forcing administrators to weigh the importance of cost, ease of deployment and strength of security. Public-key infrastructure provides a robust and scalable authentication option, but the security of the remote user's private key becomes paramount. Password protection for private keys, although inexpensive and easy to deploy, is also an easily corrupted security measure. Meanwhile, hardware such as tokens or smart cards is expensive and difficult to deploy.
Arcot Systems Inc. lets administrators wave goodbye to these problems with Arcot for VPN 1.2, an update of its authentication software that requires remote users to provide a PIN and a software container called the Arcot ID to authenticate their identity to a virtual private network and Arcot's RADIUS (Remote Authentication Dial-In User Service)-based server. With its low cost and minimal deployment overhead, Arcot for VPN is a sound investment for VPN deployments of any scope.
The Arcot ID is protected by a bait-and-switch technology called Cryptographic Camouflage—sort of a VPN honey pot, if you will. Cryptographic Camouflage protects the private key within the Arcot ID from offline brute-force or password list attacks by generating numerous false-positive PIN results. Whereas an attack against a password-protected system reveals one plausible result (the correct PIN), an attack on the Arcot container yields thousands of plausible PINs, enticing intruders to interactively log in with incorrect information, thus instigating a user lockout.
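The following toy, added here to illustrate the principle described above and not Arcot's own code, contrasts a conventional PIN-protected container (ciphertext plus an integrity tag, so a wrong PIN is detectable offline) with a camouflaged container that carries no redundancy, so every PIN yields a plausible-looking secret and only the server can reject a guess. The 4-digit PIN space, the SHA-256 keystream and the sample secret are constructed for the demonstration.

```python
import hashlib
import hmac

SAMPLE_SECRET = bytes(range(32))   # constructed 32-byte "private key" (no internal structure)
PIN_SPACE = [f"{p:04d}" for p in range(10000)]  # constructed 4-digit PIN space
TAG_LEN = 8

def _keystream(pin: str, n: int) -> bytes:
    # Toy PIN-derived keystream (SHA-256 in counter mode); a real product uses a proper KDF.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{pin}:{i}".encode()).digest()
        i += 1
    return out[:n]

def _xor(data: bytes, pin: str) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(pin, len(data))))

def protect_conventional(secret: bytes, pin: str) -> bytes:
    # Conventional container: the integrity tag lets anyone holding the file verify a PIN guess offline.
    ct = _xor(secret, pin)
    tag = hmac.new(pin.encode(), ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag

def open_conventional(container: bytes, pin: str):
    ct, tag = container[:-TAG_LEN], container[-TAG_LEN:]
    expected = hmac.new(pin.encode(), ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None        # wrong PIN is detected locally, without contacting any server
    return _xor(ct, pin)

def protect_camouflaged(secret: bytes, pin: str) -> bytes:
    # Camouflaged container: no tag, no padding, no format marker. Every PIN "opens" it.
    # Note: the plaintext itself must also carry no checkable structure (for an RSA key this
    # means the matching public key cannot be freely available), or the camouflage is lost.
    return _xor(secret, pin)

def open_camouflaged(container: bytes, pin: str) -> bytes:
    # Always returns a candidate of the right length; right and wrong PINs are indistinguishable here.
    return _xor(container, pin)

def plausible_pin_count(opener, container: bytes) -> int:
    # Design metric for a container: how many PINs survive offline checking and must be
    # tried interactively, where the server's lockout policy applies.
    return sum(1 for pin in PIN_SPACE if opener(container, pin) is not None)

if __name__ == "__main__":
    conv = protect_conventional(SAMPLE_SECRET, "4321")
    camo = protect_camouflaged(SAMPLE_SECRET, "4321")
    print("conventional:", plausible_pin_count(open_conventional, conv))  # 1
    print("camouflaged: ", plausible_pin_count(open_camouflaged, camo))   # 10000
```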
Arcot for VPN 1.2, which was released last month, works with four major VPN product lines, adding support for Cisco Systems Inc.'s VPN 3000 concentrators, Intel Corp.'s NetStructure gateways and Nortel Networks Corp.'s Contivity switches to the support it already has for Check Point Software Technologies Ltd.'s VPN-1 4.1. Although eWeek Labs believes that this is still a disappointingly small number of products, it covers a large segment of the market.
The price for Arcot's software depends on the number of licenses purchased. Licenses for 1,000 users cost about $15 per user. The server software component is included free with the client licenses. Round-the-clock support can be purchased for 15 percent of the licensing cost.
In tests, we integrated Arcot for VPN with Check Point's VPN-1 using Check Point's proprietary FWZ key management scheme, although Arcot recommends using Internet Key Exchange authentication. We installed Arcot for VPN on a server running Windows NT 4.0 inside an encrypted domain (Windows 2000 is not yet supported).