We do! Nextel Communications marries remote user access with high-level data security.
In the greater Chicago market--encompassing the third largest metropolitan area in North America and serving Nextel subscribers in three states--that meant allowing our engineering and operations staff, field operations groups, and selected vendors and partners to dial in to our LAN and intranet. The goal? To obtain real-time information and troubleshoot equipment from remote locations quickly and easily, improving response time and productivity.
In early 1997, our network computing team began to search for the tools that would allow us to automate remote access while ensuring a high level of security. Since we needed to allow 24 x 7 access to the "nerve center" of our cellular operations in the Midwest, we knew we had to go beyond the existing conventional--but insecure--user ID/static password systems. In addition, we knew our vendors and partners would want the best combination of ease of use and airtight information security to protect their own systems.
Our team developed the key criteria for our secure remote access solution. New Logic, Inc., a Chicago-based systems integration and business technology consulting firm with expertise in data security, was also instrumental in pointing out different options. Beyond helping to determine the best security solutions for our needs, the company provided experienced systems integration and implementation services that got us up and running smoothly and in short order.
Nextel's combination of remote users in different locations and from different sources required:
* Centralized access control management with accounting and audit trail capabilities.
* Two-factor (or "strong") challenge/response authentication of users.
* Compatibility with the 3Com Total Control Network Access Server.
* Ease of administration.
With all these requirements in mind, our network computing team was equally concerned about sacrificing responsive customer service for security. The solution had to be convenient and easy to use so that both our local engineering and operations personnel and vendors/partners could troubleshoot problems quickly and efficiently. Lastly, the access control mechanism had to be capable of handling the continuing rapid growth of our company.
After researching the available options, we settled on an integrated authentication server, smart card, and authentication token solution from Vasco Data Security in Oakbrook Terrace, Ill. The first step was installing the Vasco Access Control Manager software, known as VACMan, on a standalone Windows NT server. This client/server software authenticates remote users and provides authorization and accounting of the resources they use and the time they spend on the system.
The configuration is simple. No matter how he or she dials in, a user's authentication request is routed to the authentication server, which supports both the RADIUS and TACACS remote access protocols. The software authenticates the user, sets authorization levels and any limiting parameters, and then grants or denies access. It also captures accounting information based on each user's activity, which a system manager can analyze later.
The authentication part of the security equation on the remote user end involved physical devices for two-factor authentication. That is, beyond a user ID and static password, the remote user would also have to possess a physical device to access the network. For our field engineers and engineering and operations staff, we settled on VACMan/CryptaPak smart cards for a number of reasons. Since all these users have their own laptops, we didn't require the mobility of a hard token. And beyond supporting X.509 digital certificates, the private/public key pair is generated on the card itself rather than on the PC, so the private key never resides on the laptop and a stolen laptop alone does not give an attacker the user's credential.
Ease of use was also a factor. By combining the smart card with a Smarty serial reader from Fischer International Systems Corp., Naples, Fla., Vasco Data Security helped us avoid a bulky serial smart card reader attachment that users would have to carry with them. The reader is the same form factor as a 3.5-inch PC disk, but with a slot and circuitry to support a smart card and to interface with the smart-card client software on the laptop. Users simply insert the smart card into the Smarty and then place the reader into their floppy drive on their laptops to begin the authentication session.
In addition, we found the VACMan/CryptaPak smart cards to be durable enough to be carried in a wallet without any harm, unlike some other authentication options we researched. We also liked the fact that the smart card solution required less interaction than a hard token. When you think about the safety of remote users who may be accessing their laptops in their cars, that's a significant feature.
Although most remote users accessing the Nextel network use smart cards, we use Vasco's Digipass authentication tokens for those select few users who don't always dial in to our network from the same computer. The Digipass generates one-time passwords and has digital signature capabilities, providing strong authentication while maintaining flexibility and ease of use.
For vendor access, we take a different approach, using a Digipass token that physically resides in our control room. Previously, vendors had direct dial-in through a modem connection for each piece of hardware. Now, vendors are required to call the control room to receive a login and password. After entering the login and password, they receive an authentication challenge from the VACMan server and read the challenge back to the control room.
The control room keys the challenge into the token residing there and gives the vendor the response to type in to authenticate the session, so the token itself, and the secret inside it, never leaves our premises. On the equipment side, we simply run a serial cable from each device to a terminal server, and a RADIUS parameter returned by the authentication server on a successful login drops the vendor directly into a telnet session on that terminal server serial port: a character-based console session rather than a protocol-based network connection. The result is the same ease of access, along with higher security and the freeing up of dedicated phone lines.
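The exchange described above, as an added example that is not part of the original article and not Vasco's VACMan or Digipass code: a small authentication server that runs the RADIUS-style flow (Access-Request, Access-Challenge, Access-Request carrying the token response, then Access-Accept or Access-Reject), keeps an accounting trail, enforces single-use and time-limited challenges, and lets an administrator revoke a user server-side without getting the token back. The token algorithm here (HMAC-SHA256 over the challenge, truncated to eight decimal digits so a person can read it over the phone) is an assumed generic construction, not the proprietary Digipass algorithm; the user directory, seeds, roles and the challenge lifetime are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory (assumed data): per-user token seed, enabled flag, role.
USERS = {
    "field_eng_01": {"seed": bytes.fromhex("00112233445566778899aabbccddeeff"),
                     "enabled": True, "role": "engineering"},
    "vendor_acme":  {"seed": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
                     "enabled": True, "role": "vendor"},
}

CHALLENGE_DIGITS = 8
CHALLENGE_TTL = 120.0   # seconds a challenge stays valid (assumed value)


class Token:
    """Stand-in for the hand-held token: turns a challenge into a response.
    HMAC-SHA256 truncated to decimal digits is an assumption, not Vasco's algorithm."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def respond(self, challenge: str) -> str:
        mac = hmac.new(self._seed, challenge.encode(), hashlib.sha256).digest()
        # Short decimal code: readable over the phone, as the control room relays it.
        return f"{int.from_bytes(mac[:4], 'big') % 10**CHALLENGE_DIGITS:0{CHALLENGE_DIGITS}d}"


class AuthServer:
    """Authentication, authorization and accounting for dial-in users."""

    def __init__(self, users, ttl=CHALLENGE_TTL):
        self.users = {u: dict(r) for u, r in users.items()}  # private copy; revocation stays server-side
        self.pending = {}      # user -> (challenge, issued_at); one outstanding challenge per user
        self.accounting = []   # audit trail: (timestamp, user, event)
        self.ttl = ttl

    def _log(self, now, user, event):
        self.accounting.append((now, user, event))

    def access_request(self, user, response=None, now=None):
        """First call (no response) returns ('Access-Challenge', challenge); second call
        with the token's response returns ('Access-Accept', role) or ('Access-Reject', None)."""
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if rec is None or not rec["enabled"]:
            self._log(now, user, "reject:unknown-or-disabled")
            return ("Access-Reject", None)
        if response is None:
            challenge = f"{secrets.randbelow(10**CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
            self.pending[user] = (challenge, now)
            self._log(now, user, "challenge")
            return ("Access-Challenge", challenge)
        pending = self.pending.pop(user, None)   # single use: a replayed response finds no challenge
        if pending is None:
            self._log(now, user, "reject:no-challenge")
            return ("Access-Reject", None)
        challenge, issued = pending
        if now - issued > self.ttl:
            self._log(now, user, "reject:expired")
            return ("Access-Reject", None)
        expected = Token(rec["seed"]).respond(challenge)
        if not hmac.compare_digest(expected, str(response)):
            self._log(now, user, "reject:bad-response")
            return ("Access-Reject", None)
        self._log(now, user, f"accept:{rec['role']}")
        return ("Access-Accept", rec["role"])

    def disable(self, user):
        """Revoke access on the server; the physical token does not have to come back."""
        self.users[user]["enabled"] = False


def vendor_session(server, user, control_room_token):
    """The vendor flow: the vendor logs in and reads the challenge to the control room,
    which keys it into the token there and reads back the response for the vendor to type."""
    state, challenge = server.access_request(user)
    if state != "Access-Challenge":
        return state, None
    response = control_room_token.respond(challenge)   # computed in the control room
    return server.access_request(user, response)       # vendor types the response


if __name__ == "__main__":
    srv = AuthServer(USERS)
    print(vendor_session(srv, "vendor_acme", Token(USERS["vendor_acme"]["seed"])))
    for entry in srv.accounting:
        print(entry)
```

Because the challenge is popped when it is consumed, a captured response cannot be replayed, and because the server holds its own copy of the user directory, disabling a user takes effect immediately regardless of where the token or card is.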
It has been a little over a year since the implementation of this secure remote access system, and the results have been excellent. Secure entry to our network by both Nextel field operations and vendors/partners has enabled us to move from a slow paper-based troubleshooting process to a speedy electronic remote access system. In most cases, this one change has reduced problem-to-resolution cycles from days to hours.
For example, Nextel has an electronic trouble-ticket system in a central database. Our field engineers can dial into this database and retrieve their customer trouble tickets, research them in the field, and instantly get the results back to the customer care system out in Denver for instant follow-up. Before they would have had to come into the office, print out their tickets, take them back out in the field, take notes, figure out what the problem was, write down the answers on paper, and come back and type it in. And typically, they could not re-create the problem in that timeframe.
Best of all, from a system administrator's point of view, the data security software works in the background and is unobtrusive on the Nextel network, controlling access, confirming authentication, and managing authorization levels with a minimum of maintenance. Thus far, most changes to the software have involved adding or deleting authorized remote users, which requires simple data entry. And if we need to remove or modify a user's access to the network, it's a simple process that takes just a minute, done entirely on the server; we don't even need the smart card or token back. In addition, the server offers remote administration capabilities that have made managing security even easier.
Akers is senior systems engineer at Nextel Communications, Atlanta, Ga.
Title Annotation: Company Operations
Author: Akers, Stephen J.
Date: Sep 1, 1998