WebFort cuts cost of security
Whether your agency operates a World Wide Web site, extranet or intranet, chances are you post, or want to post, potentially sensitive data.
Unfortunately, traditional methods of controlling access are no longer
sufficient. For example, user names and passwords (single-factor authentication)
are easily shared, cracked or stolen. Most two-factor authentication systems
reduce break-in risk by employing a hardware token (such as a smart card)
and something only the user should know (like a personal identification
number). But this approach is expensive — about $50 per user — and somewhat
inconvenient, since authorized people must carry and safeguard their cards.
Arcot Systems Inc.'s WebFort 2.0 software aims to deliver the security of a smart
card that stores a private key, without the per-user hardware cost or the burden of
carrying a physical token that other digital-certificate approaches impose. As a result,
WebFort reduces the cost and complexity of protecting sites exposed to a large number
of users while maintaining strong authentication.
WebFort, which employs public-key infrastructure (PKI), includes a
number of server components and a browser plug-in. The server software runs
on Microsoft Corp.'s Windows NT and Sun Microsystems Inc.'s Solaris, and
interfaces with both Netscape Communications Corp.'s and Microsoft's Web
servers. Supported clients include Windows 9x, Windows NT 4.0, Solaris,
Mac OS 8 and Linux. Little time and effort should be required to secure your
existing client/server and legacy applications.
In concept, WebFort generates a software token, the ArcotCard, which stores the
user's private key and an X.509 Version 3 digital certificate. The card is the
"something you have"; a personal identification number (PIN) chosen by the user is
the "something you know" that completes the two-factor scheme. Because the ArcotCard
is a file rather than a chip, it can be copied, so how its key is protected against
offline PIN guessing is the crux of the design.
WebFort can be integrated with certificate authority products such as
Microsoft's Certificate Server 1.x and VeriSign Inc.'s OnSite 4.0, as well
as any database that complies with the Open Database Connectivity (ODBC) standard.
Yet WebFort differs from a standard software key store by employing what the
company calls Cryptographic Camouflage. The idea is to remove every clue that would
let an attacker test PIN guesses offline: the ArcotCard holds the private key
encrypted under the PIN, with none of the checksums, padding or known plaintext that
normally betray a wrong decryption key. An attacker who copies the card and tries
every PIN therefore recovers a different but equally plausible private key for each
one, and has no way to tell which is real short of presenting it to the
authentication server. The server sees the failed attempts and suspends the account
after a small number of them, so the attacker would have to land on the right key
within those few tries. Note that this protection holds only as long as the matching
public key stays out of the attacker's hands: with it, every candidate could be
checked offline in an instant, so the certificate cannot simply sit in the clear
beside the camouflaged key.
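The following is an added example in Python, not Arcot's code or the reviewer's, that models the behaviour just described. The same private key is stored once in a naive container that carries a checksum and once camouflaged; an offline PIN search is run against both; and a toy authentication server with a three-strike lockout is the only place a camouflaged guess can be tested. The group (Z_p^* with the Mersenne prime p = 2^127 - 1 and g = 3), the masking construction, the 200-iteration KDF, the Schnorr-style proof, the user name, the PIN and the lockout threshold are all assumptions made for the demonstration, not WebFort's parameters.

```python
import hashlib
import secrets

# Constructed toy group: Z_p^* for the Mersenne prime p = 2^127 - 1 with g = 3,
# exponents reduced mod p - 1. An assumption for illustration, not a real parameter set.
P = (1 << 127) - 1
ORDER = P - 1
G = 3
KDF_ITERS = 200   # kept low so the offline-search demo runs in seconds; use far more in practice

def kdf(pin: str, salt: bytes) -> int:
    """Stretch the PIN into a masking value in [0, ORDER-2]."""
    raw = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERS, dklen=32)
    return int.from_bytes(raw, "big") % (ORDER - 1)

def camouflage(priv: int, pin: str, salt: bytes) -> int:
    """Mask the private exponent with the PIN. No checksum, padding or magic bytes:
    the stored value is just another number in the valid key range [1, ORDER-1]."""
    return (priv - 1 + kdf(pin, salt)) % (ORDER - 1) + 1

def uncamouflage(masked: int, pin: str, salt: bytes) -> int:
    """Every PIN yields *some* key in [1, ORDER-1]; only the right PIN yields the real one."""
    return (masked - 1 - kdf(pin, salt)) % (ORDER - 1) + 1

def naive_container(priv: int, pin: str, salt: bytes) -> tuple:
    """Same masking plus a 4-byte checksum of the key: the kind of integrity tag that
    hands an attacker holding the file an offline test for PIN guesses."""
    return camouflage(priv, pin, salt), hashlib.sha256(priv.to_bytes(16, "big")).digest()[:4]

def offline_attack(container, salt: bytes, pins) -> list:
    """Attacker with a stolen container but no public key: which PINs survive?"""
    masked, check = container if isinstance(container, tuple) else (container, None)
    survivors = []
    for pin in pins:
        cand = uncamouflage(masked, pin, salt)
        if check is not None and hashlib.sha256(cand.to_bytes(16, "big")).digest()[:4] != check:
            continue  # checksum mismatch: guess eliminated without touching the server
        survivors.append(pin)
    return survivors

def _hash_to_int(r: int, challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + challenge).digest(), "big")

def sign(priv: int, challenge: bytes) -> tuple:
    """Schnorr-style proof of possession of priv over a server-issued challenge."""
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(G, k, P)
    s = (k - priv * _hash_to_int(r, challenge)) % ORDER
    return r, s

def verify(pub: int, challenge: bytes, sig: tuple) -> bool:
    r, s = sig
    return pow(G, s, P) * pow(pub, _hash_to_int(r, challenge), P) % P == r

class AuthServer:
    """Keeps the public keys (they must stay here: with the public key an attacker could
    test camouflaged candidates offline) and locks an account after repeated failures."""
    MAX_FAILURES = 3  # assumed threshold; the article only says "multiple" failures

    def __init__(self):
        self.pubkeys, self.failures, self.locked, self.pending = {}, {}, set(), {}

    def enroll(self, user: str, pub: int) -> None:
        self.pubkeys[user] = pub

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)   # fresh, single-use nonce
        return self.pending[user]

    def authenticate(self, user: str, sig: tuple) -> str:
        if user in self.locked:
            return "locked"
        c = self.pending.pop(user, None)
        if c is not None and verify(self.pubkeys[user], c, sig):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
            return "locked"
        return "fail"

def login(server: AuthServer, user: str, card: int, salt: bytes, pin: str) -> str:
    """Client side: unmask the card with the PIN, sign the challenge, submit the proof."""
    return server.authenticate(user, sign(uncamouflage(card, pin, salt), server.challenge(user)))

if __name__ == "__main__":
    salt, pin = secrets.token_bytes(16), "4821"                 # constructed enrollment data
    priv = secrets.randbelow(ORDER - 1) + 1
    card = camouflage(priv, pin, salt)
    server = AuthServer()
    server.enroll("alice", pow(G, priv, P))
    pins = [f"{i:04d}" for i in range(10000)]
    print("naive container, PINs left after offline search:", offline_attack(naive_container(priv, pin, salt), salt, pins))
    print("camouflaged container, PINs left:", len(offline_attack(card, salt, pins)))
    print("legitimate login:", login(server, "alice", card, salt, pin))
    print("three wrong PINs online:", [login(server, "alice", card, salt, p) for p in ("0000", "1111", "2222")])
    print("right PIN after lockout:", login(server, "alice", card, salt, pin))
```

Run stand-alone, the naive container narrows the search to the one correct PIN, the camouflaged container leaves all 10,000 candidates standing, and the server answers the three online guesses with two failures and a lockout that the correct PIN can no longer undo. The public key lives only in AuthServer for the reason given in the text: handing it to the client would turn the camouflaged container back into a naive one.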
Experienced system administrators should have little trouble setting
up WebFort in less than a day. For smaller installations, the Authentication
Server application runs on your main server hardware and protects Web
content in two basic ways. First, it allows you to secure specific URLs
and directories through a simple graphical interface to the Web
server. Alternatively, you can replace the log-in page of a Web application with
a new page that interfaces with WebFort. The company says that this can
usually be accomplished in one or two days.
Other components include the WebFort Personalization Station, which
runs on any workstation and allows security administrators to create ArcotCards,
and the WebFort Card Server module, which permits users to register their
ArcotCards and lets mobile users retrieve their ArcotCards at different
locations.
The same concepts work for large-scale deployments by adding one additional
piece — the WebFort Proxy Server. It lets you distribute multiple authentication
and card servers at different points in your network for load balancing.
This is a fairly simple step because the extra servers don't have to be
configured with user names or credentials. What's more, this scenario helps
ensure around-the-clock operation; if you have a hardware problem with any
system running Authentication Server, WebFort automatically switches over
to an alternate server.
In practice, WebFort performed flawlessly. I used the Personalization
Station's browser interface to quickly issue, revoke and replace ArcotCards.
To access a protected site, users first download and install the browser
plug-in, which takes about one minute over a 56 kilobits/sec modem connection.
(The plug-in works on Windows, Macintosh, Linux and Solaris platforms.)
Next, the person picks up an electronic access card, using an identifier
created by the administrator, and selects a PIN. If someone wants to use
their card at a different PC, they can create four personal questions and
associated answers.
With the one-time card setup done, gaining access to a WebFort-protected
site is much like a typical user-name-and-password log-in on a PC, or like
using an automatic teller machine. In fact, WebFort's end-user interface
mimics inserting a card into an ATM, which then asks for a PIN.
When I wanted to access a site from a laptop that didn't have my ArcotCard,
the Card Server first challenged me with two of the four questions I'd created
earlier. After answering correctly, the system let me download my credentials
to the roaming system. However, I still needed my PIN to actually gain access
to the secure Web. As such, it should be very hard for someone to masquerade
as a legitimate user.
In short, WebFort provides a strong authentication solution to protect
Web content and applications that must be accessed by a large number of
users. The system does a fine job of balancing your security requirements
with user demands for simplicity.
—Heck (mike_heck@infoworld.com) is an Infoworld contributing editor and manager
of electronic promotions at Unisys Corp. in Blue Bell, Pa.