Authentication Methods for VPNs

Nov 16, 2015 | Authentication, Biometrics, CHAP, Cyberattack, Hacking, Kerberos, Pen Testing, RADIUS, VPN

Some of the largest data breaches of the last two years, including those affecting Target, Home Depot and the U.S. Postal Service, have been the result of hackers gaining access through Virtual Private Networks (VPNs).

Between vendors, contractors, employees working remotely, and workers taking advantage of Bring Your Own Device policies, the average company has a multitude of users and devices accessing VPNs. This makes them a prime target for data thieves and a major vulnerability for your organization.

For most firms, allowing access with just a user name and password is no longer an adequate method of authenticating users, since that information can be easily obtained and used by hackers. Over the years, more robust authentication methods have emerged, including:

Two-Factor Authentication.
This method provides an extra layer of security while still allowing for convenient access by authorized users. The most common form of two-factor authentication is having a user receive a text message (SMS) on their phone with a code number. This code is automatically sent to the user after he or she inputs their standard user name and password. The Payment Card Industry Data Security Standard (PCI DSS) requires two-factor authentication for remote access to a network by employees, administrators, and third parties.

Risk-based authentication (RBA).
This method applies varying levels of authentication based on the risk of a system being compromised. The greater the risk to a system, the higher the level of authentication required. For example, people who attempt to access bank accounts from another country may be asked additional security questions to authenticate their identity. Additional authentication protocols may also be applied based on a user’s IP address or because of a lack of antivirus software.

Challenge Handshake Authentication Protocol (CHAP).
CHAP uses an MD5 hashing scheme to protect the authentication exchange. With CHAP, the actual password isn’t sent over the wire. Instead, it uses a challenge-response mechanism with one-way MD5 hashing: the server sends a challenge, and the client returns a hash computed over that challenge and the shared secret. CHAP protects against replay attacks through the use of an incrementally changing identifier and a variable challenge value. Microsoft has a proprietary version of CHAP called MS-CHAP.
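
The CHAP exchange described above, as an added example that is not from the original article: both sides of the handshake in Python, using the RFC 1994 response calculation MD5(identifier || secret || challenge). The `Authenticator` class, the peer name and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side (hypothetical class): issues challenges, checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret (constructed data)
        self.next_id = 0
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # incrementally changing identifier
        chal = os.urandom(16)                     # variable, unpredictable challenge
        self.pending[ident] = chal
        return ident, chal

    def verify(self, name, ident, response):
        chal = self.pending.pop(ident, None)      # each challenge is accepted once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    secret = b"constructed-shared-secret"
    server = Authenticator({"alice": secret})
    ident, chal = server.challenge()              # server -> client
    resp = chap_response(ident, secret, chal)     # client -> server (no password sent)
    results = {"valid": server.verify("alice", ident, resp)}
    # A captured response replayed against the same, already-used identifier:
    results["replay_same_id"] = server.verify("alice", ident, resp)
    # The same captured response replayed against a fresh challenge:
    ident2, _ = server.challenge()
    results["replay_new_challenge"] = server.verify("alice", ident2, resp)
    return results


if __name__ == "__main__":
    print(demo())
```

The authenticator has to hold the secret itself to recompute the hash, so the exchange is only as strong as that secret and the unpredictability of each challenge.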

Remote Authentication Dial-In User Service (RADIUS).
This method enables remote access servers to communicate with a central server to authenticate users. A central database stores user profiles that all remote servers can share. RADIUS allows a company to set up a policy that can be applied at a single administered network point.

Smart cards.
Smart cards are physical keys with chips that can store log-on information. Users insert smart cards into a reader attached to a network, then use a personal identification number (PIN) to gain access, much like how an ATM card works. Smart cards can be combined with an employee’s ID badge so that they can have a single card to access the building and network.

Kerberos.
Developed at Massachusetts Institute of Technology (MIT), this is a ticket-based authentication process that stores passwords on a centralized server and grants tickets for access. This is done through varying levels of encryption. Both the user and the server verify each other’s authorized identities, which can take place over an unsecured network. Once identified, communications between user and server can be encrypted to assure privacy and data integrity.

Biometrics.
One of the more robust methods of authentication, biometrics uses personal, physical attributes of the user, such as a fingerprint, retina scan or voice recognition.

You wouldn’t leave the door to your headquarters or, worse, your server room unlocked and accessible. It’s time to take the same approach to your virtual network and make it more difficult for unauthorized intruders to enter.