Wednesday, 03 September 2008
For those who don't know, VPN stands for Virtual Private Network. The technology is used to provide remote users with a secure tunnel between wherever they are (in an internet cafe, for instance) and the company local area network (LAN), allowing them to access files and data stored on the network. This technology is a great enabler not just for mobile users who are on the road often, but also for those who would like to work from home, as VPN technology also enables teleworking.
But, as with LAN access, the biggest weakness can be the method used to authenticate users and allow them access to the VPN. Commonly this is done using a username/password combination, which is a method users are familiar with, but the problem with it is the strength of the password. How easy would it be for a malicious user (a hacker, maybe) to crack the password and gain access to the secured resources beyond? Many users choose passwords that are easy for them to remember; this is fine, but such passwords are normally easy to guess. This is why some networks implement strong password policies, forcing the user to include numbers, punctuation and/or capitalisation in the password, but this has the downside of making passwords harder to remember.
There is an alternative. Recently I came across a system whereby the user enters a different password every time. This is done by providing the user with a small gadget which produces a known sequence of numbers; the gadget is registered with some server software and linked to a user. The authentication system then communicates with this server software to authenticate the user's access to the VPN. So the user provides a username allocated to him/her as before, but for the password the user enters the number provided by the gadget; the system then checks that the number is the next in the expected sequence and, if it is, the user is granted access. It seems to me that this system makes it almost impossible for anyone unauthorised to gain access to the VPN.
This is a great idea, not just for securing a VPN but also for web sites where access to the site needs to be strictly controlled. I know of at least one bank that provides a similar system for access to its online banking, but it seems to me that it would be a good idea if this technology were adopted and used more widely. From an online banking point of view it would certainly make phishing attacks much harder to perpetrate.