
Secure Check Point Access:

Using SafeWord® for Check Point to
provide easy, cost-effective strong
authentication for remote users


Download the solutions brief - 406 KB, 7 pages

Table of Contents

Overview
About Check Point VPN products
The password risk
Do stronger password policies really help?
The answer is strong authentication
How SafeWord for Check Point provides strong authentication
What's different about SafeWord for Check Point?
Conclusion
For more information

Overview

SafeWord® for Check Point is an OPSEC-certified strong authentication system designed specifically for Check Point VPN environments, and designed specifically for Check Point administrators to manage. This paper discusses the risks of passwords, how SafeWord for Check Point protects against those risks, and the unique features and benefits of SafeWord for Check Point that make it easy and cost-effective for VPN administrators to manage.

About Check Point VPN products

Check Point remote access solutions enable teleworkers to securely connect to corporate resources. Check Point provides client options to meet the needs of any organization. Their products support a broad range of VPN clients, which means teleworkers and traveling employees can securely access corporate resources.

Check Point VPN products include VPN-1, virtual private network software (in several different varieties); Express, a suite of products for mobile connectivity; and Safe@ appliances, which combine products in an appliance form factor.

The password risk

VPNs, both IPSec and SSL-based, create a secure tunnel over the Internet. This secure tunnel protects against snooping, sniffing, and other "man-in-the-middle" attacks. However, most organizations still rely on simple usernames and passwords to access the entrances to these secure tunnels.

Passwords are a very weak way to guard the entrance to your trusted systems, applications, and networks. In a variety of security studies, many users choose passwords that are very easy to guess, attack, or break.

In one study, 12 percent of users had chosen extremely weak passwords -- the password was the word "password." (Gosh, how clever; it's like hiding in plain sight!)

Many users choose the "vanity passwords" of "stud" or "goddess" -- and many more choose other easily guessable vanity passwords like "cutiepie," "hunk," and similar words. This is an open door into networks for hackers.

A much larger percentage of people -- 35 percent or more, depending on the study -- choose passwords based on personal information that can be found in their work area. The name of a child or spouse, a favorite rock band, classical composer, vacation spot, or car model can often be found on an employee's desk or hanging on the wall of a cubicle or office. Additionally, personal information such as this can be easily gleaned by a smart attacker in a two-minute "friendly conversation" in the elevator.

Do stronger password policies really help?

Some security pundits recommend implementing the following policies to protect passwords against these attacks: mandating passwords of at least six characters; forcing users to change their passwords every 30 days; not allowing users to "replay" a previously used password; no dictionary, slang, or industry words; requiring at least one uppercase letter, one lowercase letter, one numeric, and one symbol; no birthdays or social security numbers; no proper names -- the list goes on and on. Some experts even recommend that users develop complex schemes, including learning a mnemonic alphabet or secret codes. This leads to passwords like G1w$#Ih5W.

There are two problems with implementing such password policies. The first is that the more of these password policies you implement, the harder it becomes for users to remember their passwords. Forgotten passwords are the number one type of help-desk call, and the average help-desk call costs $50-$150 in resources and lost productivity.

The second problem is that the organization's security risk can actually increase. Users in organizations with complex policies may spend their time trying to circumvent their company's password policies. The easiest way to circumvent a complex password policy is to simply write the password down and tape it underneath the keyboard or to the workstation's monitor.

Even stronger password policies cannot defend against the weakest link: the end user.

Of 150 office workers surveyed in 2002, the majority of them said they would give their password to a coworker or colleague, and two-thirds of them gave their network password to the survey taker! A British survey found that over 90% of people would reveal their network password for a free pen. (And that's a cheap ballpoint, not an expensive fountain pen.)

Organizations lose hundreds of millions of dollars every year because of password breaches. An identity theft ring was uncovered in early 2003 after a help-desk employee was found to be stealing credit companies' passwords. The victims numbered in the dozens, and lost more than $30 million combined. No password policy is strong enough to defend against this kind of attack.

Clearly, organizations with valuable information must choose something stronger than passwords to protect their resources.


The answer is strong authentication

Strong authentication refers to systems that require multiple factors for authentication and use advanced technology, such as secret keys and encryption, to verify a user's identity. The simplest example of strong authentication is your ATM card. This requires something you have (your card), and something you know (your PIN). Most people wouldn't want their bank to allow access to their checking account with just one factor. Yet many organizations allow entrance to their valuable Check Point resources (often much more valuable than a single personal checking account) with only one factor -- a weak password!

How SafeWord for Check Point provides strong authentication

SafeWord for Check Point delivers security through one-time passcode-generating hardware tokens, combined with a user's PIN.

Figure 1: SafeWord for Check Point hardware token

When a Check Point VPN user pushes the button on the SafeWord token, it immediately generates and displays a single-use passcode (via a unique secret key and an advanced encryption algorithm that is contained inside). The user enters the passcode, followed by the user's unique PIN, to gain access. The SafeWord server, with each user's token and PIN on file, can confirm the authenticity of each passcode presented by each user. After one use, the passcode is thrown away by the system. If someone attempts to re-use a passcode, access is denied by the authentication server.

Each Check Point VPN user must have the SafeWord token in their possession (much like the ATM card) and know the PIN. This is true two-factor authentication, and it eliminates the risks of stolen or compromised passwords.
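The passcode-plus-PIN exchange described above, modeled as an added Python example (this is not Secure Computing's code; the page does not give SafeWord's token algorithm, so a standard HMAC event-counter scheme, HOTP per RFC 4226, stands in for it, and the user name, key and PIN are constructed sample values):

```python
# Added teaching model of the passcode-plus-PIN flow, not Secure Computing's
# code: the page does not describe the SafeWord token algorithm, so a generic
# HMAC-SHA1 event-counter scheme (HOTP, RFC 4226) stands in for it.
import hashlib
import hmac
import struct

PASSCODE_DIGITS = 6
LOOKAHEAD = 5  # tolerate a few button presses that never reached the server


def passcode(secret: bytes, counter: int) -> str:
    """Derive a single-use passcode from the token's secret key and counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** PASSCODE_DIGITS:0{PASSCODE_DIGITS}d}"


class Token:
    """The hardware token: each button press advances the counter and shows a new passcode."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def press_button(self) -> str:
        code = passcode(self.secret, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Holds each user's token secret, PIN and the next counter value it will accept."""
    def __init__(self) -> None:
        self.users = {}

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        self.users[user] = {"secret": secret, "pin": pin, "next": 0}

    def verify(self, user: str, entry: str) -> bool:
        """entry is the passcode followed by the PIN, exactly as the user types it."""
        rec = self.users.get(user)
        if rec is None or len(entry) <= PASSCODE_DIGITS:
            return False
        code, pin = entry[:PASSCODE_DIGITS], entry[PASSCODE_DIGITS:]
        if not hmac.compare_digest(pin.encode(), rec["pin"].encode()):
            return False  # "something you know" is wrong
        for c in range(rec["next"], rec["next"] + LOOKAHEAD):
            if hmac.compare_digest(code.encode(), passcode(rec["secret"], c).encode()):
                rec["next"] = c + 1  # consumed: this and every earlier passcode is now dead
                return True
        return False  # stale, replayed or forged passcode
```

A replayed passcode fails because the server only searches forward from the last counter it accepted; a correct passcode with the wrong PIN fails without consuming the counter.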

What's different about SafeWord for Check Point?

As mentioned earlier, SafeWord for Check Point is OPSEC-certified, and designed to be easily and cost-effectively managed by Check Point administrators. The following are the main differences between traditional strong authentication systems and SafeWord for Check Point:

  1. Installation is lightning-fast. Competing solutions can take hours or days to install and configure properly. Often, systems engineers must be scheduled from the vendor to install the software correctly. Security policies must be mapped out. Ports must be opened, or closed, or both. But it's easy with SafeWord for Check Point: Pop in the CD. The wizard-driven installation leads you through the process in less than 10 minutes.

    Figure 2: Installing SafeWord for Check Point is quick and easy.

  2. No separate machine needed. Competing solutions require the software to be loaded on a separate server. A server with the minimum requirements costs about $3,800. But SafeWord for Check Point installs directly on either: 1) your Check Point User Management box, or 2) your Active Directory box. This can save thousands of dollars (and the hassle of a purchase requisition).

  3. Manage everything from your existing user management system. Other solutions use a proprietary user database which must be managed separately. SafeWord for Check Point plugs in to the user console you already use.

    Figure 3: The SafeWord plug-in to Check Point's User Management System.

    Choose from either the Check Point User Management system or the Microsoft Management Console in Active Directory. Plug-ins tie the SafeWord tokens directly to your users, so there's just one place to manage users and tokens. SafeWord for Check Point is also OPSEC-certified, so you can have confidence that everything will run smoothly.

  4. Deliver tokens to end users in a quarter of the time, with a quarter of the expense. With traditional token deployment, administrators must create user accounts, import user records, test tokens and assign them to each user, label and process each token for delivery, find each user, and deliver the correct token. This takes about 30 minutes per user, which can add up very quickly. But SafeWord for Check Point includes a user self-enrollment capability (offered in all Secure Computing SafeWord products). With user self-enrollment, administrators don't have to match each user to their correct token or assign tokens: users can enroll themselves. One-time setup takes an administrator about a half hour, and the per-user time drops from 30 minutes to less than 5. Even if you just have 25 users, you'll save over a day of work using SafeWord for Check Point's user self-enrollment.

    Figure 4: Users can enroll themselves with the SafeWord User Center.

  5. Never buy another replacement token. Some competing solutions require you to repurchase tokens every 2, 3, or 4 years -- their tokens are programmed to expire at the end of that time period. But with SafeWord for Check Point, simply return any nonfunctioning token to us and we'll replace it for free, no questions asked. Our tokens are not programmed to expire, and if one fails for any reason (you dropped it into a running garbage disposal, your dog chewed it up, you ran over it with a steamroller, or if it simply has a dead battery in 10 years), we'll replace it free of charge. All that's required is that your organization has a valid, up-to-date support contract with us.

  6. All of this at half the price. Competing solutions for 100 users list for $200 or more per user. SafeWord for Check Point is less than half the cost.

Conclusion

SafeWord for Check Point, with its fast installation and administrator-friendly features, is built for the Check Point administrator to quickly and easily implement, deploy, and maintain strong authentication. Add in the savings with user self-enrollment and lifetime free token replacement, and SafeWord for Check Point has a low total cost of ownership and a high value.

For more information

SafeWord for Check Point demonstration site
http://www.safewordforcheckpoint.com

SafeWord for Check Point product information
http://www.safewordforcheckpoint.com/product_info.html

SafeWord for Check Point product brief
http://www.safewordforcheckpoint.com/product_info/product_brief.html

Replication with SafeWord for Check Point
http://www.safewordforcheckpoint.com/product_info/app_note.html

SafeWord PremierAccess (for protecting Web, Citrix, dial-up, and other applications in addition to VPNs)
http://www.securecomputing.com/index.cfm?sKey=643


© 2003 Secure Computing Corporation. All Rights Reserved.  Contact Us: 800.379.4944 opt. 3 or 408.979.6572