Secure Remote Access
Overview

Streamlined Secure Access to Privileged Information, Services, and Applications
Ensuring secure remote access to enterprise information is essential as companies continue to move their business processes online and extend the enterprise boundary beyond the corporate firewalls. Unfortunately, many organisations today still rely on static, reusable passwords, thereby exposing enterprise information to access by unauthorised users. The ActivIdentity Secure Remote Access Solution provides everything you need to identify users with certainty and confirm network privileges, enabling you to:

  • Increase productivity by allowing your remote employees to access information from anywhere, anytime
  • Save time and money by securely moving business processes to the web, eliminating time-consuming and costly manual intervention
  • Improve efficiency by allowing partners, customers, and suppliers to securely access the critical information that they need to do business
  • Increase security with WLAN protection by requiring two-factor authentication for remote access to critical corporate resources

AAA Services
ActivIdentity provides strong Authentication, Authorisation and Accounting services to secure:

  • Dial-up
    In many organisations dial-up access is still the norm for traveling employees because broadband connections are expensive and not yet ubiquitous. ActivIdentity provides a simple interface—fully integrated with Microsoft Dialer.

  • VPN
    VPN connections are quickly becoming the most popular form of remote access service for employees in the field or at home. ActivIdentity seamlessly integrates with CheckPoint and supports all market leading VPN vendors.

  • Web Access
    Many organisations are improving efficiencies by moving applications to the web. Online access to confidential information can securely be granted to employees, partners, customers and vendors. ActivIdentity provides strong, one-time password authentication for any web site running on IIS, SunOne, or Apache web servers or Microsoft Outlook Web Access.

  • Wireless LAN
    The fastest growing remote network access service is wireless LAN access based on the 802.11 standard. Because of the many documented deficiencies in 802.11-based security, ActivIdentity helps secure wireless LAN access by offering the integrated 802.1X authentication required by Wi-Fi Protected Access (WPA) and the upcoming 802.11i standard. It supports Microsoft and Cisco® clients.

  • Secure Virtual Desktop
    Take advantage of the growing server-based computing trend and secure login to Citrix® Metaframe (Independent Computing Architecture or NFuse) or Microsoft Terminal Services with two-factor authentication.

Secure Remote Access Business Challenges
Businesses have adopted many methods for providing network and web access to their employees, suppliers, and customers – dial up, VPN, and Web. At the same time they are investigating other access technologies like wireless LAN. With the plethora of remote access methods, it is increasingly difficult for IT managers to maintain their security and manage their user passwords while offering ease of access. ActivIdentity provides solutions to create a trusted online environment.

Creating a high level of trust hinges on authenticating identity with methods that go beyond static passwords. Reusable passwords are easily compromised and are the holes in the remote access fabric. Two-factor authentication is the accepted and proven approach to creating a secure digital corporate environment.

Further, the multiple systems and networks remote users have to traverse in order to access enterprise applications and services are onerous, pointing to the value of consolidating remote access identity credentials on one simple secure platform with delegated authentication and central administration.

That's why a Secure Remote Access solution is the crucial first step for companies that are serious about securing the foundation of their network and internet-based services and applications.

Features & Benefits
Secure Remote Access Key Features
The ActivIdentity Secure Remote Access Solution consists of three packages: Tokens, USB Keys, or Smart Cards, which can be deployed concurrently to match your company's specific requirements. All solutions are anchored with an ActivIdentity AAA Server that validates one-time passwords and a device that generates them. The more functional USB Key and Smart Card packages require ActivClient software on the client desktop to control communication with the card.
  • Tokens
    Tokens are a well established and simple to deploy solution for secure remote access since no client software is required. ActivIdentity AAA Server software and ActivIdentity software or hardware tokens are all you need for the most basic solution.
  • USB Keys
    USB Keys are a cost-effective way of getting the benefits of a multi-function smart card without the cost of purchasing and deploying smart card readers. ActivIdentity USB Key is actually a smart card in a USB key package. Simply plug it into your PC and you're ready to go. ActivPack AAA Server software, ActivClient software, and an ActivIdentity USB key are what it takes for this economical smart card solution.
  • Smart Cards
    Smart Cards can get you the most functionality for your investment. Do you already carry an employee ID card? Do you have a physical access badge? And maybe a remote access token? Combine all these pieces into a single smart card solution in the form of an Enterprise Access Card. An Enterprise Access Card solution requires ActivIdentity AAA Server Software, ActivClient software, your choice of serial, USB, or PCMCIA smart card reader, and an ActivIdentity Smart Card. Deploying this solution not only saves you money by consolidating your physical and logical security budget, it also allows you to secure the local and remote desktop. In addition, it prepares your company to take advantage of more sophisticated secure identity management solutions by upgrading to ActivIdentity’s Card Management System.

Secure Remote Access Benefits

Compelling ROI
For companies currently using two-factor authentication, the ActivIdentity Secure Remote Access Solution can be deployed without increasing your existing security budget. The result is a compelling total cost of ownership and return-on-investment advantage that is achieved by:

  • Lifetime replacement of tokens.
    ActivIdentity tokens do not expire and come with a lifetime replacement policy - avoiding the cost of replacing token hardware and extending the time between re-deployment of new tokens.
  • Eliminating dual administration.
    The ActivIdentity Secure Remote Access Solution leverages your existing corporate directory and does not require its own user database, saving time for a system administrator.
  • Substantially reducing help desk costs.
    Deploying an ActivIdentity smart card or USB key solution enables you to eliminate all re-synchronisation calls by deploying challenge/response and allowing the smart card to handle the complexity. In addition, you can reduce password re-set calls by securely storing static passwords on your smart card, so users only have to remember their self-managed PIN.
  • Consolidating credentials.
    ActivIdentity smart card solutions enable the secure storage and management of all your static passwords, one-time password (OTP) credentials as well as PKI private keys and associated certificates. The ActivIdentity device becomes what amounts to a key ring for all your corporate digital identity credentials - with the benefit of convenience for the user and cost-effective management consolidation for the organisation.

Familiar and Easy to Use
By consolidating multiple authentication credentials on a single smart card device, the ActivIdentity Secure Remote Access Solution enables a user experience that is as simple and familiar as using an ATM card. This ATM-like experience applies to VPN access as well. Users simply enter their PIN on their keyboard to access the credentials on their card. The ActivIdentity software then authenticates the user, configures the VPN session and makes a connection, all transparently to the user, saving time and reducing complexity.

Smooth Bridge and Migration
The ActivIdentity Secure Remote Access Solution allows you to migrate smoothly from legacy single factor token devices to more advanced smart card and PKI-based technologies without having to replace your existing infrastructure.

The PIN is one of the secret factors in two-factor authentication and needs to be protected. Unlike some competing products, the ActivIdentity solution never sends a user's PIN across the network. With ActivIdentity, the PIN only exists on the device and in the mind of the user.

Enhanced Security
WLAN attackers can access your network from the parking lot, making WLAN simply another form of remote access to the network. The ActivIdentity Secure Remote Access Solution has integrated 802.1X authentication required by the WiFi Alliance as well as the upcoming 802.11i standard.

For customers who want to guarantee personal control of their secret keys, the ActivIdentity Secure Remote Access Solution allows local initialisation of devices and PIN management by the user. When deploying smart card devices, all private keys are generated and stored on the smart card providing FIPS-140-2 level strong storage and protection from hackers.

In addition, the ActivIdentity solution does not require a separate user store. ActivIdentity integrates with your corporate directory. This prevents an increasingly common security risk that occurs when staff remove an employee from the corporate directory and mistakenly leave that employee's record open in a separate remote access database.

Easy Implementation and Administration
The ActivIdentity Secure Remote Access Solution is designed from the ground up to be standards-based and to work with your existing network infrastructure:

  • Management with your existing infrastructure.
    ActivIdentity AAA Server supports LDAP directories and SQL compatible databases. This enables users and their access rights to be managed centrally without the need to modify the existing corporate directory infrastructure. It natively supports both RADIUS and TACACS+ and does not require deployment of proprietary agents.

  • Centralised administration and distributed authentication.
    ActivIdentity AAA Server allows for central administration of users, roles, and policies while authentication occurs in the field, where you need it. The solution eliminates the need to deploy one-off, disparate authentication solutions for the various entry points into your network.

  • Deployability.
    The ActivIdentity client software, ActivClient, is fully MSI compatible, supports custom setups, blind installs, and works with all market leading software push technologies.


Secure Wireless LAN Authentication

The Wireless Enterprise
Wireless LANs provide exciting flexibility and productivity enhancements for enterprises, but to date they have not been widely deployed due to security concerns. The industry has now addressed these security concerns through interoperable standards-based solutions.

Unlike wired networks, where eavesdropping on network traffic is protected by the four walls of the building, WLAN data streams can be passively observed from the parking lot using ordinary WLAN cards without being detected, effectively allowing remote access to the network.

Unprotected internal WLANs serve as a soft underbelly, vulnerable to attacks despite the careful deployment of security solutions at the network perimeter. WLANs are simply another form of remote access to the network, and industry best practices require strong 2-factor authentication to protect against stealth remote intruders.

Security Problems and Solutions for Wireless LANs
Almost every potential security disaster begins with failures of authentication and authorisation. To protect an enterprise's valuable data, WLANs must control authentication and authorisation to the network.

The essence of an authentication system is discovering and confirming the identity of a person, an organisation, a device, or more generally, of any software process on the network.

Authentication provides a greater degree of assurance that users are who they say they are, but in itself it doesn't control access to network resources. Access control is the job of authorisation systems. Authorisation grants privileges to users, allowing them access to different systems and applications.

Since 1999 standards organisations have put a considerable amount of effort toward improving authentication for WLANs. One important development was the IEEE's approval of the 802.1X standard in June 2001. This standard extends authentication and authorisation systems that already exist within the enterprise to the WLAN. Wi-Fi Protected Access (WPA) is the Wi-Fi Alliance's response to the shortcomings of earlier encryption, integrity, and authentication mechanisms. WPA requires 802.1X authentication, and it is a subset of the forthcoming 802.11i wireless security standard.

Enterprises must depend on multiple standards-based security protocols to authenticate and authorise users and network elements. 802.1X, WEP, EAP, PEAP, LEAP, TLS, TTLS, VPNs, WPA, and other protocols protect the WLAN from different types of attacks.

Selecting a security solution should be based on the level of security a company needs and specific network configuration. Many corporate environments have diverse user populations that require a mix-and-match security solution to meet a wide range of requirements.

ActivCard offers enterprises searching for a security solution:

  • Support for a mix-and-match authentication infrastructure with centralised administration covering VPN, 802.1X, password, PKI, and one-time-passwords
  • A much lower TCO by integrating with existing directories and lifetime replacement of tokens
  • A migration path that supports all current and future authentication and digital identity needs

Secure VPN Authentication

Strong Authentication Beyond Tokens
Businesses continue to extend the reach of their enterprise network perimeters through the use of remote access VPNs which help streamline business operations, improve employee productivity, reduce the cost of networking administration, and eliminate the high cost of leased lines and modem banks. However, many VPNs are susceptible to intrusion, putting valuable or sensitive corporate resources in harm’s way. ActivIdentity Secure Remote VPN solutions provide strong authentication that dramatically decreases the chances that an attacker or untrusted user will be able to exploit a VPN gate, IPSEC or SSL, in your network perimeter.

Reusable Passwords: The Remote VPN Weak Link
Remote VPN accessibility is both a plus and a minus. While VPNs offer many productivity and cost advantages, to permit VPN traffic, organisations must open an access point through their firewall, thus creating potentially destructive weak points in the enterprise’s perimeter security. The problem is that most remote VPNs verify user identity with only a reusable static password, an approach that offers minimal security as passwords can be easily compromised.

Consequently, user identity is not positively authenticated before access is granted. The result is jeopardised privacy, leaving corporate information at risk of exposure, theft, and misuse. Strong user authentication—through one-time passwords or digital certificates—is the only proven method for making remote access VPN access secure.

ActivCard Secure Remote Access
With the Secure Remote Access solution from ActivIdentity, organisations are able to authenticate the identity of remote users with absolute confidence – positively verifying the identity of remote users coming through the corporate firewall.

ActivIdentity Secure Remote Access validates user identity prior to establishing a secure tunnel between the VPN gateway and VPN clients.

The ActivIdentity Secure Remote Access solution enables users to secure their remote access VPNs with strong, multi-factor authentication using:

  • ActivIdentity AAA Server combined with the ability to generate one-time passwords on smart cards, USB keys, hardware or software tokens.
  • PKI certificates which are generated and securely stored on a smart card or USB keys using all industry leading Certificate Server Solutions.

Strong Credentials: The Key to Enhanced VPN Security
Using one-time passwords or PKI certificates, ActivIdentity Secure Remote Access eliminates the weak link to secure VPN connections: reusable passwords. When users choose their own static passwords, VPN security is reduced to the weakest link, the static password. As a result, careless or uneducated users may divulge passwords or make choices that are easily hacked, borrowed, guessed or stolen, leading to system compromise.

One-time passwords—also known as dynamic passwords—are different for each user authentication event, making systems virtually immune to sniffing or replay attacks. ActivIdentity one-time passwords are generated using crypto techniques employing a combination of a clock, event counter, and secret key.

Digital certificates or PKI certificates are comprised of a public/private key pair that must be matched and validated to guarantee a valid authentication. Unlike static passwords, a user’s private key is not subject to compromise with a simple dictionary attack.

Multi-Factor Authentication: Positive Identification for Trusted VPN Connections
Multi-factor authentication requires the user to both possess a token or smart card that generates a strong credential and know the corresponding PIN. This two-factor approach provides trusted protection since attackers are unlikely to possess both factors.

With the ActivIdentity Secure Remote Access solution, user identities can be positively confirmed via the use of PIN-protected authentication devices that generate dynamic passwords, via synchronous or challenge/response authentication.

ActivIdentity Secure Remote Access also supports digital certificates from major certificate authorities such as VeriSign, Entrust, Microsoft, and Baltimore.

ActivIdentity offers the flexibility to meet the needs of diverse user populations by supporting a wide range of authentication device choices. These include hardware tokens, USB keys, software tokens, and smart cards. ActivIdentity multi-application smart cards offer a future proof solution for your enterprise. This allows you to deploy them today for your current needs, as well as easily leverage your existing applications to migrate to digital certificate-based applications in the future.

Lower Administrative Burden and Total Cost of Ownership
ActivIdentity Secure Remote Access improves the administrative efficiency and manageability of user groups and their respective profiles, access rights, devices, and credentials. ActivIdentity Secure Remote Access enables centralised administration of your security policy through LDAP group profiles. In addition, authentication, authorisation, and accounting (AAA) profiles are easily created to meet the unique needs of diverse user populations.

By integrating directly with your existing corporate directory, ActivIdentity Secure Remote Access eliminates costly dual user administration, thus lowering total cost of ownership. All user information is stored in any LDAP-compliant directory, leveraging the existing corporate data infrastructure. This saves administrators time and effort by avoiding the need to manage separate user data repositories and recreate thousands of duplicate entries across multiple remote access servers.

Associated Products
Single Sign On
ActivIdentity Single Sign-On delivers a secure, centralised methodology for managing login and passwords and protecting a company’s assets. Through automated password management and multi-factor authentication capabilities, Single Sign-On ensures that sensitive data is safeguarded from internal and external threats, an ideal answer to the new compliance regulations.
Enterprise Access Card
ActivIdentity Enterprise Access Card integrates with existing IT infrastructure to streamline the issuance and administration of trusted, multi-function digital ID cards. The solution dramatically enhances IT security by protecting digital credentials on smart cards. Combined with ActivIdentity’s ActivClient software, the solution includes secure email, secure remote access, digital signatures and secure web access.