The latest additions to corporate secure-WAN toolkits are USB tokens that authenticate users and encrypt traffic, tightening security and making it simpler for users to connect than standard VPN technology does.
Two start-ups, KoolSpan and Sweet Spot, incorporate two-factor authentication via their tokens, increasing the security of user authentication as well as encrypting traffic. In KoolSpan's case, once a connection is made, the devices change their encryption keys for every packet sent, further boosting the secrecy of the data sent.
Alternatives would call for a VPN plus separate two-factor authentication such as RSA SecurID tokens.
KoolSpan's SecureEdge gear consists of keys, its name for the tokens, and locks, which are appliances located on corporate networks and protected from the Internet by firewalls. The keys and the locks have embedded smart cards that contribute to two-way, two-factor authentication; the devices authenticate to each other rather than just the remote device authenticating one-way to a central server.
Once authenticated to each other, the devices go through a process to connect the remote machine via a Layer 2 Ethernet bridge link. Traffic across this bridge is encrypted using 256-bit Advanced Encryption Standard (AES), and the encryption key is changed for every packet sent. AES traffic over a standard IPsec VPN uses the same encryption key for an entire session.
Packet-by-packet key changes ensure that even if traffic is intercepted and a key is somehow compromised - which would take powerful computing resources and time - the attacker would get only one packet's worth of data and then have to try to guess the key for the next packet by trying multiple possibilities, according to Nick Selby, enterprise security analyst for The 451 Group. "This is very strong encryption," he says.
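To make the per-packet keying argument concrete, here is an added illustration that is not KoolSpan's code and does not reflect how SecureEdge actually derives its keys: a hypothetical scheme derives an independent key for each packet from a shared master secret with HMAC-SHA256 as the PRF, so a recovered packet key unlocks exactly one packet, whereas a single session key (the IPsec model the article contrasts it with) unlocks the whole session. HMAC-SHA256 also stands in for AES-256 as the cipher because the Python standard library ships no AES.

```python
import hmac
import hashlib

# Constructed, hypothetical scheme for illustration only. Keys per packet come
# from HMAC(master, "pkt" || seq); knowing one such key reveals nothing about
# the others, which is the property the article attributes to per-packet keying.


def packet_key(master: bytes, seq: int) -> bytes:
    """Derive an independent 256-bit key for packet number `seq`."""
    return hmac.new(master, b"pkt" + seq.to_bytes(8, "big"), hashlib.sha256).digest()


def session_key(master: bytes) -> bytes:
    """One key for the whole session, as in the IPsec model the article describes."""
    return hmac.new(master, b"session", hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256, standing in for AES-256.
    blocks = [hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_packet(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns ciphertext || 32-byte tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt_packet(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def encrypt_stream(master: bytes, packets, per_packet_keys: bool):
    """Encrypt a packet sequence with a fresh key per packet or one session key."""
    return [encrypt_packet(packet_key(master, i) if per_packet_keys else session_key(master), p)
            for i, p in enumerate(packets)]


def exposure_from_leaked_key(leaked_key: bytes, blobs) -> int:
    """Count how many packets an attacker holding one recovered key can read."""
    return sum(decrypt_packet(leaked_key, b) is not None for b in blobs)
```

Run `exposure_from_leaked_key` over the same packets encrypted both ways to see the difference: one packet exposed under per-packet keying, every packet exposed under a single session key.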
Sandy Spring Bank of Olney, Md., purchased KoolSpan devices because they are simpler to use and more secure than the alternative it had used - a combination of an RSA smart card token and a Cisco VPN, says Curt Purdy, information security officer for the bank.
Unlike RSA tokens, the KoolSpan keys require no manual copying of passwords from the device to a computer screen. "There's no fumbling with a fob, looking at the code on it and typing it in and having it change halfway through," he says. "You just stick the USB key into the laptop and type in the password."
Plus RSA tokens require a separate server that demands administrative time for upgrades as well as resultant upgrades to the bank's RADIUS server, he says. KoolSpan's gear is self-contained, and he estimates it requires 2% of administrative time. And once connections are established, encryption is more secure, by virtue of the per-packet keying, he says.
The bank is rolling out keys to 300 employees for routine use and also as a precaution against emergencies that require employees to work from home, Purdy says. Sandy Spring is buying enough locks to create secure site-to-site Internet connections among 34 locations, letting it decommission its traditional frame relay WAN and save more than half its WAN costs, he says.