FIPS PUB 191
considering connecting their LANs to outside networks, particularly the Internet, should examine
[BJUL93] before doing so.
If, after considering all authentication options, LAN policy
determines that password-only systems are acceptable, the proper management of password
creation, storage, expiration and destruction becomes all the more important. [FIPS 112] provides
guidance on password management. [NCSC85] provides additional guidance that may be
considered appropriate.
Because of the vulnerabilities that still exist with the use of password-only mechanisms, more
robust mechanisms can be used. [BNOV91] discusses advances that have been made in the areas
of token-based authentication and the use of biometrics.
A smartcard-based or token-based mechanism requires that a user be in possession of the token
and additionally may require the user to know a PIN or password. These devices then perform a
challenge/response authentication scheme using real-time parameters. Using real-time parameters
helps prevent an intruder from gaining unauthorized access through a login session playback.
These devices may also encrypt the authentication session, preventing the compromise of the
authentication information through monitoring and capturing.
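As an added example (not from FIPS 191), a minimal challenge/response exchange of the kind described above, in Python, showing why a server nonce plus a timestamp defeats login session playback; the shared secret, the fixed clock value and the 30-second window are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed values for this example: a shared secret provisioned into the
# user's token and held by the LAN authentication server (a real token keeps
# it in tamper-resistant hardware), and the time window a challenge is valid.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
RESPONSE_WINDOW = 30  # seconds

def token_response(secret: bytes, challenge: bytes, timestamp: int) -> str:
    """Token side: the response is an HMAC over the server's nonce and the
    token's current time, so it is only meaningful for this one login."""
    msg = challenge + timestamp.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class AuthServer:
    """Server side of the challenge/response exchange."""
    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock          # injectable for deterministic tests
        self.pending = {}           # challenge nonce -> time it was issued

    def issue_challenge(self) -> bytes:
        nonce = os.urandom(16)      # fresh, unpredictable per login attempt
        self.pending[nonce] = int(self.clock())
        return nonce

    def verify(self, challenge: bytes, timestamp: int, response: str) -> bool:
        issued = self.pending.pop(challenge, None)  # one-shot: consume nonce
        if issued is None:
            return False            # unknown or already-used challenge
        if abs(int(self.clock()) - timestamp) > RESPONSE_WINDOW:
            return False            # stale timestamp: outside the window
        expected = token_response(self.secret, challenge, timestamp)
        return hmac.compare_digest(expected, response)  # constant-time compare

def replay_demo(secret: bytes = TOKEN_SECRET):
    """One legitimate login, then two playbacks of the captured session.
    Returns (first_login_ok, replay_same_challenge_ok, replay_new_challenge_ok)."""
    server = AuthServer(secret, clock=lambda: 1_700_000_000)
    c1 = server.issue_challenge()
    r1 = token_response(secret, c1, 1_700_000_000)
    first = server.verify(c1, 1_700_000_000, r1)          # genuine user
    replay_same = server.verify(c1, 1_700_000_000, r1)    # nonce already consumed
    c2 = server.issue_challenge()
    replay_new = server.verify(c2, 1_700_000_000, r1)     # response bound to c1
    return first, replay_same, replay_new
```

The captured response is useless to an intruder both against the original challenge (consumed) and against any later one (the HMAC covers the nonce), which is the "realtime parameter" property the text relies on.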
Locking mechanisms for LAN devices, workstations, or PCs that require user authentication to
unlock can be useful to users who must leave their work areas frequently. These locks allow
users to remain logged into the LAN and leave their work areas (for an acceptable short period
of time) without exposing an entry point into the LAN.
Modems that provide users with LAN access may require additional protection. An intruder that
can access the modem may gain access by successfully guessing a user password. The
availability of modem use to legitimate users may also become an issue if an intruder is allowed
continual access to the modem.
Mechanisms that provide a user with his or her account usage information may alert the user that
the account was used in an abnormal manner (e.g. multiple login failures). These mechanisms
include notifications such as date, time, and location of last successful login, and number of
previous login failures. The type of security mechanisms that could be implemented to provide
the identification and authentication service are listed below.
Mechanisms
password based mechanism,
smartcards/smart tokens based mechanism,
biometrics based mechanism,
password generator,
password locking,
keyboard locking,
PC or workstation locking,