Tear Down This (Fire)wall!

My company sells software that allows users to log in to non-Windows computers by using their Windows (Active Directory) credentials. We enable users to have a single username and password that works across all Windows, UNIX, Linux and Mac OS X systems.

While there are several “vertical” markets in our space (retail, financial, government), one particularly interesting one is the educational market. Schools, universities in particular, frequently run many different operating systems and frequently need to provision (add) and deprovision (remove) user accounts as students enroll and graduate (or fail to graduate!).

Microsoft Active Directory performs authentication by using the Kerberos protocol. This security protocol was developed by MIT and features various clever cryptographic techniques that make it valuable for user authentication. For various reasons, however, Kerberos is used exclusively within corporate networks; it is not used to authenticate users on the public Internet. Users log in to their desktop or laptop computers and are authenticated by an Active Directory (AD) server within the corporate network. When users access resources within the corporate network, their AD credentials are re-used (what is termed single sign-on) and they are not prompted for any new credentials. When those users try to access resources (for example, secure web pages) on the public Internet, however, other security protocols are used (for example, basic authentication over SSL) and the users typically have to type in new credentials.

This concept of authentication inside and outside the firewall, I believe, may soon be a thing of the past and some educational customers demonstrate why.

Although many universities still employ a firewall-based architecture, others have resigned themselves to a porous network and treat all computers as, essentially, being on the public Internet. From the IP addressing perspective, their computers typically are within a protected network. Few large organizations have enough publicly assigned IPv4 address space to put all machines directly on the Internet; they use private networks, NAT (network address translation) and routers/firewalls to allow external access. From the practical perspective, however, some universities are assuming that their internal networks might be completely compromised.

Our product is of limited use to these schools. They still have private networks for things like accounting and student record keeping, but these private networks are further isolated from their general university-wide networks. They might be subnetworks within the general networks, or they may be completely disconnected from any network that their students can access. They might choose to use our product within those private subnetworks, but not to perform authentication throughout their general university-wide networks.

I think we will see similar moves in corporate networks. At some point, organizations will concede that it is impossible to protect their entire internal networks. Rather than putting up a wall around their entire organizations, some companies will choose to protect critical applications (payroll, human resources, etc.) but will assume that all users in their general corporate networks are potentially hostile. This will actually make it easier to implement wide area networks, as there won’t be much need for VPNs. A user in the corporate network will not be considered any more trustworthy than a user on the public Internet. Users in remote offices might as well come in directly through the public network instead of setting up a virtual private network. Either way, some more secure mechanism will have to be used when a user tries to access a protected resource.

I’m still not sure what this mechanism will be. It might be some type of identity federation (based on Active Directory or not), but I’m concerned about slow adoption rates and the complexity of setting up federation between organizations. Perhaps Network Access Control and/or two-factor authentication will play important roles, too.

One thing I am sure of is that, like funeral parlors and waste management, the security business will never go away.