Posted on September 13, 2010 by Website Administrator
Since the U.S. federal government issued Homeland Security Presidential Directive 12 (HSPD-12) in 2004, many CIOs and IT managers have faced a key question: how to authenticate both local and remote IT personnel when they access government servers and networks. HSPD-12 mandates a common, secure identity credential for federal employees and contractors, to be used for authenticated access to federal information systems and buildings. Smart cards were already in use in several industries worldwide, and the U.S. Department of Defense had been issuing its smart card-based Common Access Card (CAC) since before the directive. HSPD-12 led NIST to publish FIPS 201, which defines the Personal Identity Verification (PIV) card that all federal agencies must issue; the DoD's CAC now conforms to that standard.
Using a smart card to access a PC or server within arm's reach is easy. The challenge is supporting the directive in the data center, or in any environment where users must access many servers or PCs that sit in another room, on another floor or in another building. Connecting a smart card reader to every device and inserting the card each time access is needed is inefficient, and in many cases impossible: the servers are in rooms the user cannot enter, and they often carry different security classifications.
To meet this need, the industry's primary vendors have introduced several smart card-enabled KVM solutions. No two are exactly alike, so what should you look for? Choose a solution that not only fulfills the basic requirement of supporting smart card authentication to multiple servers from a single location, but also adjusts its own features to meet the stricter operating requirements of a smart card environment.
Here are some key factors to consider:
• Integration with the smart card reader should be plug and play. Smart card readers, their middleware and the authentication server that manages user credentials each follow industry specifications (such as the USB CCID device class for readers and PC/SC for the host middleware). The KVM's job is to extend card access to the user regardless of location, and it should do so without custom drivers or changes to the existing middleware. Implementation should be easy and straightforward.
• The solution must not store or cache smart card data. A KVM that caches any card data (including PINs and authentication responses that cross the reader channel) becomes a credential store, and therefore a target. The KVM should act only as a pass-through: it forwards data to a single server at a time, on request, and only from a card that is physically present in the reader. By implication, the following behavior should occur:
• Automatic log out: the card reader (and thus the KVM system) should cause the server to drop the authenticated session when the card is removed. Switching away from a server should be treated exactly like removing the card, so the previous server sees a card removal and locks or logs off according to its own policy. Because no card data is stored or cached, the user must re-authenticate each time they switch between servers, while the card can conveniently remain in the reader for the duration of the session.
• The solution should automatically enter "private mode." Most KVM platforms allow multiple users to access a particular server simultaneously. When a smart card is in use, the KVM should automatically enter "private mode," so that one user's card is presented to one server at a time and no other user can attach to the servers connected to the switch while that card session is active.
• The solution should adapt its core features so the card reader works smoothly. Some standard KVM features must be modified or disabled to avoid interfering with the card reader. For example, many KVM systems provide an auto-scan feature that cycles through channels automatically. With a card inserted, each scan step would look to the servers like a card removal followed by a new insertion, triggering lock and re-authentication on every hop, so the system should disable auto-scan whenever a smart card is in use.
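The automatic log out described above only works if the target server actually acts on the card removal that the KVM presents when the user switches away. On Windows targets that behavior is controlled by the "Interactive logon: Smart card removal behavior" security option, stored as the ScRemoveOption value under the Winlogon registry key, and on Windows Vista / Server 2008 and later it is enforced by the Smart Card Removal Policy service (SCPolicySvc). The following PowerShell is an added example, not part of the original article or of any vendor's product; it audits those two settings on a server and can set them to "lock workstation". It assumes an elevated prompt on a Windows Server target and that the setting is not overridden by Group Policy.

```powershell
# Added example (not from the original article). Audit, and optionally fix, the
# smart card removal behaviour on a Windows target so that a KVM "switch away",
# which the server sees as a card removal, actually locks the console session.
# Run from an elevated PowerShell prompt on the target server.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# ScRemoveOption is a REG_SZ holding a single digit with these documented meanings.
$meaning = @{
    '0' = 'No action (console stays logged on after card removal)'
    '1' = 'Lock workstation'
    '2' = 'Force logoff'
    '3' = 'Disconnect if a remote Terminal Services session'
}

function Get-SmartCardRemovalPolicy {
    $value = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    if ($null -eq $value) { $value = '0' }   # an absent value behaves as "no action"

    $service = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    $status  = 'Not installed'
    $startup = 'n/a'
    if ($service) {
        $status  = $service.Status
        # Start mode via WMI so this also works on older PowerShell versions.
        $startup = (Get-WmiObject -Class Win32_Service -Filter "Name='SCPolicySvc'").StartMode
    }

    [pscustomobject]@{
        ScRemoveOption = [string]$value
        Meaning        = $meaning[[string]$value]
        ServiceStatus  = $status
        ServiceStartup = $startup
    }
}

function Set-SmartCardRemovalPolicy {
    param([ValidateSet('0', '1', '2', '3')][string]$Option = '1')
    # Both the registry value and the enforcing service must be in place.
    Set-ItemProperty -Path $winlogon -Name ScRemoveOption -Value $Option -Type String
    Set-Service   -Name SCPolicySvc -StartupType Automatic
    Start-Service -Name SCPolicySvc
    Get-SmartCardRemovalPolicy
}

$current = Get-SmartCardRemovalPolicy
$current | Format-List
if ($current.ScRemoveOption -eq '0' -or $current.ServiceStatus -ne 'Running') {
    Write-Warning 'Card removal (and a KVM switch-away) will leave this console logged on.'
    # Uncomment to enforce "lock workstation" on this server:
    # Set-SmartCardRemovalPolicy -Option '1'
}
```

In a managed domain this option is normally delivered through Group Policy (Security Settings, Local Policies, Security Options, "Interactive logon: Smart card removal behavior"), and a policy refresh will overwrite a local registry edit, so fix it in the GPO rather than on each server. The end-to-end check on the KVM itself is simple: insert the card, log on to server A, switch to server B, then switch back; server A should be at the lock screen and require the card and PIN again.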
Implementing an efficient KVM system with smart card support should not compromise security in any way. The ideal solution passes the card straight through, so that each target server sees the card exactly as if the reader were connected to it directly.