Sections , , and describe incidents on the Internet that have occurred
in part due to the weaknesses associated with traditional passwords.
For years, users have been advised to choose passwords that would be
difficult to guess and to not reveal their passwords.
However, even if users follow this advice (and many do not), the fact
that intruders can and do monitor the Internet for passwords that are
transmitted in the clear has rendered traditional passwords obsolete.
Advanced authentication measures such as smartcards, authentication tokens, biometrics, and software-based mechanisms are designed to counter the weaknesses of traditional passwords. While the authentication techniques vary, they are similar in that the passwords generated by advanced authentication devices cannot be reused by an attacker who has monitored a connection. Given the inherent problems with passwords on the Internet, an Internet-accessible firewall that does not use or does not contain the hooks to use advanced authentication makes little sense.
Some of the more popular advanced authentication devices in use today are called one-time password systems. A smartcard or authentication token, for example, generates a response that the host system can use in place of a traditional password. Because the token or card works in conjunction with software or hardware on the host, the generated response is unique for every login. The result is a one-time password that, if monitored, cannot be reused by an intruder to gain access to an account. [NIST94a] and [NIST91a] contain more detail on advanced authentication devices and measures.
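The following Python program is added here as an illustration and is not taken from [NIST94a], [NIST91a], or any particular token product. It models a challenge-response one-time password system of the kind described above: the host issues a fresh challenge for each login, the user's token answers it from a secret that never crosses the wire, and the host accepts a response only for the challenge currently outstanding. It then tries the replays an eavesdropper who captured the exchange would attempt. The names `Host`, `token_response`, `demo`, `SHARED_SECRET` and `STATIC_PASSWORD` are assumptions of this example, the secret and password values are constructed, and HMAC-SHA256 stands in for whatever proprietary algorithm a real card or token uses.

```python
import hashlib
import hmac
import secrets

# Constructed example secret, assumed to be shared between the user's token and
# the host's authentication server and never sent over the network.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Constructed static password, for contrast with the one-time scheme.
STATIC_PASSWORD = "hunter2"


def token_response(secret: bytes, challenge: bytes) -> str:
    """What the token computes when the user keys in the host's challenge.

    HMAC-SHA256 is a stand-in for the token's own algorithm; the 8 hex
    characters are what the user would type as the one-time password.
    """
    digest = hmac.new(secret, challenge, hashlib.sha256).digest()
    return digest[:4].hex()


class Host:
    """Authentication server: issues one challenge per login attempt and
    accepts a response only for the challenge currently outstanding."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        # Fresh random challenge; any earlier one for this user is superseded.
        c = secrets.token_bytes(8)
        self._outstanding[user] = c
        return c

    def verify(self, user: str, challenge: bytes, response: str) -> bool:
        # Consume the challenge before checking, so a wrong or replayed
        # response cannot be retried against the same challenge.
        issued = self._outstanding.pop(user, None)
        if issued is None or not hmac.compare_digest(issued, challenge):
            return False
        expected = token_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run a legitimate login, then the replays an eavesdropper would try."""
    host = Host(SHARED_SECRET)

    # 1. Legitimate login: host challenges, token answers, host accepts.
    c1 = host.challenge("alice")
    r1 = token_response(SHARED_SECRET, c1)
    legitimate = host.verify("alice", c1, r1)

    # An eavesdropper on the wire now knows c1 and r1, but not SHARED_SECRET.

    # 2. Replaying the captured response against a fresh challenge fails.
    c2 = host.challenge("alice")
    replay_new = host.verify("alice", c2, r1)

    # 3. Re-presenting the old challenge with its old response also fails:
    #    c1 was consumed in step 1 and is no longer outstanding.
    host.challenge("alice")
    replay_old = host.verify("alice", c1, r1)

    # 4. Contrast: a captured static password is accepted every time.
    captured = STATIC_PASSWORD
    static_replay = hmac.compare_digest(captured, STATIC_PASSWORD)

    return {
        "legitimate_login": legitimate,
        "replay_against_new_challenge": replay_new,
        "replay_of_old_challenge": replay_old,
        "static_password_replay": static_replay,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

A firewall that preauthenticates TELNET or FTP, as in the figure below, would run this exchange with the remote user before relaying the session inward. Two caveats apply to any such scheme: the one-time password protects only the login exchange, not the session that follows it, and the whole scheme rests on the secret held by the token and the server, so the server-side copy needs the same protection as any other password store.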
Figure: Use of Advanced Authentication on a Firewall to Preauthenticate TELNET, FTP Traffic.
Since firewalls can centralize and control site access, the
firewall is the logical place for the advanced authentication software
or hardware to be located.
Although advanced authentication measures could be used at each host,
it is more practical and manageable to centralize the measures at
the firewall.
Figure illustrates that a site without a firewall using
advanced authentication permits unauthenticated application traffic such
as TELNET or FTP directly to site systems.
If the hosts do not use advanced authentication, then intruders could
attempt to crack passwords or could monitor the network for login sessions
that would include the passwords.
Figure also shows a site with a firewall using advanced
authentication, such that TELNET or FTP sessions originating from the Internet
to site systems must pass the advanced authentication before being permitted
to the site systems.
The site systems may still require static passwords before permitting access,
and those passwords may still be observed on the network; however, an intruder
who captures one cannot use it from the Internet, because any session to a
site system must first pass the firewall's advanced authentication. This holds
as long as the advanced authentication measures and other firewall components
prevent intruders from penetrating or bypassing the firewall.
Sections and
contain more information on
using advanced authentication measures with firewalls.
See [NIST94b] for more information on using advanced authentication
measures with hosts.