Cisco Identity Services Engine 1.3 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 6 of 27
Secure Authentication for Medical Devices
When deciding how to identify critical-care devices on the network, you must first determine their capabilities. For
example, does the device support 802.1X or another means like web portal or MAC authentication to identify itself
to the network?
802.1X Authentication
In general, 802.1X is the preferred means of providing secure authentication to the network. If the device is 802.1X
capable, the supported methods and protocols need to be determined. The key questions to be addressed include:
● Does the device support machine authentication, user authentication, or both?
● Which Extensible Authentication Protocol (EAP) types are supported? Common protocols include EAP-TLS, EAP-TTLS, EAP-FAST, and PEAP, using the inner method EAP-MSCHAPv2, EAP-TLS, or EAP-GTC. (These refer to, respectively, EAP Transport Layer Security, EAP-Tunneled TLS, EAP-Flexible Authentication via Secure Tunneling, Protected EAP, EAP-Microsoft Challenge Handshake Authentication Protocol, EAP-TLS, and EAP-Generic Token Card.)
● What is the identity store (or certificate authority in the case of certificate-based identity) used for authentication and authorization?
● If multiple methods and protocols are supported…
  ◦ Which options will best serve your organization’s security requirements?
  ◦ Which options will best serve your organization’s operational model for deployment and maintenance?
Relatively few clinical devices support 802.1X for wired LAN connections. As more clinical devices take advantage
of the mobility afforded by wireless LANs, it is expected that these devices will offer embedded EAP support.
However, legacy systems often use less secure protocols like preshared key (PSK). While PSK is simple to
configure, it is extremely vulnerable to password dictionary attacks. Furthermore, when a key has been
compromised (through, for example, employee termination, accidental disclosure, or brute force attack), all devices
that share that key are vulnerable and will need to be manually “rekeyed.” We recommend that mobile medical
devices still using PSK be updated to use more secure EAP methods if available.
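As an added illustration that is not part of the Cisco white paper, the following wpa_supplicant network profiles for a wireless clinical device show the shared-PSK configuration the text warns about next to the EAP-TLS and PEAP profiles it recommends moving to; the SSID, identities, and file paths are placeholders.

```conf
# Added example, not from the Cisco white paper. SSID, identities and
# paths are placeholders; adapt them to the local CA and ISE deployment.

# --- Weak: WPA2-PSK. One passphrase is shared by every device on the
# SSID, so it is exposed to the dictionary attacks described above, and
# any single disclosure forces a manual rekey of the whole fleet.
network={
    ssid="CLINICAL-WLAN"
    proto=RSN
    pairwise=CCMP
    key_mgmt=WPA-PSK
    psk="shared-passphrase-for-all-devices"
}

# --- Preferred: WPA2-Enterprise with EAP-TLS. Each device authenticates
# with its own certificate, so revoking one certificate at the CA or in
# ISE affects only that device and no other device needs rekeying.
network={
    ssid="CLINICAL-WLAN"
    proto=RSN
    pairwise=CCMP
    key_mgmt=WPA-EAP
    eap=TLS
    identity="infusion-pump-0042@hospital.example"
    ca_cert="/etc/ssl/certs/hospital-root-ca.pem"
    client_cert="/etc/ssl/device/pump-0042.crt"
    private_key="/etc/ssl/device/pump-0042.key"
    # Validate the ISE/RADIUS server certificate so the device refuses
    # to complete the handshake with an access point fronting a
    # different authentication server.
    domain_suffix_match="ise.hospital.example"
}

# --- Where the device only supports a password-based inner method
# (PEAP with EAP-MSCHAPv2, one of the inner methods listed above),
# use a per-device credential and still validate the server certificate.
network={
    ssid="CLINICAL-WLAN"
    proto=RSN
    pairwise=CCMP
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="pump-0042"
    password="device-specific-secret"
    ca_cert="/etc/ssl/certs/hospital-root-ca.pem"
    domain_suffix_match="ise.hospital.example"
}
```

The EAP profiles assume the device certificate (or per-device account) is enrolled in the identity store that ISE queries, which is the "identity store or certificate authority" question raised above.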
Web Portal Authentication
Less common for medical devices is the use of an interactive portal that allows a user to enter credentials on a
captive portal page. This method is less secure than 802.1X but more secure than simple MAC-based
authentication. One advantage of web authentication is that it can force an interactive identification process rather
than relying on a cached credential. However, this interactive requirement may be deemed a disadvantage as
automatic, hands-off connectivity is typically a requirement for most clinical devices. Again, this method is not
typically implemented for clinical or other healthcare devices, but is cited here for completeness on possible
methods.
Note: Physicians, nursing staff, and other clinicians must often input their user or group-specific credentials to
gain access to a terminal or medical application, but this is usually an application-based authentication, not a
network-based authentication. Terminals and workstations that require user authentication to access clinical and
patient care applications should also have a network-based authentication component, whether it is 802.1X, web,
or MAC based.