Advanced Authentication

Transcription

1 Architecture Overview Authasas Advanced Authentication Strong Authenticating to Novell edirectory using Domain Services for Windows November, 2011 Authasas Advanced Authentication Asterweg 19D HL Amsterdam The Netherlands 2011 Authasas t: +31 (0) f: +31 (0)

2 Introduction Implementing strong authentication technologies has become an increasingly common requirement for organizations of all sizes. The dissatisfaction with passwords, based on usability issues, security issues, or both, has led to the adoption of many popular strong authentication methods, including smart card authentication, biometric authentication, contactless (physical access badge) authentication, and others. Authasas Advanced Authentication was designed to meet strong authentication project requirements leveraging multiple authentication methods and by supporting virtually all major hardware authentication devices. However, as Authasas Advanced Authentication is based on a Microsoft Active Directory environment, customers running edirectory were previously incompatible with the solution. Further, a significant portion of the Novell install base is migrating their Netware or Windows-based edirectory systems over to SUSE Linux OS and OES2 (Open Enterprise Server v2). This open platform provides security and performance enhancements, but limits the capabilities of AD-integrated authentication solutions...at least until now. Authasas recently introduced integration with Novell Domain Services for Windows (DSfW), leveraging the strength of strong, multi-factor authentication provided by Advanced Authentication, while utilizing edir on SUSE as the authoritative directory and data repository.

3 Solution Overview For the purpose of this document, the reader is assumed to possess a fundamental understanding of the Novell edirectory, DSfW, OES2, and SUSE software. This solution overview and architectural descriptions will focus on the implementation of strong authentication methods using Authasas Advanced Authentication in Novell edirectory and mixed environments. Novell OES2 and DSfW Novell Open Enterprise Server (OES) is the successor product to Novell, Inc. s NetWare operating system, based on SUSE Linux Enterprise Server (SLES). Originally released in March 2005, the current (2011) release is OES 2 SP3. Novell Open Enterprise Server (OES) is best thought of as a platform for delivery of shared network services (file, print, directory, clustering, backup, storage management, PKI, web applications, etc.) and common management tools. Domain Services for Windows streamlines user and group management and simplifies infrastructure complexity in mixed environments. This innovative technology allows Microsoft Windows users to access OES services using native Windows and Active Directory protocols. By allowing edirectory servers running on Open Enterprise Server to behave as if they were Active Directory servers, this technology enables companies with both directory services deployments to achieve better coexistence between the two platforms. Users can work in a pure Windows desktop environment and still take advantage of some Open Enterprise Server back-end services and technology, without the need for a Novell Client on the desktop.

4 Authasas Advanced Authentication Authasas Advanced Authentication Enterprise Edition is a multi-factor authentication solution for Microsoft networks. The authentication framework provides the secure matching of authenticators and the storage and retrieval of user credentials within Active Directory, AD Lightweight Directory Services, and edirectory. User credentials, or authenticators, may consist of one or more types such as biometric fingerprint, contactless smartcard, contact smartcard, USB Flash driver, or Security Questions (Q&A). Authenticators are more secure than passwords, because they do not complicate logon procedure, but remove the password burden on users and enhance secure access to their information. Authasas Advanced Authentication is comprised of a server component, a directory component and a client component. The Authenticore Server component serves as an authentication server and policy management server. Optionally, the Authenticore Server may also serve as a log server to centrally collect client and server event logs. The directory component serves as a repository for user credentials and policies. Supported directories include MS Active Directory, AD LDS, and Novell edirectory. The client component is the primary user interface for user authentication and consists of a GINA or Credential Provider depending on the operating system deployed to. This client component does not rely on NMAS or any other Novell client software. Authasas Advanced Authentication may be deployed to dedicated or existing hardware infrastructure. Authasas Advanced Authentication is simple to deploy and manage, and offers a low total cost of ownership, requiring less than one full time employee to administer.

5 Solution Architecture Authasas Advanced Authentication leverages a three-tier architecture composing of a client, a server, and a datastore. Client computers, including desktops, laptops, and virtual machines provide the platform where the Advanced Authentication Client and supported hardware, hardware device drivers, and device middeleware (when required) are deployed. As mentioned, there is no requirement for NMAS or other Novell client software, as Authasas provides the replacement GINA or Credential Provider to support the strong authentication methods deployed to each system. If the Novell GINA is required or desired for certain functionality (i.e. ZenWorks) then GINA chaining is fully supported on the client. The user interacts with the client to authenticate to their Windows using a card, fingerprint, or other method. Additional strong authentication integration is provided with Novell SecureLogin in environments where single sign-on is deployed. The Authenticore Server validates the users Authasas credentials and provides authentication to the DSfW domain. The Authenticore Servers deployed to Windows Server 2003 or 2008 are joined to the DSfW domain as member servers providing authentication, policy enforcement, and central logging of authentication and credential management events. The DSfW server supports the domain and directory requirements for the Authasas infrastructure by allowing computer policy enforcement via GPO, and providing a platform to support Active Directory emulation of edir user objects, and allowing for the use of Authasas administrative tools that are built on the Microsoft Management Console platform. The edirectory server remains the only LDAP repository required for user objects, and is further leveraged by Authasas as the primary repository for all strong authentication data (such as biometric templates, card identifiers, etc.) and user-based policies. The edirectory schema may be extended to support storage of this data within new attributes, or existing (unused) attributes may be leveraged without requiring extension of the edir schema.

6 Architecture Diagram

7 Case Study Overview Authasas Advanced Authentication has been successfully deployed in the Novell edirectory infrastructure described within this document as a part of a CJIS (Criminal Justice Information Services) compliance project within a US law enforcement agency. Law enforcement agencies pose unique IT requirements, as resources are divided between internal systems and external systems that must be secured at every endpoint. These endpoints are further distributed among mobile-based users in remote command centers, as well as in law enforcement vehicles. Authasas Advanced Authentication provides the endpoint security and fulfils the strong authentication requirements outlined by CJIS. CJIS compliance projects are increasing with a strong focus on multi-factor authentication to network resources within all US law enforcement agencies requiring access to FBI data resources. State and local government agencies, including law enforcement continue to represent a significant portion of the Novell install base; and with heterogeneous networks and federal mandates to secure those networks, Novell and Authasas have formed a strategic alliance to deliver a CJIS compliant authentication solution. Conclusions Authasas Advanced Authentication has delivered a strong authentication solution to heterogeneous Novell edirectory environments by leveraging Directory Services for Windows and OES2. Organizations are able to provide their users with simple, strong authentication methods that replace the standard Windows password. All user and credential data is maintained in Novell edirectory, without the need to migrate to Active Directory or other proprietary LDAP or database. Authasas Advanced Authentication provides a secure GINA or Credential Provider without the requirement for NMAS or Novell Client. This unique solution enables compliance with CJIS, HIPAA Hitech and other security initiatives while enhancing end user experience and eliminating the cost and inconvenience of managing passwords.

8 Trademarks Microsoft, Active Directory, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Authasas, Authasas Advanced Authentication are either registered trademarks or trademarks of Authasas in the United States, The Netherlands, and/or other countries. Novell, Novell Open Enterprise Server, NetWare, Domain Services for Windows, NMAS, and SUSE are registered trademarks or trademarks of Novell, Inc. in the United States and/or other countries Authasas. All rights Reserved