Secure Login Issues & Solutions




Steve Parkinson, Principal Engineer, Red Hat Certificate System

Agenda
- Login problems and corporate security
- Solutions
  - LDAP solutions with Red Hat Directory Server
  - PKI solutions with Red Hat Certificate System
  - Smartcard management innovations
- Demo: Red Hat Certificate System and Axalto Cyberflex egate Smart Card

How to tackle authentication
- What are you trying to get from your authentication mechanism?
  - high-assurance: tie a user with a browser to some real-world person
  - low-assurance: establish a base level of trust via user tracking
- What are you protecting?
  - the user's confidential data
  - your content
- Relationship to the user: customer, employee, contractor, partner, supplier
- What are the consequences if something goes wrong?
  - lose your job
  - stock price hit
  - go to jail

Authentication vs Authorization
- Authentication = who are you
- Authorization = which systems can you access

Regulatory issues
- Regulatory compliance: increasing complexity (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA)
- Accountability: need to reduce liability
  - Non-repudiation (employees can't deny actions after the fact)
  - Higher assurance for authentication and access
- Privacy: increasing need to restrict access to confidential information (e.g. VISA CISP)
  - Banking (GLB), patient records (HIPAA), personal data (California Financial Information Privacy Act)

Problem: Too many passwords
- Applications like to maintain their own user repository.
Solution: Consolidate the password database
- Choose applications which:
  - Use PAM (most preferred)
  - Support LDAP natively
  - Use XYZ->LDAP gateways
  - Synchronization tools (least preferred)
- Benefits:
  - Less maintenance overhead
  - Users less likely to write passwords down
- Caveat: Consolidation exposes you to a bigger risk

Problem: Dictionary attacks
- Weak passwords can be discovered
Solution:
- Don't allow weak passwords: use a password policy to enforce strong passwords
- Rate limiting (one-time-PIN token)
Caveats:
- Stronger passwords are more difficult to remember. The user is more likely to reuse them on other (external) systems.
- Rate limiting requires password checking to be coordinated among replicas.
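An added example (not code from the talk) of the two controls on this slide and of the replica caveat: a minimal password-policy check, and a consecutive-failed-bind counter that each directory replica keeps either locally or in a store shared by all replicas, with a simulation counting how many wrong guesses get evaluated before the lockout holds everywhere. The policy thresholds, blocklist, user name and passwords are assumed values.

```python
# Added example, not code from the talk: a password-policy check plus a
# per-account failed-bind counter, and a simulation showing that a lockout
# counted per replica admits more guesses than one counted in a shared store.
import re

# Policy thresholds and the blocklist are assumptions for the example.
def password_meets_policy(pw, min_len=12, blocklist=("password", "welcome1", "letmein")):
    """Reject short passwords, well-known words and single-class passwords."""
    if len(pw) < min_len or pw.lower() in blocklist:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 3

class Replica:
    """One directory replica. `store` maps user -> consecutive failed binds;
    pass each replica its own dict, or one dict shared by all of them."""
    def __init__(self, store, limit=5):
        self.store, self.limit = store, limit

    def bind(self, user, password, real_password):
        failures = self.store.get(user, 0)
        if failures >= self.limit:
            return "locked"          # refused without checking the password
        if password == real_password:
            self.store[user] = 0     # success resets the counter
            return "ok"
        self.store[user] = failures + 1
        return "bad"

    def is_locked(self, user):
        return self.store.get(user, 0) >= self.limit

def guesses_evaluated_before_lockout(replicas, user="alice", real="correct horse!7"):
    """Send wrong guesses round-robin to the replicas and count how many are
    actually checked before every replica reports the account locked."""
    evaluated = attempt = 0
    while not all(r.is_locked(user) for r in replicas):
        attempt += 1
        if replicas[attempt % len(replicas)].bind(user, f"wrong{attempt}", real) == "bad":
            evaluated += 1
    return evaluated
```

With two replicas and a limit of 5, the shared store locks after 5 evaluated guesses while independent per-replica counters allow 10, which is the coordination problem the slide's caveat refers to.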

Problem: Forgotten passwords
- Need to maintain helpdesk, policy and process for resetting passwords
  - Significant cost
  - Avenue for social engineering attacks
Solution: ???

Problem: Password replay
- It is difficult for a user to figure out who to trust
  - 85% of San Franciscans would give up their password for a free cup of coffee
    http://www.redherring.com/article.aspx?a=12025&hed=your+password+for+a+latte%3f
- Once given out, the secret can be replayed to another system
Solution: Use a credential which is not susceptible to reuse
- One-time-password tokens
- Kerberos
- PKI
Caveat: OTP tokens are still vulnerable to man-in-the-middle attacks
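An added example (not code from the talk) of why a one-time password resists replay but not a man in the middle: a server-side verifier for a counter-based OTP, implemented here with the HOTP algorithm of RFC 4226 (the choice of algorithm, the look-ahead window, the user name and the seed are assumptions). A spent code is refused, but the verifier cannot tell whether a fresh code arrived from the user or from an intermediary forwarding it in real time.

```python
# Added example, not code from the talk: an RFC 4226 HOTP verifier that
# refuses a replayed code but necessarily accepts any fresh code, whoever
# forwards it. Seed is the RFC 4226 test-vector secret (constructed input).
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class OtpServer:
    """Keeps the last accepted counter per user and accepts a code only if it
    matches a counter beyond that, within a small look-ahead window."""
    def __init__(self, secrets, window=5):
        self.secrets, self.window = secrets, window
        self.last_counter = {user: -1 for user in secrets}

    def verify(self, user, code):
        start = self.last_counter[user] + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secrets[user], c), code):
                self.last_counter[user] = c   # this code is now spent
                return True
        return False

def demo():
    seed = b"12345678901234567890"           # constructed test seed
    server = OtpServer({"alice": seed})
    first = hotp(seed, 0)
    accepted = server.verify("alice", first)        # genuine login
    replayed = server.verify("alice", first)        # same code again: refused
    relayed = server.verify("alice", hotp(seed, 1)) # fresh code, any sender: accepted
    return accepted, replayed, relayed
```

The third result is the slide's caveat: the OTP proves possession of the token at that moment, not which channel the code travelled over, so binding the login to the server (Kerberos, PKI client authentication) is what closes the man-in-the-middle gap.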

Problems: Kerberos
- Extranet/internet deployments are difficult:
  - require legal cooperation between the parties
  - exposes one party to breaches in another
- Requires extra code:
  - Must implement crypto algorithms securely
  - Protocols must be adapted to support ticket passing
- Most cases still rely on passwords to get the initial ticket

Problems: PKI client-auth
- Educating the user is difficult
  - Which parts of the cert/key are private?
  - What on earth is going on?
  - How do I log in from another machine?
Solution:
- Improve the UI (e.g. the padlock)
- Remove references to 'certificate', 'key'
- Use a smartcard/ATM analogy

Problems: PKI application support
- All major webservers and browsers support SSL client-authentication
- IMAP, LDAP protocols support SSL client-authentication
- Other apps have poor support
Solution:
- Red Hat will provide PKI support in more applications as time goes by: Login, VPN, Browser
- Use PKInit to use PKI with Kerberos-enabled applications
- A simple library for using LDAP, Kerberos, or PKI authentication

Demo: Certificate System and Axalto Cyberflex egate Smart Cards
- Certificate System 7.1 running on RHEL 3
- Enterprise Security Client running on RHEL 4
  - ESC detects an uninitialized token and displays the custom enrollment UI from the back end
- Cert System back end
  - Updates applet
  - Triggers key generation on token
  - Constructs certificates, injects them into token
- Firefox browser: recognizes token insertion and removal for client authentication
- Thunderbird email client: recognizes token insertion and removal for decryption

Questions
- What kind of applications do you have authentication problems with?
- What kind of identity management solution would meet your needs?
- What are your most urgent security issues?
- ... [others]