Vidder PrecisionAccess

Vidder PrecisionAccess Security Architecture
February 2016

910 E Hamilton Avenue, Suite 410, Campbell, CA 95008
P: 408.418.0440  F: 408.706.5590
www.vidder.com

Table of Contents
I. Overview
II. Components
   PrecisionAccess Client
   PrecisionAccess Gateway
   PrecisionAccess Controller
III. Protocol
   Device Authentication
   User Authentication
   Service Provisioning
   Architecture Diagram
IV. Conclusion

PRECISIONACCESS SECURITY ARCHITECTURE FEBRUARY 2016

I. Overview

Modern organizations are complex ecosystems that span multiple trust domains and security zones in order to support their supply chain, remote workers, and the general convenience of users. This kind of business enablement is good for productivity and continuity, but it also introduces many security challenges around remote access, cloud migration, and ecosystem collaboration. This paper describes Vidder's security architecture, based on the software-defined perimeter (SDP), which enables the business while raising the security posture of corporate applications.

Vidder PrecisionAccess

Vidder PrecisionAccess (PrecisionAccess) is Vidder's implementation of the software-defined perimeter. PrecisionAccess is designed to build trust before connectivity: it initiates a connection with a one-time-password-based device authentication, then authenticates the user, and only then provisions connections to the protected applications. This concept of a zero-trust, pre-authenticated network has been used by government agencies for many years, but it had never been implemented in a way that is consumable by the enterprise. Vidder has taken the concepts defined in the SDP standard and implemented them in a way that achieves the versatility, security, and agility required in modern enterprise networks.

II. Components

PrecisionAccess Client

The PrecisionAccess Client (Client) is a lightweight, cross-platform piece of software that lets the endpoint talk to the SDP. It intercepts application traffic and encapsulates it for transport into the SDP, and it can enumerate and enforce policies. On start-up the Client begins intercepting the specific applications that need to reach SDP-protected resources. This start-up process is transparent to the user and gives a seamless user experience.
PrecisionAccess Gateway

The PrecisionAccess Gateway (Gateway) is a lightweight daemon that runs on a virtual machine located near the protected application. The Gateway acts as a TCP gateway in front of the protected service, so clients never make a direct connection to the service itself. To protect the service, the Gateway firewall starts from a "deny any any" rule and drops every packet by default. Rules allowing authorized clients are created dynamically, per device, only after the user has been authenticated and authorized. An unauthorized user therefore cannot scan, connect to, or attack the protected service: the packets are dropped silently, so from the network the service is completely hidden.

After a user has authenticated to a Controller and connects to a Gateway, a mutual TLS tunnel is created dynamically. These TLS connections are negotiated with the cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: ephemeral ECDH key exchange gives forward secrecy, RSA certificates authenticate both ends, and AES-256-GCM is an authenticated-encryption mode, so the tunnel provides both confidentiality and integrity and is indistinguishable under chosen-plaintext and chosen-ciphertext attack.

PrecisionAccess Controller

The PrecisionAccess Controller (Controller) is the central component of the SDP architecture. It provides a secure place to manage, authenticate, authorize, resist denial of service, and automate the provisioning of secure connections. Like the Gateway, the Controller is hidden from normal network communication by means of single packet authorization (SPA). SPA, a form of port knocking, works by sending the Controller a single packet carrying cryptographic proof that the packet is legitimate; anything without valid proof is dropped. In PrecisionAccess the SPA token is carried inside the TLS ClientHello, embedded in the header. This lets the Controller validate the application that is opening the TLS connection before committing resources to the handshake, mitigating attacks against the SSL/TLS stack itself as well as denial of service. Only then is the mutual TLS connection established to continue the authentication process.

Once the secure connection to the Controller is established, the user is presented with a login page to enter their credentials. Typically this is a redirect to a SAML identity provider that integrates with the enterprise directory system.
The login can use one or several authentication mechanisms, including username and password, multi-factor authentication, geolocation, and device fingerprinting. After login, the Controller checks the user's authorization for each protected service based on the groups returned in the SAML assertion.

III. Protocol

Device Authentication

The first step is to authenticate the software and the device. This can take several forms depending on the level of trust the deployment requires, but it generally includes SPA, mutually authenticated TLS, device fingerprinting, and context-based device authorization policies.

First, the Client generates a one-time token and sends it embedded in a TLS ClientHello; this is the SPA step. The Client can then establish a secure connection to the Controller using mutually authenticated TLS. "Mutually" means that a valid client certificate is required, not just a server certificate. Once connected to the Controller, the Client sends the device's current fingerprint so the Controller can confirm that it matches the fingerprint recorded at on-boarding. Fingerprinting can be done either with a Trusted Platform Module (TPM) chip or by computing a signature over hardware identifiers together with randomized, hidden data stored on the system. The result is that the connection requires something you have, the device, as an authentication factor. This implementation is called Transparent Multi-Factor Authentication (tMFA) because it has no impact on the user experience.

An additional, optional step in device authentication is Context-based Authorization: a set of per-service policies configured in the Controller that impose further requirements for access. Common examples are managed versus unmanaged device, source IP address, and geolocation.

User Authentication

After the device and software have been proven trustworthy, the user is presented with a login page in the browser. If the customer has implemented single sign-on (SSO), the user is authenticated automatically. User authentication is verified against the enterprise directory system via SAML or a Directory Connector. After entering valid credentials, the user may be prompted for a multi-factor authentication token if the customer has enabled it. Note that this counts as a third factor, since tMFA already provides the second. Now that the user has proven their identity, the Controller checks which groups the user belongs to. These groups, taken from the customer's directory system, are mapped to services to determine the level of access.

Service Provisioning

The final step is connecting to the protected services by provisioning dynamic firewall rules and mutual TLS connections. The Controller tells the relevant Gateways to expect the user to connect, opening a pinhole in the firewall for the authenticated user's device. Once TCP port 443 is open for that device, the same device authentication process described above is repeated against the Gateway: SPA and another mutual TLS connection, which ultimately provides secure access to the protected service.
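The device-authentication exchange described above (a one-time SPA token, then the fingerprint comparison after mutual TLS), and the Controller's SPA handling from the Components section, as an added Python example. This is not Vidder's code. The token layout (16-byte device id, 8-byte timestamp, 16-byte nonce, HMAC-SHA256 tag), the 30-second freshness window, the per-device key and hidden secret installed at on-boarding, and the sample hardware identifiers are all assumptions made for illustration; the real product carries the token inside the TLS ClientHello and may take the fingerprint from a TPM, and neither TLS nor a TPM is simulated here.

```python
"""Device authentication walkthrough: SPA one-time token, then device fingerprint check.
Added example, not Vidder's code. Token layout, freshness window, keys and sample
hardware identifiers are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import struct
import time

DEVICE_ID_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
TOKEN_LEN = DEVICE_ID_LEN + 8 + NONCE_LEN + TAG_LEN   # 72 bytes
FRESHNESS_WINDOW = 30                                 # assumption: seconds a token stays valid


# ---- Client side ------------------------------------------------------------
def make_spa_token(device_id, device_key, now, nonce=None):
    """One-time SPA token: id || unix-time || nonce || HMAC-SHA256(key, id||time||nonce)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    body = device_id + struct.pack("!Q", int(now)) + nonce
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


def device_fingerprint(hardware_ids, hidden_secret):
    """Keyed hash over canonicalised hardware identifiers. The hidden secret is random
    data written to the device at on-boarding, so knowing the hardware IDs alone is
    not enough to reproduce the fingerprint."""
    canonical = "\n".join(f"{k}={hardware_ids[k]}" for k in sorted(hardware_ids))
    return hmac.new(hidden_secret, canonical.encode(), hashlib.sha256).hexdigest()


# ---- Controller side --------------------------------------------------------
class Controller:
    def __init__(self, device_keys, enrolled_fingerprints, clock=time.time):
        self._keys = device_keys                 # device_id -> per-device key from on-boarding
        self._enrolled = enrolled_fingerprints   # device_id -> fingerprint taken at on-boarding
        self._clock = clock
        self._seen = {}                          # (device_id, nonce) -> token time (replay cache)

    def verify_spa(self, token):
        """Return the device id for a valid, fresh, never-seen token; None means 'drop silently'."""
        if len(token) != TOKEN_LEN:
            return None
        device_id = token[:DEVICE_ID_LEN]
        body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        key = self._keys.get(device_id)
        if key is None:
            return None                                  # unknown device: no response at all
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None                                  # forged, or wrong key
        (ts,) = struct.unpack("!Q", body[DEVICE_ID_LEN:DEVICE_ID_LEN + 8])
        now = self._clock()
        if abs(now - ts) > FRESHNESS_WINDOW:
            return None                                  # stale (or far-future) token
        nonce = body[DEVICE_ID_LEN + 8:]
        # Entries older than the window can never validate again, so they can be dropped.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= FRESHNESS_WINDOW}
        if (device_id, nonce) in self._seen:
            return None                                  # replayed token
        self._seen[(device_id, nonce)] = ts
        return device_id

    def verify_fingerprint(self, device_id, presented):
        """Device check after mutual TLS: current fingerprint must equal the enrolled one."""
        enrolled = self._enrolled.get(device_id)
        return enrolled is not None and hmac.compare_digest(enrolled, presented)

    def authenticate_device(self, token, presented_fingerprint):
        """SPA first, then fingerprint; mutual TLS sits between the two and is not modelled."""
        device_id = self.verify_spa(token)
        return device_id is not None and self.verify_fingerprint(device_id, presented_fingerprint)


def walkthrough():
    """Constructed scenario: a legitimate device, a replay, a forged token, a stale token,
    and the same device after its disk (one fingerprinted identifier) was swapped."""
    device_id = b"laptop-0001-dev-"              # constructed 16-byte id
    device_key = bytes(range(32))                # constructed on-boarding key
    hidden_secret = b"R" * 32                    # constructed hidden random data
    hw = {"board_serial": "BRD-1234", "disk_serial": "WD-5678", "mac": "00:11:22:33:44:55"}
    now = 1_700_000_000
    ctrl = Controller({device_id: device_key},
                      {device_id: device_fingerprint(hw, hidden_secret)}, clock=lambda: now)
    good = make_spa_token(device_id, device_key, now, nonce=b"\x01" * NONCE_LEN)
    forged = make_spa_token(device_id, b"\x00" * 32, now, nonce=b"\x02" * NONCE_LEN)
    stale = make_spa_token(device_id, device_key, now - 3600, nonce=b"\x03" * NONCE_LEN)
    fresh = make_spa_token(device_id, device_key, now, nonce=b"\x04" * NONCE_LEN)
    swapped = device_fingerprint({**hw, "disk_serial": "ST-9999"}, hidden_secret)
    return {
        "valid_token": ctrl.verify_spa(good) == device_id,
        "replayed_token": ctrl.verify_spa(good) is None,
        "forged_token": ctrl.verify_spa(forged) is None,
        "stale_token": ctrl.verify_spa(stale) is None,
        "fingerprint_ok": ctrl.authenticate_device(fresh, device_fingerprint(hw, hidden_secret)),
        "disk_swapped": ctrl.verify_fingerprint(device_id, swapped),
    }


if __name__ == "__main__":
    print(walkthrough())
```

Every failure path returns None without sending anything, which is what keeps the Controller invisible to a scanner: an attacker without the per-device key cannot produce a token that gets past the HMAC check, and capturing a genuine token does not help because the nonce cache rejects replays within the freshness window and the timestamp check rejects anything older.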
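The Gateway's default-deny filter with per-device pinholes, as described under PrecisionAccess Gateway and in the Service Provisioning step above, modelled in Python as an added example (not Vidder's code). The Controller-to-Gateway "expect this device" call, the 30-second pinhole lifetime, the iptables rendering and the sample addresses are assumptions for illustration; the paper only states that the Gateway starts from "deny any any" and adds per-device allow rules after authorization.

```python
"""Gateway packet filter model: default deny, per-device pinholes opened by the Controller.
Added example, not Vidder's code. Pinhole lifetime, the Controller call and the
iptables rendering are assumptions for illustration.
"""
import time

PROTECTED_PORT = 443            # the paper: TCP 443 is opened for the authenticated device
DEFAULT_PINHOLE_TTL = 30.0      # assumption: seconds the device has to complete SPA + mTLS


class GatewayFirewall:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable clock so the walkthrough is deterministic
        self._pinholes = {}                 # (src_ip, dst_port) -> expiry timestamp

    def _purge(self):
        now = self._clock()
        self._pinholes = {k: exp for k, exp in self._pinholes.items() if exp > now}

    def open_pinhole(self, src_ip, dst_port=PROTECTED_PORT, ttl=DEFAULT_PINHOLE_TTL):
        """Called when the Controller tells the Gateway to expect an authorized device."""
        self._pinholes[(src_ip, dst_port)] = self._clock() + ttl

    def close_pinhole(self, src_ip, dst_port=PROTECTED_PORT):
        """Called on logout, policy change, or when the mTLS session is torn down."""
        self._pinholes.pop((src_ip, dst_port), None)

    def allows(self, src_ip, dst_port):
        """Filter decision for an inbound packet: True = accept, False = drop silently.
        Nothing is sent back for a dropped packet, so a scanner sees neither SYN/ACK
        nor RST and cannot tell that a service exists."""
        self._purge()
        return (src_ip, dst_port) in self._pinholes

    def render_iptables(self):
        """Render the current state as iptables commands (illustrative only; the paper
        does not say how Vidder enforces its rules)."""
        self._purge()
        rules = ["iptables -P INPUT DROP"]                   # the 'deny any any' baseline
        for src_ip, dst_port in sorted(self._pinholes):
            rules.append(f"iptables -A INPUT -p tcp -s {src_ip}/32 --dport {dst_port} -j ACCEPT")
        return rules


class FakeClock:
    """Deterministic clock for the walkthrough."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def walkthrough():
    """Constructed scenario: an authorized device, a scanner, and a pinhole that expires."""
    clock = FakeClock()
    fw = GatewayFirewall(clock)
    authorized, scanner = "203.0.113.7", "198.51.100.9"      # constructed addresses
    before = fw.allows(authorized, PROTECTED_PORT)            # nobody is allowed yet
    fw.open_pinhole(authorized)                               # Controller: "expect this device"
    during = fw.allows(authorized, PROTECTED_PORT)
    scan = fw.allows(scanner, PROTECTED_PORT)                 # everyone else is still dropped
    other_port = fw.allows(authorized, 22)                    # pinhole is per (device, port)
    clock.advance(DEFAULT_PINHOLE_TTL + 1)
    after = fw.allows(authorized, PROTECTED_PORT)             # expired without a connection
    return {"before": before, "during": during, "scan": scan,
            "other_port": other_port, "after": after}


if __name__ == "__main__":
    print(walkthrough())
    fw = GatewayFirewall()
    fw.open_pinhole("203.0.113.7")
    print("\n".join(fw.render_iptables()))
```

The expiry matters in practice: a pinhole that is opened for an authorized device but never consumed (the user closes the laptop, or the Client crashes before the mTLS handshake) should not stay open indefinitely, and the rule is keyed to the device's source address and the single port the Gateway listens on, so authorization to one service does not expose anything else on the host.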

Architecture Diagram (figure not reproduced)

IV. Conclusion

The concepts behind SDP have proven to be an effective architecture for the Department of Defense for many years. This solution provides a significantly stronger security posture for applications and communication paths by requiring strong multi-factor authentication before any connection can be established. PrecisionAccess has taken these concepts and built a technology that lets enterprises enable business, increase agility, and revolutionize their security architecture.

Contact Us
Email: PrecisionAccess@vidder.com
Phone: 408.418.0440
www.vidder.com