PowerPoint presentation

SOFT-TRONIK, a.s.
There is no security without authentication …
Robin Bay
Security System Engineer
Robin.Bay@Soft-Tronik.cz
Identification and authentication
Identification: Who are you?
Authentication: Prove it!
“I am Robin Bay.”
Authentication - the cornerstone of security
(Diagram of the security stack, labels as shown on the slide: Audit; Signature/Encryption; Authorization; Authentication; Policies and Procedures)
Problems with static passwords
• Security
  – names, national ID numbers, ...
  – key loggers, HTTP, …
  – dictionary attacks
  – ...
• User convenience vs. policy
• Possibility of sharing vs. audit
• Administration costs
Authentication factors
• Something you know
  – password
  – PIN
  – mother's maiden name
  – “bflmpsvz”
• Something you have
  – physical key
  – magnetic card
  – chip card
• Something you are
  – fingerprint
  – iris
  – voice
Use at least two!!!
Two-factor authentication
RSA SecurID
A combination of something you know and something you have
(Diagram: PIN “abc123” + SecurID token)
User authentication
Login: bay
Passcode: 2468 234836
PASSCODE = PIN + TOKENCODE
Token: ultra-stable quartz clock; the token code changes every 60 seconds; unique seed
RSA SecurID
Authentication devices
• SID 700
• SID 800 - smart card + SecurID token
  – Windows password or certificate
  – works together with HDD encryption (e.g. CheckPoint FullDisk Encryption)
  – certificates for e-mail, signing, file encryption
• SID 520
• SID 200
• SID 900
• On-demand Authenticator
  – New in version 7.1
  – Better “attached to the user”; why this matters:
    • users do not forget to take it on vacation / business trips
    • chip cards - inactivity timer
    • tokens without a PIN pad - e.g. the password typed into the username field, keyloggers, etc.
  – Cost for occasional use
RSA SecurID
Authentication devices
• Desktop Software Token
  – the seed can be kept on a smart card
• Mobile Software Tokens
  – RIM Blackberry
  – Microsoft PocketPC
  – Palm OS
  – Java Phone
  – Windows Mobile
Security of the solution
• Each code can be used only once
• Time-limited validity
• Automatic countermeasures against attacks
  – next tokencode
  – disable
Automatic security mechanisms
• 3 x wrong passcode = next tokencode mode (configurable)
• 10 x wrong passcode = token disabled (configurable)
• 3 x wrong PIN + valid tokencode = token disabled
RSA SecurID
Architecture
(Diagram: RSA SecurID Token -> PIN + TOKEN -> RSA Authentication Agent -> RSA Authentication Manager)
RSA Authentication Agent
(Diagram, dated February 2002: RSA Authentication Agents for Web Access (web server), Remote Access (VPN or firewall), Network Access (remote access server, dial-up) and Microsoft, UNIX, Linux and other hosts; remote users connect over the Internet, local users from the intranet; every agent verifies the SecurID passcode against the RSA Authentication Manager running on Windows or UNIX)
RSA Authentication Agent
• Native agents - RSA (free of charge)
  – Microsoft IIS
  – Apache Web Servers
  – Sun ONE Web Server
  – MS Windows (local, RRAS, domain, EAP)
  – Unix - PAM
  – Novell
• Other cases
  – RADIUS
  – TACACS+
  – Java / C SDK
• Embedded agents (API)
  – CheckPoint FW-1/VPN-1
  – Sun Java Access Manager
  – Citrix WI
  – ...
• Third-party products
  – SAP
  – Lotus Notes
  – ...
http://www.rsasecured.com
RADIUS Protocol Service
• Handles all of the RADIUS protocol
• Embedded Juniper (formerly Funk SBR) RADIUS Server
• Integrated RADIUS administration
  – No separate installation or user interface
  – Integrated data creation and management (e.g., a RADIUS agent is also an AM agent)
• Backward-compatible RADIUS extensions
  – Profile provided by AM via the authentication protocol
  – RADIUS attribute support
RSA SecurID
Time-synchronous mechanism
(Diagram: the token and the RSA Authentication Manager run the same algorithm over the same seed and the same time; the resulting tokencode, 234836, is entered at the RSA Authentication Agent (RAS, VPN, web server, etc.), which passes it to the Authentication Manager for comparison)
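The time-synchronous mechanism above and the automatic mechanisms from the earlier slide (one-time use of each code, next-tokencode mode after 3 wrong passcodes, token disabled after 10, disabled after 3 wrong PINs with a valid tokencode), modelled together in Python as an added example that is not part of the presentation or of RSA's product. The HMAC-SHA256 tokencode is a constructed stand-in for the proprietary SecurID algorithm, and the seed, PIN, one-step drift window and thresholds are constructed values.

```python
import hashlib, hmac, struct
STEP = 60  # the tokencode changes every 60 seconds

def tokencode(seed: bytes, now: int) -> str:
    # Constructed stand-in (HMAC-SHA256 over the step counter): the real
    # SecurID algorithm is proprietary; only seed + synchronized clock is modelled.
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class TokenRecord:
    """Server-side state for one token, applying the slide's automatic rules."""
    def __init__(self, pin: str, seed: bytes, next_mode_after=3, disable_after=10,
                 pin_fail_limit=3):
        self.pin, self.seed = pin, seed
        self.limits = (next_mode_after, disable_after, pin_fail_limit)  # configurable
        self.bad_passcodes = self.bad_pins = 0           # consecutive failure counters
        # last_step: last accepted step (one-time use); pending_step: next-code prompt
        self.last_step, self.pending_step, self.disabled = -1, None, False

    def _match_step(self, code: str, now: int):   # matching step (+-1 step drift) or None
        return next((s for s in range(now // STEP - 1, now // STEP + 2)
                     if hmac.compare_digest(tokencode(self.seed, s * STEP), code)), None)
    def _bad_passcode(self) -> str:
        self.bad_passcodes += 1
        self.disabled = self.bad_passcodes >= self.limits[1]   # 10 x wrong: disable
        return "disabled" if self.disabled else "fail"

    def _accept(self, step: int) -> str:
        self.last_step, self.bad_passcodes, self.bad_pins = step, 0, 0
        return "ok"

    def verify(self, passcode: str, now: int) -> str:
        if self.disabled:
            return "disabled"
        if self.pending_step is not None:            # 2nd prompt of next-tokencode mode
            expected, self.pending_step = self.pending_step + 1, None
            step = self._match_step(passcode, now)
            return self._accept(step) if step == expected else self._bad_passcode()
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        step = self._match_step(code, now)
        if step is None or step <= self.last_step:   # wrong, expired or replayed code
            return self._bad_passcode()
        if not hmac.compare_digest(pin, self.pin):   # valid tokencode but wrong PIN
            self.bad_pins += 1
            self.disabled = self.bad_pins >= self.limits[2]   # 3 x: disable the token
            return "disabled" if self.disabled else "fail"
        if self.bad_passcodes >= self.limits[0]:     # 3 x wrong passcode just before
            self.pending_step = step                 # so demand the next tokencode too
            return "next_tokencode"
        return self._accept(step)
```

A real deployment keeps this state in the Authentication Manager database and replicates it, which is why the primary/replica model and the adjudicator discussed later matter for lockout counters.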
RSA Auth. Manager
Primary/Replica model
(Diagram: RSA Authentication Agents on RAS, VPN, web servers, etc. authenticate against the Primary or the Replica RSA Authentication Manager)
• Data is synchronized between the primary and the replica server
• The Advanced licence allows deployment of 15 replica servers
Strengths of one-time passwords
• strengths:
  – zero requirements on the client side
  – simple & fast implementation
  – broad support
  – low HW requirements
  – user comfort
Typical deployments
• typical deployments:
  – VPN (IPSec, SSL)
  – web applications
  – Citrix
• in-house deployments:
  – 802.1x
  – WiFi networks
  – Windows Domain
Evaluation criteria
• Total Cost of Ownership
  – Acquisition price
  – Deployment costs
  – Operating costs
• Strategic view - users
  – Convenience and simplicity
  – Mobility
  – Multi-purpose use
• Strategic view - systems
  – Level of security
  – Interoperability and integrability
  – Robustness and scalability
  – Flexibility towards future requirements
Comparison
Legend
Strategic rating: Excellent / Very good / Good / Acceptable / Low
TCO: Very high / High / Medium / Low / Very low
(Table: columns Traditional passwords, RSA SecurID hardware tokens, RSA SecurID software tokens, RSA Mobile (virtual tokens), Digital certificates, Chip cards + certificates, Biometrics; rows grouped as Strategic rating - enterprise systems (Security; Interoperability and integrability; Robustness and scalability; Flexibility), Strategic rating - users (Convenience and simplicity; Portability; Multi-purpose use) and Total Cost of Ownership (TCO) (Acquisition price; Deployment costs; Operating costs). The rating symbols in the cells did not survive extraction; the numerical form of the same comparison is on the next slide.)
Numerical expression
(weighted scores, higher is better; the weights sum to 100%)

Category          Criterion                            Weight   Trad.    HW       SW       Virtual  Digital  Chip cards   Bio-
                                                               passw.   tokens   tokens   tokens   certs    + certs      metrics
TCO               Acquisition costs                    10.0%    9        6        7        8        8        6            5
TCO               Deployment costs                     10.0%    8        7        6        8        8        6            5
TCO               Operating costs                      10.0%    3        8        7        7        7        6            6
Rating - users    Convenience and simplicity           20.0%    3        8        7        7        7        7            8
Rating - users    Portability                          10.0%    9        9        8        6        4        6            6
Rating - users    Multi-purpose use                     5.0%    2        3        4        4        6        8            5
Rating - system   Security                             20.0%    3        8        8        8        5        8            7
Rating - system   Interoperability and integrability    5.0%    6        7        6        5        5        5            2
Rating - system   Robustness and scalability            5.0%    4        7        7        7        8        8            3
Rating - system   Flexibility                           5.0%    2        5        5        5        8        8            3
Score                                                 100.0%    4.80     7.30     6.90     6.95     6.45     6.85         5.85
https://www.rsasecurity.com/products/authentication/whitepapers/ASC_WP_0403.pdf
RSA SecurID Appliance 130/250
Releases and Versions
• 7.1 is the shipping version for online software downloads
  – However, it is not available on all software platforms
• 6.1 will still be available for those platforms for which 7.1 is not available
• We will be announcing the EOL for 5.2 and 6.0 at the time of 7.1’s release
(Table: platform support for Authentication Manager 7.1, 7.0 and 6.1 on Windows Server, Red Hat Linux, Sun Solaris, AIX, SUSE, HP-UX, VMware and the SecurID Appliance; the check marks did not survive extraction, and one cell is marked “Limited Release”)
System Requirements - Windows
Operating System
• Microsoft Windows Server 2003 Enterprise R2 (32-bit)
• Microsoft Windows Server 2003 Enterprise SP2 (32-bit)
• Microsoft Windows Server 2003 Enterprise R2 (64-bit)
• Microsoft Windows Server 2003 Enterprise SP2 (64-bit)
• Note: RADIUS is not supported on 64-bit Windows and Linux systems.
Hardware
• Intel Xeon 2.8 GHz or equivalent (32-bit)
• Intel Xeon 2.8 GHz or equivalent (64-bit)
Disk Space
• RSA Authentication Manager:
  – 60 GB free space recommended
  – 20 GB free space minimum
  – Disk space usage depends on the scale of your deployment. With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.
• RSA RADIUS:
  – Approximately 125 MB of free space
Memory Requirements
• RSA Authentication Manager: 2 GB
• RSA RADIUS: 256 MB (512 MB for servers with more than 10,000 users)
Page File
• 2 GB
System Requirements - Linux
Operating System
• Red Hat Enterprise Linux 4.0-1 ES (32-bit)
• Red Hat Enterprise Linux 4.0-1 ES (64-bit)
• Red Hat Enterprise Linux 4.0-1 AS (32-bit)
• Red Hat Enterprise Linux 4.0-1 AS (64-bit)
• Note: RADIUS is not supported on 64-bit Windows and Linux systems.
Hardware
• Intel Xeon 2.8 GHz or equivalent (32-bit)
• Intel EM64T 2.8 GHz or AMD Opteron 1.8 GHz, or equivalent (64-bit)
Disk Space
• RSA Authentication Manager:
  – 60 GB free space recommended
  – 20 GB free space minimum
  – Disk space usage depends on the scale of your deployment. With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.
• RSA RADIUS:
  – Approximately 235-470 MB of free space
Memory Requirements
• RSA Authentication Manager: 2 GB
• RSA RADIUS: 256 MB (512 MB for servers with more than 10,000 users)
• Swap Space: 2 GB
• Kernel Version: 2.6.9-22.EL and later
• Kernel Parameters: maximum shared memory must be at least 256 MB
System Requirements - Solaris
Operating System
• Solaris 10 (64-bit)
Hardware
• UltraSPARC 1.5 GHz, or equivalent
Disk Space
• RSA Authentication Manager:
  – 60 GB free space recommended
  – 20 GB free space minimum
• RSA RADIUS:
  – Approximately 325-650 MB of free space
Memory Requirements
• RSA Authentication Manager: 4 GB
• RSA RADIUS: 256 MB (512 MB for servers with more than 10,000 users)
Swap Space
• 4 GB
Packages
• SUNWarc
• SUNWbtool
• SUNWhea
• SUNWlibm
• SUNWlibms
• SUNWsprot
• SUNWtoo
• SUNWi1of
• SUNWi1cs
• SUNWi15cs
• SUNWxwfnt
Edition Comparison
Base Edition
• 1 Primary, 1 Replica
• Only 1 Realm
• RSA Credential Manager Self Service included
Enterprise Edition
• 1 Primary, up to 15 Replicas
• Up to 6 cross realms
• Clustering
• High Availability support
• RSA Credential Manager Self Service and Workflow Provisioning included
Oracle Database Replacing Progress
• Authentication Manager 7.1 utilizes Oracle 10g for its data store
• Replaces the Progress Software database
• The goal was to move to a more industry-standard database that could handle the increased complexity of the solution
• Bottom line: like Progress, Oracle is invisible to the end-user customer
(Diagram: 6.1 - Progress; 7.1 - Oracle)
Server Instance Overview
• The Big Picture…
(Diagram of a single instance; component labels as shown: J2EE Application Server (Cluster); Web Server with Servlets/JSP; Administrative Interface; Administration User Interface; Self-Service User Interface (HTTP/HTTPS); Proxy; Authentication: Adjudicator, Broker, Agent Configuration, Protocol Server, Offline Auth, Agent Protocol Server; Authentication Agents over LEGACY UDP, CT-KIP (SSL), Offline DL (SSL), Auto Reg (SSL) and RADIUS; SMS On-Demand Provider Gateway (SMS-HTTP); Data Service; Data Access and Manipulation; Command Patterns; Data Abstraction Layer (Hibernate & IMS Core); JDBC to a local or remote Database; Replication to a Replica Instance; Identity Source (AD, Sun One) via LDAP v3 (SSL); Web Services; RMI (SSL); Instrumentation; Remote Trusted Deployment; Monitoring/System Control via JMX and SNMP (v2))
A Three Instance Deployment
(Diagram: a PRIMARY Instance and two Replica Instances, each with Server Nodes and a Database Server; Agents reach the instances through the Adjudication Protocol; the instances are linked by Replication and Failover)
A Two Trusted 7.1 Deployments
(Diagram: two trusted AM 7.1 deployments, each a Cluster of Servers with DS and Replay components, connected by the User Discovery and Remote Authentication Protocol)
A Cross-Realm with AM 6.1
(Diagram: an AM 6.1 Primary with AM 6.1 Replicas connected to an AM 7.1 Cluster through the User Discovery and Remote Authentication Protocol)
A Complete AM 7.1 Deployment
(Diagram: one PRIMARY and 15 Replica instances, each with its own DB and DS)
A Really Complete AM 7.1 Deployment
(Diagram: several trusted AM 7.1 deployments, each with a PRIMARY and Replicas with their DB and DS; caption “384 Servers ready to authenticate”)
Installation
AM 6.x versus AM 7.1
• Not present in AM 7.1:
– Directly enabled users. Access is always provided via
Groups.
– Ad-Hoc (SQL) Reports
• LDAP Synchronization Jobs are replaced with
Identity Sources
– Real-time LDAP verification
– LDAP Content Database Verification Process
• Cleans AM data if users are modified directly in the IS.
– AM 7.1 console can alter LDAP content if desired.
AM 6.x versus AM 7.1
(cont’)
• AM 7.1 supports multiple policies
  – No single “System Parameter”
  – New policies can be created and associated with users, tokens, and agents via Security Domains
• Authentication Lockout is handled by IMS and IMS policies at the user level
  – Support for configurable, temporary lockout
  – Authentication failures lock out the user, not just a specific token.
• PIN and Password Histories, Dictionaries, and Policies
  – Administrators will be able to eliminate the “1111” PIN!
Security Domain
• All RSA managed objects are “stored” in security domains.
• Security Domains are used in conjunction with roles to limit what is visible to an administrator and the operations they can perform on the visible objects.
• Security domains “own” all RSA managed objects that they contain:
  – In turn, all objects are owned by a Security Domain.
Security Domain
(cont’)
• Security Domains can provide very powerful (and potentially very confusing) partitioning of administrative data visibility.
  – For example, all agents could be created in one Security Domain, all tokens in another, and all users in a third Security Domain.
(Diagram: an Agent Domain containing Agents with an Agent Manager Role; a Token Domain containing Tokens with a Token Manager Role; a User Domain containing Users with a User Manager Role; an Assignment Coordinator role)
Administrative Role
• Administrative Roles define where and what an
administrator can manage in the Security Console.
• The where is defined by the role Security Domain and
Identity Source Scope
• The what is defined by the role Permissions
AM 7.1 Performance
• Runtime-critical data is replicated by a special, high-performance replication mechanism.
• The Adjudicator design eliminates Lock Manager performance issues.
• The system scales positively both when adding Nodes to an Instance and when adding Replica Instances (up to 15 instances).
• 1,300 authentications/second, almost 6x faster than AM 6.1
  – 5 Replicas (at 80% CPU) using low-end Dell 1950 servers
  – Primary and Primary standalone database (no load)
  – 10-minute test run, with a pre-run for adjudicator “homing”
  – 4000 concurrent virtual agents