SOFT-TRONIK, a.s.
There is no security without authentication …
Robin Bay, Security System Engineer, Robin.Bay@Soft-Tronik.cz

Identification and authentication
• Identification: Who are you? ("I am Robin Bay.")
• Authentication: Prove it!

Authentication: the cornerstone of security
(Diagram layers: Policies and Procedures; Authentication; Authorization; Signature/Encryption; Audit.)

Problems with static passwords
• Security
  – names, personal identification numbers (rodná čísla), …
  – keyloggers, HTTP, …
  – dictionary attacks
  – …
• User convenience vs. policies
• Possibility of sharing vs. audit
• Administration costs

Authentication factors
• Something you know
  – password
  – PIN
  – mother's maiden name
  – "bflmpsvz"
• Something you have
  – physical key
  – magnetic card
  – chip card
• Something you are
  – fingerprint
  – iris
  – voice
Use at least two!!!

Two-factor authentication: RSA SecurID
Combination of something you know and something you have: PIN ("abc123") + token.
User authentication example: Login: bay; Passcode: 2468 234836
PASSCODE = PIN + TOKENCODE (PIN 2468, tokencode 234836)
Token: ultra-stable quartz clock, unique seed; the tokencode changes every 60 seconds.

RSA SecurID authentication devices
• SID 700
• SID 800: smart card + SecurID token
  – Windows password or certificate
  – works together with HDD encryption (e.g. CheckPoint Full Disk Encryption)
  – certificates for e-mail, signing, file encryption
• SID 520
• SID 200
• SID 900
• On-demand Authenticator
  – New in version 7.1
  – Stays with the user better ("tied to the body"); why this matters:
    • users do not forget to take it on holiday / business trips
    • chip cards: inactivity timer
    • tokens without a pinpad: e.g. the password typed into the username field, keyloggers, etc.
  – Price when used only occasionally

RSA SecurID authentication devices (cont.)
• Desktop Software Token
  – the seed can be stored on a smart card
• Mobile Software Tokens
  – RIM BlackBerry
  – Microsoft PocketPC
  – Palm OS
  – Java phones
  – Windows Mobile

Security of the solution
• A code can be used only once
• Time-limited validity
• Automatic countermeasures against attacks
  – next tokencode
  – disable

Automatic security mechanisms
• 3 × wrong passcode = next tokencode mode (configurable)
• 10 × wrong passcode = token disabled (configurable)
• 3 × wrong PIN + valid tokencode = token disabled

RSA SecurID architecture
Components: RSA Authentication Manager, RSA Authentication Agent, RSA SecurID Token (PIN + token).
(Diagram, dated February 2002: remote users over the Internet, dial-up and VPN, and local users on the intranet, reach web servers, VPN or firewall, remote access servers and network resources through RSA Authentication Agents, which check PIN + tokencode against the RSA Authentication Manager running on Windows or UNIX.)

RSA Authentication Agent
• Native agents from RSA (free of charge)
  – Microsoft IIS
  – Apache web servers
  – Sun ONE Web Server
  – MS Windows (local, RRAS, domain, EAP)
  – Unix: PAM
  – Novell
• Other cases
  – RADIUS
  – TACACS+
  – Java / C SDK
• Embedded agents (API)
  – CheckPoint FW-1/VPN-1
  – Sun Java Access Manager
  – Citrix WI
  – …
• Third-party products
  – SAP
  – Lotus Notes
  – …
  – http://www.rsasecured.com

RADIUS Protocol Service
– Handles all RADIUS protocol
– Embedded Juniper (formerly Funk SBR) RADIUS Server
– Integrated RADIUS administration
  • No separate installation or user interface
  • Integrated data creation and management (e.g., a RADIUS Agent is also an AM Agent)
– Backward-compatible RADIUS extensions
  • Profile provided by AM via the authentication protocol
  • RADIUS attribute support

RSA SecurID: time-synchronous mechanism
(Diagram: the RSA Auth. Agent on the RAS, VPN, web server, etc., forwards the passcode to the RSA Auth. Manager.)
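The passcode (PIN + tokencode), the time-synchronous tokencode and the automatic security mechanisms on these slides, as an added Python sketch that is not RSA's or SOFT-TRONIK's code: RSA's tokencode algorithm is proprietary, so an HMAC-SHA256 over the 60-second time step stands in for it, and the TokenRecord class, its status strings and the sample seed are assumed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo, not RSA's code: RSA SecurID's tokencode algorithm is proprietary,
# so an HMAC-SHA256 over the 60-second time step stands in for it (assumption).
STEP = 60                   # the tokencode changes every 60 seconds
NEXT_MODE_AFTER = 3         # 3 wrong passcodes -> next tokencode mode
DISABLE_AFTER = 10          # 10 wrong passcodes -> token disabled
PIN_FAILS_TO_DISABLE = 3    # 3 wrong PINs with a valid tokencode -> token disabled

def tokencode(seed: bytes, now: int) -> str:
    """Six-digit code for the window containing `now`: same seed + same time = same code."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class TokenRecord:
    """Per-token state kept on the Authentication Manager side (assumed layout)."""

    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin = seed, pin
        self.bad_passcodes = self.bad_pins = 0
        self.next_mode = False      # waiting for the *next* tokencode after a good one
        self.pending_window = None
        self.last_window = -1       # one-time use: each window's code is accepted once
        self.disabled = False

    def verify(self, passcode: str, now: int) -> str:
        """PASSCODE = PIN + TOKENCODE. Returns ACCEPTED, NEXT_TOKENCODE, DENIED or DISABLED."""
        if self.disabled:
            return "DISABLED"
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        window = now // STEP
        expected = tokencode(self.seed, now).encode()
        code_ok = hmac.compare_digest(code.encode(), expected) and window > self.last_window
        if code_ok and pin == self.pin:
            self.last_window, self.bad_passcodes, self.bad_pins = window, 0, 0
            if self.next_mode and self.pending_window is None:
                self.pending_window = window    # plausible so far; prove possession with the next code
                return "NEXT_TOKENCODE"
            self.next_mode, self.pending_window = False, None
            return "ACCEPTED"
        if code_ok:                             # valid tokencode but wrong PIN: token may be stolen
            self.bad_pins += 1
            self.disabled = self.bad_pins >= PIN_FAILS_TO_DISABLE
        else:                                   # wrong tokencode, or replay of an already-used window
            self.bad_passcodes += 1
            self.next_mode = self.next_mode or self.bad_passcodes >= NEXT_MODE_AFTER
            self.disabled = self.bad_passcodes >= DISABLE_AFTER
        return "DISABLED" if self.disabled else "DENIED"
```

A successful passcode resets both failure counters, and a token in next tokencode mode is only fully accepted once a code from a later 60-second window has been presented.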
(Diagram continued: the token and the Authentication Manager each run the same algorithm over the same "seed" and the same time, so both compute the same tokencode, 234836 in the example.)

RSA Auth. Manager Primary/Replica model
(Diagram: the RSA Auth. Agent on the RAS, VPN, web server, etc., can authenticate against either the Primary or the Replica RSA Auth. Manager.)
• Data synchronization between the primary and replica server
• The Advanced licence allows deployment of 15 replica servers

Strengths of one-time passwords
• strengths:
  – no requirements on the client side
  – simple & fast implementation
  – broad support
  – low HW requirements
  – user comfort

Typical deployments
• typical deployments:
  – VPN (IPSec, SSL)
  – web applications
  – Citrix
• in-house deployments:
  – 802.1x
  – WiFi networks
  – Windows Domain

Evaluation criteria
• Total Cost of Ownership
  – purchase price
  – deployment costs
  – operating costs
• Strategic view: users
  – convenience and simplicity
  – mobility
  – multi-purpose use
• Strategic view: systems
  – level of security
  – interoperability and integrability
  – robustness and scalability
  – flexibility towards future requirements

Comparison
Legend: strategic rating: excellent, very good, good, acceptable, low; TCO: very high, high, medium, low, very low.
(Chart slide comparing traditional passwords, RSA SecurID hardware tokens, RSA SecurID software tokens, RSA Mobile (virtual tokens), digital certificates, chip cards + certificates and biometrics on: strategic rating, corporate systems (security; interoperability and integrability; robustness and scalability; flexibility); strategic rating, users (convenience and simplicity; portability; multi-purpose use); Total Cost of Ownership (purchase price; deployment costs; operating costs).)

Numeric expression
(TP = traditional passwords, HW = hardware tokens, SW = software tokens, VT = virtual tokens, DC = digital certificates, CC = chip cards + certificates, BIO = biometrics)

Category  Criterion                            Weight    TP    HW    SW    VT    DC    CC   BIO
TCO       Purchase price                        10.0%     9     6     7     8     8     6     5
TCO       Deployment costs                      10.0%     8     7     6     8     8     6     5
TCO       Operating costs                       10.0%     3     8     7     7     7     6     6
Users     Convenience and simplicity            20.0%     3     8     7     7     7     7     8
Users     Portability                           10.0%     9     9     8     6     4     6     6
Users     Multi-purpose use                      5.0%     2     3     4     4     6     8     5
Systems   Security                              20.0%     3     8     8     8     5     8     7
Systems   Interoperability and integrability     5.0%     6     7     6     5     5     5     2
Systems   Robustness and scalability             5.0%     4     7     7     7     8     8     3
Systems   Flexibility                            5.0%     2     5     5     5     8     8     3
          Score (weighted)                     100.0%  4.80  7.30  6.90  6.95  6.45  6.85  5.85

(Charts: rating, users; rating, systems.)
Source: https://www.rsasecurity.com/products/authentication/whitepapers/ASC_WP_0403.pdf

RSA SecurID Appliance 130/250

Releases and Versions
• 7.1 is the shipping version for online software downloads
  – However, it is not available on all software platforms
• 6.1 will still be available for those platforms for which 7.1 is not available
• We will be announcing the EOL for 5.2 and 6.0 at the time of 7.1's release
(Matrix slide: availability of Authentication Manager 7.1, 7.0 and 6.1 on Windows Server, Red Hat Linux, Sun Solaris, AIX, SUSE, HP-UX, VMware and the SecurID Appliance, with some combinations marked Limited Release.)

System Requirements - Windows
Operating System
• Microsoft Windows Server 2003 Enterprise R2 (32-bit)
• Microsoft Windows Server 2003 Enterprise SP2 (32-bit)
• Microsoft Windows Server 2003 Enterprise R2 (64-bit)
• Microsoft Windows Server 2003 Enterprise SP2 (64-bit)
• Note: RADIUS is not supported on 64-bit Windows and Linux systems.
Hardware
• Intel Xeon 2.8 GHz or equivalent (32-bit)
• Intel Xeon 2.8 GHz or equivalent (64-bit)
Disk Space
• RSA Authentication Manager:
  – 60 GB free space recommended
  – 20 GB free space minimum
  – Disk space usage depends on the scale of your deployment.
  – With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.
• RSA RADIUS:
  – Approximately 125 MB of free space
Memory Requirements
• RSA Authentication Manager: 2 GB
• RSA RADIUS: 256 MB (512 MB for servers with more than 10,000 users)
Page File
• 2 GB

System Requirements - Linux
Operating System
• Red Hat Enterprise Linux 4.0-1 ES (32-bit)
• Red Hat Enterprise Linux 4.0-1 ES (64-bit)
• Red Hat Enterprise Linux 4.0-1 AS (32-bit)
• Red Hat Enterprise Linux 4.0-1 AS (64-bit)
• Note: RADIUS is not supported on 64-bit Windows and Linux systems.
Hardware
• Intel Xeon 2.8 GHz or equivalent (32-bit)
• Intel EM64T 2.8 GHz or AMD Opteron 1.8 GHz, or equivalent (64-bit)
Disk Space
• RSA Authentication Manager:
  – 60 GB free space recommended
  – 20 GB free space minimum
  – Disk space usage depends on the scale of your deployment.
  – With high numbers in excess of 1,000,000 token users, logging and archiving may take up greater amounts of space.
• RSA RADIUS:
  – Approximately 235-470 MB of free space
Memory Requirements
• RSA Authentication Manager: 2 GB
• RSA RADIUS: 256 MB (512 MB for servers with more than 10,000 users)
• Swap Space: 2 GB
• Kernel Version: 2.6.9-22.EL and later
• Kernel Parameters: maximum shared memory must be at least 256 MB

System Requirements - Solaris
Operating System
• Solaris 10 (64-bit)
Hardware
• UltraSPARC 1.5 GHz, or equivalent
Disk Space
• RSA Authentication Manager:
  – 60 GB free space recommended
  – 20 GB free space minimum
• RSA RADIUS:
  – Approximately 325-650 MB of free space
Memory Requirements
• RSA Authentication Manager: 4 GB
• RSA RADIUS: 256 MB (512 MB for servers with more than 10,000 users)
Swap Space
• 4 GB
Packages
• SUNWarc
• SUNWbtool
• SUNWhea
• SUNWlibm
• SUNWlibms
• SUNWsprot
• SUNWtoo
• SUNWi1of
• SUNWi1cs
• SUNWi15cs
• SUNWxwfnt

Edition Comparison
• Base Edition
  – 1 Primary, 1 Replica
  – Only 1 Realm
  – RSA Credential Manager Self Service included
• Enterprise Edition
  – 1 Primary, up to 15 Replicas
  – Up to 6 cross realms
  – Clustering
  – High Availability support
  – RSA Credential Manager Self Service and Workflow Provisioning included

Oracle Database Replacing Progress
• Authentication Manager 7.1 utilizes Oracle 10g for its data store
• Replaces the Progress Software database
• The goal was to move to a more industry-standard database that could handle the increased complexity of the solution
• Bottom line: like Progress, Oracle is invisible to the end-user customer
(Diagram: 6.1 uses Progress; 7.1 uses Oracle.)

Server Instance Overview: "The Big Picture…"
(Architecture diagram: a J2EE application server cluster hosting the Administrative Interface (servlets/JSP), Authentication Broker, Adjudicator, Agent Protocol Server, Offline Auth Data Service, Agent Configuration, Data Access and Manipulation (Command Patterns), Data Abstraction Layer (Hibernate & IMS Core), CT-KIP, RADIUS, SMS-HTTP and Web Services. External interfaces: authentication agents over legacy UDP and TCP, Administration and Self-Service user interfaces over HTTPS (via a proxy), RMI over SSL, Offline DL (SSL), CT-KIP (SSL), Auto Reg (SSL), an SMS On-Demand Provider Gateway, JDBC to a local or remote database, LDAP v3 over SSL to identity sources (AD, Sun One), replication to replica instances, remote trusted deployments, and monitoring/system control via JMX and SNMP v2.)

(Diagram: A Three Instance Deployment: a PRIMARY instance and two replica instances, each made up of server nodes and a database server; agents fail over between instances, and the instances are linked by the adjudication protocol and replication.)

(Diagram: Two Trusted 7.1 Deployments: two deployments, each consisting of server clusters with DS and replay servers, linked by the User Discovery and Remote Authentication Protocol.)

(Diagram: A Cross-Realm with AM 6.1: an AM 6.1 primary with its replicas linked to an AM 7.1 deployment through the User Discovery and Remote Authentication Protocol.)
(Diagram: A Complete AM 7.1 Deployment: one PRIMARY instance and its replicas, each with DB and DS.)

(Diagram: A Really Complete AM 7.1 Deployment: several PRIMARY instances, each with their replicas (DB, DS); 384 servers ready to authenticate.)

Installation
(Four screenshot slides.)

AM 6.x versus AM 7.1
• Not present in AM 7.1:
  – Directly enabled users. Access is always provided via Groups.
  – Ad-hoc (SQL) reports
• LDAP Synchronization Jobs are replaced with Identity Sources
  – Real-time LDAP verification
  – LDAP Content Database Verification Process
    • Cleans AM data if users are modified directly in the IS.
  – The AM 7.1 console can alter LDAP content if desired.

AM 6.x versus AM 7.1 (cont.)
• AM 7.1 supports multiple policies
  – No single "System Parameter"
  – New policies can be created and associated with users, tokens, and agents via Security Domains
• Authentication lockout is handled by IMS and IMS policies at the user level
  – Support for configurable, temporary lockout
  – Authentication failures lock out the user, not just a specific token.
• PIN and password histories, dictionaries, and policies
  – Administrators will be able to eliminate the "1111" PIN!

Security Domain
• All RSA managed objects are "stored" in security domains.
• Security Domains are used in conjunction with roles to limit what is visible to an administrator and the operations they can perform on the visible objects.
• Security domains "own" all RSA managed objects that they contain; in turn, every object is owned by a Security Domain.

Security Domain (cont.)
• Security Domains can provide very powerful (and potentially very confusing) partitioning of administrative data visibility.
  – For example, all agents could be created in one Security Domain, all tokens in another, and all users in a third Security Domain.
(Diagram: an Agent Domain whose agents are managed by the Agent Manager role; a Token Domain whose tokens are managed by the Token Manager role; a User Domain whose users are managed by the User Manager role; an Assignment Coordinator working across the domains.)

Administrative Role
• Administrative Roles define where and what an administrator can manage in the Security Console.
• The where is defined by the role's Security Domain and Identity Source Scope
• The what is defined by the role's Permissions

AM 7.1 Performance
• Runtime-critical data is replicated by a special, high-performance replication mechanism.
• The Adjudicator design eliminates Lock Manager performance issues.
• The system scales positively both when adding Nodes to an Instance and when adding Replica Instances (up to 15 instances).
• 1,300 authentications/second, almost 6x faster than AM 6.1
  – 5 Replicas (at 80% CPU) using low-end Dell 1950 servers
  – Primary and Primary Standalone Database (no load)
  – 10-minute test run, with a pre-run for adjudicator "homing"
  – 4000 concurrent virtual agents