RSA Authentication Manager Express Technical Session

advertisement
RSA Authentication
Manager Express
Technical Session
Michel Tepper
Consultant
Westcon Security
RSA Authentication
Manager Express
Technical Session
Understanding Risk Based
Authentication
Integrating RBA and ODA
Deploying AMX
AMX Authentication Methods
AMX Authentication can be deployed as:
• Risk Based Authentication (RBA) with On-Demand Authentication (ODA)
for the Identity Challenge
• RBA with Security questions for the Identity Challenge
• ODA only
Risk –Based Authentication method
Risk-Based Authentication assesses the Risk by evaluating:
• Information about the client device
• User behaviour
If the risk is High, the user is challenged using:
• On-Demand Authentication
• Security questions
AMX Risk Engine
• Evaluates the risk associated with each
authentication attempt
• Challenges users if their assurance level does not
meet the policy defined threshold
– On-Demand (SMS/email)
– Security Questions
• Risk model continuously adapts to changes in each
customer environment
– Common device characteristics are de-prioritized in
the risk score
– Suspicious behavior is based on norms for the overall
user population
• Same Risk Engine protecting more than 350 million
online identities (RSA Adaptive Authentication)
Risk-Based Authentication
Multi-Factor Authentication without replacing Passwords
Factor #1:
Something
You KNOW
Factor #2:
Something
You HAVE
Factor #3:
Something
You DO
Step Up:
Something
You KNOW
or HAVE
AMX Risk Engine Scores
Factors used to determine a risk score include:
• Device matching
– Devices bound to the user account are low risk
– Positive ID = high assurance + low risk
• Behavioural anomalies
– Will lower overall assurance
– Raise risk level
Overall assurance = device match + user behaviour
Device Matching
• Device information is a collection of facts about a user’s machine. These
collected facts are evaluated by the risk engine to help identify fraudulent
authentication attempts.
• If the device can be identified as a registered device for that user, the
authentication attempt is considered low risk; otherwise, the user is
considered a higher risk and will be challenged.
Device Matching
Device Fingerprint
• Analyzes the detailed hardware and software
characteristics of each computer
– User agent string: The version, platform, and the acceptancelanguage header (the user’s language preference)
– System Display: Width, height, and color depth of the user’s
screen
– Software Fingerprint: Browser components and plug-ins
installed on the device
– Browser language: The language of the actual browser
– Time zone: The user’s current time zone in GMT
– Language: The user’s browser language and the system
language
– Cookies: Whether or not the user has cookies enabled on their
device
– Java-enabled: Whether or not the user has java enabled on
their device.
Device Matching
Device Token
• Device tokens are created and placed on the user’s machine for future
identification using a combination of cookies and Flash Shared Objects
(FSO’s)
• Device Token Recovery can automatically restore user-deleted tokens
based on device forensics
• Device Token Theft Protection prevents impersonation of a device using a
stolen token (e.g., via malware) through a combination of techniques
– Encryption of the device ID in the token prevents reuse on another computer
– Tokens generation counter prevents replay of an older token
Device Matching
Determining assurance based on the strength of device match
Match with existing
attributes in profile?
Collective statistics
What’s the probability of a
random match ?
User Profile
User
IP address
cookie
%
Attribute
Value
cookie
...
0%
IP class B
124.55
3%
recently used user-agents
match
ü
user-agent
MSIE 5.5
recently used SW fingerprints
match
ü
IP class B +
user-agent
combination
recently used cookies
ü
match
SW fingerprint recently used IP class B
user-agent
no match
The lower the probability of a random match, the
greater the trust in the device’s identity
...
1.5%
0.1%
Behavioral analysis
• Evaluates behavioral trends for each user/device and corporately across all
users in the organization
Anomalous behavior increases the risk associated with an authentication attempt
Common behavior lowers the relevance of this factor in the overall risk score
• Three categories of behavior are evaluated
Profile anomalies: recent password or account changes
Velocity anomalies: abnormal rate of IP-to-user/user-to-IP authentication attempts
IP anomalies: associates risk with new or infrequently used IP address
Examples of Risky Behavior
• Low Risk: Common activities that nonetheless could be associated with
fraud
– New accounts, recently modified accounts, or authentications from previously
unknown locations
• Medium Risk: Multiple activities combined in a suspicious way
– Authenticating from an unknown location soon after a failed Identity
Confirmation challenge)
• High Risk: Clearly identified fraudulent activity
– Authenticating from a machine with an invalid or modified cookie
The older a risk event, the less impact it has on your risk
score
Identifying the Key Risk Score Contributors
Overall Assurance Level
– Assurance based on device identification and
behavioral predictors
– Five levels from Very Low to High
– Assurance < the defined policy threshold will result
in an Identity Challenge
Device Identification Score (Arg 3 - 5)
(raises
the overall assurance level)
– Highest contributing token element
– Highest contributing networking element
– Highest contributing device fingerprint element
Behavioral Analysis Score (Arg 3 - 5)
(lowers
the overall assurance level)
– Highest contributing profile anomaly
– Highest contributing IP velocity anomaly
– Highest contributing user velocity anomaly
How It Works: Risk-based Authentication
How It Works: Risk-based Authentication
AMX supports 4 minimum assurance levels:
• High
• Medium-high
• Medium
• Low
Assurance Level
• Assurance Level – Confidence associated with a user authentication
attempt
– A strong device match increases the assurance level
– Suspicious behavior decreases the assurance level
• Minimum Assurance Level:
– Assurance threshold required to authenticate without an Identity Challenge
– Defined by policy (multiple policies can be created)
– Four pre-defined assurance threshold – HIGH, MED-HIGH, MEDIUM, LOW
Guidelines for selecting an appropriate Minimum
Assurance Level
• High Assurance: BEST for protecting sensitive assets when higher challenge rates are acceptable
• Authentication from easily-identifiable, corporate-owned assets (e.g., an employee laptop)
• Users that regularly authenticate from the same location (e.g., branch office, partner location, or an
employee’s home)
• Medium-High Assurance (Recommended): VERY GOOD for protecting sensitive assets when
higher challenge rates are not acceptable
• Authentication from corporate and individual-owned assets when policy can be dictated (e.g., cookies
must be enabled).
• Laptop users that frequently authenticate while traveling
• Medium Assurance: GOOD when a balance between protection and end user convenience is
required
• Authentication from uncontrolled, Individual-owned assets (e.g., a personal laptop or home PC)
• When corporate policy cannot be enforced or when tracking objects (e.g., cookies or flash shared
objects) cannot be reliably used
• Low Assurance: Provides the lowest level of protection and should only be used with the least
sensitive assets and when end user convenience is the overriding priority.
• Provides only minimum device assurance while challenging users primarily based on suspicious
behavior
RSA Authentication
Manager Express
Technical Session
Understanding Risk Based
Authentication
Integrating RBA and ODA
Deploying AMX
Deploying On-Demand and Risk-Based Authentication
• On-Demand Authentication
1. Configure authentication agent (identical to SecurID / ODA in AM 7.1)
•
•
RSA Authentication Agent for Web (IIS/Apache)
Any RSA Secured Partner Solution that is web-based
2. Configure ODA delivery method
•
•
Email (SMTP gateway)
SMS (Aggregator or modem)
• Risk-Based Authentication
1. Configure authentication agent (same as ODA)
2. Deploy RBA integration script
RBA Integration Script
• Modifies the logon page of the protected resource (e.g., SSL-VPN or web
application) to securely and transparently redirect users to the RBA logon
service hosted by AMX
• Simple RBA templates (XML-based) used to automatically generate
deployment-specific integration script
• RBA templates come from several different sources
– Built into the AMX appliance (Checkpoint, Cisco, Citrix, Juniper)
– Download certified solutions from RSA Secured (www.rsasecured.com)
– Create new RBA templates using the Integration Guide and reference examples
• Note: RBA templates can be created for any web-based product that
already include a SecurID agent. RADIUS support will be available in a
future release
SMS Integration
•
•
•
•
Includes AM 7.1 SP4 enhancements
Supports SMS aggregator and SMS
modem options
New SMS plug-in is compatible with
most HTTP-based SMS gateways
More RSA Secured Partner Solutions
–
–
–
–
–
–
–
–
–
–
Clickatell
KPN SMS Gateway
Logix Mobile
Multitech MultiModem iSMS Server
Sybase 365
Talariax sendQuick Alert Plus
AT&T (coming soon)
mBlox (coming soon)
StrikeIron (coming soon)
Syniverse (coming soon)
Visit www.rsasecured.com for a current list of supported products or
to request integration with a specific SMS aggregator or modem
RSA Authentication
Manager Express
Technical Session
Understanding Risk Based
Authentication
Integrating RBA and ODA
Deploying AMX
AMX User Interfaces
Authentication Manager Express provides the following interfaces:
• Security Console (admin)
• Operations Console (admin)
• Self-Service Console (user)
• RBA Service Console, login user interface shared by:
– Security Console
– Operations Console
– Self-Service Console
AMX Security Console
AMX Operations Console
RBA Service Console
AMX Components
•
•
•
•
•
•
•
•
An Authentication Manager Express has the following components:
Primary Instance
Replica Instance (optional)
Web tier (optional)
Identity Sources
Self-Service console
Authentication agents (optional)
RBA integration
Deployment Decision Tree
Deployment Decision Tree
Deployment Decision Tree
AMX component – Primary Instance
Primary instance handles:
• All administration (including self-service)
• Authentication requests
AMX component – Replica Instance
Replica provides:
• System – level redundancy
• Real-time backup of all system data
• Fault-tolerant authentication
• Authentication load balancing
AMX component – Web tier
Benefits of a web tier include:
• Protect internal network
• Allows customization of the RBA service and SSLVPN user interface
• Improves system performance
• Requires Replica
AMX component – Identity Sources
You can store data in:
• The Internal Database
• Active Directory
Supported Identity Sources
AMX supports:
• Up to 5 Domain Controllers + one Global Catalogue
• One Identity Source filter per physical directory
• Connections from AMX to external Identity Sources are Read-Only
AMX:
• Does not modify your existing LDAP schema
• Creates a map to your data
Note: Active Directory Application Mode is not supported !
Self-Service Console
Can be customized:
- Branding
- Header &
Footer
- Styles
Authentication Agents
An Authentication Agent:
• Is the component on the protected resource that communicates with AMX
authentication requests
• Is required by any resources that uses ODA or RBA
• AMX only works with web-based authentication agents
Different types of authentication agents protect different types of resources:
https://gallery.emc.com/community/marketplace/rsa?view=overview
RSA Authentication
Manager Express
Technical Session
Summary
Summary of main differences between AM and AMX
AMX supports the following authentication methods:
• RBA
• ODA
• ODA as sole authentication method
• No SecurID (hw / sw)
AMX supports a single replica only
AMX supports the following external Identity Sources:
• Up to 5 DC + 1 Global catalog
• Read-Only connections
• Single Identity Source filter per physical Directory
AMX supports Security Domains but not Realms
Thank you very much.
Download