Two Factor Authentication

UNDERSTANDING 2 FACTOR AUTHENTICATION
TAGITM 2012
Houston Thomas
Public Safety Solution Architect
800.800.4239 | CDW.com/peoplewhogetit
CONFUSED YET?
» Step 1 Encrypted VPN.
» VPN Market.
» 2 Factor Authentication – Single Purpose versus Identity Management.
» Biometrics.
» Tokens.
» Smart Cards – Contact and Proximity.
» Your Future Network.
» Windows Certificates.
CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY.
A LITTLE HOUSEKEEPING….
I am not a cryptographer. If the math has letters with it then I am OUT.
There are currently (57) separate State interpretations of what the CJIS Mandate is.
A CJIS Mandate rumor is a premature fact.
My presentations are typically entertaining and humorous. However,
with respect to CJIS, entertainment and humor are unachievable.
Not addressing Phones in this presentation.
CJIS COMPLIANCE…REMEMBER
» You must guard against eavesdropping and man-in-the-middle attacks over a publicly accessible network.
» The patrol car environment is a conveyance and is not considered a secure environment.
» You guard against unlawful access to Federal CJIS databases via 2 factor authentication.
» 2 factor authentication is also in place to ensure officer accountability.
STEP 1 = ENCRYPTED VIRTUAL PRIVATE NETWORK
» Required to thwart eavesdropping and man-in-the-middle attacks over publicly accessible wireless data networks and Wi-Fi.
» Modern VPN solutions generally integrate well with 2 factor authentication platforms.
» Only some solutions include session persistence features (the application session survives a dropped or roamed link). Most offer roaming capabilities.
» Apple iOS and Android support is evolving.
VPN MARKET
» Radio IP
- LE Centric
- supports RDLAP
» Wireless carriers in some States have an approved offering.
» Net Motion
- LE Centric
- Strong application session persistence
- Android support coming
- No plans to support iOS at this time.
- Strong integration to 2 factor platforms.
VPN MARKET
» Cisco AnyConnect
- Android and iOS support
- Not there with session persistence yet
- Integration to 2 factor platforms
» Columbia Tech
- Up and Coming
- Quasi LE Centric
- Session Persistence Capabilities
- Android and iOS support
- Integration to 2 factor platforms.
TYPICAL VPN NETWORK DIAGRAM
3 FACTORS OF SECURITY
What you know.
Typically your standard username and password prompt, with requirements for length, strength and expiration. Pick this as one of your factors.
What you have.
Includes Contact and Proximity Smart Cards and USB Tokens.
Who you are.
Biometrics, namely fingerprint readers. Other forms include facial recognition, palm vein and retina scanning. Behavioral biometrics?
2 FACTOR AUTHENTICATION = 2 BASIC OPTIONS
» Identity Management Solution.
» Single Purpose Solutions.
IDENTITY MANAGEMENT SYSTEMS
IDENTITY MANAGEMENT SOLUTION PROS/CONS
• More difficult to integrate into your environment.
• Most costly option.
• Manages most types of 2nd factor methods.
• Allows for a mixed environment, i.e. fingerprint in the car and hardware tokens at the desk. Replacing one method with another is not rip and replace.
• You are going to have to devote some training time and resources in order to fully comprehend, implement and manage the solution.
IDENTITY MANAGEMENT SOLUTION PROS/CONS
• Over time and throughout an enterprise this method will reduce costs.
• More robust integration with Active Directory.
• Provides comprehensive and consolidated reporting.
• Single Sign On features available.
• Can manage user based password resets.
• Imprivata, Symantec and Digital Persona seem to be the most interested in the Public Safety market.
SINGLE PURPOSE SOLUTIONS
SINGLE PURPOSE SOLUTIONS PROS/CONS
• Quickest path to getting started.
• Least costly.
• Mixed environments are separately managed.
• Might be able to implement it “out of the box”.
• Making the wrong decision is rip and replace.
• There is generally no migration path to Identity Management.
• Complying with reporting requirements becomes difficult.
BIOMETRICS
Let’s face it…fingerprint readers are the only real solution here.
• Nothing to carry or lose.
• May already have the technology: embedded laptop readers.
• Strongly tied to the individual and can’t easily be stolen or shared, though a compromised fingerprint template cannot be re-issued the way a lost token or card can.
• Cannot read through gloves.
• Skin condition is a factor.
• External factors such as ambient light affect reads.
• Often must clean between shifts/uses.
• “Welcome to Registration Day” (every officer has to be enrolled).
• Too many decisions to make.
FINGER PRINT SCANNER OPTIONS
» Device Types.
- Embedded
- External
» Reader Types.
- Static
- Swipe
» Sensor Types.
- Capacitive
- Optical
- Thermal
- Pressure
- RF
- Ultrasonic
TOKENS
• Works with gloves.
• Skin condition is not a factor.
• Mitigates environmental conditions.
• Often least costly to introduce.
• Easily lost, forgotten or stolen.
• Considered complex and difficult to use.
• Often zip-tied to the dock or MDT, which leaves the “something you have” permanently with the device.
• Typically requires less support.
• We have already seen a major breach.
• No external connection required.
CARDS / PROXIMITY
Our most recommended method. Currently least used.
• Works with gloves.
• Skin condition is not a factor.
• Environmental conditions not a factor.
• Easily lost, forgotten or stolen.
• Officers are already accustomed to use.
• Easiest method to utilize.
• We have little to no historical perspective as to how the readers hold up in a mobile environment.
• Readers themselves can be expensive: $150 to $400.
• Externally connected…USB.
CARDS / CONTACT
• Works with gloves.
• Skin condition is not a factor.
• Environmental conditions not a factor.
• Easily lost, forgotten or stolen.
• Officers are already accustomed to use.
• 2nd easiest method to utilize.
• Contact wear and tear is an issue.
• Externally connected…USB.
THE NEW NETWORK DILEMMA
» Supporting wireless offload of In Car Video.
» Supporting ALPR update and offload.
» Supporting mobile updates from CAD RMS.
» Access to video streaming now that 4G is here.
COMPLEX VPN NETWORK DIAGRAM
YOUR FUTURE NETWORK
» Prepare yourself for a secure and a non-secure network.
» Do not use your VPN Server as a choke point, firewall or an intermediate defense-in-depth layer.
» Prepare yourself to relax the VPN Client lockdown policy.
DON’T SHOOT THE MESSENGER
Net Motion, Windows Certificates, Radius Server, Public Key Infrastructure and IPsec.
WINDOWS CERTIFICATES
New (2013)
5. For agencies using public key infrastructure technology, the agency shall
develop and implement a certificate policy and certification practice statement for the issuance of
public key certificates used in the information system. Registration to receive a public key certificate
shall:
a) Include authorization by a supervisor or a responsible official.
b) Be accomplished by a secure process that verifies the identity of the certificate holder.
c) Ensure the certificate is issued to the intended party.
WHAT DOES A WINDOWS CERTIFICATE LOOK LIKE
Note: what the slide shows is not an X.509 certificate but a Windows component servicing manifest for the MSCEP (NDES, the SCEP enrollment service) component of Certificate Services. A certificate itself is a DER-encoded (often PEM-wrapped) structure carrying subject, issuer, public key, validity period, extensions and the CA’s signature; on Windows you inspect one with certutil -dump or the Certificates MMC snap-in. The manifest as shown on the slide, with the truncated closing tags added so it is well-formed XML:

```xml
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<assembly
  xmlns="urn:schemas-microsoft-com:asm.v3"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  authors="charfa"
  buildFilter=""
  company="Microsoft"
  copyright=""
  creationTimeStamp="2005-01-01T00:35:52.6386021-08:00"
  description="$(resourceString.description1)"
  displayName="$(resourceString.displayName0)"
  lastUpdateTimeStamp="2005-03-01T23:47:26.4788237-08:00"
  manifestVersion="1.0"
  owners="charfa"
  supportInformation=""
  testers=""
  >
  <!-- identity of the servicing component, not a certificate subject -->
  <assemblyIdentity
    buildFilter=""
    buildType="release"
    language="*"
    name="Microsoft-Windows-CertificateServices-MSCEP-DL"
    processorArchitecture="*"
    publicKeyToken=""
    type=""
    version="0.0.0.0"
    versionScope="nonSxS"
    />
</assembly>
```
GREAT NEWS
Now we can….
Use my fingerprint scanner with Net Motion.
Fingerprint is indexed to my Public Key Token.
Token is submitted for Windows Certificate.
Windows Radius validates the Token.
I get my certificate.
I am good to go until my certificate expires.
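The “Windows Radius validates the Token” step above, as an added example that is not code from the presentation or from any vendor product: a hand-built RFC 2865 Access-Request from the VPN server (the NAS) to the RADIUS server, and the signed Access-Accept or Access-Reject that comes back. The shared secret, NAS identifier, user name and expected code are constructed for the demo; a real NAS uses 16 random bytes as the Request Authenticator for every request, and a real server looks the code up in its token database instead of a dict.

```python
"""RADIUS Access-Request / Access-Accept exchange, RFC 2865 wire format.

Added example (not from the presentation). The NAS hides the one-time code
with the shared secret, the RADIUS server recovers it, checks it, and answers
with a Response Authenticator the NAS verifies, so a forged Accept from
anyone without the secret is rejected.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

SHARED_SECRET = b"constructed-demo-secret"   # constructed for the demo only


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chain uses the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, v: bytes) -> bytes:
    """One attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", t, len(v) + 2) + v


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def build_access_request(ident: int, user: bytes, otp: bytes, req_auth: bytes) -> bytes:
    """NAS side: Code=1, Identifier, Length, Request Authenticator, attributes."""
    body = (attr(USER_NAME, user)
            + attr(USER_PASSWORD, hide_password(otp, SHARED_SECRET, req_auth))
            + attr(NAS_IDENTIFIER, b"vpn-gw-1"))          # hypothetical NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def radius_server(packet: bytes, expected: dict) -> bytes:
    """Server side: recover the code, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    otp = reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, req_auth)
    ok = hmac.compare_digest(expected.get(user, b""), otp)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + SHARED_SECRET).digest()


def reply_is_authentic(reply: bytes, req_auth: bytes) -> bool:
    """NAS side: only a party holding the shared secret can produce this MAC."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(reply[4:20], expected)


def nas_check_reply(reply: bytes, req_auth: bytes) -> int:
    if not reply_is_authentic(reply, req_auth):
        raise ValueError("response authenticator mismatch: not from our RADIUS server")
    return reply[0]


def demo(otp: bytes = b"287082") -> int:
    """Full exchange for hypothetical officer 'unit12'; returns the reply code."""
    req_auth = os.urandom(16)
    request = build_access_request(7, b"unit12", otp, req_auth)
    reply = radius_server(request, {b"unit12": b"287082"})   # constructed token DB
    return nas_check_reply(reply, req_auth)
```

The User-Password hiding and the Response Authenticator are both MD5-based and RADIUS carries no transport protection of its own, so between the VPN gateway and the RADIUS server run it over IPsec or RadSec (RADIUS over TLS), using a FIPS 140 validated module as the NIST-certified recommendation later in the deck asks for.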
EXCEPT FOR…..
• 2. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced
authentication; however, agencies that have funded/implemented IPSec in order to meet
the AA requirements of CJIS Security Policy v.4.5 may continue to utilize IPSec for AA
until 2013.
Examples:
a. A police officer is running a query for CJI from their laptop mounted in a police
vehicle. The police officer leverages a cellular network as the transmission medium;
authenticates the device using IPSec key exchange; and tunnels across the
cellular network using the IPSec virtual private network (VPN). IPSec was funded and
installed in order to meet the AA requirements of CJIS Security Policy version 4.5. AA
requirements are waived until 2013.
“I don’t know what this means. Windows Certificates use IPSec.”
THAT STATEMENT IS NOT THE REAL PROBLEM THOUGH…..
The 2nd factor is being authenticated at the device and not to a back end server. The 2nd factor is being replaced by a PIN in the certificate. Therefore…
1. If the laptop is stolen then the CJI identity is unusable ….forever.
2. You cannot be made immediately aware of unsuccessful login attempts.
3. Reporting is difficult to say the least.
4. Management of shift fleets becomes an impossible task.
5. Now the certificate is really validating the device.
“Our belief…Advanced Authentication can only be validated within the secure environment.”
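What “validated within the secure environment” looks like for a “what you have” token (the Tokens slide and points 2 and 3 above), as an added example that is not code from the presentation: an RFC 6238 TOTP check performed by a back-end server that keeps the seed, rejects a replayed code, counts failed attempts and writes an audit record for every decision, which is exactly what a PIN unlocking a certificate on the laptop cannot give you. The seed is the RFC 6238 reference test seed, the officer id “unit12” is hypothetical, and the audit log is an in-memory list standing in for a SIEM or RADIUS accounting log.

```python
"""Server-side validation of a one-time-code token (RFC 4226 HOTP / RFC 6238 TOTP).

Added example (not from the presentation). The laptop only relays the code;
the server owns the seed, the replay state, the failure counter and the log.
"""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890"); a real
# deployment provisions a random seed per token and stores it in an HSM/DB.
DEMO_SEED = b"12345678901234567890"
STEP = 30        # seconds per TOTP window
DIGITS = 6
SKEW = 1         # accept +/- one window of clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class TokenServer:
    """Back-end validator: the only place the seed and the decision live."""

    def __init__(self):
        self.seeds = {"unit12": DEMO_SEED}   # hypothetical officer -> seed
        self.last_counter = {}               # user -> last accepted counter
        self.failures = {}                   # user -> consecutive failures
        self.audit = []                      # (time, user, result) records

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.seeds.get(user)
        if secret is None:
            self.audit.append((now, user, "unknown-user"))
            return False
        counter = now // STEP
        for c in range(counter - SKEW, counter + SKEW + 1):
            # constant-time compare of the candidate code
            if hmac.compare_digest(hotp(secret, c), code):
                # a code is single-use: refuse any counter already consumed
                if c <= self.last_counter.get(user, -1):
                    self.audit.append((now, user, "replay"))
                    return False
                self.last_counter[user] = c
                self.failures[user] = 0
                self.audit.append((now, user, "ok"))
                return True
        # every bad attempt is visible to the server immediately
        self.failures[user] = self.failures.get(user, 0) + 1
        self.audit.append((now, user, "bad-code"))
        return False

    def failed_attempts(self, user: str) -> int:
        return self.failures.get(user, 0)
```

Lockout, alerting and the shift-fleet report are then a query over the audit records, because the server saw every attempt; with a device-side PIN there is nothing to query.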
RECOMMENDATIONS
1. Participate in a ride along with one of your officers.
2. Know your State Security Officer.
3. If changing or adding VPN services, test capability thoroughly before implementing.
4. Architect your network with the future in mind.
5. Just because they are a magic quadrant vendor doesn’t mean they get Public Safety.
6. Use technologies that are NIST Certified Cryptographic Modules (FIPS 140 validated) as opposed to merely NIST Compliant.
7. Prepare yourself for the eventuality of the desktop requiring the same authentication standards.
8. Your Wi-Fi and Bluetooth have to be brought into compliance as well.
9. Keep in mind that your “Cloud” vendor/s may be required to meet CJIS mandates.
10. AAaaS (Advanced Authentication as a Service) is emerging. Some vendors are developing offerings.
RECOMMENDATIONS
11. Join the discussion at http://www.digitalcommunities.com and request membership in the “Law Enforcement Information Technology Task Force.”
HOUSTON THOMAS
PUBLIC SAFETY SOLUTION ARCHITECT
813.375.1033 | hthomas@cdwg.com