UNDERSTANDING 2 FACTOR AUTHENTICATION TAGITM 2012 Houston Thomas Public Safety Solution Architect 800.800.4239 | CDW.com/peoplewhogetit CONFUSED YET? » Step 1 Encrypted VPN. » VPN Market. » 2 Factor Authentication – Single Purpose versus Identity Management. » Biometrics. » Tokens. » Smart Cards – Contact and Proximity. » Your Future Network. » Windows Certificates. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 2 2 A LITTLE HOUSEKEEPING…. I am not a cryptographer. If the math has letters with it then I am OUT. There are currently (57) separate State interpretations of what the CJIS Mandate is. A CJIS Mandate rumor is a premature fact. My presentations are typically entertaining and humorous. However, with respect to CJIS, entertainment and humor are unachievable. Not addressing Phones in this presentation. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 3 3 CJIS COMPLIANCE…REMEMBER » You must guard against eavesdropping and man in the middle attacks through a public accessible network. » The patrol car environment is a conveyance and not considered a secure environment. » You guard against unlawful access of Federal CJIS databases via 2 factor authentication. » 2 factor authentication is also in place to ensure officer accountability. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 4 4 STEP 1 = ENCRYPTED VIRTUAL PRIVATE NETWORK » Required to thwart eavesdropping and man in the middle attacks through public accessible wireless data networks and Wi-Fi. » Modern VPN solutions generally integrate well with 2 factor authentication platforms. » Only some solutions include session persistence features. Most offer roaming capabilities. » Apple IOS and Android support is evolving. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 5 5 VPN MARKET » Radio IP - LE Centric - supports RDLAP » Wireless carriers in some States have an approved offering. » Net Motion - LE Centric - Strong application session persistence - Android support coming - No plans to support IOS at this time. - Strong integration to 2 factor platforms. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 6 6 VPN MARKET » Cisco AnyConnect - Android and IOS support - Not there with session persistence yet - Integration to 2 factor platforms » Columbia Tech - Up and Coming - Quasi LE Centric - Session Persistence Capabilities - Android and IOS support - Integration to 2 factor platforms. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 7 7 TYPICAL VPN NETWORK DIAGRAM CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 8 8 3 FACTORS OF SECURITY What you know. Typically your standard username and password challenge/response. Requirements for length, strength and expirations. Pick this as one of your factors. What you have. Includes Contact and Proximity Smart Cards and USB Tokens. Who you are. Biometrics namely finger print readers. Other forms include facial recognition, palm vein and retina scanning. Behavioral Biometrics? CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 9 9 2 FACTOR AUTHENTICATION = 2 BASIC OPTIONS » Identity Management Solution. » Single Purpose Solutions. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 10 10 IDENTITY MANAGEMENT SYSTEMS CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 11 11 IDENTITY MANAGEMENT SOLUTION PROS/CONS More difficult to integrate into your environment. Most costly option. Manages most types of 2nd factor methods. Allows for a mixed environment. i.e. fingerprint in the car and hardware tokens at the desk. Replacing one method for another is not rip and replace. You are going to have to devote some training time and resources in order to fully comprehend, implement and manage the solution. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 12 12 IDENTITY MANAGEMENT SOLUTION PROS/CONS Over time and throughout an Enterprise this method will reduce Costs. More robust integration with Active Directory. Provide for comprehensive and consolidated reporting. Single Sign On features available. Can manage user based password resets. Imprivata, Symantec and Digital Persona seem to be the most Interested in the Public Safety Market. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 13 13 SINGLE PURPOSE SOLUTIONS CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 14 14 SINGLE PURPOSE SOLUTIONS PROS/CONS Quickest path to getting started. Least Costly. Mixed environments are separately managed. Might be able to implement it “Out of the Box”. Making the wrong decision is rip and replace. There is not generally a migration path to Identity Management. Complying with reporting requirements becomes difficult. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 15 15 BIOMETRICS Lets face it…Fingerprint readers are the only real solution here. • Nothing to carry or lose. • May already have technology. Embedded laptop readers. • Most secure method of authentication. Can’t easily be stolen. • Cannot read through gloves. • Skin condition a factor. • External factors contribute to read positives. i.e. light. • Often must clean between shifts/uses. • “Welcome to Registration Day”. • Too many decisions to make. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 16 16 FINGER PRINT SCANNER OPTIONS • Device Types. • Embedded • External • Reader Types. • Static • Swipe • Sensor Types. • Capacitive • Optical • Thermal • Pressure • RF • Ultrasonic CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 17 17 TOKENS • • • • • • • • • • Works with gloves. Skin condition is not a factor. Mitigates environmental conditions. Often least costly to introduce. Easily lost, forgotten or stolen. Considered complex and difficult to use. Often ty wrapped to the Dock or MDT. Typically requires less support. We have already seen a major breech. No external connection required. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 18 18 CARDS / PROXIMITY Our most recommended method. Currently least used. • Works with gloves. • Skin condition is not a factor. • Environmental conditions not a factor. • Easily lost, forgotten or stolen. • Officers are already accustomed to use. • Easiest method to utilize. • We have little to No historical perspective as to how the readers hold up in a mobile environment. • Readers themselves can be expensive. $150 to $400. • Externally connected…USB. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 19 19 CARDS / CONTACT • • • • • • • • Works with gloves. Skin condition is not a factor. Environmental conditions not a factor. Easily lost, forgotten or stolen. Officers are already accustomed to use. 2nd easiest method to utilize. Contact wear and tear an issue. Externally connected…USB. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 20 20 THE NEW NETWORK DILEMMA » Supporting wireless offload of In Car Video. » Supporting ALPR update and offload. » Supporting mobile updates from CAD RMS. » Access to video streaming now that 4G is here. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 21 21 COMPLEX VPN NETWORK DIAGRAM CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 22 22 YOUR FUTURE NETWORK » Prepare yourself for a secure and non-secure network. » Do not use your VPN Server as a choke point, firewall or a intermediate defense in depth strategy. » Prepare yourself to relax the VPN Client lockdown policy. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 23 23 DON’T SHOOT THE MESSENGER Net Motion, Windows Certificates, Radius Server, Public Key Infrastructure and IPsec. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 24 24 WINDOWS CERTIFICATES New (2013) 5. For agencies using public key infrastructure technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the information system. Registration to receive a public key certificate shall: a) Include authorization by a supervisor or a responsible official. b) Be accomplished by a secure process that verifies the identity of the certificate holder. c) Ensure the certificate is issued to the intended party. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 25 25 WHAT DOES A WINDOWS CERTIFICATE LOOK LIKE <?xml version='1.0' encoding='utf-8' standalone='yes'?> <assembly xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" authors="charfa" buildFilter="" company="Microsoft" copyright="" creationTimeStamp="2005-01-01T00:35:52.6386021-08:00" description="$(resourceString.description1)" displayName="$(resourceString.displayName0)" lastUpdateTimeStamp="2005-03-01T23:47:26.4788237-08:00" manifestVersion="1.0" owners="charfa" supportInformation="" testers="" > <assemblyIdentity buildFilter="" buildType="release" language="*" name="Microsoft-Windows-CertificateServices-MSCEP-DL" processorArchitecture="*" publicKeyToken="" type="" version="0.0.0.0" versionScope="nonSxS" CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 26 26 GREAT NEWS Now we can…. Use my fingerprint scanner with Net Motion. Fingerprint is indexed to my Public Key Token. Token is submitted for Windows Certificate. Windows Radius validates the Token. I get my certificate. I am good to go until my certificate expires. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 27 27 EXCEPT FOR….. • 2. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced authentication; however, agencies that have funded/implemented IPSec in order to meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize IPSec for AA until 2013. Examples: a. A police officer is running a query for CJI from their laptop mounted in a police vehicle. The police officer leverages a cellular network as the transmission medium; authenticates the device using IPSec key exchange; and tunnels across the cellular network using the IPSec virtual private network (VPN). IPSec was funded and installed in order to meet the AA requirements of CJIS Security Policy version 4.5. AA requirements are waived until 2013. “I don’t know what this means. Windows Certificates use IPSec.” CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 28 28 THAT STATEMENT IS NOT THE REAL PROBLEM THOUGH….. The 2nd Factor is being Authenticated at the Device and not to a Back End Server. 2nd Factor is being replaced by a PIN in the Certificate. Therefore… 1. If the laptop is stolen then the CJI Identity is unusable ….forever. 2. You cannot be made immediately aware of unsuccessful login attempts. 3. Reporting is difficult to say the least. 4. Management of Shift Fleets becomes an impossible task. 5. Now the Certificate is really validating the device. “Our belief…Advanced Authentication can only be validated within the secure environment.” CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 29 29 RECOMMENDATIONS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Participate in a ride along with one of your officers. Know your State Security Officer. If changing or adding VPN services, test capability thoroughly before implementing. Architect your network with the future in mind. Just because they are a magic quadrant vendor doesn’t mean they get Public Safety. Use technologies that are NIST Certified Cryptographic Modules as opposed to NIST Compliant. Prepare yourself for the eventuality of the desktop requiring the same authentication standards. Your Wi-Fi and Bluetooth has to be brought into compliance as well. Keep in mind that your “Cloud” vendor/s may be required to meet CJIS mandates. AAaaS is emerging. Some vendors are developing offerings. CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 30 30 RECOMMENDATIONS 10. Join the Discussion at http://www.digitalcommunities.com Request membership in the “Law Enforcement Information Technology Task Force.” CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY. 31 31 HOUSTON THOMAS PUBLIC SAFETY SOLUTION ARCHITECT 813.375.1033 | hthomas@cdwg.com