Organizations today are storing terabytes, even petabytes, of information on
their servers. This could be in the form of customer details, financial
information and other sensitive data. All this data is undoubtedly crucial for
an enterprise, and the biggest challenge for any organization is to maintain
proper access rights to this information, so that only eligible persons can
access a given set of information. Luckily, there are quite a few mechanisms
through which one can guarantee a superior level of information security. These
mechanisms have evolved over the last couple of decades. Let's take a look at
the latest happenings in this field.
Network Access Control
The concept of stopping any unauthorized or malicious attack at the network
level sounds like a dream for security specialists. And that's what NAC
provides. As the name suggests, it checks the access rights of any traffic
between two end points, and allows only authentic traffic to reach the other
end. There are quite a few mechanisms through which NAC can work. One way is to
go back to each end point and verify the authenticity of those devices before
letting the traffic pass. Some NAC products run a set of vulnerability
assessment and IDS tools on the traffic to check for authenticity. And some go
a level beyond all this and execute the traffic data on top of a virtual
machine to check its behavior.
After the traffic and the user generating it have been identified and
scanned, the device checks them against the policy and gives the user access
according to the policies. For example, a user accessing the network over a VPN
might only get access to a certain part of the network, whereas the same user
logging in from inside the network will get full access. On the other hand, any
malicious or unknown user can be automatically sent to a quarantine zone or a
honeypot for further analysis.
App Firewalls
Firewalls are known to all. But there is a new type of firewall creating a lot
of interest this year: the Application Firewall. The hype for App Firewalls
started after the release and success of SELinux, which is a good example of an
App Firewall. If you understand what SELinux is and what it does, then you know
what an App Firewall is.
If you don't understand it, then think of it as an advanced form of the
Policy Editor of Windows. After the acceptance of SELinux in the industry, many
other players have entered the market. For example, SUSE brought a fully
graphical App Firewall called AppArmor with its latest release of Enterprise
Linux (SLED 10 and SLES 10).
An Application Firewall is essentially software that sits on top of and
communicates with the OS kernel, and isolates the memory space of every
application from the others. So, if one application gets attacked and
compromised, the other applications will still continue to work without any
problem.
For example, if someone breaks the root password of a given Linux server by
running a brute force attack or dictionary attack, or by any other mechanism,
and gets to the # prompt, then with an Application Firewall in place he can be
restricted from changing or playing around with vital services running on the
system, such as the Web server or the SQL server. Even after logging in as
root, he still gets only the privileges of a guest user.
"Our organization deals with IT and ITES (BPOs and call centers). Most of our customers implement their global development centers from our premises. In addition to iGATE specific security implementation, these customers want to implement their own security solutions for projects and processes. Due to this, handling and deploying security processes (which include access rights permission) to folders and applications, has become cumbersome. iGATE operates on heterogeneous systems due to its client requirements. Managing user accounts and associated passwords on a heterogeneous system is a cumbersome and difficult process. Due to above challenges, iGATE is evaluating various IDM solutions."
Shiva M, Vice President, Global IT Infra Support and Purchases, iGATE
Identity management
Web SSO: SSO or Single Sign On is a very well known concept. For ages, software
giants such as Microsoft have been preaching about SSO. And each and every
server-level OS today has options for setting up interlinked authentication
servers that can provide SSO in a given network.
But when it comes to the Internet, the scenario changes. The Internet being an
unorganized entity, it traditionally does not have any SSO option built into
its core. And it was not needed either. But after the rise of Web Services,
SaaS (Software as a Service) and SOA, it has become necessary to have SSO over
the Web as well.
This area is still very new and we don't have a full-fledged solution as of
now. But there are technologies such as SAML, WS-Security, etc. that are
working towards this end. Let's see what these technologies are and what they
do.
Deploying RSA Authentication Manager and Agent
The RSA Authentication Manager software is the management component of the RSA SecurID solution. It verifies authentication requests and policies for enterprise networks. It also provides features such as database replication and load balancing, automated LDAP import and LDAP synchronization, etc. RSA Authentication Manager 6.0 can authenticate Windows users in scenarios such as Local Authentication, Domain Logon, Terminal Services, Offline Authentication, etc. It works with the RSA Authentication Agent that provides RSA Authentication Authentication Manager
Security Assertion Markup Language: SAML has been developed by the
Security Services Technical Committee of OASIS. It is essentially an XML-based
framework for exchanging user authentication, entitlement and attribute
information. SAML makes businesses capable of making assertions regarding the
identity, attributes and entitlements of a principal (user) to other entities
in the network. The challenge that SAML is trying to solve is Web SSO. SAML
assumes that the principal has enrolled with at least one identity provider.
The identity providers are supposed to provide local authentication to the
principal.
WS (Web Service) Security: This is a protocol that specifies the use of
SAML and Kerberos tokens for securing Web Services. The protocol contains
specifications on how integrity and confidentiality can be enforced on Web
Services messaging. Microsoft, IBM and VeriSign initially worked out this
standard.
Two Factor Sign In: This is a mechanism with which a user gets an
additional layer of protection from hardware token or card based
authentication, coupled with a standard PIN or password.
In such a scenario, in the first stage a user has to authenticate himself
either by swiping an RF or magnetic card or by providing a random number
generated by a hardware device (called a token) to the system. In the second
stage, the user has to provide a standard PIN or password to gain full
authentication.
Automated provisioning: This is a system for creating and managing
multiple instances of a service within a shared IT infrastructure. The network
administrator maintains a set of computing resources that can be allocated to
different services and then to users based on policies.
The users can then request access to services of a particular type, and
instances of these services are then provisioned to meet their requirements.
Role based access control: Roles are defined for different job-related
functions, and permissions are allotted according to the role. Now, instead of
assigning policies directly to a certain user or group, they are assigned
roles. And through those role assignments, the users get the required
permissions to perform any particular task in the network.
Useful Links
RSA: www.rsasecurity.com/node.asp?id=1191
Microsoft: http://tinyurl.com/z98dr
Sun: http://www.sun.com/software/products/identity/index.jsp
BMC Software: http://www.bmc.com/corporate/nr2005/032305_1.html
CA: http://www3.ca.com/Press/PressRelease.aspx?CID=82552
As users/groups are not assigned policies directly but acquire them through
roles, management of individual user/group rights becomes very easy. All you
have to do in this case is to allocate the proper role to a given user. This
simplifies the task of editing a user, changing user policies or even adding
new users. This feature can be achieved by using any LDAP server. Microsoft is
a vendor in this space.
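An added example, not from the article or any vendor's product, of the role-based model just described, in Python: users are given roles, roles carry permissions and can inherit from other roles, and changing a user's access means reassigning a role rather than editing policies. The role, permission and user names are constructed for the illustration:

```python
# Added RBAC illustration; roles, permissions and users are constructed, not real.
class Rbac:
    def __init__(self):
        self.role_perms = {}    # role -> set of "resource:action" permissions
        self.role_parents = {}  # role -> roles it inherits permissions from
        self.user_roles = {}    # user -> roles assigned to that user

    def define_role(self, role, perms, inherits=()):
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:      # a mistyped role must not silently grant nothing
            raise KeyError("undefined role: %s" % role)
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        # Assigned roles plus everything they inherit, following the hierarchy.
        todo, seen = list(self.user_roles.get(user, ())), set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.role_parents.get(r, ()))
        return seen

    def permissions(self, user):
        perms = set()
        for r in self.effective_roles(user):
            perms |= self.role_perms[r]
        return perms

    def allowed(self, user, resource, action):
        return "%s:%s" % (resource, action) in self.permissions(user)

    def who_can(self, resource, action):
        # Audit query: every user who holds the permission through some role.
        return sorted(u for u in self.user_roles if self.allowed(u, resource, action))

def build_sample():
    rbac = Rbac()
    rbac.define_role("employee", ["intranet:read"])
    rbac.define_role("developer", ["repo:read", "repo:write"], inherits=["employee"])
    rbac.define_role("dba", ["db:read", "db:write", "db:backup"], inherits=["employee"])
    rbac.assign("alice", "developer")
    rbac.assign("bob", "dba")
    return rbac
```

The who_can query is the piece an auditor asks for first: with roles in between, "who can back up the database" is answered from the role table rather than by reading every user's individual policy.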
Self-destructive USB drives
Very recently Microsoft patented a new technology, and soon we will see it all
around us. This is an innovative idea called “Volatile Portable Memory”. In
normal terminology we would call it self-destructing pen drives.
The idea comes from the fact that MS has certain applications which create and
write sensitive information related to the configuration of networks and
network devices to USB pen drives. And if by some means the device is lost or
stolen, it creates a high risk of network compromise.
So, to solve this issue MS came up with the concept of VPM or Volatile
Portable Memory. The working mechanism of such a device is very simple. When
you copy some data onto the drive it also gets charged for one hour.
After this time period it automatically discharges and shuts down, erasing
all the data inside it. This mechanism is also called a timed erasure
mechanism.