December 6, 2006



Organizations today are filling their servers with terabytes, even petabytes, of
information: customer details, financial records and other sensitive data. All
of it is crucial to the enterprise, and the biggest challenge for any
organization is to maintain proper access rights over it, so that only
authorized people can reach a given set of information. Luckily, there are quite
a few mechanisms that provide a high level of information security, and they
have evolved considerably over the last couple of decades. Let's take a look at
the latest developments in this field.

Network Access Control
Stopping unauthorized or malicious traffic at the network level sounds like a
dream for security specialists, and that is what NAC promises. As the name
suggests, it checks the access rights of traffic between two end points and lets
only authenticated, policy-compliant traffic reach the other end. NAC products
do this in several ways. One is to go back to each end point and verify the
identity and health of the device (patch level, antivirus state and so on)
before letting its traffic pass. Others run vulnerability assessment and IDS
tools against the traffic to check it. And some go a level beyond that and
execute suspicious content inside a virtual machine to observe its behaviour
before deciding.

Once the traffic and the user generating it have been identified and scanned,
the device checks them against policy and grants access accordingly. For
example, a user coming in over a VPN might get access to only part of the
network, whereas the same user logging on from the internal LAN gets full
access. A malicious or unknown user, on the other hand, can be dropped
automatically into a quarantine zone or a honeypot for further analysis.

App Firewalls
Firewalls are known to all. But a new kind of firewall has been creating a lot
of interest this year: the application firewall. In this article the term means
host-based application confinement of the kind SELinux provides, not an
HTTP-inspecting web application firewall. The interest grew with the release
and success of SELinux, which is the best-known example: if you understand what
SELinux is and what it does, you understand what an app firewall is.

If you don't, think of it as a far stricter, kernel-enforced form of the
Windows Group Policy editor: a mandatory access control policy that applies to
every process, root included. After SELinux gained acceptance in the industry,
other players entered the market. SUSE, for example, ships AppArmor, an
application firewall with a graphical profile editor, with its latest
enterprise releases (SLED 10 and SLES 10).

An application firewall is essentially software that works with the OS kernel
and confines each application to the files, capabilities and other resources
its policy allows, isolating applications from one another. So if one
application is attacked and compromised, the attacker is held inside that
application's policy and the other applications keep working without any
problem.

For example, suppose someone obtains root on a Linux server, say by
brute-forcing or dictionary-attacking the root password or by exploiting a
confined service, and lands at a # prompt. With an application firewall
enforcing a strict policy, that shell can be prevented from changing or
tampering with vital services running on the system such as the web server or
the SQL server: even though the attacker is root, the process is confined to
roughly the rights of a guest user. Note that this holds only if the policy
actually confines root; SELinux's default targeted policy, for instance, leaves
an interactive root login unconfined.
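As an added example (not from the original article and not a profile shipped by SUSE), here is what the confinement described above looks like as an AppArmor profile for Apache. The binary, configuration, content and log paths are assumed to be those of Apache 2 on SLES 10; adjust them for your system. Anything not listed in the profile is denied, so a shell spawned from a compromised CGI script inherits the same restrictions and cannot read /etc/shadow or rewrite the document root:

```apparmor
# Assumed location: /etc/apparmor.d/usr.sbin.httpd2-prefork
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Only the capabilities Apache needs: bind port 80, then drop to wwwrun.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  # Configuration, modules and content are read-only.
  /etc/apache2/** r,
  /usr/lib/apache2-prefork/** mr,
  /srv/www/htdocs/** r,

  # CGI scripts run confined by this same profile (ix = inherit), so a
  # compromised script gets no more than the web server itself has.
  /srv/www/cgi-bin/* ixr,

  # The only writable paths are the logs and the PID/run directory.
  /var/log/apache2/* w,
  /var/run/httpd2.pid rw,
  /var/run/apache2/** rw,
}
```

Load it with `apparmor_parser -r` on the profile file (or via YaST on SUSE) and run it in complain mode first; the audit log then shows every access the profile would have denied, which is how the path list above is tuned before enforcing it.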

"Our organization deals with IT and ITES (BPOs and call centers). Most of our customers implement their global development centers from our premises. In addition to iGATE specific security implementation, these customers want to implement their own security solutions for projects and processes. Due to this, handling and deploying security processes (which include access rights permissions) to folders and applications has become cumbersome. iGATE operates on heterogeneous systems due to its client requirements. Managing user accounts and associated passwords on a heterogeneous system is a cumbersome and difficult process. Due to the above challenges, iGATE is evaluating various IDM solutions."
Shiva M, Vice President, Global IT Infra Support and Purchases, iGATE

Identity management
Web SSO: SSO, or Single Sign-On, is a well-known concept. For years software
giants such as Microsoft have been preaching SSO, and every server-level OS
today can set up interlinked authentication servers that provide SSO within a
given network.
When it comes to the Internet, the picture changes. Being an unorganized entity,
the Internet traditionally has no SSO option built into its core, and none was
needed. But with the growth of Web Services, SaaS (Software as a Service) and
SOA, SSO over the Web has become a necessity as well.

This area is still quite new and there is no full-fledged solution yet, but
technologies such as SAML and WS-Security are working towards this end. Let's
see what they are and what they do.

Deploying RSA Authentication Manager and Agent
RSA Authentication Manager is the management component of the RSA SecurID
solution. It verifies authentication requests and enforces policies for
enterprise networks, and provides features such as database replication and
load balancing, automated LDAP import and LDAP synchronization. RSA
Authentication Manager 6.0 can authenticate Windows users in scenarios such as
local authentication, domain logon, Terminal Services and offline
authentication.

It works with the RSA Authentication Agent, which provides the authentication
interface on end-user machines. The Manager keeps logs of all transactions and
user activity and has reporting tools for producing reports on user activity,
incidents and so on.

The RSA Authentication Agent has to be installed on each node. It can be
installed manually or pushed out as a Windows Installer package. Once
installed, it replaces the Windows Ctrl+Alt+Del logon with RSA's own logon
mechanism. The agent intercepts logon requests from local or remote users and
sends the user ID and passcode (PIN plus token code) to RSA Authentication
Manager, which verifies them and tells the agent whether to grant or deny
access. On success the agent can hand the user's stored Windows password to the
Windows logon process, so the user is not prompted for it separately.

Authentication Manager
Installing RSA Authentication Manager is easy; configuring and implementing it
for the first time is harder. It can be fully integrated with Windows Active
Directory to provide domain-level access management and offline
authentication. For offline authentication, the agent downloads a set of
offline authentication data from the Manager while the machine is connected.
When a user later logs on to a node that is not connected to the network, the
RSA Authentication Agent compares the user-supplied passcode with that stored
data and grants or denies access. The whole process is transparent to the
user. The next time the user logs on to the network, the Manager refreshes the
desktop software's data so that it is ready for offline authentication in
future. This is very useful for a user who wants to log on to his notebook away
from the enterprise network.

Security Assertion Markup Language: SAML was developed by the Security Services
Technical Committee of OASIS. It is an XML-based framework for exchanging user
authentication, entitlement and attribute information. SAML lets a business
make assertions about the identity, attributes and entitlements of a principal
(a user) to other entities on the network. The problem SAML sets out to solve
is Web SSO. It assumes that the principal has enrolled with at least one
identity provider, which performs the local authentication of the principal;
the service provider then relies on the identity provider's signed assertion
instead of authenticating the user again.

WS-Security (Web Services Security): This specification describes how SAML
assertions, Kerberos tickets and X.509 certificates are carried in SOAP
messages to secure Web Services, and how integrity and confidentiality can be
enforced on Web Services messaging (through XML Signature and XML Encryption).
Microsoft, IBM and VeriSign initially worked out the standard, which is now
maintained by OASIS.

Two-factor sign-in: This mechanism gives a user an additional layer of
protection by combining a hardware token or card with a standard PIN or
password: something the user has plus something the user knows.

In such a scheme the user first authenticates by swiping an RF or magnetic card
or by entering the one-time number generated by a hardware device (a token). In
the second stage the user supplies the standard PIN or password to complete
authentication. Because the token code changes with every use or every minute,
a captured code is useless on its own, and a stolen token is useless without
the PIN.
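What the token and the authentication server actually compute is worth seeing. The block below is an added example (not from the article and not RSA's proprietary SecurID algorithm): it implements the open HOTP standard from RFC 4226, which event-based tokens use, together with the server-side verification of PIN plus token code. The seed is the RFC 4226 test secret so the codes can be checked against the published vectors; the user, PIN and salt are constructed for the example. The server keeps a counter per user and moves it past any accepted code, which is what stops a sniffed code from being replayed.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials, not real ones. The token seed is the RFC 4226
# Appendix D test secret, so the codes produced here match the published vectors.
TOKEN_SEED = b"12345678901234567890"
PIN_SALT = b"demo-salt"          # a per-user random salt in a real system


def hash_pin(pin, salt=PIN_SALT):
    """Store PINs only as a slow, salted hash (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


PIN_HASH = hash_pin("4711")      # hypothetical user PIN


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class UserRecord:
    """What the authentication server keeps per user: the token seed, the
    next counter value it expects from the token, and the PIN hash."""
    def __init__(self, seed, pin_hash, counter=0):
        self.seed = seed
        self.pin_hash = pin_hash
        self.counter = counter


def verify_pin(user, pin):
    return hmac.compare_digest(hash_pin(pin), user.pin_hash)


def verify_token(user, code, look_ahead=5):
    """Accept the code if it matches one of the next `look_ahead` counter
    values (the token button may have been pressed without a login), then
    move the counter past it so the same code can never be replayed."""
    for c in range(user.counter, user.counter + look_ahead):
        if hmac.compare_digest(hotp(user.seed, c), code):
            user.counter = c + 1
            return True
    return False


def two_factor_login(user, pin, code):
    """Something you know (PIN) plus something you have (token code)."""
    if not verify_pin(user, pin):
        return False        # wrong PIN: do not consume a token code
    return verify_token(user, code)
```

Time-based tokens (TOTP, RFC 6238) differ only in that the counter is the current time divided by the step length, so the same `hotp` function serves both; the look-ahead window then becomes a small tolerance for clock drift instead of for unused button presses.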

Automated provisioning: A system for creating and managing accounts and
service instances for users within a shared IT infrastructure. The
administrator defines a set of computing resources and the policies under
which they may be allocated to services and then to users.
Users (or the HR process that hires them) request a service of a particular
type, and the accounts and access rights for that service are provisioned
automatically to meet the request, and removed again when the entitlement ends.

Useful Links
RSA: www.rsasecurity.com/node.asp?id=1191

Microsoft: http://tinyurl.com/z98dr

Sun: http://www.sun.com/software/products/identity/index.jsp

BMC Software: http://www.bmc.com/corporate/nr2005/032305_1.html

CA: http://www3.ca.com/Press/PressRelease.aspx?CID=82552

Role based access control: Roles are defined for the different job-related
functions, and permissions are allotted to the roles. Instead of assigning
policies directly to a user or group, users are assigned roles, and through
those role assignments they acquire the permissions they need to perform a
particular task on the network.

Because users and groups are not assigned policies directly but acquire them
through roles, managing individual user and group rights becomes very easy:
all you have to do is allocate the proper role to a given user. That simplifies
editing a user, changing a user's policies or adding new users. Roles can be
implemented on top of any LDAP server; Microsoft is one vendor in this space.
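An added example, not code from the article or from any vendor's product, of the RBAC model just described: users hold roles, roles hold permissions, and senior roles inherit from junior ones (a developer is also an employee), so a user's effective permissions are the union over the whole role hierarchy. The roles, users and protected objects are constructed for the example. The point it shows is the one the text makes: moving a user between jobs is a role assignment, not an edit of individual permissions.

```python
from collections import deque


class Rbac:
    """Users are assigned roles; roles carry permissions and may inherit
    from junior roles, so a senior role gets everything its juniors have."""

    def __init__(self):
        self.role_perms = {}     # role -> {(operation, object), ...}
        self.role_parents = {}   # role -> {junior roles it inherits from}
        self.user_roles = {}     # user -> {roles}

    def add_role(self, role, perms=(), inherits=()):
        for junior in inherits:
            if junior not in self.role_perms:
                raise KeyError("unknown junior role %r" % junior)
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def assign(self, user, *roles):
        for role in roles:
            if role not in self.role_perms:
                raise KeyError("unknown role %r" % role)
        self.user_roles.setdefault(user, set()).update(roles)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        """Breadth-first walk of the inheritance graph from the user's roles."""
        seen, todo = set(), deque(self.user_roles.get(user, ()))
        while todo:
            role = todo.popleft()
            if role not in seen:
                seen.add(role)
                todo.extend(self.role_parents[role])
        return seen

    def permissions(self, user):
        return set().union(*(self.role_perms[r] for r in self.effective_roles(user)))

    def check(self, user, operation, obj):
        """The access decision: is (operation, object) granted by any held role?"""
        return (operation, obj) in self.permissions(user)


def demo_policy():
    """Constructed sample policy (hypothetical roles, users and objects)."""
    p = Rbac()
    p.add_role("employee", {("read", "intranet"), ("use", "email")})
    p.add_role("developer", {("write", "src-repo"), ("read", "build-logs")},
               inherits=["employee"])
    p.add_role("dba", {("admin", "sql-server")}, inherits=["employee"])
    p.add_role("web-admin", {("restart", "web-server"), ("write", "htdocs")},
               inherits=["employee"])
    p.assign("alice", "developer")
    p.assign("bob", "dba")
    return p
```

In a directory deployment the `user_roles` map is the user's group memberships in LDAP and `role_perms` is what each group is granted on the target systems; the resolution logic is the same.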

Self-destructing USB drives
Microsoft recently patented a new technology, and we may soon see it all around
us. The idea is called "Volatile Portable Memory"; in everyday terms, a
self-destructing pen drive.

The idea comes from the fact that Microsoft has applications that write
sensitive information about the configuration of networks and network devices
to USB pen drives. If such a device is lost or stolen, it creates a high risk
of network compromise.
To address this, Microsoft came up with the concept of VPM, or Volatile
Portable Memory. The working mechanism is very simple: when you copy data onto
the drive, the drive is also charged for a fixed period, one hour in the
description.

After that time it discharges and shuts down, erasing all the data inside it.
This is also called a timed erasure mechanism.
