Info Security & ID Mgmt

PCQuest, Wednesday, December 06, 2006

Organizations today are storing terabytes, even petabytes of information on their servers: customer details, financial information and other sensitive data. All of it is crucial to the enterprise, and the biggest challenge for any organization is to maintain proper access rights to this information, so that only eligible persons can reach a given set of it. Luckily, there are quite a few mechanisms that raise the level of information security substantially, and they have evolved over the last couple of decades. Let's take a look at the latest happenings in this field.

Network Access Control
Stopping unauthorized or malicious traffic at the network level, before it ever reaches a host, sounds like a dream for security specialists, and that is what NAC sets out to provide. As the name suggests, it controls which end points are admitted to the network and what they may reach once admitted. NAC products do this in several ways. The basic one is to go back to each end point and verify its identity and health (patch level, antivirus status, configuration) before letting its traffic pass. Some also run vulnerability assessment and IDS tools against the end point and its traffic. And some go a level beyond all this and execute suspicious payloads inside a virtual machine, to observe their behavior before deciding.

After the end point and the user behind it have been identified and scanned, the device checks them against policy and grants access accordingly. For example, a user coming in over a VPN might be allowed to reach only a certain part of the network, whereas the same user logging on from the internal LAN gets full access. Any unknown user, or a device that fails its health check, can be automatically moved to a quarantine zone (for remediation) or to a honeypot for further analysis. The policy should fail closed: an end point that matches no rule is quarantined, not admitted.
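The admission decision described above, as an added example in Python; this is not code from the article or from any NAC vendor. An end point is admitted to a set of network segments only after it authenticates, passes a posture (health) check and matches a policy rule keyed on the user's group and where they connect from; anything else lands in quarantine. All names, thresholds and policy rows are constructed for illustration.

```python
"""NAC admission decision (added example; not from the article or any vendor).
An endpoint gets a set of network segments only after it authenticates,
passes a posture check and matches a policy rule; everything else is
quarantined. Names, thresholds and policy rows are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    user: Optional[str]    # identity proven by 802.1X/RADIUS, None if unauthenticated
    source: str            # "lan" or "vpn"
    known_device: bool     # MAC address or certificate registered in inventory
    av_running: bool       # antivirus agent reporting in
    days_since_patch: int  # age of the last patch cycle


# Assumed directory lookup and policy table: (user group, connection source) -> segments.
GROUPS = {"alice": "staff", "bob": "contractor"}
POLICY = {
    ("staff", "lan"): {"corp", "file-servers", "intranet"},
    ("staff", "vpn"): {"intranet"},          # same user, narrower access over VPN
    ("contractor", "lan"): {"intranet"},
}
QUARANTINE = {"quarantine"}                  # remediation VLAN / honeypot segment
MAX_PATCH_AGE_DAYS = 30


def posture_ok(ep: Endpoint) -> bool:
    """Health check run before the endpoint gets any production access."""
    return ep.known_device and ep.av_running and ep.days_since_patch <= MAX_PATCH_AGE_DAYS


def decide(ep: Endpoint) -> set:
    """Return the segments this endpoint may reach. Fails closed."""
    if ep.user is None or ep.user not in GROUPS:
        return QUARANTINE                    # unknown user: isolate for analysis
    if not posture_ok(ep):
        return QUARANTINE                    # known but unhealthy: remediate first
    return POLICY.get((GROUPS[ep.user], ep.source), QUARANTINE)  # no rule: quarantine


if __name__ == "__main__":
    for ep in (Endpoint("alice", "lan", True, True, 3),
               Endpoint("alice", "vpn", True, True, 3),
               Endpoint("alice", "lan", True, False, 3),
               Endpoint(None, "lan", False, False, 999)):
        print(ep.user, ep.source, "->", sorted(decide(ep)))
```

The point to notice is the last line of `decide`: a user and source that no rule covers gets quarantine, not the most permissive match, so adding a new group to the directory without adding a policy row cannot silently open the network.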

App Firewalls
Firewalls are known to all. But a new type of firewall has been creating a lot of interest this year: the Application Firewall. The term is used here for host-based application confinement, the mandatory access control (MAC) that SELinux pioneered on Linux; it is not the same thing as a web application firewall that filters HTTP. The hype for App Firewalls started after the release and success of SELinux, which is a good example of the class. If you understand what SELinux is and what it does, then you know what an App Firewall is.

If you don't, think of it as a much stricter form of the Windows Group Policy editor: a policy, written by the administrator and enforced by the kernel, that says what each program may do. After the acceptance of SELinux in the industry, other players have entered the market. For example, Novell's SUSE shipped AppArmor, which comes with YaST graphical tools for building profiles, in its latest releases of Enterprise Linux (SLED 10 and SLES 10).

An Application Firewall is essentially software that hooks into the OS kernel and confines each application to the files, network sockets and privileges its policy allows, independently of the ordinary user and group permissions. It does not isolate the memory of one process from another (the kernel already does that); what it isolates is each application's reach into the rest of the system. So, if one application gets attacked and compromised, the attacker inherits only that application's permissions, and the other applications continue to work without any problem.

For example, suppose the web server on a Linux box is compromised through a flaw in a CGI script, or someone breaks the root password by brute force or a dictionary attack and reaches the # prompt through that confined service. With an Application Firewall in force, the compromised process can be prevented from touching vital services on the same system, such as the SQL server's data files, no matter what user ID it runs under: root inside a confined program has, in effect, the privileges of a guest user. The caveat is that only confined programs are restricted. An interactive root shell reached through an unconfined path (the console, or an SSH daemon without a profile) is still all-powerful, so the login services have to be confined too for the protection to hold.
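What such a policy looks like in practice, as an added example in AppArmor's profile language (this is not a profile from the article, from SUSE or from any distribution; the binary and directory paths are assumptions). The profile grants the web server only what it needs and explicitly denies the database files and the password store, and those denials apply even if the server process is running as root.

```apparmor
# Added example: AppArmor profile confining a web server. Not from the
# article or from SUSE; the binary and directory paths are assumptions.
#include <tunables/global>

/usr/sbin/httpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The only privileges the daemon keeps, even when running as root.
  capability net_bind_service,
  capability setuid,
  capability setgid,
  network inet stream,

  # What it may read, map and write.
  /usr/sbin/httpd          mr,
  /etc/httpd/**            r,
  /var/www/**              r,
  /var/log/httpd/*         w,
  /var/run/httpd.pid       rw,

  # Explicit denials: these hold regardless of the process's UID,
  # so a compromised server cannot reach the database or the password store.
  deny /var/lib/mysql/**   rwx,
  deny /etc/shadow         r,
  deny /root/**            rwx,
  deny /home/**            rwx,
}
```

Load it with apparmor_parser -r on the profile file, run it in complain mode first (aa-complain) and watch the kernel log for DENIED lines to catch anything legitimate the profile forgot, then switch to enforce mode (aa-enforce) and confirm with aa-status that the running httpd is listed as confined. Whatever is not listed in the profile is denied by default; the explicit deny rules are there so that no later, broader allow rule can accidentally reopen those paths.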

"Our organization deals with IT and ITES (BPOs and call centers). Most of our customers implement their global development centers from our premises. In addition to iGATE specific security implementation, these customers want to implement their own security solutions for projects and processes. Due to this, handling and deploying security processes (which include access rights permission) to folders and applications, has become cumbersome. iGATE operates on heterogeneous systems due to its client requirements. Managing user accounts and associated passwords on a heterogeneous system is a cumbersome and difficult process. Due to the above challenges, iGATE is evaluating various IDM solutions."
Shiva M, Vice President, Global IT Infra Support and Purchases, iGATE

Identity management
Web SSO: SSO or Single Sign On is a very well known concept. For years, software giants such as Microsoft have been preaching SSO, and every server-level OS today has an option for setting up interlinked authentication servers (a Windows domain or a Kerberos realm, for instance) that provide SSO inside a given network.
But when it comes to the Internet, the scenario changes. The Internet has no central authority, and traditionally it had no SSO option built into its core. Nor was one needed. But with the growth of Web Services, SaaS (Software as a Service) and SOA, it has become necessary to have SSO across the Web as well, so that a user authenticated by one organization can be accepted by an application run by another.

This area is still maturing and there is no single, universally deployed solution as of now. But there are standards such as SAML, WS-Security, etc that are working towards this end. Let's see what these technologies are and what they do.

Deploying RSA Authentication Manager and Agent
The RSA Authentication Manager software is the management component of the RSA SecurID solution. It verifies authentication requests and enforces policies for enterprise networks. It also provides features such as database replication and load balancing, automated LDAP import and LDAP synchronization, etc. RSA Authentication Manager 6.0 can authenticate Windows users in scenarios such as local authentication, domain logon, Terminal Services, offline authentication, etc.

It works with the RSA Authentication Agent, which provides the authentication interface on end user machines. The Manager maintains logs of all transactions and user activity and has reporting tools for creating reports about user activity, incidents, etc.

RSA Authentication Agent
The Agent has to be installed on the remote node, either manually or pushed out through the Windows Installer. Once installed, it replaces the standard Windows Ctrl+Alt+Del logon with RSA's own. The agent intercepts access requests from local or remote users and sends the user ID and passcode (PIN plus the current token code) to the RSA Authentication Manager, which verifies them and tells the agent whether to grant or deny access. On success, the user's stored Windows password is decrypted and handed to the Windows logon process.

Authentication Manager
Installing RSA Authentication Manager is easy, but configuring and implementing it for the first time is a bit difficult. It can be fully integrated with Windows Active Directory to provide domain-level access management and offline authentication. In offline authentication, when a user logs on to a node that is not connected to the network, the RSA Authentication Agent compares the user-supplied passcode against a set of codes downloaded in advance and stored locally, and either grants or denies access. The whole process is transparent to the user. The next time the user connects to the network, the RSA Authentication Manager refreshes the desktop software's stored codes so that it is ready for offline authentication in future. This is very useful for a user who needs to log on to a notebook away from the enterprise network.

Security Assertion Markup Language: SAML has been developed by the Security Services Technical Committee of OASIS. It is essentially an XML-based framework for exchanging user authentication, entitlement and attribute information. SAML lets one party (the identity provider) make signed assertions about the identity, attributes and entitlements of a principal (user), which another party (the service provider) can verify and act upon. The problem SAML sets out to solve is Web SSO. SAML assumes that the principal has enrolled with at least one identity provider, which is responsible for authenticating the principal locally; the service provider then trusts the assertion instead of authenticating the user again, after checking that it is signed by a trusted issuer, has not expired, is addressed to that service provider and has not been presented before.
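The checks a service provider runs on a received assertion, as an added example in Python; this is not code from the article or from any SAML library. Signature verification (XML-DSig over the assertion with the identity provider's certificate) is assumed to have passed already and is not shown; what remains is issuer, validity window, audience and replay. The assertion, the trusted issuer list and the service provider's entity ID are constructed for illustration.

```python
"""Service-provider checks on a SAML 2.0 assertion (added example; not from
the article or any SAML library). Signature verification is assumed done.
The assertion and identifiers below are constructed sample data."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed, unsigned sample assertion as an IdP would issue it after login.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_8f3c1e" Version="2.0"
    IssueInstant="2006-12-06T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2006-12-06T10:00:00Z" NotOnOrAfter="2006-12-06T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.example.com"}   # assumed: the IdPs we federate with
MY_ENTITY_ID = "https://sp.example.com"         # assumed: this service provider
CLOCK_SKEW = timedelta(seconds=60)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(xml_text: str, now_iso: str, seen_ids: set) -> dict:
    """Return subject, issuer and attributes, or raise ValueError on any failed check."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _ts(nb) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if noa and now >= _ts(noa) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if MY_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    aid = root.get("ID")
    if not aid or aid in seen_ids:
        raise ValueError("missing or replayed assertion ID")
    seen_ids.add(aid)   # a real deployment persists IDs until NotOnOrAfter has passed
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "issuer": issuer, "attributes": attrs}


def try_validate(xml_text: str, now_iso: str, seen_ids: set) -> tuple:
    """Non-raising wrapper: (True, info) on success, (False, reason) otherwise."""
    try:
        return True, validate(xml_text, now_iso, seen_ids)
    except ValueError as err:
        return False, str(err)
```

Every one of these checks is a real attack class when skipped: an untrusted issuer lets anyone mint assertions, a missing audience check lets an assertion meant for one application be replayed at another, and a missing ID cache lets a captured assertion be replayed for as long as it is valid. The order matters too: the assertion is recorded as seen only after every other check has passed.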

WS (Web Services) Security: This is an OASIS standard that specifies how security tokens, among them SAML assertions, Kerberos tickets, X.509 certificates and username/password tokens, are attached to SOAP messages to secure Web Services. It also specifies how integrity and confidentiality are enforced on Web Services messaging, by applying XML Signature and XML Encryption to parts of the message. Microsoft, IBM and VeriSign initially worked out this standard before it was submitted to OASIS.
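The simplest of those tokens, the UsernameToken with a password digest, as an added example in Python showing both the client building it and the service checking it. This is not code from the article or text from the OASIS specification; it implements the digest the WSS UsernameToken Profile defines, Base64(SHA-1(nonce + created + password)) with the nonce as raw bytes and the created timestamp as the literal string, plus the freshness and replay checks without which such a token can simply be captured and resent. Usernames, passwords and timestamps are constructed sample data.

```python
"""WS-Security UsernameToken, PasswordDigest variant (added example; not from
the article or the OASIS spec text). Sample credentials are constructed."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIMEFMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)) as the profile specifies."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_token(username: str, password: str, created: str, nonce: Optional[bytes] = None) -> dict:
    """Client side: the fields of a wsse:UsernameToken, with a fresh random nonce per message."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}


def token_xml(tok: dict) -> str:
    """The header element as it travels in the SOAP envelope (values assumed XML-safe)."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{tok["Username"]}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{tok["PasswordDigest"]}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{B64}">{tok["Nonce"]}</wsse:Nonce>'
            f'<wsu:Created>{tok["Created"]}</wsu:Created>'
            f'</wsse:UsernameToken>')


class TokenVerifier:
    """Service side. Needs the cleartext password (or a reversible store) to recompute the digest."""

    def __init__(self, passwords: dict, window: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.window = window
        self.seen = set()           # (username, nonce, created) already accepted

    def verify(self, tok: dict, now_iso: str) -> tuple:
        now = datetime.strptime(now_iso, TIMEFMT).replace(tzinfo=timezone.utc)
        password = self.passwords.get(tok.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(tok["Created"], TIMEFMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False, "bad Created timestamp"
        if abs(now - created) > self.window:
            return False, "stale token"     # bounds how long a captured token stays usable
        key = (tok["Username"], tok["Nonce"], tok["Created"])
        if key in self.seen:
            return False, "replayed nonce"  # same nonce inside the window: a replay
        expected = password_digest(base64.b64decode(tok["Nonce"]), tok["Created"], password)
        if not hmac.compare_digest(expected, tok["PasswordDigest"]):
            return False, "bad digest"
        self.seen.add(key)                  # remember only after every check has passed
        return True, "ok"
```

Two caveats a practitioner will want. The digest keeps the password itself off the wire, but the service must hold it in cleartext or a reversible form to recompute the digest, which is worse for the password store than a normal salted hash; and the nonce cache only has to cover the freshness window, so bounding that window is what keeps the cache small. None of this replaces transport security: the body of the message is still readable in transit unless XML Encryption or TLS is used.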

Two Factor Sign In: This is a mechanism by which a user gets an additional layer of protection: something the user has (a hardware token or card) combined with something the user knows (a standard PIN or password).

In such a scenario, in the first stage the user authenticates by swiping an RF or magnetic card, or by typing the number currently displayed by a hardware device (called a token). That number changes every 30 to 60 seconds and is derived from a secret shared between the token and the authentication server. In the second stage, the user provides a standard PIN or password to complete the authentication. With SecurID-style tokens the two are typed together as a single passcode (PIN followed by token code). Because each token code is valid for only a short window, a code captured by a keylogger or sniffed off the network is of little use to an attacker once that window has passed.
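How the token code and the two-factor check described above fit together, as an added example in Python. This is not the article's code, and it is not RSA's proprietary SecurID algorithm; it uses the open HOTP/TOTP scheme of RFC 4226 and RFC 6238, which most current hardware and software tokens implement, so the server-side logic (shared seed, time window, drift tolerance, no reuse of an accepted code) is the same. The seed, PIN and enrollment record are constructed sample data, and the PIN is stored as a plain salted SHA-256 for brevity where a real deployment would use a slow KDF.

```python
"""Token codes (RFC 4226/6238) and PIN+token passcode verification.
Added example; not the article's code and not RSA's SecurID algorithm.
Seed, PIN and enrollment record are constructed sample data."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock, one step per 30 s."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class Enrollment:
    secret: bytes           # seed shared between token and server at enrollment
    salt: bytes
    pin_hash: bytes         # salted SHA-256 here only for brevity; use a slow KDF in practice
    last_counter: int = -1  # highest time step already accepted, to stop code reuse


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode("utf-8")).digest()


def enroll(secret: bytes, pin: str, salt: bytes) -> Enrollment:
    return Enrollment(secret=secret, salt=salt, pin_hash=hash_pin(pin, salt))


def verify_passcode(enr: Enrollment, passcode: str, unix_time: int, pin_len: int = 4,
                    step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """SecurID-style passcode = PIN followed by token code. Both factors are
    always evaluated, so a failure does not reveal which one was wrong."""
    if len(passcode) != pin_len + digits or not passcode.isdigit():
        return False
    pin, code = passcode[:pin_len], passcode[pin_len:]
    pin_ok = hmac.compare_digest(hash_pin(pin, enr.salt), enr.pin_hash)
    counter = unix_time // step
    matched = None
    for c in range(counter - drift, counter + drift + 1):   # tolerate small clock drift
        if c > enr.last_counter and hmac.compare_digest(hotp(enr.secret, c, digits), code):
            matched = c
    if pin_ok and matched is not None:
        enr.last_counter = matched   # a code, once accepted, can never be replayed
        return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # the RFC test seed, constructed for the demo
    user = enroll(seed, "1234", b"salt")
    print("token shows", totp(seed, 59))
    print("accepted:", verify_passcode(user, "1234" + totp(seed, 59), 59))
    print("replay accepted:", verify_passcode(user, "1234" + totp(seed, 59), 59))
```

Two things the paragraph does not spell out are visible here. The server tolerates one step of clock drift either way, which is what keeps a token usable as its clock ages, but it refuses any counter at or below the last accepted one, so the drift window cannot be used to replay a code seen a few seconds earlier. And the PIN is checked with a constant-time comparison alongside the token code rather than short-circuiting on the first failure.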

Automated provisioning: In identity management this means creating, changing and removing user accounts and their entitlements on all the connected systems automatically, driven by an authoritative source such as the HR database and by policy, instead of an administrator doing it by hand on each system. The administrator maintains a set of resources (directory accounts, mailboxes, application logins, group memberships) that can be allocated to users based on policies.
Users can then request access to a particular type of resource and, once approved, an instance of that resource is provisioned for them. Just as important, everything is de-provisioned when the user leaves, which closes the orphaned-account problem that manual administration on heterogeneous systems leaves behind.

Role based access control: There are roles for the different job-related functions, and permissions are allotted to the roles. Instead of assigning policies directly to a user or group, users are assigned roles, and through those role assignments they acquire the permissions needed to perform a particular task on the network.

As users/groups are not assigned policies directly but acquire them through roles, management of individual user/group rights becomes very easy. All you have to do is allocate the proper role to a given user, which simplifies editing a user, changing user policies or adding new users; it also makes it easy to revoke everything at once when a user leaves, and to audit who can do what by reviewing a handful of roles instead of thousands of individual permissions. Roles are typically stored as groups in an LDAP directory (Active Directory included) and enforced by the IDM suite; Microsoft is one vendor in this space.

Useful Links
RSA: www.rsasecurity.com/node.asp?id=1191
Microsoft: http://tinyurl.com/z98dr
Sun: http://www.sun.com/software/products/identity/index.jsp
BMC Software: http://www.bmc.com/corporate/nr2005/032305_1.html
CA: http://www3.ca.com/Press/PressRelease.aspx?CID=82552
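Role resolution as an IDM suite or an application performs it, as an added example in Python; this is not code from the article or from any directory product. It goes a little beyond the text in two ways that come up as soon as RBAC is deployed for real: roles inherit from parent roles (so a developer is automatically also an employee), and a separation-of-duty rule keeps conflicting roles off the same user. Roles, permissions and users are constructed sample data.

```python
"""RBAC resolution with a role hierarchy and separation of duty.
Added example; not from the article or any directory product.
Roles, permissions and users below are constructed."""

# Permissions are granted to roles only, never directly to users.
ROLE_PERMS = {
    "employee":  {"intranet:read", "mail:use"},
    "developer": {"repo:read", "repo:write"},
    "dba":       {"db:read", "db:write", "db:admin"},
    "auditor":   {"db:read", "log:read"},
    "manager":   {"hr:approve"},
}
# Role hierarchy: a role inherits everything its parents grant.
ROLE_PARENTS = {"developer": {"employee"}, "dba": {"employee"},
                "auditor": {"employee"}, "manager": {"employee"}}
# Static separation of duty: no user may hold both roles of a pair.
EXCLUSIVE = [{"dba", "auditor"}]

USER_ROLES = {"alice": {"developer"}, "bob": {"dba", "manager"}}


def effective_roles(role: str) -> set:
    """The role plus all of its ancestors, walking the hierarchy."""
    out, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in out:
            out.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return out


def permissions(user: str) -> set:
    """Union of the permissions of every role the user holds, directly or by inheritance."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        for r in effective_roles(role):
            perms |= ROLE_PERMS.get(r, set())
    return perms


def authorized(user: str, perm: str) -> bool:
    return perm in permissions(user)


def can_assign(user: str, role: str) -> bool:
    """Separation-of-duty check run before a role is granted."""
    held = USER_ROLES.get(user, set()) | {role}
    return not any(pair <= held for pair in EXCLUSIVE)


def assign_role(user: str, role: str) -> None:
    if role not in ROLE_PERMS:
        raise KeyError(f"unknown role {role!r}")
    if not can_assign(user, role):
        raise ValueError(f"{role!r} conflicts with a role already held by {user!r}")
    USER_ROLES.setdefault(user, set()).add(role)


def revoke_role(user: str, role: str) -> None:
    """One change removes every permission the role carried, on every system that consults this."""
    USER_ROLES.get(user, set()).discard(role)
```

Note what a user-level change costs: adding or removing a role is one set operation, and the permissions follow from it, which is exactly the management win the paragraph describes. The separation-of-duty check is the part that a plain directory group model tends to lack, and it is cheapest to enforce at assignment time rather than at every access check.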

Self-destructive USB drives
Very recently Microsoft patented a new technology, and we may soon see it all around us. The innovative idea is called "Volatile Portable Memory"; in everyday terms, a self-destructing pen drive.

The idea springs from the fact that MS has applications that create and write sensitive information about the configuration of networks and network devices to USB pen drives. If such a device is lost or stolen, the risk of a network compromise is high.
To solve this, MS came up with the concept of VPM, or Volatile Portable Memory. The working mechanism of such a device is very simple: when you copy data onto the drive it also gets charged for one hour.

After that period it automatically discharges and shuts down, erasing all the data inside. This is also called a timed erasure mechanism. Note that the data stays readable until the hour is up, so the scheme only limits the exposure window; it is not a substitute for encrypting the contents.
