Gradient Technologies, Inc.
Inter-Cell Interworking: Access Control Across the Boundary
Open Group Members Meeting, San Diego, CA USA
April 1998
Brian Breton
Multiple User Populations
(diagram labels) Internet: Prospective Customers, Rest of the World
(diagram labels) Extranet: Remote Employees, Customers, Business Partners
(diagram labels) Intranet: Employees
Enterprise Security Perspective
• Authentication
• Data Integrity
• Authorization
• Data Privacy
• Availability
• Scalability
• Secure database access
• Leverage existing investments
The New Corporate Network
(diagram labels) Standard Browser (Netscape and Microsoft); Web and App Servers (UNIX and NT); Internet; Intranet; Extranet; Business Partners; Remote Employees; Private Network; Data Sources: Mainframes, UNIX and NT, Database (Informix)
Ingredients to Trust
• Pre-existing trust relationships have to be established between enterprises
• Responsibility for user identification MUST be at the local system, not the target
  – potential for multiple authentication mechanisms
• Target system should control access decisions
• Credentials serve as the basis for the target institution to make authorization decisions
• Secure communications channel
Trust via Technology
• DCE Inter-Cell
• Public Key
  – Common public key certificate authority
  – Between multiple certificate authorities
• Basic authentication at target site
DCE Inter-Cell Trust
Company A lets Company B in
• Pros
  – B administers its own users
  – Transparent to end-users
• Cons
  – A must trust B to administer its users properly
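The two slides above ("Ingredients to Trust" and "DCE Inter-Cell Trust") describe one model: the user's home cell (Company B) is responsible for identification, a credential issued under a pre-established inter-cell trust relationship crosses the boundary, and the target cell (Company A) keeps the authorization decision. The following Python is an added illustration of that division of responsibility, not code from the deck or from DCE; DCE's real inter-cell mechanism is Kerberos-style cross-realm ticketing, whereas this model stands in a MAC-protected credential over a shared inter-cell key. The cell names, the key bytes, the ACL entries and the function names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Keys established out of band between the cells: the "pre-existing trust
# relationship". Company A keeps one key per foreign cell it has agreed to trust.
# Values are constructed for this example.
INTER_CELL_KEYS = {
    "cell-b.example": b"constructed-shared-key-between-A-and-B",
}

# Company A's own access-control list: authorization stays with the target cell,
# keyed by (issuing cell, principal). Constructed sample data.
ACL = {
    ("cell-b.example", "alice"): {"read"},
    ("cell-b.example", "bob"): {"read", "write"},
}


def issue_credential(cell, principal, key, ttl=300, now=None):
    """Home cell side: after authenticating the user by whatever local
    mechanism it chooses, the home cell issues a credential naming itself,
    the principal and an expiry, protected by the inter-cell key."""
    now = time.time() if now is None else now
    claims = {"cell": cell, "principal": principal, "exp": int(now + ttl)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_credential(token, trusted_keys, now=None):
    """Target cell side: accept the credential only if it comes from a cell
    we have a trust relationship with, its MAC checks out under that cell's
    key, and it has not expired. Returns the claims or None."""
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    key = trusted_keys.get(claims.get("cell"))
    if key is None:
        return None  # no trust relationship with the issuing cell
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None  # forged or tampered credential
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired
    return claims


def authorize(token, action, trusted_keys=INTER_CELL_KEYS, acl=ACL, now=None):
    """Target cell decision: 'rejected' if the credential is not acceptable,
    'denied' if the principal is identified but lacks the permission,
    'allowed' otherwise. B identifies the user; A decides what B's user may do."""
    claims = verify_credential(token, trusted_keys, now)
    if claims is None:
        return "rejected"
    perms = acl.get((claims["cell"], claims["principal"]), set())
    return "allowed" if action in perms else "denied"


if __name__ == "__main__":
    key_b = INTER_CELL_KEYS["cell-b.example"]
    tok = issue_credential("cell-b.example", "alice", key_b)
    print("alice read :", authorize(tok, "read"))    # allowed
    print("alice write:", authorize(tok, "write"))   # denied: A's ACL, not B's word, decides
    forged = issue_credential("cell-b.example", "bob", b"not-the-inter-cell-key")
    print("forged     :", authorize(forged, "read"))  # rejected
    stranger = issue_credential("cell-c.example", "carol", b"irrelevant")
    print("unknown cell:", authorize(stranger, "read"))  # rejected: no trust relationship
```

The "Cons" bullet shows up directly in the code: A never sees how B authenticated "alice", so if B's administration is sloppy, A's only defences are the ACL it controls and the credential lifetime it enforces.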
The Role of Firewalls
(diagram labels) Private Network(s)
Problems with Firewalls
• Most attacks are internal, therefore less susceptible to prevention by firewalls
• Firewalls
  – Cannot provide full protection against external attack
  – Are not a security infrastructure, but a method of access prevention
  – Do not inherently provide an out-of-the-box form of fine-grained access control to internal resources
Firewalls + Security Infrastructure
(diagram labels) External Networks
The Role of SSL
(diagram labels) Web Server
• Authentication via Public Keys and Basic Auth.
• Data Privacy
NetCrusader Product Family
NetCrusader Security Server
(diagram labels)
• Common Authorization Model
• Multiple Authentication Methods: Username/Password, Public-Key Certificate, Two-Factor Authentication
• Multiple User Populations: Customers, Partners, Employees
• Interoperating Across Security Domains
• Multiple Encryption Methods: DES, RC4, RSA, CAST, others
• Multiple Application Types: Object, Client/Server, Web-based
• Distributed Security Management: NetCrusader Commander
• Heritage
NetCrusader Web-based Architecture
(diagram labels)
• Clients: Web browser + NetCrusader Client; Web browser only; Token Card / Smart Card (optional)
• Microsoft/Netscape/Oracle Web Server (NT, Solaris, AIX, HP-UX)
• NetCrusader Commander
• ISAPI/NSAPI Applications
• Protocol Filter: Entrust/HTTP; DCE/HTTP; SSL
• NetCrusader Security Adapter
• Username/Password or Public-Key Certificate
• NetCrusader Credentials
• Access Permissions
• Delegation to backend resources
NetCrusader Example
External Access to Financial System Using Web C/S Architecture
Seamless Desktop-to-database Security
(diagram labels) Trading Partners; Customers; Browser; SSL; Internet or Private Network; Web Server / Trading Application; NetCrusader; Customer Database (Oracle Database)
SSL Basic Authentication
• Pros:
  – No additional client software
• Cons:
  – Separate logins to multiple web servers
  – Encrypted passwords transmitted
  – Separate UserID/Password management across web servers
• Good Selection for:
  – Thin client requirement scenarios with no ability to install public key certificates
SSL with Public Key Certificates
• Pros:
  – No additional client executables
  – Strong authentication
  – Variable strength data privacy
  – Enables SSO across multiple web servers
• Cons:
  – Must deploy & manage certificates to client
  – Public Key Mgt. tools immature
• Good Selection for:
  – Organizations committed to public key technology
  – Thin client requirement scenarios
Entrust Public Key Infrastructure
• Pros:
  – Strong Public key based Authentication
  – Variable strength data privacy based upon strength of Entrust CAST software installed
    • CAST much faster than SSL
    • Enables SSO across multiple web servers
  – Strong Public Key Management support
• Cons:
  – Must deploy & manage certificates to client
  – Must deploy & manage Entrust and NetC Client s/w
• Good Selection for:
  – Large organizations with control over users' desktops
DCE/HTTP
• Pros:
  – Single Sign On across multiple web servers and back end applications
  – No Firewall Disruption:
    • Data tunneled thru HTTP port
  – 56 Bit DES data privacy
    • DES much faster than public key
• Cons:
  – Requires Desktop NetCrusader software
• Good Selection for:
  – Organizations using PC-DCE and/or Kerberos
NetCrusader Summary
• Delivers a comprehensive Enterprise Security Infrastructure
  – Integrates best of breed security and RAD technologies
  – Support for multiple authentication mechanisms
  – Single, centralized authorization model
  – Fine-grained access control
  – Ease of security administration
  – Supports common platforms and applications
NetCrusader Product Family
Security Solutions for the Enterprise
Gradient Technologies, Inc.
2 Mount Royal Avenue
Marlborough, MA USA 01752
+1.508.624.9600
www.gradient.com