RSA SecurID Product capabilities
Ivona Rustem, Security Consultant
Agenda
The importance of two factor authentication
Overview of RSA SecurID Authentication
Solution architecture
RSA Radius Server
Software installation vs. appliance
Authenticators
Agents
Administrative structure
Credential manager
Policies
Disaster recovery and failover
The importance of two factor authentication
Weak passwords are a major cause of security breaches.
Passwords = poor security:
- Difficult to remember
- Often shared and written down
- Easily cracked with freely available tools
The world needs an authentication and access solution that is:
Easy for users
Independent of location or device
Easy to administer, scale, adapt to change
Secure
The importance of two factor authentication
Two-factor authentication can:
- mitigate risks (only authorized users can access valuable information)
- increase productivity (by enabling secure access for users who work from home or travel on a regular basis)
- reduce costs (eliminating the help-desk effort spent managing and resetting passwords)
- create new business opportunities (use secure access to extend new online services or applications to your customers and partners)
- address compliance requirements (ease the burden of compliance where regulations call for two-factor authentication)
Overview of RSA SecurID Authentication
Benefits of an RSA SecurID Two-Factor User Authentication Solution
Ensures the positive identification of users before they gain access to valuable resources.
Ensures greater network security than the traditional static password that is easily hacked.
Helps to create a trusted e-business environment with new possibilities for innovation and growth.
Overview of RSA SecurID Authentication
An RSA SecurID two-factor user authentication solution consists of:
RSA SecurID authenticators
RSA Authentication Manager software
RSA Authentication Agent software
Authentication Manager:
- the engine that powers RSA SecurID technology software
- verifies the identity and legitimacy of all users attempting to log in to the network
- compatible with many remote access and Internet products, as well as a range of applications, so it fits easily into a corporation's existing network and systems infrastructure
Overview of RSA SecurID Authentication
SecurID can be used to secure:
VPN access
Remote dial-in
Web access
Wireless networking
Secure access to Microsoft Windows
Network hardware devices (routers, firewalls, and switches)
Overview of RSA SecurID Authentication
Benefits of RSA SecurID solution for Microsoft Windows:
Security
Simplicity
Auditable
Efficiency
Investment protection
Advantages in general:
robust, easy-to-use, portable authentication solution
technology trusted and proven
Solution architecture
Server Architecture:
Primary Server: the first server installed in a deployment
- has an embedded Oracle database
Replica: can be installed to provide failover and load balancing
- contains its own database, synchronized with the primary
- is non-administrative
- can be promoted to primary if needed
A deployment supports up to 15 Replica instances
RSA RADIUS Server
- offered as part of the RSA Authentication Manager package
- no RSA software required on the end-user machine
RADIUS authentication flow:
- End-user computer initiates a connection request to the RAS
- RAS notifies the RADIUS server of the request
- TTLS/PAP tunnel created for this session
- User prompted for username and passcode
- User provides credentials
- RADIUS server verifies the credentials using the embedded agent software
- If successful, AM returns an approval and the RADIUS profile associated with the user
- RADIUS server returns an Access-Accept message to the RAS, together with the RADIUS attributes associated with that user (based on the user profile)
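The exchange above as an added worked example (not code from the slides or from RSA's product): a minimal RADIUS PAP Access-Request / Access-Accept round trip as defined in RFC 2865, including the User-Password hiding on the wire and the Response Authenticator the RAS recomputes before trusting the returned attributes. The TTLS tunnel of step 3 is omitted, the "embedded agent" check is a stand-in callback, and the shared secret, user, passcode and Filter-Id profile are constructed values.

```python
import hashlib, os, struct

SECRET = b"constructed-shared-secret"   # RAS <-> RADIUS shared secret (constructed value)

def pap_hide(password: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: each 16-byte block XORed with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        prev = bytes(x ^ y for x, y in zip(password[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")              # strip the NUL padding added by pap_hide

def attrs(pairs):                           # [(type, value)] -> RADIUS attribute TLVs
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(body: bytes) -> dict:
    out, i = {}, 0
    while i < len(body):
        t, n = body[i], body[i + 1]         # length field covers type + length + value
        out[t], i = body[i + 2:i + n], i + n
    return out

def access_request(user: str, passcode: str, ident: int = 1):
    """Steps 2-5: the RAS forwards username + passcode (PIN+tokencode) as an Access-Request (code 1)."""
    ra = os.urandom(16)                     # Request Authenticator, fresh per request
    body = attrs([(1, user.encode()), (2, pap_hide(passcode.encode(), ra))])  # User-Name, User-Password
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + ra + body, ra

def radius_server(req: bytes, profiles: dict, agent_check) -> bytes:
    """Steps 6-8: agent check (stand-in callback), then Access-Accept (2) + profile attrs or Access-Reject (3)."""
    _, ident, length = struct.unpack("!BBH", req[:4])
    ra, a = req[4:20], parse_attrs(req[20:length])
    user = a[1].decode()
    ok = agent_check(user, pap_reveal(a[2], ra).decode())
    body = attrs(profiles.get(user, [])) if ok else b""     # attributes only travel on accept
    header = struct.pack("!BBH", 2 if ok else 3, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + body + SECRET).digest() + body

def ras_check_response(resp: bytes, ra: bytes) -> bool:
    """The RAS recomputes the Response Authenticator before trusting the returned attributes."""
    return hashlib.md5(resp[:4] + ra + resp[20:] + SECRET).digest() == resp[4:20]
```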
Software installation vs. appliance
Platforms and system requirements:
Windows Server 2003 Standard and Enterprise Edition (32-bit and 64-bit)
- Memory: 2 GB + 512 MB for RADIUS; 2 GB page file
- HDD: 60 GB + 128 MB for RADIUS
Red Hat Enterprise Linux 4.7 ES/AS (32-bit and 64-bit)
- Memory: 2 GB + 512 MB for RADIUS; 2 GB swap space
- HDD: 60 GB + 470 MB for RADIUS
- List of packages required
Solaris 10 UltraSPARC (64-bit)
- Memory: 2 GB + 512 MB for RADIUS; 4 GB swap space
- HDD: 60 GB + 650 MB for RADIUS
- List of packages required
RADIUS is not supported on 64-bit Windows
Software installation vs. appliance
RSA SecurID Appliance solution:
- delivers Authentication Manager on an embedded, sole-purpose hardened Linux operating system
- available in two models:
  - Appliance 130: designed to satisfy the requirements for fast and simple deployments
  - Appliance 250: designed for organizations that require high-availability deployments (dual power supplies and redundant disks)
- flexible and scalable
- easy to deploy and maintain
- lower total cost of ownership
Authenticators
RSA SecurID authenticators provide:
- Strong network security
- Reliable authentication
- Convenient solutions for end-users
- A choice of form factors and options:
  - hardware
  - software
  - on-demand
Tokens contain:
- a seed value for pseudo-random number generation
- an algorithm with which to calculate tokencodes
All tokens generate and display a new code every 60 seconds.
Authenticators
Software tokens
- available for Windows, Mac OS and a variety of smart phone platforms, including BlackBerry®, iPhone®, Windows® Mobile, Java™ ME, Palm OS and Symbian OS
- the symmetric key is safeguarded securely on the user's PC or smart phone
- reduce the number of items a user has to manage for safe and secure access to corporate assets
On-demand Authenticator
- a good choice for users who do not need to access the network remotely very often
- enables users to receive a one-time password as an SMS message delivered to their cell phone, or via e-mail
- users request a one-time password through an intuitive self-service web module by entering their PIN
Agents
RSA Authentication Agent software intercepts access requests—whether local or remote—from users or groups of users and directs them to the RSA Authentication Manager for authentication. Once verified, permission to access protected resources is granted.
- is designed to secure: Microsoft® Windows® IIS, Apache and Sun™ ONE web servers, UNIX resources and Novell® Network services
- ensures user accountability
- Agent software is built into some 300 RSA SecurID Ready™ products from over 200 leading manufacturers
Administrative structure
Realm: the highest-level organizational structure
Security Domain: an organizational container that defines an area of administrative management within a realm
- an area of administrative responsibility
- used to organize and manage users
- used to enforce system policies
- limits the scope of administrators' control by limiting the security domains to which they have access
- contains Users, User Groups, Agents and Tokens
Administrative structure
An LDAP Identity Source can be defined as:
- Read-only
- Read/Write
Identity source (IS)
- linked at the Realm level
- multiple ISs can be linked to one realm, but a single IS cannot be linked to multiple realms
- an IS can be defined for an external Active Directory/LDAP datastore
Administrative structure
Licence types:
Base
- One Primary and one Replica instance
- Credential Manager (Self-Service module)
- RADIUS Support
- Offline Authentication
Enterprise
- All Base licence features, plus:
- Up to 15 Replica instances
- Credential Manager (Provisioning)
- Multi-Realm capabilities
Evaluation
- 25 users, Base licence features, with an expiration period
Licence options
- Active user upgrades allow the system to be expanded for more users
- On-demand authentication allows a user to receive a one-time-use passcode through SMS or e-mail
Credential manager
A web-based workflow system that automates the token deployment process and provides user self-service options.
It consists of self-service and provisioning.
Self-service reduces the time that the Help Desk spends servicing deployed tokens: when users forget their PINs, misplace their tokens, or require emergency access or resynchronization.
Provisioning streamlines the token deployment process when you are rolling out a large-scale token deployment. It also reduces the administrative effort and time typically associated with deploying tokens.
Policies
- control various aspects of a user's interaction with Authentication Manager, such as RSA SecurID PIN lifetime and format, fixed passcode lifetime and format, and password length, format and frequency of change
- are assigned to a security domain
Policies protect against:
• Random guessing of passcodes
• Compromised PINs
• Stolen passcodes
• Easily guessed PINs
• Automated logon attempts
Policies
Token and PIN Policy
You can configure the following requirements and restrictions:
Require system generated PINs
Require periodic PIN changes
Restrict the use of old PINs
Limit PIN lengths
Use an excluded words dictionary
Set PIN character requirements
Lockout Policy
defines how many failed logon attempts users can make before Authentication Manager locks their account.
Offline Authentication
extends RSA SecurID for Windows authentication to users when they work away from the office, or when network conditions make the connection temporarily unavailable.
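An added worked example, not code from the slides: a server-side check of the passcode model the Authenticators slide describes (PIN followed by a tokencode that changes every 60 seconds), with a clock-drift window, rejection of a code that has already been used, and the failed-attempt lockout the Lockout Policy defines. The token algorithm is a stand-in HMAC-based generator, since the deck does not give the SecurID algorithm; the seed, PIN, drift window and lockout threshold are assumed values.

```python
import hashlib, hmac, struct

STEP = 60        # the deck: every token shows a new code each 60 seconds
DRIFT = 1        # accept one step either side for clock drift (assumed window)
MAX_FAILS = 3    # failed attempts before lockout (assumed Lockout Policy value)

def tokencode(seed: bytes, t: int, digits: int = 6) -> str:
    """Stand-in token algorithm: HMAC-SHA1 over the 60-second time counter, truncated
    as in RFC 4226. Not the RSA SecurID algorithm, which the deck does not describe."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class PasscodeVerifier:
    """Server side: passcode = PIN + tokencode; enforces drift window, replay and lockout."""
    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin = seed, pin
        self.fails, self.locked = 0, False
        self.last_step = -1          # highest time step already consumed (replay guard)

    def verify(self, passcode: str, now: int) -> str:
        if self.locked:
            return "locked"
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if hmac.compare_digest(pin.encode(), self.pin.encode()):
            for d in range(-DRIFT, DRIFT + 1):
                step = now // STEP + d
                expected = tokencode(self.seed, step * STEP).encode()
                if hmac.compare_digest(code.encode(), expected):
                    if step <= self.last_step:
                        return "replay"      # a used code is never accepted twice
                    self.last_step, self.fails = step, 0
                    return "accept"
        self.fails += 1                      # wrong PIN or wrong/out-of-window code
        if self.fails >= MAX_FAILS:
            self.locked = True
            return "locked"
        return "reject"
```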
Disaster recovery and failover
An instance might stop responding for any of the following reasons:
Power outage
Hardware malfunction
Database corruption
Inoperable database
Network malfunction
When a primary instance database server stops responding, the following events occur:
You cannot administer the system.
Authentication performance slows down.
Help Desk Administrators are blocked.
Users who are permanently locked out cannot be restored.
The database on the stopped server may be temporarily unavailable.
Data accumulates at replica instances, waiting to update the primary instance.
Disaster recovery and failover
Recovery from the loss of a primary instance:
Locate a replica instance at the same geographic site as the primary instance. The same personnel who administer the primary instance need access to this local replica instance in case of emergency.
Train your staff to learn recovery procedures and make sure they have the necessary privileges to promote a replica instance if the primary instance stops responding.
Confirm that a surviving replica has enough disk space to handle transactions that will queue while the primary is unavailable.
RSA recommends frequent backups to minimize data loss.
Authentication Manager backup does not include RADIUS, which must be backed up separately.
Run backups during off-peak periods because the backup operation can affect general system performance.
Plan to store one backup copy at an off-site location.
Q & A
Thank you!