Single Sign-On 101: Beyond the Hype
What SSO Can and Can’t Do For Your Business
BlackHat Briefings Diana Kelley & Ian Poynter 2
Introductions
• Diana Kelley, Baroudi Group – [email protected]
• Ian Poynter, Security Consultant – [email protected]
Outline
• Definitions
• Business Requirements
• SSO Technologies
• Authentication Methods
• SSO Case Studies
Definition
• Single Sign-On
  – Fantasy
    • One Password For Everything!
  – Reality
    • Most Systems And Applications Already Have Their Proprietary Login Functionality
    • Reduced Logins For Discrete Systems
      – Corporate Systems
      – Shared Intranet/Web Applications
      – Web Logon Aggregators
Business Requirements
• Is There A Problem Here?
  – Mushrooming Passwords
  – Need For Re-use
  – “Sticky Note” Password Cache
  – Unencrypted Text Files On Laptops and PDAs
Business Requirements
• Deceptively Intuitive
  – Reduce Costs
  – Increase Security
  – Increase Efficiency
  – Increase Convenience
  – My Boss Told Me I Have To
Business Requirements
• Be Honest About the Cost / Benefit Analysis
  – Use Hard Numbers
    • What Does it Cost to Reset a Password?
    • How Much Time is Spent Logging into Multiple Systems Each Morning?
    • What is The Real Cost of Integration?
    • Will Additional Authentication Methods Need to be Purchased?
Business Requirements
• Be Honest About the Cost / Benefit Analysis
  – Don’t Forget the Ease of Use Factor
    • Consider Training for Administrators and All Users
  – QA and Versioning Can Increase TCO
Business Requirements
• Think About the Inside and the Outside
  – Multiple User Populations Can Increase Costs
  – Tiered Authentication Levels
  – At a Minimum Need Secure Password Selection Training for Everyone
Business Risks
• Single Point of Failure
  – Denial of Service/Lack of Availability
• Stolen Credentials via Insecure Implementations
• Overly Ambitious Projects
  – Physical and Network
  – Complicated Procedures
    • n-factor Authentication
  – Square Pegs in Round Holes
Business Risks
• Failure to Consider the Legacy
  – OS/390, AS/400, Custom Client/Server Applications, RADIUS
• Failure to Consider Regulatory Requirements
  – Financial Services and GLBA
  – Health Care and HIPAA
  – Content Providers and COPPA
  – International Businesses and EU DPD
Authentication Methods
• Declaring and Proving Who or What You Are
• Sure, Signing on Once, but What With?
• Becomes an Even Larger Question with SSO Because More Systems are Involved
Authentication Methods
• Have, Know, Are
  – Tokens, Passwords, Fingerprints
• Single vs. Multi
Authentication Methods
• Passwords
• One Time Passwords
• Tokens and SmartCards
• PKI
• Digital / Machine Fingerprints
• Biometrics
Authentication Protocols and Technologies
• Dial-In Users and Wireless (802.1x)
  – RADIUS
• S/390 Mainframes
  – RACF, ACF2, CA Top-Secret
• Unix
  – PAMs (Pluggable Authentication Modules)
• Windows
  – GINA, Kerberos, NTLM
SSO Technologies
• Traditional Single Sign-On
• Password Synchronization
• Authentication Platforms
• Web Logon Aggregators
• NB: Convergence Between Traditional SSO and Authentication Platforms
SSO Technologies
• Traditional Single Sign-On
  – Allows a User to Login Once, Using a Single Authentication Method, to Gain Access to Multiple Hosts and / or Applications
  – May Also Provide Access Control / Authorization Features
    • Authorization policies restrict which applications or systems a user has access to
    • And what the user can and can’t do on these applications and systems
SSO Technologies
• Traditional Single Sign-On
• Not an Entirely New Concept
  – Kerberos and Kerberized
  – RADIUS and Radiized
Traditional SSO: How It Works
• Authenticate Once To Access Many
• Login Credentials (ID And Authentication) Usually Stored Locally
• Transparently Presented to the System or Application When Needed
Traditional SSO: How It Works
• Single Credential for All Systems
  – Kerberos Model
• Multiple Credentials
  – Required for Most Heterogeneous Environments
Traditional SSO: How It Works
• APIs And DLLs
  – Write the SSO Authentication into Each Application or System (compare to: Radiized)
  – Or Use Replacement DLLs
• Scripts
  – Pieces of Code on the Client That Manage the Login Procedure to Multiple Systems
• Cookies
  – For Web Applications Only
Traditional SSO: Pros and Cons
• Pros
  – Very Easy to Use
  – Reduces Support Costs
  – Reduces Logon Cycles
• Cons
  – Integration of Legacy Can Be Expensive and Time Consuming
  – Single Point of Attack
  – Scripting Solutions Often Lead to Storage of Passwords And IDs on the Client
Traditional SSO: Business Fit
• Good Business Fit for
  – Companies That Want to Simplify the User Experience
  – Companies That Need to Reduce the Login Cycle
Traditional SSO: Brand Examples
• IBM/Tivoli Global Sign-On
• Netegrity SiteMinder
• RSA ClearTrust (formerly Securant)
SSO Technologies
• Password Synchronization
  – Manage Passwords Across Platforms and Systems
  – Keeps Same Password So User Only Needs to Remember One
  – When User Changes Her Password, Synchronization Server Automatically Updates User Password on All Available Systems or in the Central Repository Server
Password Synchronization: How It Works
• Distributed
  – Agents Automatically Reset Passwords on Applications and Systems
• Centralized
  – All Authentication Requests Are Forwarded to a Central Server
Password Synchronization: Pros and Cons
• Pros
  – User Has Only One Password to Remember
  – Usually Fairly Easy to Implement
  – Help Desk Can Reset Passwords to All Systems From Single Console
• Cons
  – Does Not Reduce the Number of Logons
  – Only Supports Password Authentication
Password Synchronization: Business Fit
• Good Business Fit for
  – Companies That Only Use Password Authentication
  – Companies That Don’t Need to Reduce the Login Cycle
Password Synchronization: Brand Examples
• PassGo, InSync (formerly Axent/Symantec)
• Courion, Password Courier
SSO Technologies
• Authentication Platforms
  – Provide a Central Point of Management for Multiple Authentication Schemes
  – Users Authenticate To A Gateway Using Any Combination of Authentication Methods
    • Smartcards, PKI, Biometrics etc.
  – Supports Multi-layer Authentication Policies
Authentication Platforms: How It Works
• Abstracts the Authentication Layer to an Authentication Gateway
• All Users Login to this Gateway
• Gateway Determines Level / Type of Authentication that is Required
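An added example (not from the deck or from any vendor it names) of the gateway decision described above: a constructed policy table maps each application to the factor classes it requires, using the deck's "Have, Know, Are" grouping, and the gateway reports which classes a session still has to prove before access is granted. Application names, the policy table and the Session type are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """Factor classes from the 'Have, Know, Are' slide."""
    KNOW = "know"   # password, PIN
    HAVE = "have"   # token, smartcard, PKI certificate
    ARE = "are"     # biometric


# Constructed policy table (an assumption, not any real product's format):
# each protected application names the factor classes it requires.
POLICY = {
    "intranet-portal": frozenset({Factor.KNOW}),
    "hr-records": frozenset({Factor.KNOW, Factor.HAVE}),
    "money-transfer": frozenset({Factor.KNOW, Factor.HAVE, Factor.ARE}),
}


@dataclass
class Session:
    """One user's gateway session: which factor classes have been proven so far."""
    user: str
    proven: set = field(default_factory=set)


def missing_factors(session: Session, app: str) -> frozenset:
    """Factor classes the gateway must still collect before granting access to app."""
    return POLICY[app] - session.proven


def prove(session: Session, factor: Factor) -> None:
    """Record a verified factor (the credential check itself is out of scope here)."""
    session.proven.add(factor)


def authorize(session: Session, app: str) -> bool:
    """Grant access only when every required factor class for app has been proven."""
    return not missing_factors(session, app)


def walk_through() -> list:
    """Worked run: one password login, then a step-up when a stricter app is requested."""
    s = Session("alice")
    prove(s, Factor.KNOW)
    trail = [(app, authorize(s, app)) for app in POLICY]
    prove(s, Factor.HAVE)            # token presented when hr-records is requested
    trail.append(("hr-records", authorize(s, "hr-records")))
    return trail
```

The same session object serves every application, so the user logs in once and is only prompted for the additional factor the policy demands, which is the tiered-authentication behaviour the slide describes.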
Authentication Platforms: Pros and Cons
• Pros
  – Eases Integration With Abstracted Authentication Layer
  – Support for Most Authentication Factors
• Cons
  – Does Not Reduce Number of Logins, Unless SSO is Embedded in the Authentication Platform
  – Single Point of Attack / Failure
    • Denial of Service
Authentication Platforms: Business Fit
• Good Business Fit for
  – Enterprises with Hierarchical, Complex Authentication Requirements
  – Companies using N-factor Authentication Solutions
  – Organizations with Regulated Security / Privacy Requirements
    • Financial Institutions, HealthCare, Government Agencies
Authentication Platforms: Brand Examples
• Bionetrix Authentication Server
• Novell Modular Authentication Service (NMAS)
• ActivCard (formerly Ankari)
  – Trinity Server with SSO Functionality
SSO Technologies
• Web Logon Aggregators
  – One Login, Access Multiple Sites
  – User Logs into Aggregator Software or Site at Beginning of Session
  – All Subsequent Logins to Web Sites Visited Are Handled Transparently
Web Logon Aggregators: How It Works
• Credentials Are Cached Either
  – Locally via Cookies
  – On Server via State Mechanism
• Automatically Presented to Sites as Needed
Web Logon Aggregators: Pros and Cons
• Pros
  – Ease of Use
  – Streamlines Web Experience
• Cons
  – Web Only
  – Sites May Need to Opt In
  – Outsources Trust to 3rd Party
  – Loss of Control
Web Logon Aggregators: Business Fit
• Good Business Fit for
  – Companies Providing Web Interfaces to Customers or Employees
  – Home Users Who Want to Streamline Their Web Experience
Web Logon Aggregators: Brand Examples
• .NET / Passport
• Liberty Alliance (in process)
• Yodlee
  – Account Aggregator
Case Studies
• Example Architectures From the Real World
• Identifying Characteristics Have Been Changed Where Needed to Protect Client Confidentiality
Case Study 1
• Large US Insurance Company
  – Project: Reduce ‘Wake Up’ Time for Internal Personnel and External Agents by Integrating Login Function to Multiple Back and Front Ends
Case Study 1
• Points for the RFP
  – State Business Requirements (cf. previous slide)
  – Provide Hard Numbers
    • Example: Time Goal for Reduced Wake-up Time
  – Time and Cost Estimates
    • Don’t Forget QA Before Roll Out
    • Include Support and Training
Case Study 1
• Points for the RFP
  – Technical Requirements
    • All Internal Logins Triggered by NT Login
    • External Users’ Credentials Stored in LDAP Directory
    • Login Support For
      – S/390 with RACF
      – Oracle Database
      – RADIUS for Remote Agents
      – Custom DOS-Based Money Transfers with SecurID
      – Custom Web Applications
Case Study 1
• Proposal from Selected Vendor
  – Hybrid Technical Solution
    • Internal Users
      – Custom GINA
      – LDAP Support
      – Link to Traditional SSO for Web Application Logins
      – Trigger for Users That Needed to Access SecurID Protected Solutions
    • External Users
      – Traditional SSO for Web Application Logins
Case Study 2
• International Consulting Firm
  – Project: Link Multiple Intranets, Distributed Around the World, for Secure Access to Internal-Only Information Sharing And Project Collaboration
Case Study 2
• Points for the RFP
  – State Business Requirements
  – Provide Hard Numbers
    • Example: Define Secure Access
      – Type of Authentication
      – Encryption Requirements
      – Roaming User Needs
  – Time and Cost Estimates
    • Don’t Forget QA Before Roll Out
    • Include Support and Training
Case Study 2
• Points for the RFP
  – Technical Requirements
    • Internationally Distributed Web Servers Across Multiple Domains
    • Custom Web Applications
    • Netscape, IIS, Apache Web Servers
    • Mac And Windows Clients
Case Study 2
• Proposal from Selected Vendor
  – Netegrity SiteMinder with Installation Services
Summary
• Know the Business Requirements
• Complete a Cost-Benefit Analysis
• Set Reasonable Goals
• Investigate the Available Technologies
• Investigate the Vendors
• Match Requirements to Technology
• Plan: Create an RFP and Architecture
• Prototype, Build, Test, Train, and Deploy
• Throw Away Those Yellow Sticky Password Caches!