Tuesday, June 24, 2008

What's so important? I'm curious.


What's your guess as to why this ad has appeared two days in a row in the Seattle Times? I know you can't tell how big the ad is from the picture, but it is roughly two-thirds of the page width and about one-sixth of the page height, so this is not a small ad. Additionally, it's in the main section of the newspaper, not stuck back in the classifieds, so you can't miss it.

What data does the owner need so badly? Is the phone itself so valuable?

I'm curious...are you?

Tuesday, June 17, 2008

Privileged Account Management

One of my colleagues just finished up a white paper that is worth reading: Privileged Account Management. Learn How to Secure Your Assets and Control Your Costs



Here's the abstract from the white paper:

Privilege Manager safely delegates administrative privileges, including root. It protects heterogeneous Unix systems from the threat of external attackers, as well as abuse and misuse from trusted internal users. This document addresses the security return on investment (ROI) of using Quest Software’s Privilege Manager for Unix security software to protect company assets stored on Unix systems. It also demonstrates how Privilege Manager can control costs and greatly improve system security, so an organization can increase productivity.



Privileged Account Management is something that I see more and more customers starting to talk about and consider solutions for. It's worth a read just to better understand the problem space on Linux/Unix, and specifically around "root" access control.

We have a broader white paper coming out regarding this topic that I'll let you know about.



Friday, June 13, 2008

Quest ActiveRoles Server Integration with IBM Tivoli Identity Manager


After a lot of work at both Quest and IBM we have managed to get a "Ready for Tivoli e-Business Software" certification. We've seen more and more customers building a "tiered" identity infrastructure where they have an identity framework - like Tivoli Identity Manager - and want to couple it with a best-of-breed solution for Windows and Active Directory like Quest's ActiveRoles Server. TIM lets you effectively manage identities across your whole enterprise while benefiting from Quest's specialized Active Directory expertise, and it also enables the consolidation of your Unix and Linux identities via Vintela Authentication Services.

Details below...

Quest Software has partnered with IBM to create a validated solution that helps facilitate and improve IBM Tivoli Identity Manager (ITIM) deployments to maximize efficiency, security, and compliance. This solution leverages an already-deployed Active Directory infrastructure in conjunction with ITIM. The solution enables ITIM to manage user accounts within Active Directory through Quest ActiveRoles Server via SPML 2.0 (Service Provisioning Markup Language, an OASIS international standard).

Through this tiered approach, ITIM deployments can proceed more quickly and simply by delivering deeper ITIM-based identity administration for the Windows/AD environment. It enables a single connection to Active Directory to achieve codeless provisioning and management of Exchange, SharePoint, Active Directory Lightweight Directory Services accounts (AD LDS, formerly ADAM), and any Active Directory-enabled application. This approach can also benefit any Unix, Linux, or Mac system, as well as a number of enabled applications that have been brought into the Active Directory "trusted realm" through Quest's identity integration technologies (Vintela Authentication Services and Vintela Single Sign-on for Java), further eliminating the need to build and maintain unique ITIM connectors and to manage identity individually across the wide spectrum of platforms and applications.

Benefits of the combined Quest/Tivoli solution include:


  • Decreased time and cost for ITIM implementation

  • Wizard-driven configuration (out-of-the-box)

  • Pre-built SPML integration

  • No need to build and maintain connectors to Unix, Linux, Java, and Mac operating systems

  • Streamlining of on-going management because identities are managed through Active Directory and subject to rules and roles defined through Quest ActiveRoles Server

  • Quest's Active Directory management and identity integration solutions are:
      • Easy to deploy - codeless provisioning of Active Directory-based identity lifecycle management
      • Automated account creation in Active Directory with no custom code to maintain
      • Advanced/automated group management that supports segregation of duties
      • Approval workflow and attestation over group memberships


Wednesday, June 11, 2008

Common Criteria (or other) Certification ≠ A Secure Product

Customers are demanding more and more security certifications. I don't object to certifications, but I do have a problem with customers and the market equating a certification with a secure product. This is not true.

Here's an example of a just-reported vulnerability (Computerworld, May 26/08):

Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service Vulnerabilities

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

Vulnerable Products: Cisco devices running certain 12.4-based IOS releases and configured to be managed via SSH may be affected by this issue.

And, from the Common Criteria Certification's list of certified products:

Cisco IOS Firewall Version 12.3(14)T and 12.4(4)T - EAL4+ certification on 27-NOV-06
Certification report: ST_VID10038-VR.pdf
Security target: ST_VID10038-ST.pdf

...and SSH was a "security target" of the evaluation:

...the security target specifies that administration of the TOE may be conducted locally via the console port or remotely via an SSH connection to the TOE-enabled router provided an external AAA service capable of single-use mechanisms is used

QED: Security Review or Certification ≠ A Secure Product


Tuesday, June 10, 2008

Microsoft's Mesh supports SAML tickets

I was reading up on Microsoft Mesh and came across a blog posting regarding Mesh's support of SAML tickets. It's not quite clear enough to me what this exactly means but...

Live Mesh authorization tickets are standard SAML tickets. They are digitally signed with the Live Mesh private key to prevent spoofing and they expire after a limited lifetime. Some tickets are used to just authenticate users or devices, other tickets contain authorization information about user/device rights. Cloud services inspect each resource request and authorize access only if it contains valid tickets (correctly signed and not expired) and these tickets specify that the requestor indeed has access to the requested resource. For example, a device X can initiate P2P data synchronization with device Y only if it presents a ticket that is correctly signed by Live Mesh and contains a record saying that both device X and Y are claimed by the same user OR if it contains a record saying that X and Y have the same Live Mesh Folder mapped on them (in the case that the devices are claimed by different users that are members of this Live Mesh Folder). Tickets are passed to the cloud services in the Authorization header using HTTPS to prevent replay attacks.


My quick scan of Kim's blog and the Mesh community forum didn't reveal any nuggets.

I think it would be pretty cool if a P2P file and data synchronization could use a SAML token for authorization. Interesting that there's been no fanfare about this. Maybe I missed it?
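The quoted authorization rule above, as an added example that is not Microsoft's code: a verifier that checks a ticket's signature and lifetime before trusting any of the access records it carries, then applies the two rules described (same owner, or same Live Mesh Folder mapped on both devices). HMAC over a shared key stands in for the Live Mesh private-key signature so the example runs on the standard library; the ticket layout, the Device/Folder element names and the epoch-second NotOnOrAfter attribute are my assumptions, not the real ticket format.

```python
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

# Constructed stand-in for the Live Mesh signing key. The real service signs
# with an asymmetric private key; HMAC-SHA256 is used here only so that the
# example needs nothing beyond the standard library.
SIGNING_KEY = b"constructed-mesh-signing-key"


def sign_ticket(ticket_xml: str) -> str:
    return hmac.new(SIGNING_KEY, ticket_xml.encode(), hashlib.sha256).hexdigest()


def authorize_sync(ticket_xml: str, signature: str, device_x: str,
                   device_y: str, now=None) -> tuple:
    """Decide whether device_x may start P2P sync with device_y.

    Order matters: the signature is verified before anything inside the ticket
    is trusted, then the lifetime, and only then the authorization records.
    """
    if not hmac.compare_digest(sign_ticket(ticket_xml), signature):
        return False, "bad signature"
    root = ET.fromstring(ticket_xml)
    expires = float(root.get("NotOnOrAfter"))        # assumed: epoch seconds
    if (time.time() if now is None else now) >= expires:
        return False, "ticket expired"
    # Rule 1: both devices are claimed by the same user.
    owners = {d.get("id"): d.get("owner") for d in root.iter("Device")}
    if device_x in owners and device_y in owners and owners[device_x] == owners[device_y]:
        return True, "same owner"
    # Rule 2: both devices have the same Live Mesh Folder mapped on them.
    for folder in root.iter("Folder"):
        mapped = {m.get("device") for m in folder.iter("MappedOn")}
        if {device_x, device_y} <= mapped:
            return True, "shared folder " + folder.get("id")
    return False, "no record grants access"


# Constructed sample ticket: X and Y belong to different users but share
# folder F1; X and Z belong to the same user.
SAMPLE_TICKET = (
    '<Ticket NotOnOrAfter="{exp}">'
    '<Device id="X" owner="alice"/><Device id="Y" owner="bob"/>'
    '<Device id="Z" owner="alice"/>'
    '<Folder id="F1"><MappedOn device="X"/><MappedOn device="Y"/></Folder>'
    '</Ticket>'
)
```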


Monday, June 09, 2008

Password Chart

Interesting post over at Ian Yip's blog titled "Paranoid About Your Passwords?"

Ian points us to this web site: http://www.passwordchart.com/. It has a tool that takes a phrase you enter and generates a password chart from it. You then enter your desired (easy) password, and the chart gives you the "complex" string to actually type in. Rather than remembering the complex password, you just remember your chart phrase and your easy-to-remember password, and regenerate the complex password from them.





For example, the passphrase I tried was: thisisreallyinteresting

Then I typed in my easy-to-remember password: bozo

...and the output was: pLTP8sKLTP

Which I would use, for example, as my Active Directory password. "bozo" is certainly easier to remember than: pLTP8sKLTP

...but is pLTP8sKLTP easier to type than "bozo"?

Interesting concept but what do I do when I forget "bozo"? You know that I will.
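As an added illustration, and my own hypothetical reconstruction rather than passwordchart.com's actual algorithm (the page does not describe how the chart is generated), the snippet below derives a substitution chart from a phrase and maps an easy password through it. The page's own output hints at why this matters: bozo contains o twice and pLTP8sKLTP contains LTP twice, which is exactly what a per-character chart produces, so the "complex" password is only as strong as the easy password plus the secrecy of the chart. Assumed here: chart entries are 1 to 3 characters long and the chart is seeded from a SHA-256 hash of the phrase.

```python
import hashlib
import random
import string

# Hypothetical reconstruction of a "password chart" (not passwordchart.com's
# own algorithm): each character of the easy password is replaced by a short
# chunk of characters chosen deterministically from the chart phrase.
CHART_INPUTS = string.ascii_lowercase + string.digits
CHART_OUTPUTS = string.ascii_letters + string.digits


def build_chart(phrase: str) -> dict:
    """Derive the substitution chart from the chart phrase.

    The phrase is hashed to seed a PRNG, so the same phrase always yields the
    same chart; that determinism is what lets the user regenerate the password.
    """
    seed = int.from_bytes(hashlib.sha256(phrase.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    return {c: "".join(rng.choice(CHART_OUTPUTS) for _ in range(rng.randint(1, 3)))
            for c in CHART_INPUTS}


def substitution_pattern(phrase: str, easy: str) -> list:
    """Map the easy password through the chart, one output chunk per character.

    Characters missing from the chart pass through unchanged.
    """
    chart = build_chart(phrase)
    return [chart.get(c, c) for c in easy.lower()]


def chart_password(phrase: str, easy: str) -> str:
    return "".join(substitution_pattern(phrase, easy))


def guesses_to_cover(easy: str) -> int:
    """Size of the easy-password space that the chart output inherits.

    Because the chart is a fixed function of the phrase, anyone holding the
    chart needs at most this many guesses, however long the output looks.
    """
    return len(CHART_INPUTS) ** len(easy)
```

Running substitution_pattern("thisisreallyinteresting", "bozo") gives four chunks with the second and fourth identical, mirroring the repeated LTP in the page's example.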

Microsoft on OpenSSH on Linux (and what the parrot saw)

I'm not sure why this post from Microsoft on OpenSSH on Linux just appeared, but it did. The document referenced is marked October, 2007.

In any case, the document explains, in little detail, what you need to do to set up OpenSSH and Kerberos so you can achieve single sign-on between Linux systems and Windows desktops through the use of your Active Directory credential.

As the author states, the main benefit for going through this is:

...many administrators currently use SSH for remote access management, utilizing Kerberos in this way allows an administrator to standardize to one remote access tool and centralize all authentication information.

What I would like to point out is the difference between the open source approach that the author proposes and what Quest does with its Vintela Authentication Services product. You can also check out our work in the OpenSSH area here.

The author starts by stating:

On the Linux system, I have installed the following tools (Package names from Fedora Core 5):
 openssh
 openssh-server
 samba-common
 samba-client
 krb5-workstation
 krb5-libs

On the Windows side, I installed the following tools:
 Windows Support Tools



The first point I want to make is that the 6 steps mentioned around Fedora Core 5 are not just point, click and go installation steps. Put on your heavy gloves and get ready for some lifting. Anyway, let's assume you're a Linux guru and you breeze through those parts. The main points I want to bring to your attention are the following:

At a high-level the value in VAS is the same but Quest's value-add is:

  • Simpler install
  • Consistent install across more than just Linux (e.g., Unix!)
  • All the additional ‘value-add’ on top of core VAS (Group Policy is a good example)
  • More ‘enterprise ready’ (one package to install, support, tunable)

Specific examples:

  • The doc described how to manually configure Kerberos – VAS automates this configuration
  • The doc required the use of Samba to 'join' the Linux system to AD – VAS replaces the need for Samba
  • The instructions and examples were for a single platform (Linux) – VAS expands the value to a bigger Unix/Linux/Mac picture
  • What happens if Active Directory isn't available? (i.e., network problems because we all know that AD would never just be down) - VAS provides a patent-pending "disconnected mode" for exactly this scenario or the more common scenario: You're on your laptop at home versus being at the office!

And a big one…the doc says:

Identity management is beyond the scope of this paper. Kerberos provides authentication but not identity management. If OpenSSH cannot find an identity relating to the login credentials, access will be denied.

I think you might actually need a bit of identity management with that OpenSSH solution. Additionally, scaling this up to support multiple Linux and Unix variants running on 32-bit and 64-bit systems would be a job that I'd jump at - not.

In my travels I've run across many customers that thought a 6 page document was enough to build an enterprise Unix/Linux/Active Directory integration and single sign-on strategy and deployment around. We even received an email from one today who said they were going to go with Samba and do the work themselves for their 400+ Unix/Linux servers. I always tell them the same thing: Give us a call when you're ready - We'll honor our quote! They always come back.


Sunday, June 08, 2008