I'm curious...are you?
Tuesday, June 24, 2008
Tuesday, June 17, 2008
Here's the abstract from the white paper:
Privilege Manager safely delegates administrative privileges, including root. It protects heterogeneous Unix systems from the threat of external attackers, as well as abuse and misuse from trusted internal users. This document addresses the security return on investment (ROI) of using Quest Software’s Privilege Manager for Unix security software to protect company assets stored on Unix systems. It also demonstrates how Privilege Manager can control costs and greatly improve system security, so an organization can increase productivity.
Privileged account management is something I see more and more customers starting to talk about and evaluate solutions for. The paper is worth a read just to better understand the problem space on Linux/Unix, and specifically the control of "root" access.
We have a broader white paper coming out regarding this topic that I'll let you know about.
Quest Software, QSFT, Unix, Linux, root, identity management, privileged account management
Friday, June 13, 2008
Quest Software has partnered with IBM to create a validated solution that helps facilitate and improve IBM Tivoli Identity Manager (ITIM) deployments to maximize efficiency, security, and compliance. This solution leverages an already-deployed Active Directory infrastructure in conjunction with ITIM. The solution enables ITIM to manage user accounts within Active Directory through Quest ActiveRoles Server via SPML 2.0 (Service Provisioning Markup Language - an Oasis International Standard).
Through this tiered approach, ITIM deployments can proceed more quickly and simply, while delivering deeper ITIM-based identity administration for the Windows/AD environment. A single connection to Active Directory gives codeless provisioning and management of Exchange, SharePoint, Active Directory Lightweight Directory Services accounts (AD LDS, formerly ADAM), and any Active Directory-enabled application. The same approach also benefits any Unix, Linux, or Mac system, as well as a number of enabled applications, that have been brought into the Active Directory "trusted realm" through Quest's identity integration technologies (Vintela Authentication Services and Vintela Single Sign-on for Java), further eliminating the need to build and maintain unique ITIM connectors and to manage identity individually across the wide spectrum of platforms and applications.
Benefits of the combined Quest/Tivoli solution include:
- Decreased time and cost for ITIM implementation
- Wizard-driven configuration (out-of-the-box)
- Pre-built SPML integration
- No need to build and maintain connectors to Unix, Linux, Java, and Mac operating systems
- Streamlining of on-going management because identities are managed through Active Directory and subject to rules and roles defined through Quest ActiveRoles Server
- Quest's Active Directory management and identity integration solutions are:
  - Easy to deploy - Codeless provisioning of Active Directory-based identity lifecycle management
  - Automated account creation in Active Directory with no custom code to maintain
  - Advanced/automated group management that supports segregation of duties
  - Approval workflow and attestation over group memberships
QSFT, Quest Software, IBM, ActiveRoles Server, SPML, Active Directory, Microsoft, MSFT, Vintela
Wednesday, June 11, 2008
Here's an example of a just-reported vulnerability (Computerworld, May 26/08):
Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service Vulnerabilities
The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.
Vulnerable Products: Cisco devices running certain 12.4-based IOS releases and configured to be managed via SSH may be affected by this issue.
And, from the Common Criteria Certification's list of certified products:
Cisco IOS Firewall Version 12.3(14)T and 12.4(4)T - EAL4+ certification on 27-NOV-06
Certification report: ST_VID10038-VR.pdf
Security target: ST_VID10038-ST.pdf
...and SSH was a "security target" of the evaluation:
...the security target specifies that administration of the TOE may be conducted locally via the console port or remotely via an SSH connection to the TOE-enabled router provided an external AAA service capable of single-use mechanisms is used
QED: Security Review or Certification ≠ A Secure Product
Cisco, security, CSCO
Tuesday, June 10, 2008
Live Mesh authorization tickets are standard SAML tickets. They are digitally signed with the Live Mesh private key to prevent spoofing and they expire after a limited lifetime. Some tickets are used to just authenticate users or devices, other tickets contain authorization information about user/device rights. Cloud services inspect each resource request and authorize access only if it contains valid tickets (correctly signed and not expired) and these tickets specify that the requestor indeed has access to the requested resource. For example, a device X can initiate P2P data synchronization with device Y only if it presents a ticket that is correctly signed by Live Mesh and contains a record saying that both device X and Y are claimed by the same user OR if it contains a record saying that X and Y have the same Live Mesh Folder mapped on them (in the case that the devices are claimed by different users that are members of this Live Mesh Folder). Tickets are passed to the cloud services in the Authorization header using HTTPS to prevent replay attacks.
My quick scan of Kim's blog and the Mesh community forum didn't reveal any nuggets.
I think it would be pretty cool if a P2P file and data synchronization could use a SAML token for authorization. Interesting that there's been no fanfare about this. Maybe I missed it?
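To make the quoted ticket check concrete, here is a small model of it written for this post (not Microsoft's code). It assumes a ticket is a signed claim set with an expiry, and, because the example must run offline, stands in an HMAC for the Live Mesh asymmetric signature; the device and user names are constructed.

```python
"""Constructed model of the Live Mesh ticket authorization rule quoted above."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Stand-in for the Live Mesh signing key (the real service signs with a private
# key; HMAC is used here only so the example is self-contained).
SERVICE_KEY = b"constructed-demo-key"

def issue_ticket(claims: dict, lifetime_s: int = 300, now: Optional[float] = None) -> dict:
    """Sign a claim set and bound its lifetime with a not_after timestamp."""
    now = time.time() if now is None else now
    body = dict(claims, not_after=now + lifetime_s)
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def ticket_is_valid(ticket: dict, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature verifies and the ticket is unexpired."""
    expected = hmac.new(SERVICE_KEY, ticket["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["sig"]):
        return None  # tampered or spoofed ticket
    claims = json.loads(ticket["payload"])
    now = time.time() if now is None else now
    if now >= claims["not_after"]:
        return None  # lifetime exceeded
    return claims

def may_sync(ticket: dict, requester: str, target: str, now: Optional[float] = None) -> bool:
    """Device `requester` may start P2P sync with `target` only if the ticket is
    valid AND records that both devices are claimed by one user, OR that both
    have the same Live Mesh Folder mapped."""
    claims = ticket_is_valid(ticket, now)
    if claims is None:
        return False
    for devices in claims.get("claimed_by", {}).values():
        if requester in devices and target in devices:
            return True
    for devices in claims.get("folders", {}).values():
        if requester in devices and target in devices:
            return True
    return False
```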
SAML, Microsoft, MSFT, authorization, WS-*, Active Directory Federation Services
Monday, June 09, 2008
Ian points us to this web site: http://www.passwordchart.com/. The tool takes a phrase and generates a password chart from it. You then enter your desired (easy) password, and the chart gives you the "complex" string to actually type. Rather than remembering the complex password, you remember the chart phrase and your easy password, and regenerate the complex/hard password from them.
For example, the passphrase I tried was: thisisreallyinteresting
Then I typed in my easy-to-remember password: bozo
...and the output was: pLTP8sKLTP
Which I would use, for example, as my Active Directory password. "bozo" is certainly easier to remember than: pLTP8sKLTP
...but is pLTP8sKLTP easier to type than "bozo"?
Interesting concept but what do I do when I forget "bozo"? You know that I will.
In any case, the document explains, in little detail, what you need to do to set up OpenSSH and Kerberos so you can achieve single sign-on between Linux systems and Windows desktops through the use of your Active Directory credential.
As the author states, the main benefit for going through this is:
...many administrators currently use SSH for remote access management, utilizing Kerberos in this way allows an administrator to standardize to one remote access tool and centralize all authentication information.
What I would like to point out is the difference between the open source approach the author proposes and what Quest does with its Vintela Authentication Services product. You can also check out our work in the OpenSSH area here.
The author starts by stating:
On the Linux system, I have installed the following tools (Package names from Fedora Core 5):
On the Windows side, I installed the following tools:
Windows Support Tools
The first point I want to make is that the 6 steps mentioned around Fedora Core 5 are not just point, click and go installation steps. Put on your heavy gloves and get ready for some lifting. Anyway, let's assume you're a Linux guru and you breeze through those parts. The main points I want to bring to your attention are the following:
At a high-level the value in VAS is the same but Quest's value-add is:
- Simpler install
- Consistent install across more than just Linux (e.g., Unix!)
- All the additional ‘value-add’ on top of core VAS (Group Policy is a good example)
- More ‘enterprise ready’ (one package to install, support, tunable)
- The doc described how to manually configure Kerberos – VAS automates this configuration
- The doc required the use of Samba to ‘join’ the linux system to AD – VAS replaces the need for Samba
- The instructions and examples were for a single platform (Linux) – VAS expands the value to a bigger Unix/Linux/Mac picture
- What happens if Active Directory isn't available (i.e., network problems, because we all know that AD would never just be down)? VAS provides a patent-pending "disconnected mode" for exactly this scenario, and for the more common one: you're on your laptop at home rather than at the office!
And a big one...the doc says:
Identity management is beyond the scope of this paper. Kerberos provides authentication but not identity management. If OpenSSH cannot find an identity relating to the login credentials, access will be denied.
I think you might actually need a bit of identity management with that OpenSSH solution. Additionally, scaling this up to support multiple Linux and Unix variants running on 32-bit and 64-bit systems would be a job that I'd jump at - not.
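The denial the quoted paper describes happens at the point where an authenticated Kerberos principal has to be mapped onto a local account. This added example (my own, not from the paper or from VAS) re-implements a simplified form of the krb5.conf `auth_to_local` RULE/DEFAULT mapping in Python and resolves the result against a constructed account table; the realm, rules and accounts are all assumed.

```python
"""Constructed illustration: Kerberos proves who you are, but OpenSSH still
needs a local identity to map the principal onto, or login is denied."""
import re
from typing import List, Optional, Tuple

DEFAULT_REALM = "EXAMPLE.COM"                       # assumed realm
LOCAL_ACCOUNTS = {"jsmith": 1001, "bjones": 1002}  # constructed /etc/passwd stand-in

# Constructed rules in MIT krb5 auth_to_local syntax:
#   RULE:[n:string](regexp)s/pattern/replacement/   then DEFAULT as fallback.
AUTH_TO_LOCAL = [
    r"RULE:[2:$1;$2@$0](.*;admin@EXAMPLE\.COM)s/;admin@EXAMPLE\.COM//",
    r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@EXAMPLE\.COM//",
    "DEFAULT",
]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")

def split_principal(principal: str) -> Tuple[List[str], str]:
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name a single rule produces, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":  # single-component principal in the default realm only
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    n, fmt, selector, pat, repl, flag = RULE_RE.match(rule).groups()
    if int(n) != len(comps):
        return None
    s = fmt.replace("$0", realm)  # expand $0 (realm) and $1..$n (components)
    for i, comp in enumerate(comps, 1):
        s = s.replace(f"${i}", comp)
    if not re.fullmatch(selector, s):
        return None
    return re.sub(pat, repl, s, count=0 if flag else 1)

def resolve_login(principal: str) -> Optional[int]:
    """Authenticated principal -> local uid, or None: no identity, access denied."""
    for rule in AUTH_TO_LOCAL:
        local = apply_rule(rule, principal)
        if local is not None:
            return LOCAL_ACCOUNTS.get(local)  # first matching rule decides
    return None
```

A principal that Kerberos authenticated perfectly well still gets None here unless someone has already provisioned the matching local account, which is the identity management the paper leaves out of scope.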
In my travels I've run across many customers that thought a 6 page document was enough to build an enterprise Unix/Linux/Active Directory integration and single sign-on strategy and deployment around. We even received an email from one today who said they were going to go with Samba and do the work themselves for their 400+ Unix/Linux servers. I always tell them the same thing: Give us a call when you're ready - We'll honor our quote! They always come back.
Active Directory, Kerberos, Microsoft, MSFT, open source, OpenSSH, QSFT, Quest Software, single sign-on, Vintela
Sunday, June 08, 2008
There are lots of white papers and downloads available from this page, and there's a link to win an Xbox 360 and Guitar Hero:
What’s Your Scenario? – Submit your Recovery Manager for Active Directory scenario for a chance to win an Xbox 360 and Guitar Hero ® III game!
Quest Software, QSFT, MSFT, Active Directory