Slide 1: (Duo) Multifactor at Carleton College (work in progress)
Rich Graves, 8-28-14

Slide 2: Passwords Suck, and We Share Them
Since 2006, “carleton” has not been a valid password for most users, but…

Slide 3: “Policy” Background
Since 2011, an attempt to establish a norm that remote access to sensitive data requires two-factor authentication:
– OpenVPN: certificate + password
– SSH: Duo (or RSA key) (key issues)
– Citrix: Duo for remote access only

Slide 4: 2-Factor for Web Applications
“The new version of X won’t need a VPN anymore because it uses a secure web server instead of the old fat client”
– Some web applications are limited to campus IPs
– Moving toward single sign-on with Shibboleth and Duo 2-factor authentication
– Duo supports ADFS, which is probably in our future
– To Datatel/Ellucian Colleague, “single sign-on” means a portal that caches your cleartext password and forwards it in a SOAP call

Slide 5: Wake Up! Hands-On Tech Time
– CentOS 6, Tomcat, Apache
– Shibboleth
– Internet2 Multi Context Broker
– DuoSecurity web integration
Thanks to InCommon and langedb (University of Chicago) for writing and packaging most of the code, making it “just a matter of following the directions”.

Slide 6: Demo VM
Download my OVF from DropBox:
– VM root login: root/shibboleth
To play along and try Duo right now:
– Accounts user1/1 through user200/200: the password for “user101” is simply “101”

Slide 7: STRIDE Approach to SSO Threats
From Adam Shostack’s book Threat Modeling and his card game “Elevation of Privilege”. Spoofing and Tampering are paramount here; key management may be your weak link.
– Spoofing: impersonating something or someone else.
– Tampering: modifying data or code.
– Repudiation: claiming to have not performed an action.
– Information Disclosure: exposing info to someone not authorized.
– Denial of Service: denying or degrading service to users.
– Elevation of Privilege: gaining capability without proper authorization.

Slide 8: Practical Complications
– Moodle, Zimbra, and other applications have “local” users
  – Make them talk a protocol that JAAS can understand (LDAP, JDBC); add the module to login.config after the LDAP/Kerberos modules
– Wholly proprietary web applications
  – ADFS+Duo handles some Microsoft stuff.
  – Or: reverse proxy, VPN, accept the risk.
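The “add to login.config after LDAP/Kerberos” step on this slide is a JAAS login-context stanza. The following is an added illustration written for this transcript, not a file from the presentation, from Carleton, or from the Shibboleth or Duo projects. It assumes the login-context name ShibUserPassAuth (the name the Shibboleth IdP 2.x username/password handler looks up by default), placeholder hostnames and DNs in example.edu, and a locally written or third-party JDBC login module (no JDBC JAAS module ships with the JDK, so its class name and options are placeholders). The Kerberos and LDAP modules are the JDK-supplied com.sun.security.auth.module classes.

```text
// Added example for this transcript; not the presentation's own file.
// Context name "ShibUserPassAuth" is assumed (IdP 2.x default); hosts,
// DNs and the JDBC module class are placeholders for local values.
ShibUserPassAuth {
  // 1. Campus Kerberos first. Realm and KDC come from /etc/krb5.conf.
  //    "sufficient": a success here ends the chain, a failure falls through.
  com.sun.security.auth.module.Krb5LoginModule sufficient;

  // 2. Campus LDAP (JDK module). {USERNAME} is replaced by the module with
  //    the name the user typed; useSSL=true forces TLS to the directory.
  com.sun.security.auth.module.LdapLoginModule sufficient
      userProvider="ldaps://ldap.example.edu/ou=people,dc=example,dc=edu"
      authIdentity="uid={USERNAME},ou=people,dc=example,dc=edu"
      useSSL=true;

  // 3. Application "local" users (e.g. a Moodle user table) last.
  //    Placeholder class and options: substitute the module actually deployed.
  edu.example.auth.jaas.JdbcLoginModule sufficient
      url="jdbc:mysql://db.example.edu/moodle"
      query="SELECT password FROM mdl_user WHERE username=?";
};
```

Two things to check before deploying a chain like this. First, because every module is `sufficient`, a campus account that fails Kerberos and LDAP (for example, a mistyped password) is then tried against the application's local table, so a weaker local store without lockout or strong hashing quietly becomes the fallback for every campus user; keep the local-user namespace disjoint from campus usernames, or give each application its own login context rather than appending to the shared one. Second, confirm that the JAAS login path is the one the Multi Context Broker invokes, otherwise local users authenticate without ever reaching the Duo step.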

Slide 9: User-Facing FAQs
Work in progress