
1 Novell BrainShare 2002 Installing, Configuring, and Administering Novell Modular Authentication Service (NMAS™) Reed Haslam Sr. Software Engineer Novell, Inc. Hal Henderson Sr. Software Engineer Novell, Inc. TUT242—Installing, Configuring, and Administering Novell Modular Authentication Service

2 Outline
What is NMAS™?
Multiple factor authentication
NMAS methods and login sequences
NMAS architecture
Installing NMAS and login methods
Configuring and using login methods
What is graded authentication?
Configuring and using graded authentication
NMAS troubleshooting tips

3 What Is NMAS? Secure Enterprise Access Management
“NMAS reduces the risk of information compromise within the organization by enabling strong authentication and advanced authorization.”

4 Are Passwords Secure Enough?
Are you confident that the user is who he or she claims to be? Employee Jane.Smith logs in with the password jsmith; an attacker claiming to be Jane.Smith presents the same easily guessed password and is indistinguishable from her. A password alone proves knowledge of a secret, not the identity of the person typing it.

5 What Does NMAS Do for Your Business?
Provides many options for logging in, including things you
Know: user names, passwords…
Have: tokens, certificates, smart cards, proximity cards…
Are: fingerprint, voice, or face recognition…
Reduces the risk of unauthorized access to or modification of data
Complete, comprehensive feature set
Centralized, enterprise-strength

6 Business Benefits
Security: completely integrated with Novell eDirectory™, offering easy setup for strong authentication and advanced authorization
Choice: support for many authentication (login) methods
Simplicity: single point of administration for identity management
Consistency: consistent, company-wide security policy through eDirectory

7 Key Business Benefits of NMAS
Security, choice, simplicity, consistency, convenience
“Lowers the cost of ownership of advanced authentication solutions”

8 Vision…one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world


10 NMAS Standard Edition and NMAS Enterprise Edition
NMAS Standard Edition (SE) ships with NetWare 6 and Novell eDirectory™
NMAS Enterprise Edition (EE) can be purchased separately or as part of the Novell Secure Access Suite
NMAS SE allows only one method per login sequence, and only selected Novell methods
NMAS EE allows multiple methods per sequence, which is what enables multi-factor authentication
NMAS EE allows all Novell and third-party methods to be used
NMAS EE also enables “Graded Authentication”

11 Authentication Factors
Something you are (biometrics): fingerprint, voice, facial recognition, etc.
Something you hold: smart cards, X.509 certificates, challenge/response tokens, proximity cards
Something you know: passwords

12 NMAS EE Supports Multiple Factors
Password or biometric
Biometric and smart card
Password and biometric and smart card

13 NMAS Methods
NMAS provides authentication through the use of one or more NMAS methods. An NMAS method
Is provided by Novell and by many Novell partners
Is a module separate from the NMAS framework, which keeps NMAS flexible and modular
Is digitally signed by Novell, so that a tampered or bogus method cannot be substituted for a real one
Is represented in the directory by a Login Method Object (LMO)

14 Suitability of NMAS Methods
Only signed methods whose signature can be verified are loaded by the NMAS server
The signature establishes a method's origin and integrity only; Novell does not represent the quality of any third-party NMAS login method
NMAS customers must determine the suitability of a login method for their environment and systems
Obtain method details and features directly from the vendor

15 NMAS Partners

16 Login Sequences
NMAS EE allows methods to be “chained” together into login sequences
Each method in a sequence is executed in the order specified
Methods can be entered into “and” or “or” sequences
All methods in an “and” sequence must be passed for authentication to succeed; in an “or” sequence, completing any one method is enough

17 Post-Login Methods
Methods added to a sequence that are executed after the authentication methods in the sequence have completed successfully
Can be used to automatically take care of any task that requires the user to be authenticated first, for example:
Workstation Access: locks the workstation or forces logout after a defined period of inactivity
Download of X.509 certificates and private keys
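The sequence rules of slides 16 and 17, as an added Python model that is not Novell code: methods run in the listed order, an "and" sequence stops at the first failure and an "or" sequence at the first success, the grades earned come only from the methods that actually passed, and post-login methods run only once authentication has succeeded. The method names, grade strings, credential fields and the directory data are constructed for the illustration and are not NMAS identifiers; the Engineering sequence's real methods are not shown on slide 47, so password plus token is assumed.

```python
"""Login-sequence evaluator, added as a worked example (not Novell code).

Models the NMAS EE rules on slides 16 and 17: methods run in the order
listed; an "and" sequence succeeds only if every method passes, an "or"
sequence as soon as one method does; post-login methods run only after the
authentication methods have succeeded.  Method names, grade strings, the
directory data and the credential formats are constructed for illustration
and are not NMAS identifiers."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Method:
    name: str
    grade: str                         # GA grade earned when this method passes
    verify: Callable[[dict], bool]     # checks the presented credentials


@dataclass
class Sequence:
    name: str
    mode: str                          # "and" or "or"
    methods: List[Method]
    post_login: List[Callable[[dict], None]] = field(default_factory=list)


@dataclass
class LoginResult:
    ok: bool
    grades: frozenset                  # grades earned; includes "logged-in" on success
    executed: Tuple[str, ...]          # methods actually run, in order
    post_login_ran: bool


def run_sequence(seq: Sequence, creds: dict) -> LoginResult:
    if seq.mode not in ("and", "or"):
        raise ValueError(f"{seq.name}: mode must be 'and' or 'or'")
    if not seq.methods:
        raise ValueError(f"{seq.name}: a sequence needs at least one method")
    executed, passed = [], []
    for m in seq.methods:
        executed.append(m.name)
        if m.verify(creds):
            passed.append(m)
            if seq.mode == "or":
                break                  # one success suffices; later methods are never prompted
        elif seq.mode == "and":
            break                      # one failure ends an "and" sequence
    ok = len(passed) == len(seq.methods) if seq.mode == "and" else bool(passed)
    grades = frozenset({"logged-in", *(m.grade for m in passed)}) if ok else frozenset()
    if ok:
        for task in seq.post_login:    # e.g. certificate download, workstation-lock policy
            task(creds)
    return LoginResult(ok, grades, tuple(executed), ok and bool(seq.post_login))


# Constructed directory data standing in for eDirectory attributes.
DIRECTORY = {
    "Jane.Smith": {
        "password": "correct horse battery staple",
        "token_secret": "123456",      # stands in for a challenge/response token value
        "fingerprint": "template-A",   # stands in for a stored biometric template
    }
}


def _matches(creds: dict, presented: str, stored: str) -> bool:
    user = DIRECTORY.get(creds.get("user"))
    if user is None or presented not in creds:
        return False                   # unknown user or factor not presented: fail closed
    return secrets.compare_digest(str(creds[presented]), str(user[stored]))


PASSWORD = Method("NDS Password", "Password", lambda c: _matches(c, "password", "password"))
TOKEN = Method("Token", "Token", lambda c: _matches(c, "otp", "token_secret"))
FINGERPRINT = Method("Fingerprint", "Biometric", lambda c: _matches(c, "fingerprint", "fingerprint"))

CERTIFICATES_DOWNLOADED = []           # records post-login work for the demonstration


def download_certificate(creds: dict) -> None:
    CERTIFICATES_DOWNLOADED.append(creds["user"])


# A multi-method "and" sequence in the style of slide 47's Engineering sequence
# (assumed methods: password + token), followed by one post-login method.
ENGINEERING = Sequence("Engineering", "and", [PASSWORD, TOKEN], post_login=[download_certificate])
# An "or" sequence: either factor alone is enough.
FLEXIBLE = Sequence("Password or Fingerprint", "or", [PASSWORD, FINGERPRINT])


if __name__ == "__main__":
    creds = {"user": "Jane.Smith", "password": "correct horse battery staple", "otp": "123456"}
    print(run_sequence(ENGINEERING, creds))
    print(run_sequence(FLEXIBLE, {"user": "Jane.Smith", "password": "jsmith", "fingerprint": "template-A"}))
```

Two details matter for graded authentication later in the deck: the grades a session carries are those of the methods that passed, so an "or" sequence satisfied by the fingerprint alone earns Biometric but not Password, and a failed "and" sequence earns nothing, not even "logged-in", so no post-login method runs.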

18 NMAS Components
NMAS Client: the user logs in through the Novell login (NWGINA); login client modules (LCMs) for the factors presented, such as password (PWD), PIN, smart cards, and biometrics
NMAS Server: the matching login server modules (LSMs), for example Enhanced Password
Method management GUI: ConsoleOne® and iManager
Supporting services: Novell Certificate Server, NICI, eDirectory, the CA service, and third-party services

19 NMAS Directory Objects
Security container (cn=Security, below Root): Security Policy object (categories, labels, clearances); Login Policy object (login sequences); Login Method Container (LMC) holding Login Method Objects (LMOs); Post-Login Method Container (PLMC) holding Post-Login Method Objects (PLMOs)
LMO/PLMO attributes: LSM code attribute, tagged config store attribute, tagged secret store attribute, other attributes
User object (cn=user, under O=org / OU=org unit): tagged config store attribute, tagged secret store attribute, Novell Certificate Store, other attributes

20 NMAS Product Installation Demonstration (Server)

21 NMAS Server Installation

22 License Agreement

23 NetWare or Windows

24 Select Server Components

25 Select Server NMAS methods need only be installed once per eDirectory tree NMAS server software must be installed on all servers that authenticate users

26 Server Installation Summary Screen

27 NMAS Product Installation Demonstration (Client)

28 Product Installation Initial Screen
The program detects components already installed and reports the current status on the client
Client components must be installed on every client

29 The “Umbrella” installer controls installation of the NICI, client, and server components

30 Select the Methods to Install on the Client

31 Select the Post-Login Methods to Install on the Client

32 NMAS Method Installation Demonstration (ConsoleOne)

33 ConsoleOne Administration

34 Installing a Login Method
1. Select the Login Method Container

35 Adding the Login Method Object
2. Select SAS: NMAS Login Method

36 Specify the Method Configuration File
3. Enter the name of the Method Configuration File

37 Vendor License Agreement
4. Accept the Vendor’s License Agreement

38 View Method Information
5. Specify the Method name (optional)

39 View Modules Provided for the Method
6. View method modules

40 Complete Installation
7. Auto-create a login sequence with the same name

41 View an Existing Login Method
Right click the LMO and select Properties

42 Description Tab Presents General Information; Allows Updates

43 Some Methods have Method-Specific Tabs (Enhanced Password)

44 Login Sequence Management

45 Login Sequences are Stored on a Multi-Valued Attribute of the Login Policy Object

46 Enhanced Password Login Sequence

47 Engineering Login Sequence Multiple Method Sequence


49 Graded Authentication (GA): Protecting Information

50 Types of Access Controls
Two types of access controls
Discretionary (DAC): based on user identity
Mandatory (MAC): based on how the user authenticates (login factors) and on the user's assignment to “closed user groups”

51 Access Control Paradigm Shift
Discretionary controls: manage users; trust all logins equally; a user can grant access to others; it is difficult to determine what rights have been granted
Mandatory controls: manage data; different levels of trust for each login; users cannot override the policy; simplify the implementation of a security policy within a large enterprise

52 Access Control Paradigm Shift (cont.)
Discretionary Access Controls (DAC) are neither changed nor replaced by Mandatory Access Controls (MAC)
Access requirements for both discretionary controls and GA controls must be met to gain access to data

53 Graded Authentication
Based on mandatory access controls
Controls access to information based on “how the user authenticated”, using the authentication factors as grades
Prevents sensitive information from being read (secrecy) or modified (integrity) by an insufficiently graded login
Prevents sensitive information from being copied to less secure storage

54 How Graded Authentication Works
Volumes and eDirectory attributes can be “labeled” to restrict access
Users are granted clearances dependent on
Factors used during authentication (password, token, biometric)
Membership in “closed user groups”
At runtime a logical AND of the label bits and the clearance bits determines the access rights

55 Graded Authentication Terminology
Categories: two types, each assigned a bit
Integrity: who can change information
Secrecy: who can see information
Labels: a name for a set of zero or more categories
Clearances: represent user trust; the read label limits reading of data, the write label limits writing of data

56 Graded Authentication Terminology (cont.)
Grades: qualities of a login method (password, biometric, token); all authenticated users are at a minimum given the grade of “logged-in”
Closed User Groups: represent classes of data and users; implemented with categories that do not map to grades
GA can be implemented with just grades (password, token, biometric), with just closed user groups, or with both

57 Who Should Get Access to What?

58 Sales Access Restricted

59 Information Flow Control

60 Labeling Resources
Research data: Biometric & Password
Payroll data: Token
Sales data: Password

61 Biometric Access Control Example (Biometric clearance)
Department / Label / Access
Research / Biometric and Password / Read, Write
Payroll / Token / none
Sales / Password / Read

62 Access Control Example: SmartCard and Password (Token clearance)
Department / Label / Access
Research / Biometric / none
Payroll / Token / Read, Write
Sales / Password / none

63 Only Multi-Level Administrators Can Move Data between Volumes
Must be assigned a multi-level clearance
Must log in with a sequence that earns the GA grades needed to access all areas
Multi-level administration

64 Graded Authentication Demonstration

65 Family Security Policy
Parents’ files can be modified only by parents Parents’ files can be read by children and parents Children’s files can be modified only by children Children’s files can be read by children and parents Parents’ secret files can only be read and modified by parents Those who are not family members (parents or children) have no access to the kids or parents information

66 Implementing Family Security Policy
Define categories Define labels Define clearances Assign clearances to users (family members)

67 Category Definitions
Kids integrity category
Parents integrity category
Parents secrecy category
Biometric secrecy category (built-in)
Password secrecy category (built-in)

68 Categories, Labels, and Clearances Are Attributes of the Security Policy Object

69 Define Integrity Categories

70 Define Secrecy Categories

71 Label Definitions
Kids: Kids integrity category, Password secrecy category (built-in)
Parents: Parents integrity category
Parents Private: Parents secrecy category, Biometric secrecy category (built-in)

72 Label Definitions (cont.)
Password: Password secrecy category (built-in)
Family High: Parents secrecy category, Biometric secrecy category (built-in)
Family Low: Kids integrity category, Parents integrity category

73 Define Parents Label

74 Define Kids Label

75 Define Family High Label

76 Clearance Definitions
Kid: Read Label: Password; Write Label: Kids
Parent: Write Label: Parents

77 Clearance Definitions (cont.)
Secret Parent: Read Label: Parents Private; Write Label: Parents Private
Family Administrator: Read Label: Family High; Write Label: Family Low

78 Kid Clearance Definition

79 Family Administrator Clearance Definition

80 Access for Family Administrator Clearance

81 Access for Parent Clearance

82 Access for Kid Clearance

83 Clearance Assignments
Father: Parent, Secret Parent, Family Administrator (default)
Mother: Parent (default)
Each child: Kid (default)

84 Set Authorized and Default Clearances for Papa

85 Set Authorized and Default Clearances for a Child

86 Volume Labeling
Parents volumes: Parents label
Kids volumes: Kids label
Parents Secret volumes: Parents Secret label
Read/write volumes for all family members: Password label

87 Label Kids’ Volumes with the “Kids” Label

88 Label the Parents’ Volumes with the “Parents” Label

89 Label Volumes for All Family Members with the Password Label
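The label and clearance arithmetic of slides 54 to 56, applied to the family policy built on slides 65 to 89, as an added Python example that is not Novell code. Category, label and clearance names are the slides' own. Two assumptions are marked in the code: the dominance rule (a label dominates another when it carries at least the same secrecy categories and no more integrity categories) is the standard multilevel-security reading of the slide's "logical AND of label bits and clearance bits", not a description of the NMAS implementation; and the Family High label is given the built-in Password category so that the Family Administrator's read label dominates every label in the family. The Parent clearance is left out because the transcript omits its read label. The `required_grades` check models slide 63: a clearance is only usable in a session whose login sequence earned the built-in grades its labels contain.

```python
"""Graded Authentication decision model, added as a worked example (not Novell code).

Each category is one bit; a label is a set of category bits; a clearance is a
read label and a write label.  ASSUMPTION: label A dominates label B when A has
every secrecy bit of B and B has every integrity bit of A (the usual
multilevel-security reading of "a logical AND of label and clearance bits").
Reading needs the clearance's read label to dominate the resource label;
writing needs the resource label to dominate the clearance's write label."""
from enum import Enum


class Kind(Enum):
    SECRECY = "secrecy"        # who may see the data
    INTEGRITY = "integrity"    # who may change the data


class Policy:
    """Stands in for the Security Policy object: categories, labels, clearances."""

    def __init__(self):
        self.categories = {}   # name -> (bit, kind, built_in grade?)
        self.labels = {}       # name -> bitmask of category bits
        self.clearances = {}   # name -> (read label name, write label name)
        self.sec_mask = 0
        self.int_mask = 0

    def add_category(self, name, kind, built_in=False):
        bit = 1 << len(self.categories)
        self.categories[name] = (bit, kind, built_in)
        if kind is Kind.SECRECY:
            self.sec_mask |= bit
        else:
            self.int_mask |= bit

    def add_label(self, name, *category_names):
        mask = 0
        for c in category_names:
            mask |= self.categories[c][0]
        self.labels[name] = mask

    def add_clearance(self, name, read_label, write_label):
        # The read label must dominate the write label, otherwise there is no
        # label the holder could both read and write.
        if not self.dominates(self.labels[read_label], self.labels[write_label]):
            raise ValueError(f"{name}: read label must dominate write label")
        self.clearances[name] = (read_label, write_label)

    def dominates(self, a, b):
        secrecy_ok = (a & b & self.sec_mask) == (b & self.sec_mask)      # a holds all of b's secrecy bits
        integrity_ok = (a & b & self.int_mask) == (a & self.int_mask)    # b holds all of a's integrity bits
        return secrecy_ok and integrity_ok

    def can_read(self, clearance, resource_label):
        read_label, _ = self.clearances[clearance]
        return self.dominates(self.labels[read_label], self.labels[resource_label])

    def can_write(self, clearance, resource_label):
        _, write_label = self.clearances[clearance]
        return self.dominates(self.labels[resource_label], self.labels[write_label])

    def required_grades(self, clearance):
        """Built-in grade categories a login sequence must earn before this clearance is usable."""
        read_label, write_label = self.clearances[clearance]
        mask = self.labels[read_label] | self.labels[write_label]
        return {n for n, (bit, _, built_in) in self.categories.items() if built_in and mask & bit}

    def usable_with(self, clearance, grades_earned):
        return self.required_grades(clearance) <= set(grades_earned)


def family_policy():
    p = Policy()
    # Categories from slide 67; Biometric and Password are the NMAS built-in grades.
    p.add_category("Kids integrity", Kind.INTEGRITY)
    p.add_category("Parents integrity", Kind.INTEGRITY)
    p.add_category("Parents secrecy", Kind.SECRECY)
    p.add_category("Biometric", Kind.SECRECY, built_in=True)
    p.add_category("Password", Kind.SECRECY, built_in=True)
    # Labels from slides 71-72.  ASSUMPTION: Family High also carries Password, so the
    # administrator's read label dominates the Password-labelled family volumes.
    p.add_label("Kids", "Kids integrity", "Password")
    p.add_label("Parents", "Parents integrity")
    p.add_label("Parents Private", "Parents secrecy", "Biometric")
    p.add_label("Password", "Password")
    p.add_label("Family High", "Parents secrecy", "Biometric", "Password")
    p.add_label("Family Low", "Kids integrity", "Parents integrity")
    # Clearances from slides 76-77 (Parent omitted: its read label is not in the transcript).
    p.add_clearance("Kid", "Password", "Kids")
    p.add_clearance("Secret Parent", "Parents Private", "Parents Private")
    p.add_clearance("Family Administrator", "Family High", "Family Low")
    return p


def access_matrix(policy, clearance):
    """Per volume label, (can read, can write) for a clearance, like slides 80-82."""
    return {label: (policy.can_read(clearance, label), policy.can_write(clearance, label))
            for label in ("Kids", "Parents", "Parents Private", "Password")}


if __name__ == "__main__":
    fam = family_policy()
    for c in fam.clearances:
        print(c, access_matrix(fam, c), "needs grades", sorted(fam.required_grades(c)))
```

The Secret Parent row is the information-flow rule of slide 53 in action: the clearance can read and write Parents Private, but it can neither read nor write the Kids or Password volumes, because a write is allowed only when the target's label dominates the clearance's write label, so secrets cannot be copied down to less secure storage. The same father must switch to his Parent or Family Administrator clearance, and have logged in with the grades those clearances need, before touching those volumes.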

90 GAMSView Displays Your Current Clearance
Launch GAMSView from its icon in the system tray

91 Troubleshooting
NMAS must be running on a server with a read/write replica of the user object
The tree key must be synchronized on all NMAS™ servers
eDirectory must be synchronized
Install login method server modules once per tree
Update Login Method objects rather than deleting and recreating them
Capture NMAS debug output at the server console: NMASMON * sys:\public\nmas.txt trunc

92 Troubleshooting (cont.): NMAS and BorderManager®
The problem applies to BorderManager 3.5 and later releases
If a Login Policy Object does not exist in the tree, create it using NWAdmin with the BorderManager snap-ins
At a NetWare server console, run ADMATTRS.NLM; this NLM has shipped with NMAS since v2.0 and also ships with NetWare 6
Use NWAdmin with the BorderManager snap-ins to create login rules for the users who will use BorderManager
Make sure the replicas of the partition containing the security container are in sync, then reboot the server

93 Summary
Provides authentication based on factors other than passwords
Supports several third-party login devices
Enables multi-factor authentication
Centralized, enterprise-wide access control
Provides access control (grades) based on how a user logs in

94 wiN big: visit the Access and Security table in the one Net solutions lab to obtain an entry form
