Presentation is loading. Please wait.

Presentation is loading. Please wait.

(Duo) Multifactor at Carleton College work in progress Rich Graves 8-28-14 1.

Published byMorgan Blake Modified over 9 years ago

Similar presentations

Presentation on theme: "(Duo) Multifactor at Carleton College work in progress Rich Graves 8-28-14 1."— Presentation transcript:

1 (Duo) Multifactor at Carleton College work in progress Rich Graves 8-28-14 1

2 Passwords Suck, and We Share Them 2 Since 2006, “carleton” not a valid password for most users, but…

3 “Policy” Background Since 2011, attempt to establish a norm that remote access to sensitive data requires two- factor authentication OpenVPN: certificate + password SSH: Duo (or RSA key) (key issues) Citrix: Duo for remote access only 3

4 2-Factor for Web Applications “The new version of X won’t need a VPN anymore because it uses a secure web server instead of the old fat client” Some web applications limited to campus IPs Moving toward single sign-on with Shibboleth, Duo 2-factor authentication Duo supports ADFS, which is probably in our future To Datatel/Ellucian Colleague, “single sign-on” means a portal that caches your cleartext password and forwards it in a SOAP call 4

5 Wake Up! Hands-On Tech Time CentOS 6, Tomcat, Apache Shibboleth 2.4.1 Internet2 Multi Context Broker DuoSecurity web integration Thanks to InCommon and langedb (University of Chicago) for writing and packaging most of the code, making it “just a matter of following the directions” 5

6 Demo VM Download my OVF from DropBox: –http://preview.tinyurl.com/shib-centos6 –VM root login: root/shibboleth To play along and try Duo right now: –https://login.carleton-edu.com/ –user1/1 - user200/200 The password for “user101” is simply “101” 6

7 STRIDE Approach to SSO Threats From Adam Shostack’s book Threat Modeling and his card game “Elevation of Privilege” Spoofing & Tampering paramount here Key management may be your weak link Spoofing: Impersonating something or someone else. Tampering: Modifying data or code. Repudiation: Claiming to have not performed an action. Information Disclosure: Exposing info to someone not authorized. Denial of Service: Deny or degrade service to users. Elevation of Privilege: Gain capability without proper authorization. 7

8 Practical Complications Moodle, Zimbra email, and other applications have “local” users –Make them talk a protocol that JAAS can understand (LDAP, JODBC), add to login.config after LDAP/Kerberos Wholly proprietary web applications –ADFS+Duo handles some Microsoft stuff. –Or: reverse proxy, VPN, accept the risk. 8

9 User-Facing FAQs Work in progress https://wiki.carleton.edu/x/CI08AQ 9

Download ppt "(Duo) Multifactor at Carleton College work in progress Rich Graves 8-28-14 1."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.

Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
Woodland Hills School District Computer Network Acceptable Use Policy.

Woodland Hills School District Computer Network Acceptable Use Policy.
 SONA ENTERPRISE was founded in 2008 as a manufacturer and developer of high performance, versatile wireless solutions for Wireless Internet Service.

 SONA ENTERPRISE was founded in 2008 as a manufacturer and developer of high performance, versatile wireless solutions for Wireless Internet Service.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Access Control Methodologies

Access Control Methodologies
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Mobile and Wireless Security INF245 Guest lecture 17.10.2007 by Bjorn Jager Molde University College.

Mobile and Wireless Security INF245 Guest lecture by Bjorn Jager Molde University College.
Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,

Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,
Email Security Jonathan Calazan December 12, 2005.

Security Jonathan Calazan December 12, 2005.
Authentication via campus single sign-on 2012 VIVO Implementation Fest.

Authentication via campus single sign-on 2012 VIVO Implementation Fest.
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
Grouper UI Part 1 Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Grouper UI Part 1 Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Similar presentations

Ads by Google