3. Identity Management
– Consolidates and streamlines the management of user IDs, authentication, and access across multiple systems
– Binds users to established policies, processes and privileges to ensure consistency
• For that, Identity Management should include:
» Password Management
» Account Management
» Profile Management
» Directory Management
» Single sign-on
4. Password Management
• Most common authentication technology in use
• Can be compromised over time
• So it has to be changed every 30 – 90 days
– The shorter the interval the better, but frequent changes are cumbersome to memorize
• With multiple passwords on multiple systems that expire at separate times, users tend to write them down (someone can steal the note and own the system)
• Users tend to rotate among a couple of passwords, making them easier to guess
• Password policies, standards, and complexity need to be managed consistently
• Lock the system if the password is guessed wrong 3-5 times
5. Contd…
• This prevents damage at the cost of calls to the help desk (users are notorious for forgetting passwords, since they change every couple of months or the user returns from a long vacation)
• It creates help desk jobs but costs the industry money
• A password management system is designed to manage passwords consistently across the enterprise with a central tool synchronizing passwords across multiple systems
• Multifactor authentication can be deployed
• Self-registration and self-service verification can be used (like the ones used by larger internet sites):
– Asking for a verification code sent to a mobile phone
– Secret questions
– Pictures
– Sending an email to a trusted email account to change the password
(all these help the help desk spend less time unlocking accounts)
6. Account Management
• New job = new access rights to be granted
• Job ended = user account needs to be decommissioned ASAP (minimize the time an inactive account stays alive)
• Web-based access management addresses the issue (e.g. Hotmail)
• Old systems might not interact well with a new single centralized account directory; even if they do, there may still be limitations
• Account Management systems attempt to identify a user across multiple systems
• Management processes must be performed on each system
7. Contd…
• This should include one or more features to ensure a central, cross-platform security administration capability:
– Central facility to manage user access to multiple systems (ensures consistency, reduces manual entry errors, helps system admins)
– Workflow system (ensures prompt action, e.g. on new/added or terminated access)
– Automatic replication of data (user records between systems, ensuring permissions are propagated uniformly between systems)
– Facility for loading batch changes (makes big hires/fires and organizational restructuring efficient)
– Automatic creation, change and removal of access triggered by other departments (e.g. HR or the corporate directory), so manual intervention is minimized and the chance of wrong access permissions is greatly reduced
8. Contd…
• Obstacles
– Higher cost of full deployment
– Complexity of the account management system
Start small, gain experience and success before full-scale deployment
• Interface issues can be a big project killer
– A fully automated account management system has to interface with each system
– This is hard to do because of the numerous applications and directories
– Different interfaces which weren't designed to interface with the ACM, esp. on older systems and mainframes
– Dedicated programmers are needed and it is time consuming
9. Profile Management
• Profile = collection of info associated with a particular identity or group
• In addition to user ID and password, a user profile should include personal info like name, phone, emergency #, etc.
• This info is subject to change over time
• Changes can be made either administratively or by the user
• It is helpful to let users enter and manage the data that is not sensitive and needn't be validated
• This increases accuracy and saves the time and cost of implementing changes
10. Directory Management
• A directory is a comprehensive database designed to centralize data management
• A typical directory contains a hierarchy of objects storing info about users, groups, systems, servers, printers
• The directory is stored on one or more servers to ensure scalability and availability
• Applications access data stored in the directory by means of a standard directory protocol
11. Contd…
• Benefit: provides a centralized collection of user data
– Can be used by many applications to avoid replication of info and simplify architecture
• Using a directory it's possible to configure several applications to share data about users rather than each system managing its own user and authentication data
• Limitation
– Integration with legacy systems, mainframes and outdated servers
12. Directory Technologies
• Centralized directory service
• Supported by international standards
• Developed by the International Telecommunication Union (ITU-T) as a communication protocol
Types of Directory Technologies
1. X.500
2. Lightweight Directory Access Protocol
3. Active Directory
4. X.400
13. Contd…
1. X.500
Developed by ITU-T in the 1980s
Also known as ISO/IEC 9594
Facilitates a standard method of developing electronic directories for use over telecom networks
Originally developed to work with the OSI network communications model
Currently TCP/IP can be used
Info in X.500 is organized in a hierarchy. The key field in the database is the Distinguished Name (DN)
The DN provides the full path through the X.500 database
Also supports the Relative Distinguished Name (RDN), which identifies a specific entry without the full path component attached
Contains 4 separate protocols:
Directory Access Protocol (DAP) – primary protocol for accessing information in X.500
Directory System Protocol (DSP)
Directory Information Shadowing Protocol (DISP)
Directory Operational Bindings Management Protocol (DOP)
14. 2. Lightweight Directory Access Protocol (LDAP)
• X.500 is complex to implement & administer and uses OSI protocols
• Developed in the 1990s, based on X.500 (DAP), uses TCP/IP port 389 – very simple
• Version 3 of the LDAP protocol supports TLS to encrypt communication; it can also be used over an SSL connection via TCP port 636
• Supports DN, RDN
• Operates in a client/server architecture
• Client requests may be connecting to or disconnecting from LDAP, searching directory entries, comparing info, and reading, writing or deleting directory info
[Diagram: Client sends Request to LDAP Server, which returns Result]
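Added example (not from the slides): a small parser for the DN string form used by X.500 and LDAP, showing how a DN decomposes into RDNs and how the leading RDN differs from the full path. It follows the RFC 4514 conventions for ",", "+", "=" and backslash escapes; the sample DN is constructed, and multi-byte hex escapes are deliberately not handled.

```python
# Sample DN (constructed): a multi-valued leaf RDN whose cn contains an escaped comma.
SAMPLE_DN = "cn=Doe\\, Jane+uid=jdoe,ou=People,dc=example,dc=com"


def split_unescaped(s, sep):
    """Split s on sep, leaving any separator that is preceded by a backslash untouched."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair intact for now
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(v):
    """Resolve RFC 4514 escapes: '\\X' for a special character, '\\HH' for a hex byte."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))   # single-byte hex escape only (simplification)
                i += 3
                continue
            out.append(v[i + 1])                 # escaped special character such as ',' or '+'
            i += 2
            continue
        out.append(v[i])
        i += 1
    return "".join(out)


def parse_dn(dn):
    """Return the DN as a list of RDNs, leaf first; each RDN is a list of (attribute, value)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):    # '+' joins attributes of a multi-valued RDN
            attr, eq, val = ava.partition("=")
            if not eq:
                raise ValueError(f"RDN component without '=': {ava!r}")
            avas.append((attr.strip().lower(), unescape(val.lstrip())))
        rdns.append(avas)
    return rdns


def rdn_of(dn):
    """The entry's own name: the RDN without the path (the slide's 'specific entry')."""
    return parse_dn(dn)[0]


def parent_dn(dn):
    """The rest of the path: the DN minus its leading RDN, escapes preserved."""
    return ",".join(split_unescaped(dn, ",")[1:])


if __name__ == "__main__":
    for level, rdn in enumerate(parse_dn(SAMPLE_DN)):
        print(level, rdn)
    print("RDN   :", rdn_of(SAMPLE_DN))
    print("parent:", parent_dn(SAMPLE_DN))
```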
15. 3. Active Directory
• Implementation of the LDAP protocol for Microsoft environments
• With additional plug-ins, AD can be used in UNIX, Linux, and mainframe environments
• Provides central authentication and authorization capabilities for users and system services at the enterprise-wide level
• AD has the ability to enforce organizational security and configuration policies
• This is the reason AD is used to enforce user- and system-level security policies in a uniform and highly auditable manner
• AD uses LDAP for its naming structure, a hierarchical framework to store info
• AD is organized into forests (the collection of all objects and their attributes) and trees (logical groupings of one or more AD security domains within a forest)
• Domains in AD are identified by their name. Objects in AD are grouped by organizational units
16. Single Sign-On (SSO)
• SSO is also referred to as reduced sign-on or federated ID management
• Sign on to a centralized system so that the user can access multiple servers/applications without signing on to individual servers
• When opening an application, the user's SSO credentials are entered automatically (client software is used to open the appropriate application programs)
• Central repository of user credentials: if a password is changed in an application, the password in the SSO system must be changed
• The changed password must be stored in the SSO system to maintain synchronization among applications
• For SSO solutions, a Smart Card (secured by a PIN, storing an array of user credentials in memory) is used
• The smart card with user credentials, coupled with system software, detects when the user wants to access an application/server. The server authenticates and asks whether the system should learn the credentials for future use. You can store the credentials on your smart card; now you only have to remember the passphrase to unlock the smart card and unlock the system to gain access
17. Contd…
Advantages of SSO solutions
• Efficient log-on process: fewer passwords to remember and work with
• No need for multiple passwords: SSO translates into a single set of credentials for users
• Users may create stronger passwords: a stronger password or passphrase can be used
• Standards can be enforced across the entire SSO system: access control policies and standards can be easily enforced through SSO. Timeouts can be deployed if a user is away from a running workstation
• Centralized administration
Disadvantages
• Costly devices and software
• If the centralized SSO system is compromised or fails, all work comes to a halt at once, causing the company to lose money
• Only one password or passphrase per user: if the password is cracked, the hacker can do significant damage to data
• SSO passwords are stored in a single database = great fun for a hacker if the database is not extremely well secured
• SSO is complex and integration is challenging
18. Script-Based Single Sign-On
• If available solutions are not feasible for a company, use of script-based single sign-on may be possible
• Scripts can manipulate the applications, interacting with them as if they were the users and injecting the user ID, password and other authentication interaction into the application on behalf of the user
• Advantage – functionality
• Disadvantage – costly/complex maintenance and development of such tools
19. Kerberos
• It guards a network with 3 elements: authentication, authorization, and auditing
• Essentially a network authentication protocol
• Designed to provide strong authentication for client/server applications using secret key cryptography
• Effective in open, distributed environments
• It verifies that a user is who they claim to be and that the network services they use are within their permissions
• It has 4 basic requirements for access control
– Security: a network eavesdropper cannot obtain information by impersonating a user
– Reliability: resources must be available to users when needed
– Transparency: the user should not be aware of the authentication process; it should be nonintrusive
– Scalability: support a large number of clients and servers
20. Kerberos Process
• Based on interaction between 3 systems
– Requesting system (principal), endpoint destination server (application, information) and Kerberos or Key Distribution Center (KDC)
• User workstation/application/service (principal) interacts with Kerberos
• Kerberos serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
• Kerberos is based on symmetric encryption and a secret key shared amongst participants
• KDC maintains a database of the secret keys of all principals on the network
21. Contd…
• While acting as Authentication Server (AS) it authenticates the principal (user) via a pre-shared secret key
• Once the user is authenticated, Kerberos operates as TGS, providing tickets
• A ticket is a piece of electronic data validated by the TGS and given to the user to establish a connection between the network and the user
• User requests authentication
• Authentication Server (AS) authenticates using the pre-shared key and sends a ticket (Ticket Granting Ticket or TGT) and a session key for use with the Ticket Granting Server (TGS)
• User gets the ticket and secures the connection with the network; the user also has the right to request service tickets (STs) on the KDC network
• TGTs are valid for a certain period of time and the user needs to re-authenticate after expiration
• Once a TGT is issued, there is no further use of passwords or log-on factors
• Now the user sends an application ticket request with the TGT to the TGS, and the TGS (after validating the TGT) in return generates a unique encrypted session key to be used between user and application server
• KDC packs this data in a Service Ticket (ST) and sends it to the user
• Now the user sends this ST to the application server for access. Once the application server decrypts the session key it authenticates the user
• Encrypted communication is now established
22. Contd…
• Kerberos is time sensitive and requires Network Time Protocol (NTP)
• If time is not synchronized it leads to authentication failure = easy DoS attack
• Once the KDC generates a unique session key, it is first sent to the client (user) to avoid a DoS attack against the application server
• If this is not done, the application server would be overloaded with encrypted session keys
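Added example (not from the slides): a simulation of the AS, TGS and service-ticket exchanges from slides 20-22, including the TGT/ST lifetimes and the clock-skew check that makes Kerberos time sensitive. The principal names, lifetimes, skew limit and the SHA-256-based toy cipher are assumptions; a real KDC uses AES, but the message flow and checks are the ones the slides describe.

```python
import hashlib, hmac, json, os

TGT_LIFE, ST_LIFE, MAX_SKEW = 600, 300, 300   # seconds; assumed policy values

def _stream(key, nonce, n):
    """SHA-256 counter keystream for the toy cipher below."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption (keystream XOR + HMAC); stands in for the AES a real KDC uses."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); a wrong key or a modified ticket fails the HMAC check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def key_from_password(pw):
    # The user's long-term key is derived from the password, the Achilles' heel the slides
    # mention: a guessable password means a guessable key. Plain SHA-256 here for brevity.
    return hashlib.sha256(pw.encode()).digest()

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""
    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)         # secret key of every principal
        self.keys["krbtgt"] = os.urandom(32)     # the TGS's own key, used to seal TGTs

    def as_exchange(self, user, now):
        sk = os.urandom(32).hex()                # user <-> TGS session key
        tgt = seal(self.keys["krbtgt"], {"cname": user, "key": sk, "exp": now + TGT_LIFE})
        # The reply is sealed under the user's key: only the right password can read it.
        return tgt, seal(self.keys[user], {"key": sk, "exp": now + TGT_LIFE})

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired; re-authenticate")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["cname"] != t["cname"] or abs(now - a["ts"]) > MAX_SKEW:
            raise PermissionError("authenticator mismatch or clock skew too large")
        svc_sk = os.urandom(32).hex()            # user <-> application server session key
        st = seal(self.keys[service], {"cname": t["cname"], "key": svc_sk, "exp": now + ST_LIFE})
        # Both the ST and the session key go back to the client, never to the server directly.
        return st, seal(bytes.fromhex(t["key"]), {"key": svc_sk, "service": service})

def service_accept(service_key, st, authenticator, now):
    """Application server: open the ST with its own key, check the authenticator, admit the user."""
    t = unseal(service_key, st)
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["cname"] != t["cname"] or abs(now - a["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator mismatch or clock skew too large")
    return t["cname"]

def client_session(kdc, user, password, service, service_key, kdc_now, client_now):
    """The whole flow from the principal's side; returns the name the service admitted."""
    tgt, reply = kdc.as_exchange(user, kdc_now)
    sk = bytes.fromhex(unseal(key_from_password(password), reply)["key"])  # wrong password fails here
    st, reply2 = kdc.tgs_exchange(tgt, seal(sk, {"cname": user, "ts": client_now}), service, kdc_now)
    svc_sk = bytes.fromhex(unseal(sk, reply2)["key"])
    return service_accept(service_key, st, seal(svc_sk, {"cname": user, "ts": client_now}), kdc_now)

def demo(password="s3cret", client_offset=0):
    """Constructed scenario: principal alice, service 'fileserver', KDC clock at t=1000000."""
    fs_key = os.urandom(32)
    kdc = KDC({"alice": key_from_password("s3cret"), "fileserver": fs_key})
    now = 1_000_000
    return client_session(kdc, "alice", password, "fileserver", fs_key, now, now + client_offset)

if __name__ == "__main__":
    print(demo())                                            # alice
    for bad in ({"password": "guess"}, {"client_offset": 900}):
        try:
            demo(**bad)
        except (ValueError, PermissionError) as err:
            print("rejected:", err)
```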
23. Contd…
• Advantages
– The goal of Kerberos is to ensure private communications between systems over a network
– Managing encryption keys, it acts to authenticate principals in communication based on secret keys and allows access via session keys
– Elegant solution used on many platforms for a broad authentication process
• Disadvantages
– The KDC must be physically secured and should not allow any non-Kerberos activity
– If Kerberos fails, the whole system halts, so a backup and continuity plan should be made
– Keys (both secret and session) are vulnerable to brute-force attack. If they are long, Kerberos is overloaded with encryption work. The Achilles' heel of Kerberos is that keys are derived from passwords; traditional password guessing can compromise the system
Kerberizing ??? Please Explain
24. Secure European System for Applications in a Multi-Vendor Environment (SESAME)
• Project funded by the European Commission to eliminate the drawbacks of Kerberos
• Primarily due to the need to manage symmetric keys across environments: the weakness of Kerberos is scalability; the more entities, the more complex and harder to manage the KDC becomes
• The other weakness is that privilege info is stored on the server that the user uses. Access info needs to be located on each server as the environment grows
• SESAME – an extension of Kerberos – overcomes those limitations by offering sign-on services with distributed access controls across the environment
– Eliminates the need to replicate authorization data across servers
– Uses both symmetric and asymmetric cryptographic techniques for protection of interchanged data, which alleviates Kerberos's key management issues
25. Contd…
• Key attributes of SESAME
– Single Sign-On
– Role-based access control
– Use of Privileged Attribute Certificate (PAC) – similar to a Kerberos ticket
– Use of the Kerberos V5 protocol to access SESAME components
– Use of public key cryptography for distribution of secret keys
26. Perimeter-Based Web Portal Access
• If LDAP is in place, a user can be identified, authenticated and authorized on multiple web-based applications using a web portal tied to Web Access Management (WAM)
• These solutions replace the sign-on process in web applications by the use of plug-in services
• The user needs to sign on once; then he/she can access multiple web applications while the plug-in passes the authentication ticket among applications
• These systems provide effective user management and single sign-on in a web environment, but they cannot support the entire access control environment
• WAM has become common
27. Federated Identity Management
• Single Sign-On is good for a single organization
• When two or more companies have to access each other's systems, trust is a big issue
– E.g. a car company and a parts dealer
• The solution is to create a Federated Identity Management infrastructure: similar policies, standards, and management of user identities, authentication and authorization
• Once the verification and certification process is completed, each company will trust the other
• This is an example of the Cross-Certification Trust Model
• If 3 companies have to come into a federation there will be 6 trust relationships. The higher the number of companies to be federated, the higher the complexity (permutations in terms of trust)
• Suppose several organizations have to be federated but the Cross-Certification Trust Model cannot be used because of its complexity
• So the Third Party Certification Trust Model or Bridge Model has been created
• A third party manages the verification and due diligence process for all participating organizations
• Each organization trusts the third party and can gain access to the databases of the other organizations
28. Once In-Unlimited Access (OIUA)
• Some organizations don't need to restrict their users' access to resources, e.g. public services or website contributors
• Other companies allow their employees to access all the company's resources on their intranet without authentication
• If a user got access to those resources, it is assumed that the user is authorized – no questions asked
• There are no certificates or tokens passed between the authentication system and the application
• Unauthorized users like a contractor or support person can easily gain access under OIUA
29. Logging and Monitoring
• Logging is keeping records of users' activities
• Monitoring is watching what users are doing in the system
• Records of identification, authentication and authorization are useful to understand what is going on within a system
• Attempted log-ons, or an authenticated user trying to gain access to non-privileged applications, indicate that something is going wrong
• Logging and monitoring help backtrack who is trying/doing malicious activities
• Security logs are important for forensic investigations for legal purposes
• Attackers try to delete logs so that they won't be caught. It is therefore critical that the storage and archive systems used to store log data are secured, to preserve the integrity of the information
• In big organizations, security log data is huge (gigabytes) and it takes a lot of time and personnel to review that data for malicious activities
• Event filtering or a Clipping Level should be used
30. Contd…
• When the threshold of log data is reached, automated tools parse out the log info
• Based on abnormal activity (using correlation of logs from multiple systems), it is possible to determine what exactly the attacker was doing
• Best practices to establish log collection and management
– Control the volume of data: based on available storage, processing capacity and manpower
– Do not allow rollover of logs: deleting earlier logs saves disk space but valuable info can be lost. Copying those logs to permanent storage might be important for forensic investigations
– Evaluate and implement auditing tools to reduce the complex task of log analysis
– Establish log review and investigative procedures in advance
– Train personnel to review logs
– Protect against unauthorized access and change: copied logs should be physically secured
31. Audit Trail Monitoring
• An audit trail is the data collected from various systems' event logging activity, used to reconstruct events that happened in a system for legal purposes
• Records of activities can be investigated to check whether network devices and systems are operating within expected parameters
• Event logging can be done in any system
• It helps gain awareness of the system and infrastructure
• The audit trail alerts on suspicious activity for further investigation
• E.g. an administrator can see somebody logging into a mission-critical system after work hours. The admin can look at the logs and determine if it was legitimate or expected. Other logs can be checked to see if that user is doing questionable things
• It provides details of intruder activity. A hacker will leave traces behind while hopping between different systems/applications. This helps to reconstruct the path, and what type of tool may have been used can be determined, etc.
• Finally, all these records can be used for legal action
32. Audit Event Types
Based on information security and access control, there are 5 key audit types
1. Network Events
2. System Events
3. Application Events
4. User Actions
5. Keystroke Activity
33. 1. Network Events
• Can play a critical role during an attack
• Devices supporting communications can provide info
• Network layer info is helpful in isolating threat activity (e.g. a worm or DoS attack)
• Helpful in detecting if a user is using software or services not permitted by policy (e.g. instant messenger, peer-to-peer applications)
• Network logs show the source and destination address of traffic, what application the traffic belonged to, and whether the packets were allowed or blocked
• How much traffic was received over a period of time
34. 2. System Events
• The part of the audit trail which provides system activity info
• Reports if files are modified, deleted or added
• Shows if software is installed or removed, or a privilege was changed
• If there is a worm or virus in the system, the system will show unexpected activities
• Also shows if there is a significant change in management activities (both legitimate and malicious)
35. 3. Application Events
• Broad range of possibilities for monitoring activity
• Dependent on the specific services of the application
• E.g. an attack on a web server can be evaluated from the URL manipulation visible in the web server logs
• The objective of auditing an application is to isolate key functions to at least gain an initial perspective of application activity
• The reviewer should know the possible problems that can be seen in the logs while analyzing them
• If the application was made by the organization, security-oriented logs should be incorporated
36. 4. User Actions
• Helps understand the behavior and activity of a user
• Info on log-on and log-out times, use of privileged access, applications executed, and data files accessed are the basics of user monitoring
37. 5. Keystroke Activity
• Logging keystrokes shows what the user is typing
• Controversial because it can invade privacy (even if the company allows it)
• E.g. sending an inappropriate message to a coworker can be the basis for firing a staff member
• A lot of info can be found in command history files found on some operating systems
• E.g. on UNIX systems, the $HOME directory can have files with names like .history, .sh_history, .bash_history
38. Intrusion Detection and Prevention
• An IDS alerts the administrator to attacks in real time but doesn't take any action
• Considered an audit/network monitoring technology
• It can be implemented as part of a router, firewall, or NIDS (Network IDS)
• If used on a host to monitor activity, it is called a Host IDS (HIDS)
• An IPS (Intrusion Prevention System) can detect threats and act proactively. It blocks unauthorized activity by a hacker as well as a user trying to perform non-privileged actions
• IPS is gaining popularity lately
• An IDS needs to be tuned to the normal traffic of the organization
• If it is not tuned it becomes a noisy box or sits quietly and cannot distinguish between a real attack and traffic from the organization's own applications
39. Network Intrusion Detection System Architecture (NIDS/IDS)
• NIDS works passively, in promiscuous mode
• It monitors every packet passing in/out of the network
• Can be attached to firewalls, switches, routers
• NIDS should be able to handle traffic throughput equivalent to (or greater than) the combined traffic load
• Throughput = sum of all data flying by on the network
• E.g. if a 100 MB, 10-port switch is used, we need at least a 1 GB IDS to handle the traffic load. If the capacity of the IDS is smaller than 1 GB then data packets will be lost
• If the session data is encrypted the IDS fails
• Many tools are available which nowadays break session encryption and re-establish it
• If the IDS detects an unwanted communication stream, it can attempt to terminate the connection by blocking packets from the source of the traffic, or use features of the TCP protocol and inject packets into the network forcing the remote system to cancel the communication
40. Host-Based Intrusion Detection System (HIDS)
• Implementation of IDS at the host level is HIDS
• Processes are limited to host boundaries
• Advantage: effectively detects objectionable activities on the host system it runs on
• Offers access to system logs, processes, system info, device info
• Virtually eliminates the limits associated with encryption
• Level of visibility into packets is higher
• Multi-host IDS allows systems to share policy info and real-time attack data, making it easier to establish a defensive posture
• It is invasive to the operating system and uses a lot of CPU and memory to function during an attack, thereby diminishing the performance of laptops and workstations
• However, new servers eliminate these issues
41. IDS Analysis Engine Methods
• Based on their strengths and weaknesses, different methods can be used. Two basic methods are
– Pattern Matching (Signature Analysis)
• Based on the characteristics of an attack (specific packet sequence or text in the data stream)
• E.g. when attackers attack a system they send specific packets, which the IDS compares with its database. The IDS has thousands of signature patterns and needs to be updated quite often to get new patterns
• If the sequence is matched then it alerts
• If there is a new attack or slight changes in the packets, the signature can cause the IDS to miss the attack
– Anomaly Detection
42. Anomaly Detection
• Uses behavioral characteristics of the system's operation or network traffic to draw conclusions. Anomalies include:
– Multiple failed log-on attempts
– User logged on during off hours
– Unexplained changes in the system clock
– Unusual error messages
– Unexplained system shutdowns and restarts
– Attempts to access restricted files
• Reports false positives, as expected with behavioral change
• Not dependent on a specific pattern/signature-based system
• Info from anomalies can be used to create patterns for signature-based detection
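Added example (not from the slides) serving both the clipping-level discussion of slides 29-30 and the anomaly list above: a log review that parses constructed auth and file-access records, correlates failed log-ons per user across hosts, and raises one finding when the clipping level is reached rather than one per failure, plus off-hours log-on and restricted-file rules. The log format, field names, thresholds and working hours are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); one deliberately malformed.
SAMPLE_LOG = """\
2024-03-04 09:12:03 host1 auth: user=alice result=FAIL src=10.0.0.5
2024-03-04 09:12:09 host1 auth: user=alice result=FAIL src=10.0.0.5
2024-03-04 09:12:15 host1 auth: user=alice result=OK src=10.0.0.5
2024-03-04 09:20:00 host2 auth: user=bob result=FAIL src=10.0.0.9
2024-03-04 09:20:02 host2 auth: user=bob result=FAIL src=10.0.0.9
2024-03-04 09:20:04 host2 auth: user=bob result=FAIL src=10.0.0.9
2024-03-04 09:20:06 host2 auth: user=bob result=FAIL src=10.0.0.9
2024-03-04 09:20:08 host2 auth: user=bob result=FAIL src=10.0.0.9
2024-03-04 10:05:00 host1 file: user=alice action=READ path=/home/alice/notes.txt
2024-03-04 23:41:10 host3 auth: user=carol result=OK src=10.0.0.77
2024-03-04 23:42:30 host3 file: user=carol action=READ path=/etc/shadow
this line is corrupt and must not crash the review
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\w+): (.*)$")   # "<date> <time> <host> <kind>: k=v ..."


def parse(text):
    """Turn raw lines into event dicts; malformed lines are counted, never fatal."""
    events, bad = [], 0
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            bad += 1
            continue
        ts, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events, bad


def review(events, clipping_level=3, window=timedelta(minutes=5),
           work_hours=(8, 18), restricted=("/etc/shadow",)):
    """Apply the clipping level and the anomaly rules; return (rule, user, host, time) per hit."""
    findings = []
    recent_fails = defaultdict(deque)            # user -> recent failure times, across all hosts
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "auth" and e.get("result") == "FAIL":
            q = recent_fails[e["user"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # forget failures that fell out of the window
                q.popleft()
            if len(q) == clipping_level:          # report once, exactly when the level is hit
                findings.append(("failed-logon-threshold", e["user"], e["host"], e["ts"]))
        elif e["kind"] == "auth" and e.get("result") == "OK":
            if not work_hours[0] <= e["ts"].hour < work_hours[1]:
                findings.append(("off-hours-logon", e["user"], e["host"], e["ts"]))
        elif e["kind"] == "file" and e.get("path") in restricted:
            findings.append(("restricted-file-access", e["user"], e["host"], e["ts"]))
    return findings


if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    for rule, user, host, ts in review(events):
        print(f"{ts}  {host:6}  {user:6}  {rule}")
```

Alice's two failures stay below the clipping level and produce nothing, while Bob's five produce a single finding; lowering the level to 2 would surface Alice as well.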
43. Stateful Matching Intrusion Detection
• Scans for attack signatures in the context of traffic or overall behavior
• An intruder may send a volley of valid packets to the targeted system
• Matching a pattern is virtually impossible as they are valid
• But why such a huge volume of valid packets?
• To evade detection, the attacker sends packets from multiple locations with long wait periods between each transmission to confuse the detection system or exhaust the session timing window
• If the IDS is tuned to watch over a long period of time, it can detect the attack
• Stateful Matching IDS also uses signatures, so it has to be updated often
44. Statistical Anomaly-Based Intrusion Detection
• Analyses event data by comparing it to normal/typical/predicted profiles
• Why is the data skewed at a particular time?
• Very effective; a high-level characteristic of an IPS
• Defining normal is a difficult task, if not impossible, in a complex environment
• Prone to false positives
• Has the potential to detect previously unknown attacks
• Using signature-based together with statistical anomaly-based IDS is very effective for detecting attacks
45. Protocol Anomaly-Based Detection
• Catches when a protocol deviates from expected behavior
• E.g. if packets in an HTTP session deviate from the HTTP protocol standard, the IDS treats it as malicious behavior
• Useful for HTTP, FTP, or telnet
47. Intrusion Response
• Upon suspicious activity, an IDS or IPS, if permitted and configured accordingly, interacts with systems to restrict or block traffic
• Early versions of IDS interacted with the firewall and allowed the firewall to implement specific rules for the subject in question
• Still used today. The proposed rule should not conflict with normal business operations
• Firewalls might have a lot of rules and the new rule can have a negative impact on normal mission-critical communications
• Firewalls share rules with other firewalls, therefore the attacker will be blocked without affecting the system processes
48. Alarms and Signals
• A core capability of an IDS is to produce alarms and signals that notify people and systems of adverse events
• Fundamental components of alarm capability
1. Sensor: a mechanism that identifies an attack event and informs an admin. Tuning sensors is important
2. Control and Communication: mechanism for handling alerts, e.g. email, text, instant message, pager, voice message, etc.
3. Annunciator:
49. IDS Management
• Employ technically knowledgeable people to select, install, configure, operate and maintain the IDS
• Update the system regularly to keep signatures and behavioral profiles current
• An IDS may itself be vulnerable to attacks, so protect it accordingly
• Intruders might try to disable the IDS with false info or overload the system