RSA SecurID Product capabilities. Ivona Rustem, Security Consultant
Page 1: rsa presentation6

RSA SecurID Product capabilities

Ivona Rustem, Security Consultant

Page 2

Agenda

The importance of two factor authentication

Overview of RSA SecurID Authentication

Solution architecture

RSA Radius Server

Software installation vs. appliance

Authenticators

Agents

Administrative structure

Credential manager

Policies

Disaster recovery and failover

Page 3

The importance of two factor authentication

Weak passwords - the major cause for security breaches.

Passwords = poor security:

Difficult to remember

Often shared and written down

Easily cracked with freely available tools

The world needs an authentication and access solution that is:

Easy for users

Independent of location or device

Easy to administer, scale, adapt to change

Secure

Page 4

The importance of two factor authentication

Two-factor authentication can:

mitigate risks (only authorized users can access valuable information)

increase productivity (by enabling secure access for users who work from home or travel on a regular basis)

reduce costs (eliminating the need for helpdesk support to manage and reset passwords)

create new business opportunities (use secure access to extend new online services or applications to your customers and partners)

address compliance requirements (ease the burden of compliance by meeting the requirements for two-factor authentication)

Page 5

Overview of RSA SecurID Authentication

Benefits of an RSA SecurID Two-Factor User Authentication Solution

Ensures the positive identification of users before they gain access to valuable resources.

Ensures greater network security than the traditional static password that is easily hacked.

Helps to create a trusted e-business environment with new possibilities for innovation and growth.

Page 6

Overview of RSA SecurID Authentication

An RSA SecurID two-factor user authentication solution consists of:

RSA SecurID authenticators

RSA Authentication Manager software

RSA Authentication Agent software

Authentication Manager

the engine that powers RSA SecurID technology.

verifies the identity and legitimacy of all users attempting to log in to the network.

compatible with many remote access and Internet products, as well as a range of applications, so it fits easily into a corporation's existing network and systems infrastructure.

Page 7

Overview of RSA SecurID Authentication

SecurID can be used to secure:

VPN access

Remote dial-in

Web access

Wireless networking

Secure access to Microsoft Windows

Network hardware devices (routers, firewalls, and switches)

Page 8

Overview of RSA SecurID Authentication

Page 9

Overview of RSA SecurID Authentication

Benefits of RSA SecurID solution for Microsoft Windows:

Security

Simplicity

Auditable

Efficiency

Investment protection

Advantages in general:

robust, easy-to-use, portable authentication solution

technology trusted and proven

Page 10

Solution architecture

Server Architecture:

Primary Server: the first server installed in a deployment

has an embedded Oracle database

Replica: can be installed to provide failover and load balancing

contains its own database, synchronized with the primary

is non-administrative

can be promoted to primary if needed

A deployment supports up to 15 Replica instances

Page 11

Solution architecture

Page 12

RSA RADIUS Server

offered as a part of the RSA Authentication Manager package

no RSA software required at the end-user machine

RADIUS authentication flow:

End-user computer initiates a connection request to the RAS

RAS notifies the RADIUS server of the request

TTLS/PAP tunnel created for this session

User prompted for username and passcode

User provides credentials

RADIUS server verifies credentials using embedded agent software

If successful, Authentication Manager (AM) returns an approval and a RADIUS profile associated with the user

RADIUS server returns an Access-Accept message to the RAS together with the RADIUS attributes associated with that user (based on the user profile)

Page 13

Software installation vs. appliance

Platforms and system requirements:

Windows Server 2003 Standard and Enterprise Edition (32-bit and 64-bit)

Memory 2 GB + 512 MB for RADIUS; 2 GB page file

HDD 60 GB + 128 MB for RADIUS

Red Hat Enterprise Linux 4.7 ES/AS (32-bit and 64-bit)

Memory 2 GB + 512 MB for RADIUS; 2 GB swap space

HDD 60 GB + 470 MB for RADIUS

List of packages required

Solaris 10 UltraSPARC (64-bit)

Memory 2 GB + 512 MB for RADIUS; 4 GB swap space

HDD 60 GB + 650 MB for RADIUS

List of packages required

RADIUS is not supported on 64-bit Windows

Page 14

Software installation vs. appliance

RSA SecurID Appliance solution:

- delivers Authentication Manager in an embedded, sole-purpose hardened Linux operating system

- available in two models:

Appliance 130 - designed to satisfy the requirements for fast and simple deployments

Appliance 250 - designed for organizations that require high-availability deployments (dual power and redundant disks)

- flexible and scalable

- easy to deploy and maintain

- lower total cost of ownership

Page 15

Authenticators

RSA SecurID authenticators provide:

– Strong network security

– Reliable authentication

– Convenient solutions for end-users

– A choice of form factors and options:

-hardware

-software

-on-demand

Tokens contain:

- a seed value for pseudo-random number generation

- an algorithm with which to calculate tokencodes

All tokens generate and display a new code every 60 seconds.

Page 16

Authenticators

Software tokens

- available for Windows, Mac OS and for a variety of smart phone platforms including BlackBerry®, iPhone®, Windows® Mobile, Java™ ME, PalmOS and Symbian OS

- the symmetric key is safeguarded securely on the user's PC or smart phone

- reduce the number of items a user has to manage for safe and secure access to corporate assets

On-demand Authenticator

- a great choice for users who do not need to access the network remotely on a frequent basis

- enables users to receive a one-time password as an SMS message delivered to their cell phone or via e-mail

- users request a one-time password through an intuitive self-service web module by entering their PIN

Page 17

Agents

RSA Authentication Agent software intercepts access requests—whether local or remote—from users or groups of users and directs them to the RSA Authentication Manager for authentication. Once verified, permission to access protected resources is granted.

- is designed to secure Microsoft® Windows® IIS, Apache and Sun™ ONE web servers, UNIX resources and Novell® Network services

- ensures user accountability

- Agent software is built into some 300 RSA SecurID Ready™ products from over 200 leading manufacturers

Page 18

Administrative structure

Realm - highest-level organizational structure

Security Domain - an organizational container that defines an area of administrative management within a realm.

- area of administrative responsibility

- organize and manage users

- enforce system policies

- limit the scope of administrators' control by limiting the security domains to which they have access

- contains Users, User Groups, Agents, Tokens

Page 19

Administrative structure

An LDAP Identity Source can be defined as:

-Read-only

-Read/Write

Identity source:

- linked at the Realm level

- multiple identity sources (ISs) can be linked to one realm, but any single IS cannot be linked to multiple realms

- an IS can be defined for an external Active Directory / LDAP datastore

Page 20

Administrative structure

Licence types:

Base

-One Primary and one Replica instance

-Credential Manager (Self-Service module)

-RADIUS Support

-Offline Authentication

Enterprise

- All Base licence features plus:

- Up to 15 Replica instances

- Credential Manager (Provisioning)

-Multi-Realm capabilities

Evaluation

- 25 users, Base licence features with expiration period

Licence options

Active users upgrades allow the system to be expanded for more users

On-demand authentication - allows a user to receive a one-time-use passcode through SMS or e-mail

Page 21

Credential manager

a web-based workflow system that automates the token deployment process and provides user self-service options

consists of self-service and provisioning.

Self-service allows you to reduce the time that the Help Desk spends servicing deployed tokens—when users forget their PINs, misplace their tokens, and require emergency access, or resynchronization.

Provisioning streamlines the token deployment process if you are rolling out a large-scale token deployment. It also reduces administrative services and the time typically associated with deploying tokens.

Page 22

Policies

- control various aspects of a user’s interaction with Authentication Manager, such as RSA SecurID PIN lifetime and format, fixed passcode lifetime and format, password length, format, and frequency of change

- are assigned to a security domain

Policies protect against:

• Random guessing of passcodes

• Compromised PINs

• Stolen passcodes

• Easily guessed PINs

• Automated logon attempts

Page 23

Policies

Token and PIN Policy

You can configure the following requirements and restrictions:

Require system generated PINs

Require periodic PIN changes

Restrict the use of old PINs

Limit PIN lengths

Use an excluded words dictionary

Set PIN character requirements

Lockout Policy

define how many failed logon attempts users can make before Authentication Manager locks their account.

Offline Authentication

extends RSA SecurID for Windows authentication to users when they work away from the office, or when network conditions make the connection temporarily unavailable.
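Added example (not RSA's code; the SecurID algorithm itself is not described on these slides): a verifier that ties the Authenticators slide (seed, a new tokencode every 60 seconds, passcode = PIN followed by tokencode) to the lockout policy on this slide. HMAC-SHA256 over the 60-second window counter stands in for the proprietary algorithm; the 3-attempt lockout threshold, the one-window clock-drift tolerance and the single-use replay check are assumptions of this example.

```python
import hmac
import hashlib
import struct

INTERVAL = 60      # from the slides: a new tokencode every 60 seconds
MAX_FAILED = 3     # assumed lockout threshold (the slides give no number)
DRIFT = 1          # assumed: accept the neighbouring window on either side

def tokencode(seed: bytes, now: int, offset: int = 0) -> str:
    """6-digit code for the 60-second window containing `now` (+offset windows).
    HMAC-SHA256 over the window counter is a stand-in for the SecurID algorithm."""
    counter = now // INTERVAL + offset
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class TokenRecord:
    """Server-side state for one assigned token (constructed for this example)."""
    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin = seed, pin
        self.failed = 0          # consecutive failures, reset on success
        self.locked = False      # set once MAX_FAILED is reached
        self.last_counter = -1   # highest window already accepted (replay guard)

def verify_passcode(rec: TokenRecord, passcode: str, now: int):
    """Passcode = PIN followed by tokencode. Returns (accepted, reason)."""
    if rec.locked:
        return False, "locked"
    if not passcode.isascii():               # compare_digest needs ASCII str
        return False, "denied"
    pin_ok = hmac.compare_digest(passcode[:len(rec.pin)], rec.pin)
    code = passcode[len(rec.pin):]
    matched = None
    for offset in range(-DRIFT, DRIFT + 1):  # tolerate small clock drift
        if hmac.compare_digest(code, tokencode(rec.seed, now, offset)):
            matched = now // INTERVAL + offset
            break
    if pin_ok and matched is not None:
        if matched <= rec.last_counter:      # a valid code is single-use
            return False, "replay"
        rec.failed, rec.last_counter = 0, matched
        return True, "ok"
    rec.failed += 1                          # wrong PIN or wrong code
    if rec.failed >= MAX_FAILED:             # lockout policy takes effect
        rec.locked = True
        return False, "locked"
    return False, "denied"
```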

Page 24

Disaster recovery and failover

An instance might stop responding for any of the following reasons:

Power outage

Hardware malfunction

Database corruption

Inoperable database

Network malfunction

When a primary instance database server stops responding, the following events occur:

You cannot administer the system.

Authentication performance slows down

Help Desk Administrators are blocked

Users who are permanently locked out cannot be restored

The database on the stopped server may be temporarily unavailable

Data accumulates at replica instances, waiting to update the primary instance

Page 25

Disaster recovery and failover

Recovery from the loss of a Primary Instance:

Locate a replica instance at the same geographic site as the primary instance. The same personnel who administer the primary instance need access to this local replica instance in case of emergency.

Train your staff to learn recovery procedures and make sure they have the necessary privileges to promote a replica instance if the primary instance stops responding.

Confirm that a surviving replica has enough disk space to handle transactions that will queue while the primary is unavailable.

RSA recommends frequent backups to minimize data loss

Authentication Manager backup does not include RADIUS, which must be backed up separately

Run backups during off-peak periods because the backup operation can affect general system performance

Plan to store one backup copy at an off-site location

Page 26

Q & A

Page 27

Thank you!