OpenVMS Security Update 1M01
- Damon Chandler
OpenVMS Update M0
Helmut Ammer, TCSC München

Agenda
- Ratings
  - ITSEC E C & E B update on V6.
  - TCSEC C Ramp -> Common Criteria
  - COE DII
- Current Projects: Enterprise Features & Projects History
  - Per- Profiles
  - External Authentication
  - Authenticated COM + Infrastructure (V7.-)
- Future Projects
  - Kerberos for VMS

Ratings
- Testing Procedures
- Current Ratings Status
  - TCSEC
  - ITSEC
  - Common Criteria
- New Ratings
  - DII COE

OpenVMS Testing
Independent of a rating, the OpenVMS security testing procedure is as follows:
- All new functionality/changes are documented
- Each one is reviewed for impact to the security model
- Tests are created to assure security relevant changes behave as documented
- Each release must successfully complete the Test Suite before it is released.

OpenVMS TCSEC Ratings
- C for OpenVMS VAX and Alpha V6.
- B for SEVMS VAX and Alpha V6.

ITSEC Rating
ITSEC Ratings in progress
- ITSEC E/F-B SEVMS (with B claims)
- ITSEC E/F-C VMS
Targets: Alpha & VAX
- OpenVMS V6.-H & YK Patch Kit
- SEVMS V6.-H & YK Patch Kit

OpenVMS Future Ratings
- TCSEC/RAMP - Going Away
- OpenVMS 7. C RAMP Status
- Independent rd party evaluations
- CLEF (Commercially Licensed Evaluation Facility)
- Common Criteria Profiles
- C? Industry Specific?

What is DII COE?
The Defense Information Infrastructure Common Operating Environment (DII COE) provides a foundation for building open systems. It is a "plug and play" open architecture designed around a client/server model.

DII COE..0 compliant OpenVMS
[Diagram; recoverable labels: Standard (Back Office) APIs, Standard (System Level) APIs, Kernel components, OpenVMS Operating System & Alpha HW]

COE Application Levels of Compliance
8 - Total COE compliance; application does not need to know about Platform/OS at all.
- 50/50 split. COE compliance but Application needs some system calls. (e.g. Cluster awareness)
- Application makes no calls to COE Modules in O/S but can successfully run in COE O/S environment
0 - Application breaks when running in COE compliant O/S environment

MUPs
- OpenVMS Alpha V7.
  - DEC-AXPVMS AXPVMS-VMS7_SYS-V000-.PCSI
  - DEC-AXPVMS AXPVMS-VMS7_SYS-V000-.PCSI
- OpenVMS Alpha MUP ALPSMUP0_070 (Versions V6., V6. & V7.0)
- OpenVMS VAX MUP VAXSMUP0 (All Versions prior to V6.)

OpenVMS V7. & V7..- Projects
- Per-thread security V7..- Authenticated COM

Future Projects
- LDAP Client investigation
- Cluster Wide Intrusion Detection (A/V)
- Kerberos V5
- GSSAPI (Generic API)
- $ Login
- CDSA (Common Data Architecture)
- IR
- IPSEC support

Model before V7.
[Diagram; label text as extracted: Profile, Execution, Generic Profile (ARB,PCB,JIB etc.)]
- The current model forces user threads to manage the security
- To really work the security must be switched by the scheduler
- A single fails with multiple threads actively using it

Per- Profile Model
[Diagram; label text as extracted: Profile, Profile, Execution, Profile, Profile]
- New model solves pre-emption problem as the scheduler switches the security on a context switch.
- Now the operating system takes care of the switching of handles when scheduling.

Per- : Compatibility
- PCB/ARB/JIB/PHD maintained while process has a single user-mode persona
- System services now persona aware
- SDA understands persona structures
[Diagram; label text as extracted: Backward Compatibility, New, Generic Profile (ARB,PCB,JIB etc.), Profile]

in OpenVMS V7.- Authenticated COM
- Provide necessary NT security infrastructure (kernel objects, interfaces, and protocols) to support strategic technologies
- OpenVMS V7..- support for: Secure DCOM, RPC using NTLM-authentication (Authenticated RPC), select Win security APIs
- OpenVMS Alpha only!

NT Infrastructure View
[Diagram; label text as extracted: DCOM Win APIs Reserved interfaces in 7. Win Low-Level $PERSONA System SYS$ACM System Service _SERVER VMS UAF NT SSPI/NTLM System [Cluster IPC to multiple servers] PWRK$LMSRV AdvancedServer RPC SAM]

Future Projects
- LDAP V Client (Investigation Complete)
- Requirement: Kerberos Authentication
- Cluster Wide Intrusion Detection
- Kerberos V5 Client and KDC
- GSSAPI V
- CDSA (Common Data Architecture)
- IPSEC Support

Cluster Wide Intrusion Detection
- Intrusion detection and breakin evasion is not applied cluster-wide.
- Intrusion detection and breakin evasion data are volatile.
CWID Requirements:
- Intrusion and breakin events will be visible across the cluster (both VAX and Alpha)
- Events from all nodes in the cluster will contribute to the detection and evasion mechanisms
- Events must persist across system reboots
- Only backwards-compatible changes will be made to the SYS$INTRUSION interfaces

Kerberos VMS implementation
- Initially a separate installable kit featuring
- Support available back to V7. (VAX & ALPHA)
- GSSAPI V
- GUI & DCL interface
- KDC & Client
- Ready for Field Test in CY000
- For more information on Kerberos see mit.edu/kerberos/www/

OpenVMS Common User Authentication and Credential Management Model
[Diagram; label text as extracted: LOGINOUT; SYS$ACM Common User Authentication Interface; Authentication and Credential Management (ACM) Authority; OpenVMS ACM Extension; NT ACM Extension; SYSUAF.DAT; Native Authentication Agent; External Authentication Agent; PATHWORKS Login; Server X; Server Y; Kerberos ACM Extension; X.509 Public-Key ACM Extension; LAN]
- SYS$ACM published
- Additional Loginout image
- How to write an guide.
- Testing and Field Test exposure.
The ability to have alternate external agents supported by the OpenVMS Common User Authentication Model will be in a future release.

The CDSA Solution
Common Data Architecture (CDSA)
- CDSA defines a four-layer architecture for cross-platform, high-level security services
- CSSM defines a common API & SPI for security services and integrity base
- Service Providers implement selectable security services
[Diagram; label text as extracted: Applications; Layered; CSSM API; Common Service Provider Interfaces; Service Modules]

CDSA Framework
[Diagram; label text as extracted: Common Service Provider Modules CSP SPI Cryptographic Service Provider Integrity Smartcard TP Module TPI Trust Policy Applications in C and C++ CSSM API CL Module CLI Certificate Remote CAs Contexts DL Module DLI Data Storage Data store EM-API Elective Module Mgr EMI New Category of Service]

CDSA User Benefits
- Users get consistently interoperable and usable security applications for heterogeneous environments
- Cross-platform and multi-system
- Reduced cost and reduced risk when deploying security solutions
- Replaceable components available from multiple providers

CDSA Forges a New US Export Model
- Framework
  - CSSM is called Crypto-with-a-hole
  - Vendors must obtain a CJ General License
  - Based on integrity services and other framework properties
- Applications and Non-crypto
  - One time review, then decontrolled
  - Based on all crypto services via CSSM
  - Does not export a cryptographic API
- Cryptographic Service Provider
  - Requires a CJ general license or ITAR license, depending on strength of cryptographic services
[Diagram; label text as extracted: Apps, App, App, CSSM, CSP, App]

CDSA Adopters

IPSEC support
- IPSEC as part of IPV6
- Tru6 UNIX - SSH Contract for IPSEC provider
- VMS to Follow same model
- CDSA for Cryptography

Future OpenVMS /Cryptography Map
[Diagram; label text as extracted: SSPI NTLM Client/Server Applications COM, Browsers RPC SSL/TLS SSP GSSAPI V SNEGO SSL/TLS Run Time Kerb5 SSP Host/Interactive Authentication Logon, FTP, Rlogin Kerb Kerb5 Run Time $ACM NT VMS Cryptography Consumers PKI, IPSEC GSSAPI LDAP SASL other? KEY = Public = Internal = Example Kerberos for OpenVMS Cryptographic Provider RSA BSAFE Common Data Architecture API CSSM Trust Policy ENTRUST VERISIGN Certificate RSA BCERT ENTRUST Data Storage LDAP]

Kerberos Agenda
- What is it? A Cryptographic Authentication protocol
- History
- Benefit
- How it works
- OpenVMS Specific details

Kerberos Authentication
What's in a name?
- Kerberos is from Greek Mythology and is the three headed guard dog to Hades
- Cerberus is the Roman spelling.

Kerberos project History
- Developed in 98 at M.I.T. in Project Athena
- Versions - M.I.T. Internal Athena use only
- Version (Available to the public) ~988
- Version 5 (Commercial ready) ~997

Authorization vs. Authentication
So what's the problem?
- A system administrator Authorizes someone to use a computer by creating them an account. Example: UAF> CREATE ASTRO
- The person proves that they are the authorized user of the account by Authenticating themselves, typically with a password. Example: Username: ASTRO PASSWORD: itsadogeatdogworld
- Distributed computing forces the user to authenticate themselves to remote machines by having their passwords travel over the network.
- A simple packet sniffing tool on a PC could read the password on its way to the destination system

So how can you solve the Remote Authentication problem?
Solutions:
- Standards: IPSEC (Part of the IPV6 protocol)
- SSH Secure Shell
  - SSH server for VMS eng.ohio-state. state.edu/~jonesd/ /~JONESD/ssh/DOC/
  - SSH client for VMS lp.se/fish/
  - Info on SSLEay lp.se/.se/openssl/
- Kerberos for OpenVMS

How does Kerberos work?
Authentication using cryptographic tickets.
[Diagram; label text as extracted: Client; KDC Key Distribution Center; TGS Ticket Granting Service; Remote Host]

Kerberos Components
Key Components:
- KDC (Key Distribution Center)
- Grant Principal Account & Service Account
- Administration of the Kerberos Users
- Keytab files (Securely distributed to every node)
- TGT (Ticket Granting Ticket)
- TGS (Ticket Granting Service)
- Valid account on the Remote Host

A sample Kerberos Authentication Walkthrough
[Diagram; recoverable labels: Client (HOST): Login:ODIE, Password:, $ KINIT, $ SET HOST /RLOGIN /AUTHENTICATE HOST; messages: TGT Request, Encrypted TGT, TGS Request, Encrypted SRT, RLOGIN; KDC (HOST): KDB (ODIE: Password, TGS: Password, host: Password), TGS; Remote Server (Host): communications Authenticated!]

VMS GUI User Features

VMS GUI KDC
More informationKerberos Introduction. Jim Binkley-
Kerberos Introduction Jim Binkley- jrb@cs.pdx.edu 1 outline intro to Kerberos (bark, bark) protocols Needham Schroeder K4 K5 miscellaneous issues conclusion 2 Kerberos history Kerberos came from MIT part
More informationFrom Public Key to Exploitation: Exploiting the Authentication in MS-RDP [CVE ]
From Public Key to Exploitation: Exploiting the Authentication in MS-RDP [CVE-2018-0886] Eyal Karni, Preempt Research Team Contents 1. Introduction...3 2. Vulnerability...4 2.1 Issue #1...4 2.2 Toward
More informationKerberized Certificate Issuance Protocol (KX509)
Kerberized Certificate Issuance Protocol (KX509) Jet Propulsion Laboratory Copyright 2010 California Institute of Technology. Government sponsorship acknowledged. Overview and Purpose KX509 is a wire protocol
More informationNew methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall
New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall Claudiu Onisoru, Senior Network Specialist Cisco Connect - 15 May 2014 1 Agenda Frontal Communication: Who
More informationChapter 4 Authentication Applications
Chapter 4 Authentication Applications Henric Johnson Blekinge Institute of Technology,Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se Henric Johnson 1 Outline Security Concerns Kerberos X.509
More informationFIPS SECURITY POLICY FOR
FIPS 140-2 SECURITY POLICY FOR SPECTRAGUARD ENTERPRISE SENSOR August 26, 2011 FIPS 140-2 LEVEL-2 SECURITY POLICY FOR AIRTIGHT NETWORKS SPECTRAGUARD ENTERPRISE SENSOR 1. Introduction This document describes
More informationSecurity+ SY0-501 Study Guide Table of Contents
Security+ SY0-501 Study Guide Table of Contents Course Introduction Table of Contents About This Course About CompTIA Certifications Module 1 / Threats, Attacks, and Vulnerabilities Module 1 / Unit 1 Indicators
More information<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x
RSA SECURID ACCESS Implementation Guide Pulse Connect Secure 8.x Daniel R. Pintal, RSA Partner Engineering Last Modified: January 24 th, 2018 Solution Summary The Pulse
More informationThis Security Policy describes how this module complies with the eleven sections of the Standard:
Vormetric, Inc Vormetric Data Security Server Module Firmware Version 4.4.1 Hardware Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation May 24 th, 2012 2011 Vormetric Inc. All rights
More informationKEY DISTRIBUTION AND USER AUTHENTICATION
KEY DISTRIBUTION AND USER AUTHENTICATION Key Management and Distribution No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman
More informationGuide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE
Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationIBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights
IBM Secure Proxy Advanced edge security for your multienterprise data exchanges Highlights Enables trusted businessto-business transactions and data exchange Protects your brand reputation by reducing
More informationCommon Access Card for Xerox VersaLink Printers
Common Access Card for Xerox VersaLink Printers System Configuration Guide Version 1.3 NOVEMBER 2017 2017 Xerox Corporation. All rights reserved. Unpublished rights reserved under the copyright laws of
More informationRoadmap for This Lecture
Windows Security 2 Roadmap for This Lecture Windows Security Features Components of the Security System Protecting Objects Security Descriptors and Access Control Lists Auditing and Impersonation Privileges
More information