Vidder PrecisionAccess


Vidder PrecisionAccess
Transparent Multi-Factor Authentication
June 2015

910 E Hamilton Avenue, Suite 430, Campbell, CA 95008
P: 408.418.0440  F: 408.706.5590
WWW.VIDDER.COM

Table of Contents

I. Overview
II. The Challenge
III. Security Artifacts
IV. Transparent MFA Defined
    Single Packet Authorization
    Transport Layer Security
    Device Fingerprinting
    Step-up Authentication Process
V. Defeated Attacks
    Credential Theft
    Denial of Service
    Server Exploitation
    Connection Hijacking

PRECISIONACCESS TRANSPARENT MFA - JUNE 2015 2

Overview

Multi-factor authentication is a mechanism used in modern work environments to step up the trust level of a user by requiring additional, independent authentication before access to a network or application is granted. The Vidder PrecisionAccess solution ("PrecisionAccess") relies on an authentication system it calls Transparent Multi-factor Authentication ("Transparent MFA"), a key security component of the solution. PrecisionAccess as a whole combines several security mechanisms into a single product; this paper focuses on its key differentiator, Transparent MFA.

Transparent MFA was inspired by existing technologies, including port knocking, single packet authorization, and machine authentication. It combines aspects of each in order to provide comprehensive multi-factor authentication without impacting the user experience.

This document is intended to answer the following questions:
    What is Transparent MFA?
    How does Transparent MFA work?
    What are the advantages of using Transparent MFA?
    What attack vectors does Transparent MFA mitigate?

The Challenge

Multi-factor authentication ("MFA") requires two or more separate authentication stages before access is granted. The most common first stage in use today is a username and password, used to prove the identity of the person accessing an application or network. This is combined with an additional stage, such as a one-time password, certificate, or biometric, so that a compromise of the first factor alone is not enough to gain access.

The main challenge with existing MFA solutions is their negative impact on user experience. Most solutions require the user to take some action, such as typing in a one-time password or scanning a fingerprint.

However, the PrecisionAccess implementation of Transparent MFA provides a second factor, device authentication, without impeding the user experience.

Security Artifacts

The Transparent MFA process requires security artifacts to be onboarded to each authorized client. The on-boarding process is largely automated and appears to the user as a normal software installation. The following security artifacts are used in the Transparent MFA process:

Device Identifier: A unique number that identifies a device. One user can be associated with many devices and therefore with many device identifiers.

Seed: A one-time password seed used to generate the tokens for the Single Packet Authorization process. It is stored in encrypted form.

Counter: A counter used to keep client and server synchronized in the Single Packet Authorization process.

Private Key: A private key used both to sign Single Packet Authorization tokens and to establish TLS connections. It is stored in the system keychain or certificate store and marked non-exportable.

Certificate: A certificate used to establish TLS connections. It is stored in the system keychain or certificate store.

Transparent MFA Defined

Transparent MFA can be thought of as the equivalent of a one-time password that would normally have to be typed in, but is instead carried inside the secure connection process. Achieving this requires a step-up authentication system that can validate connections efficiently at each stage.

Single Packet Authorization

The first mechanism in the Transparent MFA process is Single Packet Authorization (SPA). The concept, derived from port knocking, has the client embed a one-time password (OTP) in a single packet, which the server then validates. The OTP is generated and validated with an efficient, hardware-accelerated algorithm, so packets can be validated with very little performance impact on the server. The PrecisionAccess implementation embeds this token (the SPA packet) in the SSL/TLS ClientHello. Alongside the OTP, the packet carries a counter for synchronization, the device identifier for identification, and a signature for integrity validation.

Transport Layer Security

Transport Layer Security (TLS) is a protocol for protecting data in transit. A TLS session is established immediately after the SPA packet has been validated. The connection is established with mutual trust, which provides strong protection against connection hijacking. PrecisionAccess restricts TLS to a single cipher suite (AES-256-GCM) and trusts only one Certificate Authority for the connection (certificate pinning).

Device Fingerprinting

The next step in the Transparent MFA process is to prove that the authentication artifacts have not been moved to an unauthorized device. A fingerprint is created on the Controller when the device is on-boarded and is associated with that device's security artifacts. The fingerprint is composed of multiple factors returned by the operating system, forming a signature that can later be attested to. The individual fingerprint factors are sent to the Controller, and the Controller chooses which factors make up the fingerprint. Because that choice can be changed at random, the fingerprinting algorithm cannot be reverse engineered from the client.

Step-up Authentication Process

The three authentication stages below are combined into a step-up authentication process. Transparent MFA is strong yet has a low performance impact on Gateways and Controllers because the first stage costs the least to evaluate. As trust in the client increases, the cost of each subsequent stage may increase, but only modestly.

Stage 1: Single Packet Authorization. This first stage is the most important: it mitigates the vast majority of attacks on the server and must therefore be performed very efficiently. Single Packet Authorization was designed around this premise and has proven effective in thwarting advanced attack vectors.

Stage 2: Transport Layer Security. The second stage creates a secure connection using TLS. Since the client's trust has been partially verified by SPA, this more expensive process can be performed without increasing the risk of denial of service.
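The Go program below is an added illustration of the Stage 1 mechanics described above; it is not Vidder's code. The packet layout, the HMAC-SHA256-based OTP, the Ed25519 signature and the counter window are this example's own assumptions (the paper does not name PrecisionAccess's algorithms or wire format). It shows the client assembling the token from its onboarded artifacts and the server validating it in order of increasing cost, with the counter both resynchronizing the two sides and rejecting replays of a captured token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeviceArtifacts mirrors what on-boarding leaves on one client. Field names
// and types are this example's own.
type DeviceArtifacts struct {
	DeviceID uint32
	Seed     []byte             // OTP seed (the product stores it encrypted)
	Counter  uint64             // synchronization counter, advanced per packet
	Priv     ed25519.PrivateKey // stand-in for the non-exportable private key
}

// DeviceRecord is what the server keeps per enrolled device.
type DeviceRecord struct {
	Seed        []byte
	LastCounter uint64 // highest counter already accepted: the replay floor
	Pub         ed25519.PublicKey
}

const (
	otpLen    = 8  // bytes of truncated HMAC used as the OTP
	lookahead = 20 // how far past LastCounter the server will resynchronize
	// Wire layout (example's own): id(4) | counter(8) | otp | ed25519 signature
	spaLen = 4 + 8 + otpLen + ed25519.SignatureSize
)

// otp is a counter-based one-time password: HMAC-SHA256(seed, counter), truncated.
func otp(seed []byte, counter uint64) []byte {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	m := hmac.New(sha256.New, seed)
	m.Write(c[:])
	return m.Sum(nil)[:otpLen]
}

// BuildSPA produces the token the client would carry in its ClientHello and
// advances the local counter so the same token is never sent twice.
func BuildSPA(d *DeviceArtifacts) []byte {
	pkt := make([]byte, spaLen-ed25519.SignatureSize)
	binary.BigEndian.PutUint32(pkt[0:4], d.DeviceID)
	binary.BigEndian.PutUint64(pkt[4:12], d.Counter)
	copy(pkt[12:], otp(d.Seed, d.Counter))
	sig := ed25519.Sign(d.Priv, pkt) // integrity over id | counter | otp
	d.Counter++
	return append(pkt, sig...)
}

// VerifySPA is the server side. Checks are ordered cheapest first (length,
// lookup, counter window) so junk and replays cost almost nothing; the HMAC
// and signature run only for packets that pass those gates.
func VerifySPA(devices map[uint32]*DeviceRecord, pkt []byte) (uint32, error) {
	if len(pkt) != spaLen {
		return 0, errors.New("bad length")
	}
	id := binary.BigEndian.Uint32(pkt[0:4])
	counter := binary.BigEndian.Uint64(pkt[4:12])
	body, sig := pkt[:spaLen-ed25519.SignatureSize], pkt[spaLen-ed25519.SignatureSize:]
	rec, ok := devices[id]
	if !ok {
		return 0, errors.New("unknown device")
	}
	if counter <= rec.LastCounter || counter > rec.LastCounter+lookahead {
		return 0, errors.New("counter outside window (replay or desync)")
	}
	if !hmac.Equal(pkt[12:12+otpLen], otp(rec.Seed, counter)) {
		return 0, errors.New("bad otp")
	}
	if !ed25519.Verify(rec.Pub, body, sig) {
		return 0, errors.New("bad signature")
	}
	rec.LastCounter = counter // resynchronize and burn this counter value
	return id, nil
}

// Enroll simulates on-boarding: a fresh seed and key pair for the device, with
// the public half kept by the server.
func Enroll(id uint32) (*DeviceArtifacts, *DeviceRecord) {
	seed := make([]byte, 32)
	rand.Read(seed)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &DeviceArtifacts{DeviceID: id, Seed: seed, Counter: 1, Priv: priv},
		&DeviceRecord{Seed: seed, LastCounter: 0, Pub: pub}
}

func main() {
	dev, rec := Enroll(42)
	server := map[uint32]*DeviceRecord{42: rec}
	pkt := BuildSPA(dev)
	_, err := VerifySPA(server, pkt)
	fmt.Println("first use:", err)
	_, err = VerifySPA(server, pkt)
	fmt.Println("replay of captured packet:", err)
}
```

The lookahead window is what lets a client that lost a packet (or whose counter ran ahead) still authenticate, while anything at or below the last accepted counter is dropped before any cryptography runs.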

Stage 3: Device Fingerprinting. The last stage verifies that the security artifacts used for authentication are coming from a legitimate device. PrecisionAccess transmits the fingerprint and compares it to the fingerprint created during onboarding. This proves, to a high degree of likelihood, that the security artifacts were not copied to another device.

Defeated Attacks

PrecisionAccess Transparent MFA is a key component of the architecture and security value of the solution. It mitigates a range of attack vectors through a secure, lightweight device authentication system.

Credential Theft

Credential theft is one of the most common attack vectors in today's enterprise environments. Credentials can be stolen through a variety of channels, including key loggers, phishing, and brute force attacks. PrecisionAccess Transparent MFA mitigates stolen credentials by requiring that all connections destined for a protected application come through a PrecisionAccess Gateway. To reach that Gateway, the user's device must complete the Transparent MFA process, which acts as a second factor of authentication; a username and password alone are not enough.

Denial of Service

Denial of service is an attack on the availability of an application. Often performed by activists or competitors, it can damage an organization's reputation and cause a loss of service for customers. Many variants exist, all of which aim to exhaust the resources of a network, application, or server. PrecisionAccess defeats a large portion of these attack vectors by limiting connectivity to authorized users. For example, a common attack known as the SSL renegotiation DoS repeatedly triggers expensive SSL/TLS handshakes on a server until it runs out of resources to service legitimate requests. Adversaries generally perform this attack against internet-accessible websites.
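An added example (not Vidder's code) of the Stage 3 check described above. The factor names and values are constructed, the keyed-hash storage and the minimum-match tolerance are this example's design choices, and the point it demonstrates is that the Controller, not the client, decides at verification time which factors count, so the selection cannot be learned from the client binary.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
	"sort"
)

// Fingerprint is the Controller-side record made at on-boarding: a keyed hash
// per factor, so raw hardware identifiers are not stored in the clear.
type Fingerprint struct {
	key     []byte            // per-device HMAC key, held only by the Controller
	digests map[string][]byte // factor name -> HMAC(key, name || 0 || value)
}

func digest(key []byte, name, value string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(name))
	m.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	m.Write([]byte(value))
	return m.Sum(nil)
}

// Onboard records every factor the client reported during installation.
func Onboard(factors map[string]string) *Fingerprint {
	key := make([]byte, 32)
	rand.Read(key)
	fp := &Fingerprint{key: key, digests: make(map[string][]byte, len(factors))}
	for name, value := range factors {
		fp.digests[name] = digest(key, name, value)
	}
	return fp
}

// PickFactors returns n factor names chosen uniformly at random on the
// Controller. The client never learns which ones were used.
func PickFactors(fp *Fingerprint, n int) []string {
	names := make([]string, 0, len(fp.digests))
	for name := range fp.digests {
		names = append(names, name)
	}
	sort.Strings(names) // fixed starting order; the shuffle supplies the randomness
	for i := range names {
		r, _ := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		j := int(r.Int64())
		names[i], names[j] = names[j], names[i]
	}
	if n > len(names) {
		n = len(names)
	}
	return names[:n]
}

// Verify checks the factors a connecting client now reports against the
// on-boarding record for the selected names. At least minMatch must agree.
// The tolerance is this example's choice: one factor changed by an OS update
// does not lock the device out, while artifacts copied to another machine
// still fail on nearly every factor.
func Verify(fp *Fingerprint, presented map[string]string, selected []string, minMatch int) (matched int, ok bool) {
	for _, name := range selected {
		value, present := presented[name]
		if !present {
			continue // a factor the client cannot produce counts as a mismatch
		}
		if hmac.Equal(fp.digests[name], digest(fp.key, name, value)) {
			matched++
		}
	}
	return matched, matched >= minMatch
}

// Constructed sample factors for this example, not real hardware values.
var onboardedFactors = map[string]string{
	"cpu_id":      "GenuineIntel-06-8e-0a",
	"disk_serial": "WD-WX11A0000001",
	"mac":         "aa:bb:cc:dd:ee:01",
	"os_build":    "10.0.10240",
	"baseboard":   "PRIME-Z390-A",
}

func main() {
	fp := Onboard(onboardedFactors)
	selected := PickFactors(fp, 4)
	n, ok := Verify(fp, onboardedFactors, selected, 3)
	fmt.Printf("same device: %d/%d matched, accepted=%v\n", n, len(selected), ok)

	// Artifacts copied to another machine: only the OS build happens to match.
	copied := map[string]string{"cpu_id": "AuthenticAMD-17-71-00", "os_build": "10.0.10240"}
	n, ok = Verify(fp, copied, selected, 3)
	fmt.Printf("copied artifacts: %d/%d matched, accepted=%v\n", n, len(selected), ok)
}
```

Storing only keyed digests means a leaked Controller database does not hand an attacker the values needed to impersonate a device, and choosing the subset server-side at each check is what stops a cloned client from knowing which factors it must forge.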
Protecting the application with a PrecisionAccess Gateway makes the attack far more challenging: the Gateway isolates the application server by refusing any connection until the client has proven its trust, so a client without valid artifacts is rejected before a TLS session is ever established.

Server Exploitation

Server exploitation comes in many varieties, including SQL injection, buffer overflows, cross-site scripting, and many others. Attackers can perform these attacks remotely and without legitimate credentials.

For example, one of the most common vulnerabilities is SQL injection, often performed against login and search forms. These forms can generally be reached, and attacked, without a username and password. Such attacks are a serious problem now that many applications have been made internet-accessible, allowing attackers to compromise systems and gain access to an internal network and corporate data. Transparent MFA protects these applications by moving them behind a PrecisionAccess Gateway: an attacker would need valid security artifacts and a valid device to gain any connectivity to the application at all. This reduces the application's attack surface to authorized users and devices, which greatly reduces the likelihood of a successful attack. It does not remove the underlying flaw, so the vulnerable form remains reachable from an authorized device; the Gateway shrinks who can reach it.

Connection Hijacking

Connection hijacking, also known as a man-in-the-middle attack, is used to steal or modify data in flight. It is not uncommon to hear of a user who joined a wireless hotspot in a public coffee shop and thereby caused the eventual compromise of an organization. The root cause is the insufficient in-flight encryption used by many organizations today. Most applications use the system's trusted certificate store or keychain to enumerate the list of trusted Certificate Authorities. That store contains approximately 300 Certificate Authorities, any one of which could be compromised and used to mount a connection hijacking attack. PrecisionAccess uses certificate pinning, trusting only a small subset of Certificate Authorities, which greatly reduces the chance that a compromised Certificate Authority can be used against the connection. In addition, PrecisionAccess implements mutual trust in the authentication process through SPA and TLS: both the client and the server must present security artifacts during the connection and authentication process.

An adversary will generally not hold the artifacts of both parties and so cannot insert itself into the connection. This mutual trust provides a high level of confidentiality and integrity for remote connections initiated from untrusted locations.

Contact Us
Email: PrecisionAccess@vidder.com
Phone: 408.418.0440
www.vidder.com
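The TLS stage (Stage 2) and the Connection Hijacking section above describe a pinned Certificate Authority, a single AES-256-GCM cipher suite, and mutual trust between client and server. The Go program below is an added example, not the product's code, that builds that configuration with the standard library: a private CA generated in memory, a gateway certificate and a device certificate issued by it, a gateway that requires the device certificate, and a client whose root store holds only the one CA instead of the system store. The names (gateway.example, device-42) and the choice of TLS 1.2 are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a short-lived P-256 certificate for cn; with parent nil it is
// self-signed (the private CA), otherwise it is signed by parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// NewPKI is the trust material on-boarding would distribute (names are this
// example's own): a pool holding exactly one CA, a gateway cert, a device cert.
func NewPKI() (pinned *x509.CertPool, gateway, device tls.Certificate) {
	_, ca, caKey := newCert("PrecisionAccess Private CA", true, nil, nil)
	gateway, _, _ = newCert("gateway.example", false, ca, caKey)
	device, _, _ = newCert("device-42", false, ca, caKey)
	pinned = x509.NewCertPool()
	pinned.AddCert(ca)
	return pinned, gateway, device
}

// GatewayConfig requires a client certificate chaining to the pinned CA and
// offers exactly one cipher suite. TLS 1.2 is forced because Go does not let
// callers restrict the TLS 1.3 suite list.
func GatewayConfig(cert tls.Certificate, pinned *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pinned,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
}

// ClientConfig presents the device certificate and trusts only the pinned CA
// (RootCAs replaces the system store), so a hotspot holding a publicly
// trusted certificate for the gateway name is still rejected.
func ClientConfig(cert tls.Certificate, pinned *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      pinned,
		ServerName:   "gateway.example",
		MinVersion:   tls.VersionTLS12,
	}
}

// handshake runs one handshake over loopback TCP and returns the negotiated
// suite, or the first error either side raised.
func handshake(server, client *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return 0, err }
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil { srvErr <- err; return }
		defer c.Close()
		srvErr <- tls.Server(c, server).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil { return 0, err }
	defer conn.Close()
	if err := <-srvErr; err != nil { return 0, err }
	return conn.ConnectionState().CipherSuite, nil
}

func main() {
	pinned, gateway, device := NewPKI()
	suite, err := handshake(GatewayConfig(gateway, pinned), ClientConfig(device, pinned))
	fmt.Println("enrolled device:", tls.CipherSuiteName(suite), err)
}
```

Running it shows an enrolled device negotiating TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. Pointing the same client at a gateway issued by a second NewPKI() call (a rogue hotspot holding a certificate for the same name, from a CA the client does not pin) fails with an unknown-authority error on the client side, and a client that has a valid password but no device certificate is refused by the gateway during the handshake, before any application data flows.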