Beyond Enterprise Security
Download
Report
Transcript Beyond Enterprise Security
Analyzing Security In
A Novell Environment
www.novell.com
Alan Mark
Chief Security Strategist
Novell, Inc.
[email protected]
Geir Mork
Manager, Products and Services
Sospita
[email protected]
Vision…one Net
A world where networks of all types—corporate and public,
intranets, extranets, and the Internet—work together as
one Net and securely connect employees, customers,
suppliers, and partners across organizational boundaries
Mission
To solve complex business and technical challenges with Net
business solutions that enable people, processes, and
systems to work together and our customers to profit from
the opportunities of a networked world
Agenda
•
•
•
•
•
•
•
Analyzing your network
Auditing servers and services
Tracking users
Tracking workstations
Protecting applications
Olympic security vs. network security
Disaster recovery methods
Analyzing Your Network
Directory
Services
User Security
Server/Service
Security
Desktop/Laptop
App Security
Security
Router Security
Goal: Secure the
entire network
environment
Risk Analysis
• Determine what to protect
Servers
Data
Communication
systems
• Determine the prime intruders
Outsiders
Inside
hackers
Disgruntled employees
What Is the Data Path?
Internet
Transmitted Data
Where Is Your Data?
• Electronic
Secured
servers
Public servers
Secluded systems
• Printed
Stored
in closets
Sent to off-site warehouses
The public printer exposed
How Is Your Data Protected?
•
•
•
•
•
Simple passwords
Secure transmissions
Advanced authentication
Is there an alternate path?
Is there an alternate staff?
How Do You Get Data?
• Communication channels
Traditional
cabling (e.g., Ethernet)
Dial-up
DSL/ISDN
Wireless
VPN
Determine
the weakest link…
Portals: Single Point of Access
• A single point of
failure
• Will DOS attacks
take down your
business
• Setup alternate
front-ends
Who Holds the Keys
• Encrypted data may be secure,
but who can decrypt it
• PKI for everyone
Security Policies
• Policies are both written and electronic
• Periodically evaluate policies
• Use ZENworks® and other products to enforce
• Ensure that IS staff follows policies
Security Policy Goals
• Identification
What,
where, who someone is
• Access control
Data
privacy
Where someone can go
• Integrity/availability
Virus
protection
Redundancy
Backup
Contingency plans
Blue Lance
Blue Lance
VisualClick—DSMeter
VisualClick—DSMeter
NetVision
• NetVision’s Policy Management Suite—Security
for Novell eDirectory®, NetWare® OS/file system,
real-time monitoring, auditing and enforcement
Automate
policy enforcement
Detect security breaches in real-time
Trigger action to reverse the change, disable the user
account and stop the perpetrator
Automate the granting and revoking of access rights
NetVision
Novell Advanced Auditing Services
• Auditing framework
The
frame work will be a common piece which can
be applied on to any product which has an auditing
requirement
The frame work will export several interfaces to
develop Audit Solutions for applications
The framework will be available cross-platform
• Auditing solutions for Novell products
All
Novell products to be based on the above frame
work
This will result in a uniform auditing and reporting
solution across Novell products
Tracking Server Access
• Control physical access to servers
• Watch where departmental servers reside
• Control console access with third-party utilities
AdRem sfConsole
Access to “Hung Console” (Emergency Console)
www.adremsoft.com
AdRem sfConsole
Secure console authentication via eDirectory
AdRem sfConsole
Audit console users
Tracking Users
• Control when and
where users can
access information
• Control what
applications users
can access
• ZENworks for
Desktops user
policies
Managing User Passwords
The single most difficult aspect for
users is managing their passwords
Novell SecureLogin
• Secure storage of passwords based on user
authentication
Tracking Workstation Access
• Consolidated
policy packages
• Windows 2000/XP
group policy
integration
• Auto desktop
import (AWI)
Including desktop
removal
Application Policies in
ZENworks for Desktops
• Managed exposure of applications
Users
get consistent view of applications
Users successfully run ANY application they can “see”
• Fault-tolerant
Desktop
always goes to correct “state” for the
application
Uninstall option
• Application installation/execution
Force-run
virus check
Repair damaged apps
CD creation utility—install applications
Protecting Your
Applications In A Novell
Environment
www.novell.com
Geir Mork
Technical Product Manager
Sospita
Sospita License Protection (SLP)
Overview Of SLP
•
•
•
•
•
•
•
Application protection solution
Prevents un-authorized use of applications
A solution for both in-house developers and ISVs
SLP is based on smart card technology
Supports several programming languages
Easy-to-use interface
Integrated with MS Visual Studio
Sospita License Protection
Key Features
• Execution of protected source code on smart
cards or USB tokens (Secure Token)
• Unique four-step security provided through
“Best
Practise” software protection
3DES encryption
Security evaluated micro chips
Individual transport codes available for software
vendors
Sospita License Protection
Key Features (cont.)
• Protecting valuable source code from being reengineered
• Protecting software applications from being used
by non authorized end-users
• Providing a variety of secure licensing schemes
• Providing Secure Electronic Software Distribution
opportunities (SESD)
Sospita License Protection
Core Modules
• Sospita QX™ QX is a multi-application, secure token operating system
that handles high performance execution of license-protected
software
•
•
•
Provides the interface between the license protected software
application and an external token
Allows developers to protect software easily and with a high degree
of security—The software application can be written and debugged
using an ordinary compiler and debugging tools, then the code
sections are simply marked for encryption and the development kit
protects it
Handles basic license management on smart cards or tokens
Protecting Applications
in Your Environment
• Using the SLP enables full control of application
code with
Authorization to the smart card
Authorization to single applications
32 different access rights levels per applications
(modules or functions)
Time-based usage constraints
How to Protect an Application
• At source code level
• Encryption with 3DES in hardware
• Protected code are decrypted and
run on the token
• All security pertinent operations are
executed in a safe tamper-resistant
environment
• Integrated with MS-Visual Studio v6.0
One click to protect source code
One click to unprotect source code
One click to make release
Sospita License Protection
Secure Execution
“Unlike traditional application protection, Sospita’s
technology creates a ‘usage based’ protection which
encourages and supports open electronic (or physical )
distribution, but allows only the paid license holders
to ‘use’ the software.”
Sospita License Protection
Security Aspects—4 Step
1. What source code is protected
Best practices
2. Encrytion algoritm used to protect software
3xDES
3. Security of chip (micro module)
Phillips EAL 5+
Atmel EAL 1+
4. Transport License
Hierarchy, using 3xDES, only between two valid
tokens
Sospita License Protection
Security Aspects—Access Control and Constraints (cont.)
• Access control to smart card or applications
Based
on PIN/PUK code or password
Can be linked to other applications
Sospita License Protection
Security Aspects—Access Control and Constraints (cont.)
• Access control within the application
Based
on Access Control Levels
Can be any function or module in the application
32 levels available
Sospita License Protection
Security Aspects—Access Control and Constraints (cont.)
• Access control within the application
Based
on time
Lenght of use
Fixed time
Uptime
Number of execution
combinations
Sospita License Protection
QX Operating System
• Features
Multi-application support
License-controlled applet
execution
Inter-applet firewall
32 bit Virtual Machine
Dynamic (runtime) applet
upload and deletion
Secure garbage collection
Support for HUGE applets
On-card crypto support
Sospita License Protection
Micro-controllers
• Micro-controllers
Secure micro-controllers
Typically 8-32 bits with onboard
crypto processors, running at
4-16Mhz
Large amount of ROM/EEPROM—
Typically from 32K-64K (128K)
ITSEC 15408 certified EAL1-5
Typically 1-5K RAM
Comm. speed up to 300Kb
(Theoretically up to 750K+)
Today: Atmel and Philips
Sospita License Protection
Future
• Distribution in a Novell network
Using eDirectory as license repository
Extended schema
Distributing licenses at log in
Linking App objects to user and license
objects
Your Novell
network
Sospita License Protection
Thank you for your time—
Back to you, Alan...
Olympic Security
•
•
•
•
•
10,000 security officers
$310 million
“Soft” zone
“Hard” zone
Breaking the zone
Olympic Village
Olympic Village
(cont.)
Olympic Village
Vehicle Checkpoint
Personnel Checkpoint
• IDs
Photos
Venue
ID
Bar code (date/time policy)
• Bags x-rayed
Olympic IDs
Disaster Recovery
• Also known as business continuity
• What’s new after September 11?
Backup
systems really are important
Cross-trained personnel really is important
• New threats face western businesses
Security
needed for remote offices
Quick-ship startup systems (wireless, NAS,
pre-configured workstations)
Disaster Recovery Basics
• Create a duplicate hardware and software
environment away from the main business
• Test the backup system by restoring data
• Cross-train personnel on key systems
• Document key systems, including any tricks that
are learned
DR Basics
• Create basic server images on bootable CD or
DVD, ready to be installed
• Create a method to store keys and passwords in
a safe place
• Outsource some services, especially web-based
applications
More Info
• See Novell Connections articles from January
(“Rethinking Security”) and April 2002
(“Disaster Recovery”)
• http://www.nwconnection.com/