Slide 1: Analyzing Security In A Novell Environment
www.novell.com
Alan Mark, Chief Security Strategist, Novell, Inc. [email protected]
Geir Mork, Manager, Products and Services, Sospita [email protected]

Slide 2: Vision and Mission
Vision: one Net. A world where networks of all types, corporate and public, intranets, extranets, and the Internet, work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.
Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.

Slide 4: Agenda
- Analyzing your network
- Auditing servers and services
- Tracking users
- Tracking workstations
- Protecting applications
- Olympic security vs. network security
- Disaster recovery methods

Slide 6: Analyzing Your Network
Goal: secure the entire network environment, layer by layer: directory services, user security, desktop/laptop security, server/service security, application security, router security.

Slide 7: Risk Analysis
Determine what to protect:
- Servers
- Data
- Communication systems
Determine the most likely intruders:
- Outsiders
- Inside hackers
- Disgruntled employees

Slide 8: What Is the Data Path?
Transmitted data, including data that crosses the Internet.

Slide 9: Where Is Your Data?
Electronic:
- Secured servers
- Public servers
- Secluded systems
Printed:
- Stored in closets
- Sent to off-site warehouses
- Left exposed on the public printer

Slide 10: How Is Your Data Protected?
- Simple passwords
- Secure transmissions
- Advanced authentication
- Is there an alternate path?
- Is there an alternate staff?

Slide 11: How Do You Get Data?
Communication channels:
- Traditional cabling (e.g., Ethernet)
- Dial-up
- DSL/ISDN
- Wireless
- VPN
Determine the weakest link.

Slide 12: Portals: Single Point of Access
- A single point of access is also a single point of failure
- Will DoS attacks take down your business?
- Set up alternate front ends

Slide 13: Who Holds the Keys?
- Encrypted data may be secure, but who can decrypt it?
- PKI for everyone

Slide 14: Security Policies
- Policies are both written and electronic
- Periodically evaluate policies
- Use ZENworks and other products to enforce them
- Ensure that IS staff follow the policies

Slide 15: Security Policy Goals
- Identification: what, where, and who someone is
- Access control and data privacy: where someone can go
- Integrity/availability: virus protection, redundancy, backup, contingency plans

Slide 16: Blue Lance

Slide 18: VisualClick DSMeter

Slide 20: NetVision
NetVision's Policy Management Suite: security for Novell eDirectory and the NetWare OS/file system, with real-time monitoring, auditing and enforcement.
- Automate policy enforcement
- Detect security breaches in real time
- Trigger an action to reverse the change, disable the user account and stop the perpetrator
- Automate the granting and revoking of access rights

Slide 21: NetVision

Slide 22: Novell Advanced Auditing Services
Auditing framework:
- The framework will be a common component that can be applied to any product with an auditing requirement
- The framework will export several interfaces for developing audit solutions for applications
- The framework will be available cross-platform
Auditing solutions for Novell products:
- All Novell products will be based on the above framework
- This gives a uniform auditing and reporting solution across Novell products

Slide 23: Tracking Server Access
- Control physical access to servers
- Watch where departmental servers reside
- Control console access with third-party utilities

Slide 24: AdRem sfConsole
Access to a hung console (emergency console). www.adremsoft.com

Slide 25: AdRem sfConsole
Secure console authentication via eDirectory

Slide 26: AdRem
sfConsole: audit console users

Slide 27: Tracking Users
- Control when and where users can access information
- Control which applications users can access
- ZENworks for Desktops user policies

Slide 28: Managing User Passwords
The single most difficult aspect for users is managing their passwords.

Slide 29: Novell SecureLogin
Secure storage of passwords, released on the strength of the user's authentication.

Slide 30: Tracking Workstation Access
- Consolidated policy packages
- Windows 2000/XP group policy integration
- Automatic workstation import (AWI), including workstation removal

Slide 31: Application Policies in ZENworks for Desktops
- Managed exposure of applications: users get a consistent view of their applications and can successfully run any application they can see
- Fault-tolerant: the desktop is always brought to the correct state for the application, with an uninstall option
- Application installation/execution: force-run virus check, repair damaged applications, CD creation utility for installing applications

Slide 32: Protecting Your Applications In A Novell Environment
www.novell.com
Geir Mork, Technical Product Manager, Sospita

Slide 33: Sospita License Protection (SLP): Overview
- Application protection solution that prevents unauthorized use of applications
- A solution for both in-house developers and ISVs
- SLP is based on smart card technology
- Supports several programming languages
- Easy-to-use interface, integrated with MS Visual Studio

Slide 34: Sospita License Protection: Key Features
- Execution of protected code on smart cards or USB tokens (secure token)
- Four-step security: best-practice software protection, 3DES encryption, security-evaluated microchips, and individual transport codes for software vendors

Slide 35: Sospita License Protection: Key Features (cont.)
- Protects valuable source code from being reverse-engineered
- Protects software applications from use by unauthorized end users
- Provides a variety of secure licensing schemes
- Provides Secure Electronic Software Distribution (SESD) opportunities

Slide 36: Sospita License Protection: Core Modules
Sospita QX:
- QX is a multi-application secure-token operating system that handles high-performance execution of license-protected software
- Provides the interface between the license-protected application and an external token
- Lets developers protect software easily and with a high degree of security: the application is written and debugged with an ordinary compiler and debugger, then the code sections are marked for encryption and the development kit protects them
- Handles basic license management on smart cards or tokens

Slide 37: Protecting Applications in Your Environment
Using SLP gives full control of application code through:
- Authorization to the smart card
- Authorization to single applications
- 32 different access-rights levels per application (modules or functions)
- Time-based usage constraints

Slide 38: How to Protect an Application
- Protection is applied at source code level
- Encryption with 3DES in hardware
- Protected code is decrypted and run on the token
- All security-relevant operations execute in a tamper-resistant environment
- Integrated with MS Visual Studio 6.0: one click to protect source code, one click to unprotect it, one click to make a release

Slide 39: Sospita License Protection: Secure Execution
Unlike traditional application protection, Sospita's technology creates usage-based protection that encourages and supports open electronic (or physical) distribution, but allows only paid license holders to use the software.

Slide 40: Sospita License Protection: Security Aspects, 4 Steps
1. What source code is protected: best practices
2. Encryption algorithm used to protect software: 3DES
3.
Security of chip (micro-module): Philips EAL 5+, Atmel EAL 1+
4. Transport license hierarchy, using 3DES, only between two valid tokens

Slide 41: Sospita License Protection: Security Aspects, Access Control and Constraints
Access control to the smart card or to applications:
- Based on PIN/PUK code or password
- Can be linked to other applications

Slide 42: Sospita License Protection: Security Aspects, Access Control and Constraints (cont.)
Access control within the application, based on access control levels:
- Can be applied to any function or module in the application
- 32 levels available

Slide 43: Sospita License Protection: Security Aspects, Access Control and Constraints (cont.)
Access control within the application, based on time:
- Length of use
- Fixed time
- Uptime
- Number of executions
- Combinations of the above

Slide 44: Sospita License Protection: QX Operating System Features
- Multi-application support
- License-controlled applet execution
- Inter-applet firewall
- 32-bit virtual machine
- Dynamic (runtime) applet upload and deletion
- Secure garbage collection
- Support for huge applets
- On-card crypto support

Slide 45: Sospita License Protection: Micro-controllers
Secure micro-controllers:
- Typically 8-32 bit with on-board crypto processors, running at 4-16 MHz
- Large amount of ROM/EEPROM, typically 32K-64K (128K)
- ITSEC / ISO 15408 (Common Criteria) certified, EAL1-5
- Typically 1-5K RAM
- Communication speed up to 300Kb (theoretically up to 750K+)
- Today: Atmel and Philips

Slide 46: Sospita License Protection: Future Distribution in a Novell Network
- Using eDirectory as the license repository
- Extended schema
- Distributing licenses at login
- Linking App objects to user and license objects

Slide 47: Sospita License Protection
Thank you for your time. Back to you, Alan...

Slide 48: Olympic Security
- 10,000 security officers
- $310 million
- Soft zone
- Hard zone
- Breaking the zone

Slide 49: Olympic Village

Slide 50: Olympic Village (cont.)
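The access-control and constraint model in the Sospita slides (37 and 41 through 43: PIN-gated access to the token, 32 access-rights levels per application, and time-based limits on fixed expiry, length of use, uptime and number of executions) is easiest to reason about as the decision logic a token would run. The Python below is an added illustration written for this page, not Sospita's SLP or QX code. Its class and function names, the choice to model the 32 levels as bits 0 to 31 of a rights mask, the three-try PIN counter, and the clock-rollback check are this example's own assumptions, and the timeline in demo() is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of token-side license enforcement; not Sospita SLP/QX code.
# Assumption: the 32 access-rights levels are modelled as bits 0..31 of a mask.
FULL_MASK = (1 << 32) - 1


@dataclass
class Constraints:
    expires_at: Optional[int] = None          # fixed time: denied from this epoch second on
    max_use_seconds: Optional[int] = None     # length of use: cumulative run-time budget
    max_uptime_seconds: Optional[int] = None  # uptime: longest single session allowed
    max_executions: Optional[int] = None      # number of executions


class LicenseToken:
    def __init__(self, pin: str, rights_mask: int, constraints: Constraints):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._rights = rights_mask & FULL_MASK
        self._c = constraints
        self._unlocked, self._pin_tries_left = False, 3  # assumption: 3 tries, then locked
        self._used_seconds, self._executions = 0, 0
        self._last_seen, self._session_start = 0, None   # last clock accepted; open session

    def unlock(self, pin: str) -> bool:
        # PIN gate from slide 41: constant-time compare plus a retry counter.
        if self._pin_tries_left == 0:
            return False
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        self._unlocked = self._unlocked or ok
        self._pin_tries_left = 3 if ok else self._pin_tries_left - 1
        return ok

    def _accept_clock(self, now: int) -> bool:
        # Fail closed if the host clock moved backwards relative to what the token saw.
        if now < self._last_seen:
            return False
        self._last_seen = now
        return True

    def start(self, level: int, now: int) -> str:
        """Decide whether a module protected at access level `level` may start."""
        if not self._unlocked:
            return "denied: token locked"
        if not 0 <= level < 32 or not (self._rights >> level) & 1:
            return "denied: access level not granted"
        if not self._accept_clock(now):
            return "denied: clock rollback"
        c = self._c
        if c.expires_at is not None and now >= c.expires_at:
            return "denied: license expired"
        if c.max_executions is not None and self._executions >= c.max_executions:
            return "denied: execution count exhausted"
        if c.max_use_seconds is not None and self._used_seconds >= c.max_use_seconds:
            return "denied: usage budget exhausted"
        self._executions += 1
        self._session_start = now
        return "allowed"

    def tick(self, now: int) -> str:
        """Periodic re-check while the module runs: "ok" or a denial reason."""
        c = self._c
        if self._session_start is None:
            return "denied: no session"
        if not self._accept_clock(now):
            return "denied: clock rollback"
        uptime = now - self._session_start
        if c.max_uptime_seconds is not None and uptime > c.max_uptime_seconds:
            return "denied: session uptime exceeded"
        if c.max_use_seconds is not None and self._used_seconds + uptime > c.max_use_seconds:
            return "denied: usage budget exhausted"
        if c.expires_at is not None and now >= c.expires_at:
            return "denied: license expired"
        return "ok"

    def stop(self, now: int) -> None:
        # End the session and charge its length against the usage budget.
        if self._session_start is not None:
            self._used_seconds += max(0, now - self._session_start)
            self._session_start = None


def demo() -> List[object]:
    """Constructed timeline exercising every constraint; returns the decisions."""
    token = LicenseToken("1234", (1 << 0) | (1 << 5), Constraints(
        expires_at=1_000_000, max_use_seconds=600, max_uptime_seconds=300, max_executions=2))
    out = [token.start(5, now=100)]           # locked: PIN not yet presented
    token.unlock("0000")                      # wrong PIN, one try consumed
    out.append(token.unlock("1234"))          # correct PIN
    out.append(token.start(3, now=100))       # level 3 not in the rights mask
    out.append(token.start(5, now=100))       # execution 1 starts
    out.append(token.tick(now=350))           # 250 s uptime: fine
    out.append(token.tick(now=450))           # 350 s uptime: over the 300 s session limit
    token.stop(now=450)                       # 350 s charged to the 600 s budget
    out.append(token.start(5, now=400))       # clock went backwards: refused
    out.append(token.start(5, now=500))       # execution 2 starts
    out.append(token.tick(now=800))           # 350 + 300 > 600: budget exhausted
    token.stop(now=800)
    out.append(token.start(5, now=900))       # execution limit of 2 reached
    return out
```

The caveat this makes visible: every time-based constraint is decided on a clock value the host supplies, so a token without its own clock can at best refuse time that runs backwards (as _accept_clock does); it cannot tell a slow host clock from a stopped one. Usage and execution counters, by contrast, are entirely token-held state and are the constraints a relying party can trust.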
Slide 51: Olympic Village

Slide 52: Vehicle Checkpoint

Slide 53: Personnel Checkpoint
- IDs
- Photos
- Venue ID
- Bar code (date/time policy)
- Bags X-rayed

Slide 54: Olympic IDs

Slide 55: Disaster Recovery
Also known as business continuity. What's new after September 11?
- Backup systems really are important
- Cross-trained personnel really are important
- New threats face western businesses
- Security is needed for remote offices
- Quick-ship startup systems (wireless, NAS, pre-configured workstations)

Slide 56: Disaster Recovery Basics
- Create a duplicate hardware and software environment away from the main business
- Test the backup system by restoring data
- Cross-train personnel on key systems
- Document key systems, including any tricks that are learned

Slide 57: DR Basics
- Create basic server images on bootable CD or DVD, ready to be installed
- Create a method to store keys and passwords in a safe place
- Outsource some services, especially web-based applications

Slide 58: More Info
See the Novell Connection articles from January 2002 (Rethinking Security) and April 2002 (Disaster Recovery): http://www.nwconnection.com/
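Slide 56's "test the backup system by restoring data" is the step most often skipped, and a backup that has never been restored is only a hope. The Python below is an added example for this page, not a Novell or NetWare utility: it backs up a constructed sample tree to a tarball, restores it into scratch space, compares a SHA-256 manifest taken at backup time against the restored files, and refuses archive members that would escape the restore directory. The function names, the tar.gz format, and the sample file names and contents are this example's own assumptions.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Added example of a restore drill (slide 56); not a Novell or NetWare utility.
# Names, the tar.gz format and the sample tree are this example's own assumptions.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(root: Path, archive: Path) -> dict:
    """Write a gzip tarball of root and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return manifest(root)


def _safe_members(tar: tarfile.TarFile, dest: Path):
    # Refuse links and any member that would land outside dest (path traversal).
    dest_str = str(dest.resolve())
    for m in tar.getmembers():
        target = str((dest.resolve() / m.name).resolve())
        if m.issym() or m.islnk() or os.path.commonpath([dest_str, target]) != dest_str:
            raise ValueError(f"refusing unsafe archive member: {m.name}")
        yield m


def restore(archive: Path, dest: Path) -> Path:
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, members=_safe_members(tar, dest))
    return dest


def verify(expected: dict, restored_root: Path) -> dict:
    """Compare the restored tree with the backup-time manifest; all lists empty = clean."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "corrupt": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
    }


def make_sample_tree(root: Path) -> None:
    # Constructed stand-in for a server's system volume; contents are sample data.
    (root / "etc").mkdir(parents=True)
    (root / "autoexec.ncf").write_text("LOAD MONITOR\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "etc" / "key.bin").write_bytes(os.urandom(4096))


def restore_drill(tamper: bool = False) -> dict:
    """Back up the sample tree, restore it to scratch space, and verify it."""
    with tempfile.TemporaryDirectory() as d:
        src, archive, dest = Path(d) / "src", Path(d) / "backup.tar.gz", Path(d) / "restore"
        make_sample_tree(src)
        expected = backup(src, archive)
        restored = restore(archive, dest)
        if tamper:  # simulate a bad restore: one file altered, one lost
            (restored / "etc" / "hosts").write_text("tampered\n")
            (restored / "etc" / "key.bin").unlink()
        return verify(expected, restored)


def traversal_rejected() -> bool:
    """Constructed hostile archive with a '../' member: restore must refuse it."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "evil.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.addfile(tarfile.TarInfo("../escaped.txt"), io.BytesIO(b""))
        try:
            restore(archive, Path(d) / "restore")
        except ValueError:
            return not (Path(d) / "escaped.txt").exists()
        return False
```

Two points of design: the manifest is taken from the live tree at backup time and stored separately from the archive, so a damaged or tampered archive cannot also damage the evidence used to judge it; and the member check runs before anything is written, because an archive restored from off-site media is untrusted input. On Python 3.12 and later, tarfile's extractall(filter="data") performs a comparable traversal check; the explicit generator keeps the policy visible and works on older interpreters.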