Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Authentication question & problem

from [Sheldon Malm] Network Security [Permanent Link]
Subject: RE: Authentication question & problem
Date: Tue, 22 Apr 2008 14:18:07 -0700 
There are pretty standard solutions out there to accomplish this with
one or more of the following solutions in place (I would recommend
combining some of these solutions if it's practical):
1. VPN between sites (pretty much as outlined below)
        - note that "their own authentication) mechanism" as stated
below by Tremaine does not necessarily mean user logon prompt (see point
#2 below).

2. Federated identity solutions (spanning authentication, authorization,
and probably federated provisioning as well)
        - SSO is a key component of making this work

3. Trusted strong authentication, if necessary
        - Trusted RSA ACE/Token realms have been in place for ages
        - PKI/Cert solutions have similar value

There is a tonne of information on the 'net about enabling Third Party
trust relationships with a simplified user experience.  The 3 outlined
above should give you a starting point to look over your options.  The
bottom line is, this is a business need that is well understood and has
lots of relatively mature options to address it. 


Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Tremaine Lea
Sent: Tuesday, April 22, 2008 3:31 PM
To: evilwon12@yahoo.com
Cc: security-basics@securityfocus.com
Subject: Re: Authentication question & problem

It may be relatively straightforward, if approached differently.

Create a vpn tunnel between site B and site C.  Allow users from site B
to access the application on site C.  Allow users to remote in to site B
with credentials.

There should be no need for site C to be involved in your ldap
credentials.  The fact they are authenticated on a domain that site C
has chosen to trust should be sufficient.  If it's not sufficient, they
should be providing their own authentication mechanism.

It's a bit difficult to provide specific suggestions without more
information, but the above solution is definitely workable.

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"



On 22-Apr-08, at 10:41 AM, evilwon12@yahoo.com wrote:

Here is what my developers are wanting to do, and I cannot think of a 
secure way to do this.

Have a user (at home) authenticate against our LDAP through a company 
portal/site and have that authentication information passed to an 
external vendor, allowing the user at home to utilize the application 
from home after being authenticated.

So, it's user at site A, authenticating with site B, and the user at 
site A using the application (after authentiation) at site C.

Sorry for being long winded, but everything there screams MITM to me.



I am probably missing something easy.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Authentication question & problem, Tremaine Lea
Next by Date:  Re: HTTP tunneling to bypass proxy filter, Francisco Neira Basso
Previous by Thread:  Re: Authentication question & problem, Tremaine Lea
Next by Thread:  Re: Authentication question & proble, Yousef Syed
Indexes:  [Date] [Thread] [Top] [All Lists]