Password? CLASP Phase 2: Revised Proposal C5 Meeting, 16 February 2001 Denise Heagerty, IT/IS.


Outline

- Reminder of CLASP Project Goal
- Recent progress relevant to CLASP project
- Phase 2 Milestones (defined in Oct 2000)
- Authentication Test Results
- Implementation Issues
- Recommendations based on test results and implementation issues
- Revised CLASP Phase 2 Proposal Deliverables and Milestones

CLASP Project Goal

- Propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use
- “Single Sign On” + Access Control

Recent progress relevant to the CLASP project

- Common authentication for mail services
  - tested for roaming SMTP, web mail, listbox lists and listbox archives - based on LDAP
- CA implemented at CERN for Grid testbed
  - will issue certificates for CERN Grid testbed users
- One Time Password authentication card tests
  - tests starting in CS Group of VPN (Virtual Private Network) access with Cryptocard and RSA support
- Loginid harmonisation continues
  - AIS modified to accommodate loginid changes
  - conflicting AIS loginids resolution resumed
  - web form will be written to harmonise remaining loginids
  - mechanism will be added to delete unused accounts

Phase 2 Milestones (Oct 2000)

Oct 2000:
- Test authentication environment available
  - serving Kerberos v5, AFS, and Grid certificates
  - in collaboration with the Grid testbed
  - available to services preparing implementation plans

Feb 2001:
- Implementation plans available for a production authentication service
  - most IT and AS services

May 2001:
- Final proposal available
  - security review, off-site access, access control added
  - presentations to C5, FOCUS and Desktop Forum

Authentication Test Results

- Kerberos v5 authentication server running successfully
  - converts between Grid certificates, Kerberos v5 tickets and AFS tokens
  - base software from FNAL (MIT+fixes+AFS) linked with Globus certificate extensions
- Successful AFS tests
  - a Grid user authenticated with a certificate successfully accessed an AFS test cell at CERN
- W2000 client successfully authenticated
  - login authentication succeeded for standalone client
  - concerns about functionality
- Kerberised IMAP mail server compiled
  - Kerberos client support in Pine and Outlook 10?

Implementation Issues

- Commercial support is not available
  - common authentication supporting Kerberos v5, Grid Certificates & AFS will require local expertise
- Replacing AFS authentication by Kerberos v5 invalidates the AFS support contract
  - preference not to change until AFS future decided
- Use by W2000 needs significant testing
  - will current and future applications continue to work?

Conclusion:
- concerns about support and functionality of tested common authentication solution

Recommendations

- Keep existing authentication services
  - not a good time for changes to Windows 2000 nor AFS
- Continue to track authentication technology
  - Kerberos, Certificates, smart cards,...
- Revisit options when AFS future is clarified
  - Windows 2000 can provide Linux authentication
- Provide an alternative way to achieve CLASP project goal in the short term
  - password synchronisation is a step in the right direction

Revised CLASP Phase 2 Proposal

- Design and pilot a password synchronisation tool
  - includes at least Windows, AFS, Mail, AIS passwords
  - synchronisation will be optional - not forced
  - security review and password check & change policy
  - use experience at CERN (NICE) and within HEPiX (JLAB)
- Recommend off-site access mechanisms
  - including CERN and non-CERN portables
- Design and pilot a tool for common access control of web pages and files (“e-groups”)
  - based on CERN databases & existing listbox mechanism
  - needs to map people to accounts

Revised CLASP Phase 2 Milestones & Deliverables

Milestones:
- Mar 2001: Design teams formed and met
- Apr 2001: Design plans available
- May 2001: Prototypes available
- Jun 2001: pilot evaluation starts
- Sep 2001: CLASP project final review (after-C5)

Deliverables:
- password synchronisation tool
- off-site access and security recommendations
- automatically generated access groups available for web page and file protection (NICE and AFS)
- proposed follow on actions after project closure

Password? CLASP studies have been made in collaboration with many colleagues both inside and outside IT Division - Thanks!