Password? CLASP Project FOCUS Meeting, 12 October 2000 Denise Heagerty, IT/IS.

Outline
- What is CLASP? Common Login and Access rights across Services Plan
  - Project Goal
  - Project Milestones so far
- Phase 1 Results
  - Service survey results
  - Feasibility study results
  - Common Access Rights
- Phase 2 Proposal
  - Phase 2 Deliverables
  - Phase 2 Milestones

Project Goal
- Propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use
- "Single Sign On" + Access Control

Project Scope
- Address computing services offered by at least IT and AS Divisions
- Normal user access from in or outside CERN
- Target Linux and W2000 for web, mail, interactive (telnet, X, ftp) and file (AFS, NICE) access
- Focus on a common solution, even if it does not cover all services today
- Define security levels and password policy
  - elimination of clear-text passwords is desirable (telnet and ftp today send the password across the network in clear)

Project Milestones so far
- Dec 1999: Project Mandate defined
  - Goal, Background, Purpose, Scope, Phases
- Jun 2000: Phase 1 initial results
  - Service Survey and Feasibility Study: what we have now and what is possible for the future
- Oct 2000: Phase 2 Proposal available
  - Detailed Implementation Plans: which services and how they will change

Service Survey Results
- Service Survey at
- Survey lists more than 30 different user services in IT, AS, EST, SL and ST Divisions using more than 12 different passwords
- Most IT services use a common loginid centrally managed in the CCDB database
  - AS Division integration is in progress
- Some password harmonisation exists where easily possible
- The explosion of different loginid/password pairs is mainly driven by web authors, each protecting their own pages with their own accounts

Feasibility Study Results
- Kerberos v5 provides a good basis for common authentication and Single Sign On
  - infrastructure available in W2000 and Linux RH v6.2
  - standard application interfaces (GSS-API, RFC 2078; MS-SSPI)
- Some PKI (Public Key Infrastructure) is required for GRID applications
  - can be integrated with Kerberos v5 Single Sign On
- Enhanced security is essential to overcome the vulnerability of the initial sign on (the one step where the password itself is presented; the KDC's reply to the initial request is encrypted under a key derived from the password, so unless the KDC insists on pre-authentication anyone can request that reply and guess the password offline)
- We need to control the explosion of web loginid/password pairs
  - need to consider non-Kerberos solutions
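To make the Single Sign On claim concrete, here is an added example (not CERN or CLASP code, and not a real Kerberos implementation) of the Kerberos v5 message flow the study relies on: the password is used exactly once, at the initial AS exchange, and tickets for each service are then obtained from the TGT without it. The realm, principal names and service names are made up, the cipher is a stdlib-only stand-in (HMAC-SHA256 keystream plus HMAC tag) rather than an RFC 4120 encryption type, and `offline_guess` shows the initial sign-on weakness mentioned above: with pre-authentication switched off, the KDC hands password-encrypted material to anyone who asks.

```python
"""Toy Kerberos v5 SSO flow: one password use at the AS exchange, then per-service
tickets via the TGT.  Constructed example, not CERN/CLASP code.  The cipher is a
stdlib stand-in (HMAC-SHA256 keystream + HMAC tag), NOT an RFC 4120 etype."""
import hashlib, hmac, json, os, time

def derive_key(password, salt):
    """String-to-key: the principal's long-term key is derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable message under `key`."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or a tampered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key; service keys stand in for keytabs."""
    def __init__(self, principals, realm="EXAMPLE.CH", require_preauth=True):
        self.realm, self.require_preauth = realm, require_preauth
        self.keys = {p: derive_key(pw, realm + p) for p, pw in principals.items()}
        self.tgs_key = os.urandom(32)

    def as_exchange(self, client, preauth=None, lifetime=36000):
        """AS-REQ -> AS-REP: (part encrypted under the user's key, TGT)."""
        ckey = self.keys[client]
        if self.require_preauth:            # prove possession of the key before replying
            if preauth is None:
                raise PermissionError("KRB_ERR_PREAUTH_REQUIRED")
            if abs(time.time() - unseal(ckey, preauth)["timestamp"]) > 300:
                raise PermissionError("KRB_AP_ERR_SKEW")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session, "exp": time.time() + lifetime})
        return seal(ckey, {"key": session}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP: only the TGT and its session key are involved."""
        t = unseal(self.tgs_key, tgt)
        if time.time() > t["exp"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        skey = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": skey, "exp": t["exp"]})
        return seal(bytes.fromhex(t["key"]), {"key": skey}), ticket

class Client:
    def __init__(self, kdc, name, password):
        self.kdc, self.name = kdc, name
        key = derive_key(password, kdc.realm + name)         # the only use of the password
        enc, self.tgt = kdc.as_exchange(name, seal(key, {"timestamp": time.time()}))
        self.tgs_session = bytes.fromhex(unseal(key, enc)["key"])   # cached like a ccache

    def ticket_for(self, service):
        """(ticket, authenticator) for `service`, without re-entering the password."""
        auth = seal(self.tgs_session, {"client": self.name, "timestamp": time.time()})
        enc, ticket = self.kdc.tgs_exchange(self.tgt, auth, service)
        skey = bytes.fromhex(unseal(self.tgs_session, enc)["key"])
        return ticket, seal(skey, {"client": self.name, "timestamp": time.time()})

def service_accept(kdc, service, ticket, authenticator):
    """Server side (AP exchange): decrypt the ticket with the service's own key, then
    check the authenticator was built with the ticket's session key and is unexpired."""
    t = unseal(kdc.keys[service], ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return a["client"] if a["client"] == t["client"] and time.time() <= t["exp"] else None

def offline_guess(kdc, client, wordlist):
    """Initial sign-on weakness with pre-authentication off: anyone can fetch AS-REP
    material encrypted under the user's key and test passwords offline."""
    enc, _ = kdc.as_exchange(client)                          # no password presented
    for guess in wordlist:
        try:
            unseal(derive_key(guess, kdc.realm + client), enc)
            return guess
        except ValueError:
            pass
    return None

def demo():
    """One sign-on, then two (made-up) services accept the same user."""
    kdc = KDC({"dheagerty": "correct horse battery",
               "imap/mail.example.ch": os.urandom(16).hex(),
               "afs/example.ch": os.urandom(16).hex()})
    user = Client(kdc, "dheagerty", "correct horse battery")
    return {svc: service_accept(kdc, svc, *user.ticket_for(svc))
            for svc in ("imap/mail.example.ch", "afs/example.ch")}

if __name__ == "__main__":
    print(demo())
```

The check a practitioner would want is the pair `offline_guess` against `KDC(..., require_preauth=False)` versus the `KRB_ERR_PREAUTH_REQUIRED` refusal of the default configuration: pre-authentication is what stops the initial exchange from being a free password oracle, and a strong password policy is what limits the damage when the reply is captured anyway.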

Key applications known to support Kerberos v5
- Mail
  - IMAP server (U of Washington) - Yes!
  - Outlook and Pine - Yes!
  - Netscape - No
- Interactive commands
  - telnet, ftp, rcp, rlogin: UNIX - Yes! / W2000 - Yes?
  - Exceed: Yes!
- File access (single platform)
  - AFS - Yes (via Kerberos v4 extension on UNIX KDC)
  - Microsoft DFS: W2000 - Yes!
- Web
  - Internet Explorer - Yes
  - Netscape - No

Common Access Rights
- Key/initial applications:
  - distribution lists
  - web page protection
  - file protections
- Concept of "e-groups" looks useful
  - electronic grouping of people/accounts
  - defined centrally and made available to applications
  - LDAP / Active Directory play a key role
  - work is in progress
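The e-group idea, as an added example rather than CERN code: one central directory of groups (which may contain other groups) and a single membership resolver that the three initial applications, distribution lists, web page protection and file protections, all consult, so a person added to one e-group gains the matching rights everywhere at once. The group, account, list and path names are made up, and the `EGROUPS` dict stands in for an LDAP or Active Directory lookup. The resolver also handles two things a central directory must get right: nested groups that form a cycle, and an ACL that names a group which does not exist (it fails closed).

```python
"""Toy e-group directory shared by several applications.  Constructed example,
not CERN code; the dict stands in for an LDAP/Active Directory query."""

# Central e-group directory (constructed): direct member accounts plus nested groups.
EGROUPS = {
    "it-is-section":     {"members": {"dheagerty", "apace"}, "groups": set()},
    "clasp-project":     {"members": {"fhemmer"},            "groups": {"it-is-section"}},
    "focus-members":     {"members": {"jsmith"},             "groups": {"clasp-project"}},
    "all-staff":         {"members": set(),                  "groups": {"focus-members", "ext-collab"}},
    # deliberate cycle: each of these two groups lists the other; the resolver must not loop
    "ext-collab":        {"members": {"visitor1"},           "groups": {"ext-collab-admins"}},
    "ext-collab-admins": {"members": {"gbagliesi"},          "groups": {"ext-collab"}},
}

class EGroupDirectory:
    def __init__(self, groups):
        self.groups = groups

    def expand(self, name):
        """Flattened account set of group `name`.  Nested groups are followed, cycles
        are tolerated, and an unknown group contributes nothing (a typo in an ACL
        therefore fails closed rather than open)."""
        seen, todo, accounts = set(), [name], set()
        while todo:
            g = todo.pop()
            if g in seen:
                continue
            seen.add(g)
            entry = self.groups.get(g)
            if entry is None:
                continue
            accounts |= entry.get("members", set())
            todo.extend(entry.get("groups", ()))
        return accounts

    def is_member(self, account, name):
        return account in self.expand(name)

# Application 1: distribution lists.  A list is simply an e-group name.
MAILING_LISTS = {"clasp-discuss": "clasp-project", "focus-announce": "focus-members"}

def list_recipients(directory, list_name):
    return sorted(directory.expand(MAILING_LISTS[list_name]))

# Application 2: web page protection.  Longest matching prefix wins; group None
# marks a public subtree; a path matching no rule is denied.
WEB_RULES = [("/", None), ("/clasp/", "all-staff"), ("/clasp/internal/", "clasp-project")]

def web_allowed(directory, account, path):
    matches = [r for r in WEB_RULES if path.startswith(r[0])]
    if not matches:
        return False
    _, group = max(matches, key=lambda r: len(r[0]))
    return group is None or directory.is_member(account, group)

# Application 3: file protection.  Per-path ACL mapping e-group -> rights string.
FILE_ACLS = {
    "/afs/example.ch/project/clasp/plan.doc": {"clasp-project": "rw", "all-staff": "r"},
}

def file_allowed(directory, account, path, right):
    acl = FILE_ACLS.get(path, {})
    return any(right in rights and directory.is_member(account, grp)
               for grp, rights in acl.items())

def demo():
    d = EGroupDirectory(EGROUPS)
    plan = "/afs/example.ch/project/clasp/plan.doc"
    return {
        "clasp-discuss recipients": list_recipients(d, "clasp-discuss"),
        "apace reads internal page": web_allowed(d, "apace", "/clasp/internal/plan.html"),
        "jsmith reads internal page": web_allowed(d, "jsmith", "/clasp/internal/plan.html"),
        "visitor1 writes plan.doc": file_allowed(d, "visitor1", plan, "w"),
        "all-staff resolves despite cycle": sorted(d.expand("all-staff")),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because every application asks the same directory, revoking someone's access is a single removal from the e-group rather than a hunt through list subscriptions, `.htaccess` files and AFS ACLs; that is the platform-independent access control for web pages, files and lists that the proposal is after.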

Password? CLASP Phase 2 Proposal

Phase 2 Deliverables
- Implementation plan for the base authentication service
  - Kerberos v5 with support for AFS and Grid certificates
- Implementation plans for services
  - mail, web (IT & AIS), interactive (login, telnet, ftp, Exceed, ssh), file (AFS, Windows DFS), batch (LSF), Oracle and future GRID services
- Final Recommendations
  - security review, password (check and change) policy, opt-out mechanism, off-site access, platform independent access control for web pages, files and listbox lists

Services included in Phase 2
Base authentication service:
- Kerberos v5 with support for AFS and Grid
Application services:
- mail
- web (IT and AIS services)
- file access (AFS and Windows DFS)
- interactive (login, telnet, ftp, Exceed, ssh)
- batch (LSF)
- Oracle
- future GRID services

Phase 2 will conclude with:
- Base Authentication Service defined
- Service/Application implementation plans
- An opt-out mechanism for special cases
- Security review and password (check & change) policy
- Recommendations for off-site access, including CERN and non-CERN portables
- Proposal for common access control for web pages, files and listbox lists

Phase 2 Milestones
- Oct 2000: Test authentication environment available
  - serving Kerberos v5, AFS, and Grid certificates
  - available to services preparing implementation plans
- Feb 2001: Implementation plans available for a production authentication service
  - most IT and AS services
- May 2001: Final proposal available
  - security review, off-site access, access control added
  - presentations to C5, FOCUS and Desktop Forum

Password? CLASP studies have been made in collaboration with many colleagues both inside and outside IT Division - Thanks!