Re: Multi-Tier logons + Legacy Apps?

From: Kelly Martin (kel_at_securityfocus.com)
Date: 11/06/03

    Date: Wed, 5 Nov 2003 17:50:06 -0700 (MST)
    To: John Cole <JohnC@LGEFCU.org>
    
    

    On Wed, 5 Nov 2003, John Cole wrote:

    > I'm currently looking for options for multi-tier logons. Currently we have
    > just usernames/passwords. We would like to find options with Smart Cards,
    > USB keys, or the like. The problem we have is we have many legacy
    > applications. Are there any systems out that will auto-fill in a
    > username/password to a system if you have the correct username/password to
    > go with your key?

    John,

    One approach would be to investigate some client-based single sign-on
    applications that authenticate legacy apps to a single LDAP or X.509
    compatible directory service. I suspect that authenticating legacy apps
    will be your biggest hurdle, and also the biggest security obstacle to
    overcome (so many legacy apps out there have widely varying username/pwds
    lengths and policies). Single sign-on would have to be tested with each
    legacy app to ensure compatibility, and the only way to do that is one at
    a time. The advantage is that it can be another layer of security, as the
    user would authenticate (login) to the directory service and he/she may
    not even know the username/password of the legacy app they need access
    to... the client app can handle all that.

    Then once you have a common framework for simple authentication you could
    look at adding multi-factor authentication capabilities on top of that.
    Smart cards, PKI certificates or biometrics could work.

    Depending on whether you use Active Directory, eDirectory or iPlanet as an
    authentication directory tree, there are some commercial solutions
    available to do both of the above. These options aren't cheap and are
    generally positioned for large enterprises, but they'll do what you
    describe.

    -- Kelly Martin SecurityFocus kel@securityfocus.com +001-403-261-5468


