800.800.4239 | CDW.com/peoplewhogetit UNDERSTANDING 2 FACTOR AUTHENTICATION Houston Thomas Public...

800.800.4239 | CDW.com/peoplewhogetit

UNDERSTANDING 2 FACTOR AUTHENTICATION

Houston ThomasPublic Safety Solution Architect

TAGITM 2012

22CDW — PROPRIETARY AND CONFIDENTIAL. COPYING RESTRICTED. FOR INTERNAL USE ONLY.

CONFUSED YET?

» Step 1 Encrypted VPN.» VPN Market. » 2 Factor Authentication – Single Purpose versus Identity

Management.» Biometrics.» Tokens.» Smart Cards – Contact and Proximity.» Your Future Network.» Windows Certificates.


A LITTLE HOUSEKEEPING….

I am not a cryptographer. If the math has letters with it then I am OUT.

There are currently (57) separate State interpretations of what the CJIS Mandate is.

A CJIS Mandate rumor is a premature fact.

My presentations are typically entertaining and humorous. However, with respect to CJIS, entertainment and humor are unachievable.

Not addressing Phones in this presentation.


CJIS COMPLIANCE…REMEMBER

» You must guard against eavesdropping and man in the middle attacks through a public accessible network.

» The patrol car environment is a conveyance and not considered a secure environment.

» You guard against unlawful access of Federal CJIS databases via 2 factor authentication.

» 2 factor authentication is also in place to ensure officer accountability.


» Required to thwart eavesdropping and man in the middle attacks through public accessible wireless data networks and Wi-Fi.

» Modern VPN solutions generally integrate well with 2 factor authentication platforms.

» Only some solutions include session persistence features. Most offerroaming capabilities.

» Apple IOS and Android support is evolving.

STEP 1 = ENCRYPTED VIRTUAL PRIVATE NETWORK


» Radio IP- LE Centric- supports RDLAP

» Wireless carriers in some States have an approved offering.

» Net Motion- LE Centric- Strong application session persistence- Android support coming- No plans to support IOS at this time.- Strong integration to 2 factor platforms.

VPN MARKET


» Cisco AnyConnect- Android and IOS support- Not there with session persistence yet- Integration to 2 factor platforms

» Columbia Tech- Up and Coming- Quasi LE Centric- Session Persistence Capabilities- Android and IOS support- Integration to 2 factor platforms.

VPN MARKET


TYPICAL VPN NETWORK DIAGRAM


3 FACTORS OF SECURITY

What you know. Typically your standard username and password challenge/response. Requirements for length, strength and expirations. Pick this as one of your factors.

What you have. Includes Contact and Proximity Smart Cards and USB Tokens.

Who you are. Biometrics namely finger print readers. Other forms include facial recognition,palm vein and retina scanning. Behavioral Biometrics?


2 FACTOR AUTHENTICATION = 2 BASIC OPTIONS

» Identity Management Solution.

» Single Purpose Solutions.


IDENTITY MANAGEMENT SYSTEMS


IDENTITY MANAGEMENT SOLUTION PROS/CONS

More difficult to integrate into your environment.

Most costly option.

Manages most types of 2nd factor methods.

Allows for a mixed environment. i.e. fingerprint in the car andhardware tokens at the desk. Replacing one method for anotheris not rip and replace.

You are going to have to devote some training time and resourcesin order to fully comprehend, implement and manage the solution.


IDENTITY MANAGEMENT SOLUTION PROS/CONS

Over time and throughout an Enterprise this method will reduceCosts.

More robust integration with Active Directory.

Provide for comprehensive and consolidated reporting.

Single Sign On features available.

Can manage user based password resets.

Imprivata, Symantec and Digital Persona seem to be the most Interested in the Public Safety Market.


SINGLE PURPOSE SOLUTIONS


SINGLE PURPOSE SOLUTIONS PROS/CONS

Quickest path to getting started.

Least Costly.

Mixed environments are separately managed.

Might be able to implement it “Out of the Box”.

Making the wrong decision is rip and replace.

There is not generally a migration path to Identity Management.

Complying with reporting requirements becomes difficult.


BIOMETRICS

Lets face it…Fingerprint readers are the only real solution here.• Nothing to carry or lose.• May already have technology. Embedded laptop

readers.• Most secure method of authentication. Can’t easily be

stolen.• Cannot read through gloves.• Skin condition a factor.• External factors contribute to read positives. i.e. light.• Often must clean between shifts/uses.• “Welcome to Registration Day”.• Too many decisions to make.


FINGER PRINT SCANNER OPTIONS

• Device Types.• Embedded• External

• Reader Types.• Static• Swipe

• Sensor Types.• Capacitive• Optical• Thermal• Pressure• RF• Ultrasonic


TOKENS

• Works with gloves.• Skin condition is not a factor.• Mitigates environmental conditions.• Often least costly to introduce.• Easily lost, forgotten or stolen.• Considered complex and difficult to use.• Often ty wrapped to the Dock or MDT.• Typically requires less support.• We have already seen a major breech.• No external connection required.


CARDS / PROXIMITY

Our most recommended method. Currently least used.• Works with gloves.• Skin condition is not a factor.• Environmental conditions not a factor.• Easily lost, forgotten or stolen.• Officers are already accustomed to use.• Easiest method to utilize.• We have little to No historical perspective as to

how the readers hold up in a mobile environment.• Readers themselves can be expensive. $150 to

$400.• Externally connected…USB.


CARDS / CONTACT

• Works with gloves.• Skin condition is not a factor.• Environmental conditions not a factor.• Easily lost, forgotten or stolen.• Officers are already accustomed to use.• 2nd easiest method to utilize.• Contact wear and tear an issue.• Externally connected…USB.


THE NEW NETWORK DILEMMA

» Supporting wireless offload of In Car Video.

» Supporting ALPR update and offload.

» Supporting mobile updates from CAD RMS.

» Access to video streaming now that 4G is here.


COMPLEX VPN NETWORK DIAGRAM


YOUR FUTURE NETWORK

» Prepare yourself for a secure and non-secure network.

» Do not use your VPN Server as a choke point, firewall or a intermediate defense in depth strategy.

» Prepare yourself to relax the VPN Client lockdown policy.


DON’T SHOOT THE MESSENGER

Net Motion, Windows Certificates, Radius Server, Public Key Infrastructure and IPsec.


WINDOWS CERTIFICATES

New (2013) 5. For agencies using public key infrastructure technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the information system. Registration to receive a public key certificate shall:

a) Include authorization by a supervisor or a responsible official.b) Be accomplished by a secure process that verifies the identity of the certificate holder.c) Ensure the certificate is issued to the intended party.


WHAT DOES A WINDOWS CERTIFICATE LOOK LIKE

<?xml version='1.0' encoding='utf-8' standalone='yes'?>

<assembly

xmlns="urn:schemas-microsoft-com:asm.v3"

xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

authors="charfa"

buildFilter=""

company="Microsoft"

copyright=""

creationTimeStamp="2005-01-01T00:35:52.6386021-08:00"

description="$(resourceString.description1)"

displayName="$(resourceString.displayName0)"

lastUpdateTimeStamp="2005-03-01T23:47:26.4788237-08:00"

manifestVersion="1.0"

owners="charfa"

supportInformation=""

testers=""

>

<assemblyIdentity

buildFilter=""

buildType="release"

language="*"

name="Microsoft-Windows-CertificateServices-MSCEP-DL"

processorArchitecture="*"

publicKeyToken=""

type=""

version="0.0.0.0"

versionScope="nonSxS"


GREAT NEWS

Now we can….

Use my fingerprint scanner with Net Motion.Fingerprint is indexed to my Public Key Token.Token is submitted for Windows Certificate.Windows Radius validates the Token.I get my certificate.I am good to go until my certificate expires.


EXCEPT FOR…..

• 2. Internet Protocol Security (IPSec) does not meet the 2011 requirements for advanced authentication; however, agencies that have funded/implemented IPSec in order to meet the AA requirements of CJIS Security Policy v.4.5 may continue to utilize IPSec for AA until 2013.

Examples:

a. A police officer is running a query for CJI from their laptop mounted in a police vehicle. The police officer leverages a cellular network as the transmission

medium; authenticates the device using IPSec key exchange; and tunnels across the cellular network using the IPSec virtual private network (VPN). IPSec was funded and installed in order to meet the AA requirements of CJIS Security Policy version 4.5. AA requirements are waived until 2013.

“I don’t know what this means. Windows Certificates use IPSec.”


THAT STATEMENT IS NOT THE REAL PROBLEM THOUGH…..

The 2nd Factor is being Authenticated at the Device and not to a Back End Server. 2nd Factor is being replaced by a PIN in the Certificate. Therefore…

1. If the laptop is stolen then the CJI Identity is unusable ….forever.

2. You cannot be made immediately aware of unsuccessful login attempts.

3. Reporting is difficult to say the least.

4. Management of Shift Fleets becomes an impossible task.

5. Now the Certificate is really validating the device.

“Our belief…Advanced Authentication can only be validated within the secure environment.”


RECOMMENDATIONS

1. Participate in a ride along with one of your officers.

2. Know your State Security Officer.

3. If changing or adding VPN services, test capability thoroughly before implementing.

4. Architect your network with the future in mind.

5. Just because they are a magic quadrant vendor doesn’t mean they get Public Safety.

6. Use technologies that are NIST Certified Cryptographic Modules as opposed to NIST Compliant.

7. Prepare yourself for the eventuality of the desktop requiring the same authentication standards.

8. Your Wi-Fi and Bluetooth has to be brought into compliance as well.

9. Keep in mind that your “Cloud” vendor/s may be required to meet CJIS mandates.

10. AAaaS is emerging. Some vendors are developing offerings.


RECOMMENDATIONS

10. Join the Discussion at http://www.digitalcommunities.com

Request membership in the “Law Enforcement Information Technology Task Force.”

http://www.digitalcommunities.com/

http://www.digitalcommunities.com/

813.375.1033 | [email protected]

HOUSTON THOMASPUBLIC SAFETY SOLUTION ARCHITECT

800.800.4239 | CDW.com/peoplewhogetit UNDERSTANDING 2 FACTOR AUTHENTICATION Houston Thomas Public...

Documents

Transcript of 800.800.4239 | CDW.com/peoplewhogetit UNDERSTANDING 2 FACTOR AUTHENTICATION Houston Thomas Public...