Thursday, January 31, 2013

Inside Look - SAML Federation with BIG-IP APM

I get an Inside Look at BIG-IP's new #SAML #Federation functionality in v11.3 with Sr Security Solution Architect, Gary Zaleski. We cover BIG-IP as a SAML Service Provider (SP) and as a SAML Identity Provider (IdP). Watch how users can easily connect to Salesforce, SharePoint, Office365 and Google. Solving Substantiation with SAML.


ps


Tuesday, January 29, 2013

Solving Substantiation with SAML

Organizations are deploying distributed, hybrid architectures that can span multiple security domains. At any moment, a user could be accessing the corporate data center, the organization’s cloud infrastructure, or even a third party, #SaaS web application. #SAML can provide the identity information necessary to implement an enterprise-wide single sign-on solution.

Proving or asserting one’s identity in the physical world is often as simple as showing a driver’s license or state ID card. As long as the photo matches the face, that’s typically all that is needed to verify identity. This substantiation of identity is a physical form of authentication, and depending on the situation, the individual is then authorized either to receive something or to do something, for instance, enter a bar, complete a purchase, etc.

In the digital world, identity verification is not as easy as showing the computer monitor a driver’s license. To gain entry, you must provide information like a name, password, randomly generated token number—something you have, something you know, or something you are—to prove you are who you say you are.

Gaining access to corporate assets is no different. Many organizations, however, have multiple resource portals, each requiring digital proof of identity. Their users may also need to access partner portals, cloud-based Software as a Service (SaaS) applications, or distributed, hybrid infrastructures that span multiple data centers, each requiring a unique user name and password. In addition, the average employee must maintain about 15 different passwords for both her private and corporate identities, with many of those passwords also being used for social media and other risky entities. Statistics show that 35 to 50 percent of help desk calls are related to password problems, with each call costing a company between $25 and $50 per request.

Security Assertion Markup Language (SAML) is an XML-based standard that allows secure web domains to exchange user authentication and authorization data. It directly addresses the problem of how to provide the users of web browsers with single sign-on (SSO) convenience. With SAML, an online service provider can contact a separate online identity provider to authenticate users who are attempting to access secure content. For example, a user might need to log in to Salesforce.com, but Salesforce (the service provider) has no mechanism to validate the user. Salesforce would then send a request to an identity provider, such as F5 BIG-IP Access Policy Manager (APM), to validate the requesting user’s identity. BIG-IP APM version 11.3 supports SAML federation, acting as either a service provider or an identity provider, enhancing the employee’s online experience and potentially reducing password-related tickets at the help desk.

BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.

BIG-IP APM as a Service Provider

When a user initiates a request from a SAML IdP and the resources, such as an internal SharePoint site, are protected by BIG-IP APM, BIG-IP APM consumes that SAML assertion (claim) and validates its trustworthiness. This ultimately allows the user access to the resource. If the user goes directly to BIG-IP APM (as an SP) to access a resource (like SharePoint), then the user will be directed to the IdP to authenticate and get an assertion. Once a user is authenticated with a SAML IdP and accesses a resource behind BIG-IP APM, he or she will not need to authenticate again. 

BIG-IP APM as an Identity Provider

Provided there is an SP that accepts assertions, a user can authenticate with BIG-IP APM to create an assertion. BIG-IP APM authenticates the user and displays resources. When the user clicks on an application, BIG-IP APM generates an assertion. That assertion can be passed on to the SP, which allows access to the resource without further authentication. When the user visits the SP first, the process is SP initiated; when the user goes directly to the IdP (in this case, BIG-IP APM) first to authenticate, the process is IdP initiated.
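The SP-side validation described above (BIG-IP APM consuming an assertion and checking its trustworthiness, and the SP-initiated versus IdP-initiated distinction) as an added Python example; this is not code from the post or from F5's product. The IdP and SP names, the ACS URL and the sample assertion are constructed, and XML signature verification is assumed to have been done already by an XML-DSig library, so only the assertion's content checks are shown.

```python
"""SP-side content checks on a SAML 2.0 assertion. Constructed sample; the
XML signature is assumed to have been verified already by an XML-DSig library."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (hypothetical IdP/SP names), <ds:Signature> omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2013-01-29T10:00:00Z">
  <saml:Issuer>https://idp.example.com/apm</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
        NotOnOrAfter="2013-01-29T10:05:00Z" Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-01-29T09:59:00Z" NotOnOrAfter="2013-01-29T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml, trusted_idp, sp_entity_id, acs_url, now_utc,
                       pending_request_ids, allow_unsolicited=False):
    """Return (accepted, reason). pending_request_ids holds AuthnRequest IDs this SP
    issued and has not yet seen answered (SP-initiated flow). An assertion with no
    InResponseTo is IdP-initiated and is accepted only when allow_unsolicited is set."""
    now = _ts(now_utc)
    a = ET.fromstring(xml)
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        return False, "untrusted issuer"           # only the configured IdP may assert
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"    # stale or not-yet-valid assertion
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch"          # assertion meant for another SP
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "wrong recipient or expired subject confirmation"
    in_response_to = scd.get("InResponseTo")
    if in_response_to is None:                      # unsolicited: IdP-initiated flow
        return (True, "idp-initiated") if allow_unsolicited else (False, "unsolicited assertion rejected")
    if in_response_to not in pending_request_ids:   # must answer a request this SP made
        return False, "InResponseTo does not match an outstanding request"
    return True, "sp-initiated"
```

An SP that only ever sends users to the IdP (SP-initiated) can leave allow_unsolicited off, which rejects any assertion it did not ask for; an SP behind an IdP portal turns it on and then relies on the audience, recipient and time-window checks alone.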

BIG-IP APM in a SAML Federation

SAML can be used to federate autonomous BIG-IP APM systems. This allows a user to connect to one BIG-IP device, authenticate, and transparently move to other participating BIG-IP devices. Session replication is not part of SAML, but administrators can populate session information on participating systems. This means that BIG-IP device federation does not enable the use of a single session within the federation; it only enables information exchange among multiple members of the federation. Each participating BIG-IP device maintains its own independent session with the client, and each has its own access policy that executes separately and independently.

Participating federation members can exchange information with any other federation members outside of sessions where needed. A common configuration is to have a dedicated BIG-IP device as a primary member to which users are authenticated and that provides information to other members. This allows a number of other BIG-IP devices to work in conjunction with that primary member. The primary member is dedicated as an IdP, while the other participating members operate as SPs.

Benefits

The benefits of deploying BIG-IP APM as a SAML solution certainly include better password management, fewer help desk calls, and an improved user experience, but BIG-IP APM can also add additional context to requests. For instance, it can include endpoint inspection results as attributes to inform the application of the client’s security posture. In addition, IT administrators do not need to retrofit applications (e.g., .NET apps do not need a Kerberos claims plug-in). Another advantage is extensive session variable support, which allows organizations to customize each user session. BIG-IP APM can bring SAML to resources and applications with minimal back-end changes—or none. These benefits all complement the values of BIG-IP APM to the overall traffic management of an organization’s IT infrastructure.

IT infrastructure has changed dramatically over the past few years, with many applications moving to cloud-based services. Corporate employees have also morphed into a mobile workforce that requires secure access to that infrastructure any time, from anywhere, and with any device. Bridging the identity gap between physically and logically separated services allows organizations to stay agile in this ever-changing environment and gives users the secure access they need around the clock.

BIG-IP APM version 11.3, in addition to delivering high availability and protecting organizations’ critical assets, provides a SAML 2.0 solution that offers the identity bridge needed to manage access across systems.

ps


Tuesday, January 22, 2013

Security Bloggers Network Voting

I'm listed in the preliminary round of nominees (to hopefully make it to the final nominees) in two categories for the 2013 Social Security Blogger Awards: Security Bloggers Network Voting

Please share and vote for your favorite through Friday, January 25, even if it's not me.  :-)

The Most Educational Security Blog

Critical Watch: http://blog.criticalwatch.com/

psilvas blog: http://psilvas.wordpress.com/

MichaelPeters.org: http://michaelpeters.org/

The Most Entertaining Security Blog

psilvas blog: http://psilvas.wordpress.com/

From Alan Shimel's blog:

A little later than we wanted, but the preliminary round of voting for the 2013 Social Security Blogger Awards is open as of today. As I wrote in an earlier post we are doing something a little different this year. In addition to finalists nominated by our judges, we are also letting bloggers and podcasters nominate themselves for the preliminary round. The top vote getters in each category of the preliminary rounds will be added to the finalists.

Voting for the preliminary round will continue for the rest of this week.  Then voting in the finals will commence.  We hope this will allow a new generation and some "fresh faces" into the award process.

Of course the winners will be announced at the Security Bloggers Meetup at RSA Conference this year.

Thanks!

ps


Monday, January 21, 2013

HELLO, My Name is Cloud_009...

 ...scrolls across the small 16:9 LCD protruding from my chest cavity. 

In case you missed it, I'm from the future, where we all have become our own personal cloud.  Some clouds you can actually see, like auras, but look somewhat like the classic Peanuts character Pigpen.  We've all become walking antennas, routers, hotspots and hubs for all the other personal clouds.  If auto-discovery is enabled, once you are in range of a 'friend' that you 'like,' a few beeps go off and they appear as an icon right in our own retina.  You remember those smart phones that allowed users to tap the phones to send a picture or file?  Now, all we have to do is crank up some digital audio and do a move called 'The Bump.'  It's based on some ancient 1970's fad dance where participants would lightly 'bump' hips to the beat of the music.  Today we use it to exchange data.  A bump or two and you've shared your music library.  A hip-check, your movie collection.  Passing gas is kinda like your old computer's recycle bin that you need to empty every so often.

All this works in conjunction with the IPv6 chip inserted into the freshly cut umbilical cord of every newborn, so it heals right into the system.  As you grow, the bellybutton also becomes a power source - you can interchange belly-ring connections and power almost any device with the solar plexus.  But we really do not carry 'mobile' devices anymore since their functionality is now mostly built in to our carcasses.  Our ear and earlobe have evolved to have the capability of answering calls or listening to audio just by pushing in the outer ear plug or as you used to call it, the tragus.  The earlobe itself is a highly sensitive bio-metric scanner that'll check your thumbprint and if authenticated, will unlock your car, home or any other item that you program. 

We each have a cloud identifier to distinguish our identity.  I'm Cloud_009.  I used to be Cloud_337528 but since I'm usually happy, have a strong security posture and graduated from ISO University, I was recently upgraded.  You're probably wondering if I know Cloud_007.  We've met a couple times but I try to stay away from the espionage cloud since you really don't know what you may catch in there.  Lots of infecting, crashing and drive-by Bumps. 

I'm also able to segment parts of my cloud for work and play.  Some clouds do top half/bottom half but I like to go right down the middle.  When enabled, my right side handles my work/corporate data and the left does my personal stuff.  Because I'm flexible, the percentages can adjust on the spot when the demand goes up.  From 9-5, I might use up to 80% of my cloud-body for work related computations with the other 20% reserved for bathroom breaks, eating, breathing, recharging and any other personal activities.  The data stays separate, secure and encrypted. 

Well, I got a hologram coming in that I need to watch but it was nice talking with you.  We don't do much of that anymore since most messages are sent telepathically these days.

ps


Wednesday, January 16, 2013

Inside Look - Enterprise Manager v3.1

I meet with Bruce Butterfield, Principal Software Engineer for Management Solutions, to get an inside look at the new Enterprise Manager v3.1 including the awesome LogIQ.  'Inside Look' takes a deeper dive into BIG-IP Technology.


ps
