Security Basics mailing list archives
RE: Authentication question & problem
From: "Sheldon Malm" <smalm () ncircle com>
Date: Tue, 22 Apr 2008 14:18:07 -0700
There are pretty standard solutions out there to accomplish this with one or more of the following solutions in place (I would recommend combining some of these solutions if it's practical): 1. VPN between sites (pretty much as outlined below) - note that "their own authentication) mechanism" as stated below by Tremaine does not necessarily mean user logon prompt (see point #2 below). 2. Federated identity solutions (spanning authentication, authorization, and probably federated provisioning as well) - SSO is a key component of making this work 3. Trusted strong authentication, if necessary - Trusted RSA ACE/Token realms have been in place for ages - PKI/Cert solutions have similar value There is a tonne of information on the 'net about enabling Third Party trust relationships with a simplified user experience. The 3 outlined above should give you a starting point to look over your options. The bottom line is, this is a business need that is well understood and has lots of relatively mature options to address it. Sheldon Malm Director Security Research & Development nCircle Network Security Check out the VERT daily post http://blog.ncircle.com/vert -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tremaine Lea Sent: Tuesday, April 22, 2008 3:31 PM To: evilwon12 () yahoo com Cc: security-basics () securityfocus com Subject: Re: Authentication question & problem It may be relatively straightforward, if approached differently. Create a vpn tunnel between site B and site C. Allow users from site B to access the application on site C. Allow users to remote in to site B with credentials. There should be no need for site C to be involved in your ldap credentials. The fact they are authenticated on a domain that site C has chosen to trust should be sufficient. If it's not sufficient, they should be providing their own authentication mechanism. It's a bit difficult to provide specific suggestions without more information, but the above solution is definitely workable. --- Tremaine Lea Network Security Consultant Intrepid ACL "Paranoia for hire" On 22-Apr-08, at 10:41 AM, evilwon12 () yahoo com wrote:
Here is what my developers are wanting to do, and I cannot think of a secure way to do this. Have a user (at home) authenticate against our LDAP through a company portal/site and have that authentication information passed to an external vendor, allowing the user at home to utilize the application from home after being authenticated. So, it's user at site A, authenticating with site B, and the user at site A using the application (after authentiation) at site C. Sorry for being long winded, but everything there screams MITM to me.
I am probably missing something easy.
Current thread:
- Authentication question & problem evilwon12 (Apr 22)
- Re: Authentication question & proble Shreyas Zare (Apr 22)
- Re: Authentication question & problem Tremaine Lea (Apr 22)
- RE: Authentication question & problem Sheldon Malm (Apr 22)
- Re: Authentication question & proble Yousef Syed (Apr 23)
- Re: Authentication question & problem Nick Owen (Apr 25)