Vulnerability Development mailing list archives

Re: Single SignOn


From: BGrubin () SCIENT COM (Ben Grubin)
Date: Thu, 24 Feb 2000 13:54:00 -0600


-----Original Message-----
From: Vanna P. Rella [mailto:vamprella () chickmail com]
Sent: Thursday, February 24, 2000 2:44 PM
To: Ben Grubin
Cc: VULN-DEV () SECURITYFOCUS COM
Subject: RE: Single SignOn

Wow, didn't realize it's using UDP. UDP is traditionally
insecure. However, if they're using crypto APIs, wouldn't
that solve the problem?

UDP in and of itself is not insecure, but since it's connectionless you have
less opportunity to be nice and stateful on the firewalls.  Additionally, I
don't know what type of environment you will be working with, but most major
financial house security policies prohibit passing UDP over firewalls.  This
may not be a big deal in your environment, but it was in ours.

OK, let me see if I understand this correctly in really super
easy basic terms. The client says "hey, I wanna sign on to
your super cool site". GetAccess sends a request going through
the ORB to the Client Implementation. A reply is made from the
server behind the firewall (holding all types of Phun things),
opening UDP ports to talk to the client in the Internet Cloud.
Does multi-tier method mean that it


Somewhat.  The CORBA services and client services can coexist on a single
machine, or in the same layer as the clients are in (as in not separated by
a firewall), which is what we had to do to avoid the UDP issues.  This is
"not good" since you want your object repository not to be exposed to the
internet, since it presents a greater risk factor than, say, someone owning
a web server.

What happens is you access a client plugin (i.e. through a Netscape web
server), which then generates an authentication request to the CORBA
repository (hello VisiBroker); this is the UDP request.  This request is
eventually passed to what enCommerce calls the "SMS", which is a service whose
responsibility it is to maintain session state.  This service generates the
cookie which is sent back to the client.  The cookies are implemented
properly.  Encrypted and stateless.  I have no security problem with that at
all.

More importantly though, they used CORBA without a real
need---it's overly complex.

The only thing I know about CORBA is that it stands for
Common Object Request Broker Architecture.
My concerns were originally about using cookies for
authentication. Although they'd be 'encrypted' there are
still problems with cross-site scripting, stealing cookies,
replacing cookies, etc. Best practices states that cookies
are not a Good Thing(tm) when security is a concern. However,
I don't really know any other alternative. But now with this
whole Corba thing on top of it ...


CORBA is just a mess.  It's a huge overbuilt standard that theoretically
should support extreme scalability, but the VisiBroker crap is just poorly
implemented and broken.  In a perfect world, when you need to distribute SSO
services over a massive network, CORBA can be a boon, making it simple to
replicate and maintain authentication services over a wide area, but in most
implementations this is rarely required.  Because of the complexity of the
VisiBroker/CORBA services, they end up being more trouble than they are
worth 98.6% of the time (IMHO).  Of course, the functionality *may* be
useful in your environment.  Dunno.

We did a major ecommerce financial implementation, and found its scalability
*severely* lacking.  We're probably 15 patchlevels ahead of the standard
distribution, and even then it's the most common component failure in the
entire system.

This is great information. In their presentation, they stated
something about how UPS uses the service and they're getting
massive hits and using only one box. They made it seem like
scalability wasn't an issue. It was one of their selling points.



Marketing.


At its core, it's simply an immature product, much like the rest of the
space, but it does have potential.  I do not have experience with the IBM
product to compare it.

So, have you worked with any products that were good? Which
product would you recommend?


Unfortunately, the entire space is mostly immature.  I tend to like the more
generalized directory services implementations over specialized SSO product.
I specifically like X.500 based services like NDS, and to a limited extent,
LDAP, but YMMV.

Cheers,
Ben


---
Benjamin P. Grubin                 / bgrubin () scient com - PGP key available
Infrastructure/Security Architect / mobile (617) 513-5978 fax (617) 585-3230
Scient -- Be Legendary           / http://www.scient.com/  ticker://SCNT
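Ben describes the enCommerce "SMS" handing the client an "encrypted and stateless" session cookie, and Vanna's original worry was that cookies can be stolen or replaced. The example below is added here and is not code from either poster or from the enCommerce product; it shows the one property that addresses the "replacing cookies" concern in a stateless design: the server MACs the session claims with a key only it holds, so a client can read its cookie but cannot alter it or mint one. The secret key, the claim names and the tampering helper are constructed for the example. This block authenticates the cookie (HMAC-SHA256) but does not encrypt it; the page says the real product encrypted them as well, which would need a cipher the standard library does not provide.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed key for the example. A real server loads this from a secret
# store and rotates it; anyone who has it can mint cookies for any user.
SERVER_KEY = b"example-server-key-do-not-use-in-production"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_cookie(user: str, roles: List[str], ttl_seconds: int,
                 key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Mint a stateless session cookie of the form base64(claims).base64(tag).

    The server keeps nothing; everything it needs to authorise later requests
    is in the claims, and the HMAC tag proves the claims came from it.
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": roles, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the cookie is authentic and unexpired, else None.

    The tag is checked before the payload is trusted or parsed, and with a
    constant-time compare so the check itself leaks nothing about the tag.
    """
    now = time.time() if now is None else now
    try:
        p_b64, t_b64 = cookie.split(".", 1)
        payload, tag = _b64d(p_b64), _b64d(t_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired; a stolen cookie is only useful until then
    return claims


def tamper_roles(cookie: str, new_roles: List[str]) -> str:
    """Constructed attacker step: edit the readable claims, keep the old tag."""
    p_b64, t_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(p_b64))
    claims["roles"] = new_roles
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(forged)}.{t_b64}"


if __name__ == "__main__":
    t0 = 1_000_000
    c = issue_cookie("vanna", ["user"], ttl_seconds=3600, now=t0)
    print("issued :", c)
    print("valid  :", verify_cookie(c, now=t0 + 100))
    print("forged :", verify_cookie(tamper_roles(c, ["admin"]), now=t0 + 100))
    print("expired:", verify_cookie(c, now=t0 + 3600))
```

A MAC only covers "replacing cookies"; it does nothing against "stealing cookies", the other concern raised in the thread. Theft is limited by the `exp` claim (a short TTL bounds the replay window) and by how the cookie is set (HTTPS only, not readable from script), which are transport and browser controls outside this block.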


