ahoffmann (Flag for Germany)
asked on

for kneH
just for the nice, humorous and helpful conversation in http:/Q_21404074.html
ASKER CERTIFIED SOLUTION
kneH

kneH

Btw.... got my appointment with the consultants we hired tomorrow.
Will ask em how they reckon hardware tokens will be useful for us.

I'll report back here so at least it looks like I did something for my creds ;)
ahoffmann (ASKER)

> .. enjoy a good discussion though.
this discussion gave me some news too, hence I find it fair to give credits back
That's how EE works.
LOL well for some reason I suspect pity points as I am not really gaining on you...

ahoffmann  39059
kneH  30985

;)
GRRRR.

There wasn't sufficient time to discuss the tokens..
We got stuck with the following migration subjects
Novell NDS --> MicroSoft Active Directory
Novell Groupwise --> MS Exchange

Tokens will be in next time (a week)
If you like I can still report back then.

hehe, sounds good: homogeneous environment and hence one point of failure: M$
SCNR
I know...

Just imagine the automatic update procedure being exploited.
bye bye security.....

But then again...
If we used all SUSE stuff for instance... same problem.

We'll see..

And if all fails I can at least take a few nice servers home with me ;)
This thursday....

Are you excited yet?
LOL
thursday what?
Gonna talk to the consultant people which are experts on security.

Got me one reason to go for tokens though.

The fact the pass does change.
Encrypted ones do not.
But then again they do not have to be.

Keyloggers would be useless though when using an event dependent token
hmm, that improves stealing passwords, tokens etc. but it's still 1-factor (see original question http:/Q_21404074.html )
And about security of it see http:/Q_21404074.html#13893293 in particular

Read again to be prepared for the talk, probably you get a bargain then ;-)
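The two points made above (an event-dependent token makes a keylogged code worthless for replay, yet the token on its own is still a single factor) can be seen in a few lines of code. The following is an added example, not code from this thread or from any token vendor: a server-side verifier for HOTP-style event counters (HMAC-SHA1 over the counter, RFC 4226 truncation), using the RFC 4226 test secret as a constructed sample key. Class and function names are my own.

```python
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 test secret, shared between token and server.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class HotpVerifier:
    """Server side: tracks the next expected counter per token and never accepts a code twice."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we will accept
        self.look_ahead = look_ahead  # tolerate a few button presses that never reached us

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1   # move past the used counter: replay is now impossible
                return True
        return False               # behind the window (replayed) or too far ahead


def replay_demo() -> dict:
    """Shows a code working once, a logged copy being rejected, and resync after skipped presses."""
    server = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)             # what the user types, and what a keylogger captures
    results = {
        "first_use_accepted": server.verify(first),
        "keylogged_replay_accepted": server.verify(first),       # same code again: rejected
        "next_code_accepted": server.verify(hotp(SECRET, 1)),
        "skipped_presses_resynced": server.verify(hotp(SECRET, 4)),  # within look-ahead window
        "old_code_after_resync_accepted": server.verify(hotp(SECRET, 3)),  # behind window: rejected
    }
    return results


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

Note what the verifier checks: only that the code came from the right secret and a fresh counter. Possession of the token is the single factor proven here; a PIN (something you know) would have to be checked separately, and once the server has accepted the code, whatever session it hands out is outside the token's protection.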
Yup you are absolutely right bout the one factor.
But the tokens would still offer additional value due to above mentioned arguments.

Though if them consultant blokes will try n push those tokens upon me because they are two factor which is safe I'll slap em ;)

If we are gonna go for tokens though I'm sure it'll be the safeword ones.
Easiest to use + more secure.
agreed that it is more secure.
But do you give a new token for any action/request following the initial authentication?
If not, are you used to session hijacking and session riding?
Well we could always be had by session riding or hijacking.
I know that.

But then again this could always be the case when you remotely log in.

After this initial authentication the user would still have to log into his citrix session. At least I'm gonna tell em I want that... just to be on the safe side.

So you would have to ride a session within a session really.
Still not indoable but harder.
*undoable

I want an edit button!!!
Here's the plan.

We have several devices dividable in two groups:
- device with local storage
- device without local storage

With local storage is gonna get an OTP token with a USB thingie which contains a certificate.
Without storage is gonna have a certificate placed on it + get an OTP token without USB (so they can't stick it in and forget it).

The authentication layers will be:
1. certificate
2. OTP
3. Pin

Also we are gonna divide the devices with passwords in two groups again.
- with internet
- without internet

With internet we might even consider them having to create a VPN session first as an extra layer of security.

Whaddayareckon?

Good idear?


(btw the USB thingie already means we are not gonna go for safeword.... they don't have one I think... gonna look that up in a sec)
http://www.redcannon.com/kp/index.htm

Look at that puppy!

Now that sounds like a nice one.
Not got to the part where they tell me how on earth they are gonna update that thing regularly.... but the idear is good.