ahoffmann
asked on
for kneH
just for the nice, humorous and helpful conversation in http:/Q_21404074.html
ASKER
> .. enjoy a good discussion though.
this discussion gave me some news too, hence I find it fair to give credits back
That's how EE works.
LOL well for some reason I suspect pity points as I am not really gaining on you...
ahoffmann 39059
kneH 30985
;)
GRRRR.
There wasn't sufficient time to discuss the tokens..
We got stuck with the following migration subjects
Novell NDS --> Microsoft Active Directory
Novell Groupwise --> MS Exchange
Tokens will be in next time (a week)
If you like I can still report back then.
ASKER
hehe, sounds good: homogeneous environment and hence one point of failure: M$
SCNR
I know...
Just imagine the automatic update procedure being exploited.
bye bye security.....
But then again...
If we would use all SUSE stuff for instance... same problem.
We'll see..
And if all fails I can at least take a few nice servers home with me ;)
This Thursday....
Are you excited yet?
LOL
ASKER
Thursday what?
Gonna talk to the consultant people who are experts on security.
Got me one reason to go for tokens though.
The fact the pass does change.
Encrypted ones do not.
But then again they do not have to be.
Keyloggers would be useless though when using an event-dependent token
ASKER
hmm, that improves stealing passwords, tokens etc. but it's still 1-factor (see original question http:/Q_21404074.html )
And about security of it see http:/Q_21404074.html#13893293 in particular
Read again to be prepared for the talk, probably you get a bargain then ;-)
Yup you are absolutely right bout the one factor.
But the tokens would still offer additional value due to above mentioned arguments.
Though if them consultant blokes will try n push those tokens upon me because they are two factor which is safe I'll slap em ;)
If we are gonna go for tokens though I'm sure it'll be the safeword ones.
Easiest to use + more secure.
ASKER
agreed that it is more secure.
But do you give a new token for any action/request following the initial authentication?
If not, are you used to session hijacking and session riding?
Well we could always be had by session riding or hijacking.
I know that.
But then again this could always be the case when you remotely log in.
After this initial authentication the user would still have to log into his citrix session. At least I'm gonna tell em I want that... just to be on the safe side.
So you would have to ride a session within a session really.
Still not indoable but harder.
*undoable
I want an edit button!!!
Here's the plan.
We have several devices divisible into two groups:
- device with local storage
- device without local storage
With local storage is gonna get an OTP token with a USB thingie which contains a certificate.
Without storage is gonna have a certificate placed on it + get an OTP token without USB (so they can't stick it in and forget it).
The authentication layers will be:
1. certificate
2. OTP
3. Pin
Also we are gonna divide the devices with passwords in two groups again.
- with internet
- without internet
With internet we might even consider them having to create a VPN session first as an extra layer of security.
Whaddayareckon?
Good idear?
(btw the USB thingie already means we are not gonna go for safeword.... they don't have one I think... gonna look that up in a sec)
http://www.redcannon.com/kp/index.htm
Look at that puppy!
Now that sounds like a nice one.
Not got to the part where they tell me how on earth they are gonna update that thing regularly.... but the idear is good.
Will ask em how they reckon hardware tokens will be useful for us.
I'll report back here so at least it looks like I did something for my creds ;)