SYMANTEC: SOLUTION OVERVIEW SERIES
Symantec Validation & ID Protection
Iftikhar Ali Iqbal
https://www.linkedin.com/in/iftikhariqbal/
Valid till May 2016
Agenda
1. Company Overview
2. Solution Portfolio
3. Symantec Validation & ID Protection Service
4. Features, Architecture, Design and Licensing
5. Look and Feel
SYMANTEC: VIP
OVERVIEW: SYMANTEC
• Founded in 1982
• Headquartered in California, United States
• Fortune 500 company
• Provides Software and Services
• Focus is on Consumer Security and Enterprise Security
• 2014 Revenue:
– $6.7 billion (ended March 28, 2014)
– Information Security: $4.2 billion
• 2014 Market Share:
– Largest security software vendor by revenue and market share (17.2%) (Gartner) - http://www.gartner.com/newsroom/id/3062017
OVERVIEW: THE SPLIT
• As of 1st October 2015, Symantec’s Information Management business operates as a separate, privately held company: Veritas Technologies Corporation
• Solutions:
– Backup and Recovery
– Archiving
– High-Availability
– Disaster Recovery
• Separate operations, partner programs, support, etc.
OVERVIEW: AREAS OF FOCUS
• Solutions to Protect against:
– Malware and Spam
– Advanced Persistent Threats and Cyber Attacks
– Identity Theft and Loss of Confidential Information
• Solutions to Manage:
– Governance, Risk and Compliance
– Client, Asset, Server and Mobility
• Services:
– Product Support
– Cyber Security
– Education
SYMANTEC: PORTFOLIO
PORTFOLIO: NUTSHELL
Cyber Security Services
• Monitoring, Incident Response, Simulation, Adversary Threat Intelligence
Threat Protection (Endpoints, Data Center, Gateway)
• Threat Prevention, Detection, Forensics & Resolution
• Device, Email, Server, Virtual & Cloud Workloads
• Available On-premise and Cloud
Unified Security Analytics Platform
• Big data security analytics; available to customers in self-service mode
• Telemetry, Incident Management, Protection Engines, Global Intelligence, Threat Analytics
Information Protection (Data, Access)
• Identity and Data Loss Protection
• Cloud-based Key Management
• Cloud Security Broker
Users, Data, Apps, Cloud, Devices, Network, Data Center
SYMANTEC: VALIDATION & ID PROTECTION SERVICE
Introduction, Components and Features
VIP: INTRODUCTION
Authentication factors:
• Something you HAVE
• Something you KNOW
• Something you ARE
Sample login values shown on the slide: username, P**w*rd, VSMT123, 123456
VIP: COMPONENTS
• Cloud-based Components
– VIP Validation Service
– VIP Manager
– VIP Self Service Portal
• On-premise Components
– VIP Web Service APIs (if applicable)
– VIP Enterprise Gateway
– VIP OTP, Out-of-Band and Tokenless Credentials
VIP: CREDENTIALS
Symantec™ VIP
• Standalone OTP Credentials: Hardware Token; Mobile, Desktop Software; Embedded
• Out-of-Band: SMS, Voice Call, Email
• Tokenless: Device Fingerprint, Registered Computer, Intelligent Authentication
• VIP Access Push
VIP: CREDENTIALS (HARDWARE)
• VIP Security Card
– Event-Based
– NagraID
– 3-year warranty
• VIP Security Token
– Vasco (Time-Based)
– AI (Event-Based)
– AI is waterproof
– 5-year warranty
VIP: CREDENTIALS (SOFTWARE)
• VIP Access for Mobile
– FREE
– Download from Apple iTunes App Store, Android Market, BlackBerry AppWorld
– 900+ popular handsets supported including iPhone/iPad, Android, Windows Phone, BlackBerry, J2ME
– Push Notifications (iOS and Android)
VIP: CREDENTIALS (SOFTWARE)
• VIP Access for Mobile (Push Notifications)
– iOS and Android
– Apple Watch
VIP: CREDENTIALS (SOFTWARE)
• VIP Access Desktop
– Desktop Client
– Copy/Paste OTP
– Auto-fill forms
– Microsoft Windows and Apple MacOS
VIP: CREDENTIALS (OUT-OF-BAND)
• Through SMS, Voice Call or Email
– VIP Service generates and delivers the security code
– SMS/Voice Call: Phone number registered with the service
– SMS/Voice Call: Per SMS and/or Call package
Sample messages:
– "Your verification ID is [123456]."
– "Your verification ID is [123456]. If you would like to hear it again press 1, otherwise hang up and see your computer screen for more details."
VIP: CREDENTIALS (TOKENLESS)
• VIP Registered Computer or Mobile
– Device certificate used as the device identifier
– Browser plugin performs login using device certificate
– Mobile: VIP SDK can be integrated with application
– Users only type username and password
VIP: CREDENTIALS (TOKENLESS)
• VIP Intelligent Authentication
VIP: CREDENTIALS (TOKENLESS – VIP INTELLIGENT AUTHENTICATION)
Gatehouse
• User ID
• Password
Roadway Scanner
• Symantec Global Intelligence Network
• Device ID
• Fingerprint
• Symantec Endpoint Protection
• User Behaviour
Send Code by SMS, email or voice; Enter Validation Code; Correct Code grants Access
VIP: ENTERPRISE GATEWAY
• A lightweight proxy service that acts as a bridge between your application/local infrastructure and the Symantec VIP Service.
• Deployed on premise and integrates with your LDAP or Active Directory
• Requirements:
– Microsoft Windows Server 2003 (SP1) to 2012 R2
– RHEL 5.9 to 5.11, 6.4 to 6.6 and 7.0 to 7.1
– User Stores: Active Directory, Novell eDirectory 8.8 (SP 8), OpenLDAP 2.4.40 and Oracle Directory Server Enterprise Edition 11.1
• VIP Enterprise Gateway provides a RADIUS*-based authentication server
*Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.
VIP: ENTERPRISE GATEWAY
• Features/Functions:
– Configuration Console – enables administration, configuration and management of the Enterprise Gateway.
– Validation Server – validates RADIUS authentication requests from applications such as a VPN gateway against the user store (Active Directory) and informs the VPN gateway through a RADIUS response.
– Identity Providers (IdPs) – authenticate users for the VIP Manager and VIP Self Service Portal
– Self Service Portal Proxy – reverse proxy for VIP Self Service (use case: remote users)
– Tunnel Forwarder and Receiver – provides a RADIUS packet relay service over a TCP connection if any UDP traffic is prevented due to firewall policy
– LDAP Synchronization – synchronizes with Active Directory or LDAP
– Logging
VIP: WEB SERVICES APIs
• For developers integrating Symantec VIP credentials into local applications
• The interface between applications and VIP is SOAP Web Services
VIP: SELF-SERVICE PORTAL
VIP: MANAGER
VIP: VALIDATION SERVICE
• Secure, reliable cloud-based authentication service.
• Validates one-time-passwords generated by registered VIP credentials.
• Provides programmatic access to validation services through VIP API.
SYMANTEC: VALIDATION & ID PROTECTION SERVICE
Architecture, Intelligent Authentication and Use Cases
VIP: ARCHITECTURE
Diagram components: User; Internal Resource (VPN, VDI, SSO, Webmail, etc.); VIP Enterprise Gateway; Enterprise Directory; Symantec VIP Service.
Labelled connections: HTTPS, RADIUS, LDAP, Mobile Push.
VIP: ARCHITECTURE (NETWORK TOPOLOGY)
VIP: INTELLIGENT AUTHENTICATION (FLOW)
Flow diagram components: VPN User; VPN; Enterprise Gateway & VIP SSP IDP; Symantec VIP IA.
Flow diagram steps (numbered 1 to 5 on the slide): Login; First Factor Authentication; Risk Evaluation; Step-up Authentication; Allow/Deny User Access.
VIP: INTELLIGENT AUTHENTICATION (RISK ANALYSIS)
Evaluate…
• Do we know this device?
• Is it still the same device?
• Is this device trustworthy?
• Is it acting as expected?
Inputs: Device ID, Device Reputation, User Behavior
Output: Actionable Risk Score
…and respond
• Low Risk: Grant access without an additional challenge
• High Risk: Challenge user via Out-Of-Band authentication process
VIP: INTELLIGENT AUTHENTICATION (RULES)
Device Identification & Fingerprint
• Device Engine: Uniquely identifies a device and remembers it
• Registered Computer: Strengthens device identity using a device certificate
Device Reputation
• Norton/SEP Presence: Confirms if Symantec antivirus protection is available
• Blacklisted IP: Identifies if the user/device is a known malicious actor
• Restricted Country: Identifies if the login originates in a forbidden country
User Behavior
• Behavioral Engine: Spots anomalous behavior using IP, location, browser, OS
• Difficult Travel: Identifies impossible travel via distance, time since last login
• Failed Previous Login: Prevents access until challenge completed successfully
VIP: INTELLIGENT AUTHENTICATION (WEIGHTS)
• Not all rules are the same!
– Relative weights are assigned to each rule
– For example, if the last challenged log-in for a user failed, the risk score generated will be weighted relatively high
– On the other hand, if a difficult travel is detected, the risk score generated will be weighted relatively lower
• Rule combinations are also evaluated
– Rules are evaluated in distinctive combinations
– If a difficult travel is detected and user behavior seems anomalous, the risk score will be higher
– If user behavior seems anomalous and the IP is in the blacklist, the risk score will be higher
VIP: USE CASES
- Array AccessDirect Remote Access SSL VPN
- Barracuda SSL VPN
- F5 BIG-IP Access Policy Manager
- Check Point VPN
- Cisco VPN 5500
- Citrix Access Gateway
- Citrix NetScaler
- F5 FirePass VPN
- Juniper SA VPN
- Palo Alto Networks GlobalProtect VPN
- SonicWALL Aventail SSL VPN
- Citrix Web Interface for XenApp
- Citrix Web Interface for XenDesktop
- Citrix StoreFront for XenDesktop
- Citrix GoToMyPC
- SAP NetWeaver
- Microsoft SharePoint Server 2007
- Microsoft SharePoint Server 2010
- Microsoft SharePoint Server 2013
- Microsoft Outlook Web Access 2003
- Microsoft Outlook Web Access 2007
- Microsoft Outlook Web Access 2010
- Microsoft Outlook Web Access 2013
- VMWare View
- Symantec Access Manager
- CA SiteMinder
- IBM Tivoli Access Manager
- Okta Identity Management
- Oracle OpenSSO
- Oracle Access Manager 11g
- Oracle Access Manager 10g
- PingIdentity
- Microsoft Active Directory Federation Services v. 3
- Microsoft Active Directory Federation Services v. 2
- Apache HTTP Server
- Internet Information Services 7
- Internet Information Services 8
SYMANTEC: VALIDATION AND ID PROTECTION SERVICES
Licensing and Packaging
VIP: LICENSING
• VIP is available for business-to-business (B2B) and business-to-consumer (B2C) cases.
• For B2C – pricing is provided directly by Symantec as SKUs are unpublished for Distributors and Partners.
• For Symantec VIP and MPKI orders, Symantec requires a Customer Profile Form. This is a mandatory requirement during order processing, along with the Proof of Purchase (POP).
• When a customer purchases Symantec VIP, a unique account identifier is created, called Jurisdiction Hash (JHASH). For add-ons and/or renewals, this is mandatory, along with the Proof of Purchase (POP).
VIP: LICENSING
COMPONENT | METER | NOTES
VIP Account Setup | N/A | One-time fee
VIP Authentication Service | User | With Gold Support, Software Tokens, IA, Enterprise Gateway, SDK, APIs
VIP Authentication Service Enterprise Platinum | User | With Platinum Support
VIP Hardware Tokens | Token | Minimum buy is 10
VIP SMS Package | SMS | Per year “use it or lose it”
VIP Voice Call Package | Call | Per year “use it or lose it”
• Opportunity Type: New, renewal or add-on?
• Service Length: 1, 2 or 3 years?
• Number of Users: How many credentials?
• Support Type: Gold included. Add Platinum?
• Credential Type: Hardware, card or mobile token?
SYMANTEC: VALIDATION AND ID PROTECTION SERVICES
Look and Feel
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
SYMANTEC: VALIDATION & ID PROTECTION SERVICES
Appendix
Identifying Risky Authentication Events
User Logs In From Home Using Work Laptop
• Sunnyvale, United States; IP: 66.135.192.123; OS: Windows 7; Browser: Firefox 5.0
• Known device ID; Location agrees with history; Unchanged device profile
• Low Risk, No Challenge
Hacker #1: Attacking from China
• Guangzhou, Guangdong; IP: 61.145.127.128; OS: Windows 7; Browser: Firefox 5.0
• Unknown device, no device ID; Difficult travel from prior login; Unchanged device profile
• High Risk, Challenge User
Hacker #2: Attacking from Cuba
• Havana, Cuba; IP: 61.145.127.128; OS: Windows 7; Browser: Firefox 5.0
• Unknown device, no device ID; Forbidden origin country; Unchanged device profile
• High Risk, Challenge User
User Travels to India with Same Laptop
• Mumbai, Maharashtra; IP: 202.138.101.165; OS: Windows 7; Browser: Firefox 5.0
• Known device, valid device ID; Unexpected behavior; Unchanged device profile
• Medium Risk, Challenge User
Hacker #3: Attacking from the User’s Hotel in India
• Mumbai, Maharashtra; IP: 202.138.101.165; OS: Windows 7; Browser: Firefox 4.0.1
• Known IP address and location; Downgrade of browser version; Unknown device, no device ID
• High Risk, Challenge User
User Upgrades Firefox While at Hotel in India
• Mumbai, Maharashtra; IP: 202.138.101.165; OS: Windows 7; Browser: Firefox 6.0a2
• Known device, valid device ID; Known IP address and location; Profile change, Firefox update
• Low Risk, No Challenge
User Travels to Cuba, Using Registered Computer
• Havana, Cuba; IP: 61.145.127.128; OS: Windows 7; Browser: Firefox 5.0
• Registered Computer succeeds; Forbidden origin country; Unchanged device profile
• High Risk, Challenge User
Hacker #4: Co-worker Attacking to Use User’s Machine
• Sunnyvale, United States; IP: 66.145.127.128; OS: Windows 7; Browser: Firefox 5.0
• Known device, device ID; Registered Computer check; Unchanged device profile
• High Risk, Challenge User
IA Rules
• Behavior Engine - Identifies anomalous user behavior by analyzing IP, geo-location, browser and OS
– If the transaction is anomalous, the risk score will be increased. Most anomalies on their own may not result in the user being challenged at a default threshold.
• Restricted Country - Identifies if the user comes from a restricted country
– This is for compliance requirements; for example, if a transaction comes from Cuba, North Korea, Iran, etc., it should be challenged.
– If a user logs in from a restricted country, the transaction will get challenged at a default threshold
• Blacklisted IP - Identifies if the user logs in from a blacklisted IP and increases the risk score
– A user login from a blacklisted IP will not by itself result in the user being challenged at a default threshold
• Difficult Travel - Identifies whether the travel implied by distance and time is logically possible for the user
– By itself, difficult travel will not result in the user being challenged at a default threshold.
• Failed Previous Event - Identifies if the last challenged log-in was successfully answered
– If the last challenged log-in failed, the transaction will always get challenged until a successful response is received, regardless of the set risk threshold.
• IA + RC - The Registered Computer validation result is provided to IA for a combined evaluation of risk
– IA will never overturn a failed Registered Computer.
– IA may override a good Registered Computer to be risky when multiple alerts are detected.
– If an RC fails, the transaction will always be flagged as risky, independent of the risk threshold
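The rule semantics above (weighted rules, rule combinations, and the two checks that force a challenge regardless of threshold) can be sketched as a small decision function. This is an added example, not Symantec code: the numeric weights, the combination bonuses, the default threshold of 50 and all names are constructed assumptions, since the slides give only relative ordering.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed values (assumptions): the slides state only that weights are relative.
DEFAULT_THRESHOLD = 50
WEIGHTS = {
    "restricted_country": 60,  # alone reaches the default threshold
    "blacklisted_ip": 35,      # alone stays below the default threshold
    "behavior_anomaly": 30,    # alone stays below the default threshold
    "difficult_travel": 25,    # alone stays below the default threshold
}
# Rule combinations the slides describe as producing a higher score.
COMBINATIONS = {
    frozenset({"difficult_travel", "behavior_anomaly"}): 20,
    frozenset({"behavior_anomaly", "blacklisted_ip"}): 20,
}


@dataclass
class LoginSignals:
    """Outcome of each rule for one login attempt (hypothetical structure)."""
    behavior_anomaly: bool = False
    restricted_country: bool = False
    blacklisted_ip: bool = False
    difficult_travel: bool = False
    failed_previous_challenge: bool = False
    # None: Registered Computer not in use; True: check passed; False: check failed.
    registered_computer_ok: Optional[bool] = None


@dataclass
class Decision:
    challenge: bool
    score: int
    reasons: list = field(default_factory=list)


def evaluate(signals: LoginSignals, threshold: int = DEFAULT_THRESHOLD) -> Decision:
    """Return whether the login must be stepped up to an out-of-band challenge."""
    fired = {name for name in WEIGHTS if getattr(signals, name)}
    score = sum(WEIGHTS[name] for name in fired)
    reasons = sorted(fired)

    # Combinations add to the score on top of the individual weights.
    for combo, bonus in COMBINATIONS.items():
        if combo <= fired:
            score += bonus
            reasons.append("combo:" + "+".join(sorted(combo)))

    # These two checks force a challenge independent of the risk threshold.
    forced = []
    if signals.failed_previous_challenge:
        forced.append("forced:failed_previous_challenge")
    if signals.registered_computer_ok is False:
        forced.append("forced:registered_computer_failed")

    # A passing Registered Computer check subtracts nothing from the score,
    # so several alerts together can still mark the login as risky.
    challenge = bool(forced) or score >= threshold
    return Decision(challenge, score, reasons + forced)


if __name__ == "__main__":
    # Constructed sample logins.
    samples = {
        "no alerts": LoginSignals(),
        "blacklisted IP only": LoginSignals(blacklisted_ip=True),
        "restricted country, RC passed": LoginSignals(
            restricted_country=True, registered_computer_ok=True),
        "difficult travel + anomaly": LoginSignals(
            difficult_travel=True, behavior_anomaly=True),
        "RC failed": LoginSignals(registered_computer_ok=False),
    }
    for label, signals in samples.items():
        print(label, evaluate(signals))
```

Raising `threshold` suppresses the score-based challenges but never the two forced ones, which is the property to check when tuning a deployment.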
Enterprise SSL VPN Flow
Diagram components: VPN User with VIP Credential; Enterprise VPN; VIP Enterprise Gateway; VIP SSP IDP (Read-Only LDAP); Enterprise Directory; Enterprise Network; VIP Service with IA Service; VIP Self-Service. Labelled connections: RADIUS, LDAP.
1. User login
1a. JavaScript redirects the log in to the VIP User Service to get a ticket
2. IA Services to evaluate risk, requests OOB authentication
3. Authenticate User, PWD for OOB
4. SAML Assertion
5. OOB authentication options
6. User enters the security code
7. Return Ticket
8. UID & PWD and the ticket are submitted
9. EG validates the credential and verifies risk
10. User logs in or gets denied
About Registered Computer
• The Registered Computer validation result is an input to the Rules Engine
• The Rules Engine will never overturn a failed Registered Computer.
• The Rules Engine may still trigger secondary authentication even if the Registered Computer authentication succeeds
• If a Registered Computer check fails, the transaction will always be flagged as risky, independent of the risk threshold
Device-Specific Certificate Delivers Strong Identity

Technology Overview - Validation & ID Protection (VIP)

  • 1. SYMANTEC: SOLUTION OVERVIEW SERIES Symantec Validation & ID Protection Iftikhar Ali Iqbal https://www.linkedin.com/in/iftikhariqbal/ Valid till May 2016
  • 2. Agenda Company Overview1 Solution Portfolio2 Features, Architecture, Design and Licensing4 SYMANTEC: VIP Look and Feel5 Symantec Validation & ID Protection Service3
  • 4. OVERVIEW: SYMANTEC • Founded in 1982 • Headquartered in California, United States • Fortune 500 company • Provides Software and Services • Focus is on Consumer Security and Enterprise Security • 2014 Revenue: – $6.7 billion (ended March 28, 2014) – Information Security: $4.2 billion • 2014 Market Share: – Largest security software vendor by revenue and market share (17.2%) (Gartner) - http://www.gartner.com/newsroom/id/3062017 SYMANTEC: VIP
  • 5. OVERVIEW: THE SPLIT • On 1st October 2015, Symantec’s Information Management business now operates as a separate privately held company Veritas Technologies Corporation • Solutions: – Backup and Recovery – Archiving – High-Availability – Disaster Recovery • Separate operations, partner programs, support, etc. SYMANTEC: VIP
  • 6. OVERVIEW: AREAS OF FOCUS • Solutions to Protect against: – Malware and Spam – Advanced Persistent Threats and Cyber Attacks – Identity Theft and Loss of Confidential Information • Solutions to Manage: – Governance, Risk and Compliance – Client, Asset, Server and Mobility • Services: – Product Support – Cyber Security – Education SYMANTEC: VIP
  • 8. PORTFOLIO: NUTSHELL Cyber Security Services • Monitoring , Incident Response, Simulation, Adversary Threat Intelligence Threat Protection ENDPOINTS DATA CENTER GATEWAY • Threat Prevention, Detection, Forensics & Resolution • Device, Email, Server, Virtual & Cloud Workloads • Available On-premise and Cloud Unified Security Analytics Platform • Big data security analytics; available to customers in self-service mode Telemetry Incident Management Protection Engines Global Intelligence Threat Analytics Information Protection DATA ACCESS • Identity and Data Loss Protection • Cloud-based Key Management • Cloud Security Broker Users Data Apps Cloud Devices Network Data Center SYMANTEC: VIP
  • 9. SYMANTEC: VIP SYMANTEC: VALIDATION & ID PROTECTION SERVICE Introduction, Components and Features
  • 11. VIP: COMPONENTS • Cloud-based Components – VIP Validation Service – VIP Manager – VIP Self Service Portal • On-premise Components – VIP Web Service APIs (if applicable) – VIP Enterprise Gateway – VIP OTP, Out-of-Band and Tokenless Credentials SYMANTEC: VIP
  • 12. VIP: CREDENTIALS SYMANTEC: VIP Symantec™ VIP Standalone OTP Credentials Hardware Token Mobile, Desktop Software Embedded Out-of- Band SMS VoiceCall Email Tokenless Device Fingerprint Registered Computer Intelligent Authentication VIPAccess Push
  • 13. VIP: CREDENTIALS (HARDWARE) • VIP Security Card – Event-Based – NagraID – 3-years Warranty • VIP Security Token – Vasco (Time-Base) – AI (Event-Based) – AI is waterproof – 5-years Warranty SYMANTEC: VIP
  • 14. VIP: CREDENTIALS (SOFTWARE) • VIP Access for Mobile – FREE – Download from Apple iTunes App Store, Android Market, BlackBerry AppWorld – 900+ popular handsets supported including iPhone/iPad, Android, Windows Phone, BlackBerry, J2ME – Push Notifications (iOS and Android) SYMANTEC: VIP
  • 15. VIP: CREDENTIALS (SOFTWARE) • VIP Access for Mobile (Push Notifications) – iOS and Android – Apple Watch SYMANTEC: VIP
  • 16. VIP: CREDENTIALS (SOFTWARE) • VIP Access Desktop – Desktop Client – Copy/Paste OTP – Auto-fill forms – Microsoft Windows and Apple MacOS SYMANTEC: VIP
  • 17. VIP: CREDENTIALS (OUT-OF-BAND) • Through SMS, Voice Call or Email – VIP Service generates and delivers the security code – SMS/Voice Call: Phone number registered with the service – SMS/Voice Call: Per SMS and/or Call package SYMANTEC: VIP Your verification ID is [123456]. Your verification ID is [123456]. If you would like to hear it again press 1, otherwise hang up and see your computer screen for more details.
  • 18. VIP: CREDENTIALS (TOKENLESS) • VIP Registered Computer or Mobile – Device certificate used as the device identifier – Browser plugin performs login using device certificate – Mobile: VIP SDK can be integrated with application – Users only type username and password SYMANTEC: VIP
  • 19. VIP: CREDENTIALS (TOKENLESS) • VIP Intelligent Authentication SYMANTEC: VIP
  • 20. VIP: CREDENTIALS (TOKENLESS – VIP INTELLIGENT AUTHENTICATION) SYMANTEC: VIP Gatehouse • User ID • Password Roadway Scanner • Symantec Global Intelligence Network • Device ID • Fingerprint • Symantec Endpoint Protection • User Behaviour Enter Validation Code Correct Code grants Access Send Code by SMS, email or voice
  • 21. VIP: ENTERPRISE GATEWAY
    • A light-weight proxy service that acts as a bridge between your application/local infrastructure and the Symantec VIP Service.
    • Deployed on premise and integrates with your LDAP or Active Directory
    • Requirements:
      – Microsoft Windows Server 2003 (SP1) to 2012 R2
      – RHEL 5.9 to 5.11, 6.4 to 6.6 and 7.0 to 7.1
      – User Stores: Active Directory, Novell eDirectory 8.8 (SP 8), OpenLDAP 2.4.40 and Oracle Directory Server Enterprise Edition 11.1
    • VIP Enterprise Gateway provides a RADIUS*-based authentication server
    * Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.
  • 22. VIP: ENTERPRISE GATEWAY
    • Features/Functions:
      – Configuration Console – enables administration, configuration and management of the Enterprise Gateway.
      – Validation Server – validates RADIUS authentication requests from applications such as a VPN gateway against the user store, such as Active Directory, and informs the VPN gateway through a RADIUS response.
      – Identity Providers (IdPs) – authenticate users for the VIP Manager and VIP Self Service Portal
      – Self Service Portal Proxy – reverse proxy for VIP Self Service (use case: remote users)
      – Tunnel Forwarder and Receiver – provides a RADIUS packet relay service over a TCP connection if UDP traffic is blocked by firewall policy
      – LDAP Synchronization – synchronizes with Active Directory or LDAP
      – Logging
  • 23. VIP: WEB SERVICES APIs
    • For developers integrating Symantec VIP credentials into local applications
    • The interface between applications and VIP is SOAP Web Services
  • 26. VIP: VALIDATION SERVICE
    • Secure, reliable cloud-based authentication service.
    • Validates one-time passwords generated by registered VIP credentials.
    • Provides programmatic access to validation services through the VIP API.
  • 27. SYMANTEC: VALIDATION & ID PROTECTION SERVICE: Architecture, Intelligent Authentication and Use Cases
  • 28. VIP: ARCHITECTURE
    [Diagram. Components: User; VPN, VDI, SSO, Webmail, etc.; VIP Enterprise Gateway; Symantec VIP Service; Internal Resource; Enterprise Directory. Connection labels: HTTPS, RADIUS, LDAP, Mobile Push.]
  • 29. VIP: ARCHITECTURE (NETWORK TOPOLOGY)
  • 30. VIP: INTELLIGENT AUTHENTICATION (FLOW)
    [Flow diagram. Components: VPN User; VPN; Symantec VIP IA Risk Evaluation; Enterprise Gateway & VIP SSP IDP. Step labels as extracted: 1 Login; 2; 3 First Factor Authentication; 4 Step-up Authentication; 5 Allow/Deny User Access.]
  • 31. VIP: INTELLIGENT AUTHENTICATION (RISK ANALYSIS)
    • Evaluate…
      – Do we know this device?
      – Is it still the same device?
      – Is this device trustworthy?
      – Is it acting as expected?
    • Device ID, Device Reputation and User Behavior feed an Actionable Risk Score
    • …and respond
      – Low Risk: Grant access without an additional challenge
      – High Risk: Challenge user via Out-Of-Band authentication process
  • 32. VIP: INTELLIGENT AUTHENTICATION (RULES)
    • Device Identification & Fingerprint
      – Device Engine: Uniquely identifies a device and remembers it
      – Registered Computer: Strengthens device identity using a device certificate
    • Device Reputation
      – Norton/SEP Presence: Confirms if Symantec antivirus protection is available
      – Blacklisted IP: Identifies if the user/device is a known malicious actor
      – Restricted Country: Identifies if the login originates in a forbidden country
    • User Behavior
      – Behavioral Engine: Spots anomalous behavior using IP, location, browser, OS
      – Difficult Travel: Identifies impossible travel via distance, time since last login
      – Failed Previous Login: Prevents access until challenge completed successfully
  • 33. VIP: INTELLIGENT AUTHENTICATION (WEIGHTS)
    • Not all rules are the same!
      – Relative weights are assigned to each rule
      – For example, if the last challenged log-in for a user failed, the risk score generated will be weighted relatively high
      – On the other hand, if a difficult travel is detected, the risk score generated will be weighted relatively lower
    • Rule combinations are also evaluated
      – Rules are evaluated in distinctive combinations
      – If a difficult travel is detected and user behavior seems anomalous, the risk score will be higher
      – If user behavior seems anomalous and the IP is in the blacklist, the risk score will be higher
  • 34. VIP: USE CASES
    – Array AccessDirect Remote Access SSL VPN
    – Barracuda SSL VPN
    – F5 BIG-IP Access Policy Manager
    – Check Point VPN
    – Cisco VPN 5500
    – Citrix Access Gateway
    – Citrix NetScaler
    – F5 FirePass VPN
    – Juniper SA VPN
    – Palo Alto Networks GlobalProtect VPN
    – SonicWALL Aventail SSL VPN
    – Citrix Web Interface for XenApp
    – Citrix Web Interface for XenDesktop
    – Citrix StoreFront for XenDesktop
    – Citrix GoToMyPC
    – SAP NetWeaver
    – Microsoft SharePoint Server 2007
    – Microsoft SharePoint Server 2010
    – Microsoft SharePoint Server 2013
    – Microsoft Outlook Web Access 2003
    – Microsoft Outlook Web Access 2007
    – Microsoft Outlook Web Access 2010
    – Microsoft Outlook Web Access 2013
    – VMWare View
    – Symantec Access Manager
    – CA SiteMinder
    – IBM Tivoli Access Manager
    – Okta Identity Management
    – Oracle OpenSSO
    – Oracle Access Manager 11g
    – Oracle Access Manager 10g
    – PingIdentity
    – Microsoft Active Directory Federation Services v. 3
    – Microsoft Active Directory Federation Services v. 2
    – Apache HTTP Server
    – Internet Information Services 7
    – Internet Information Services 8
  • 35. SYMANTEC: VALIDATION AND ID PROTECTION SERVICES: Licensing and Packaging
  • 36. VIP: LICENSING
    • VIP is available for business-to-business (B2B) and business-to-consumer (B2C) cases.
    • For B2C – pricing is provided directly by Symantec as SKUs are unpublished for Distributors and Partners.
    • For Symantec VIP and MPKI orders, Symantec requires a Customer Profile Form. This is a mandatory requirement during order processing, along with the Proof of Purchase (POP).
    • When a customer purchases Symantec VIP, a unique account identifier is created, called Jurisdiction Hash (JHASH). For add-ons and/or renewals, this is mandatory, along with the Proof of Purchase (POP).
  • 37. VIP: LICENSING
    • Components (COMPONENT; METER; NOTES):
      – VIP Account Setup; N/A; One-time fee
      – VIP Authentication Service; User; With Gold Support, Software Tokens, IA, Enterprise Gateway, SDK, APIs
      – VIP Authentication Service Enterprise Platinum; User; With Platinum Support
      – VIP Hardware Tokens; Token; Minimum buy is 10
      – VIP SMS Package; SMS; Per year “use it or lose it”
      – VIP Voice Call Package; Call; Per year “use it or lose it”
    • Opportunity Type: New, renewal or add-on?
    • Service Length: 1, 2 or 3 years?
    • Number of Users: How many credentials?
    • Support Type: Gold included. Add Platinum?
    • Credential Type: Hardware, card or mobile token?
  • 38. SYMANTEC: VALIDATION AND ID PROTECTION SERVICES: Look and Feel
  • 39. Thank you! Copyright © 2015 Symantec Corporation. All rights reserved. Iftikhar Ali Iqbal https://www.linkedin.com/in/iftikhariqbal/
  • 40. SYMANTEC: VALIDATION & ID PROTECTION SERVICES: Appendix
  • 41. Identifying Risky Authentication Events: User Logs In From Home Using Work Laptop
    • Sunnyvale, United States; IP: 66.135.192.123; OS: Windows 7; Browser: Firefox 5.0
    • Known device ID
    • Location agrees with history
    • Unchanged device profile
    • Low Risk, No Challenge
  • 42. Identifying Risky Authentication Events: Hacker #1: Attacking from China
    • Guangzhou, Guangdong; IP: 61.145.127.128; OS: Windows 7; Browser: Firefox 5.0
    • Unknown device, no device ID
    • Difficult travel from prior login
    • Unchanged device profile
    • High Risk, Challenge User
  • 43. Identifying Risky Authentication Events: Hacker #2: Attacking from Cuba
    • Havana, Cuba; IP: 61.145.127.128; OS: Windows 7; Browser: Firefox 5.0
    • Unknown device, no device ID
    • Forbidden origin country
    • Unchanged device profile
    • High Risk, Challenge User
  • 44. Identifying Risky Authentication Events: User Travels to India with Same Laptop
    • Mumbai, Maharashtra; IP: 202.138.101.165; OS: Windows 7; Browser: Firefox 5.0
    • Known device, valid device ID
    • Unexpected behavior
    • Unchanged device profile
    • Medium Risk, Challenge User
  • 45. Identifying Risky Authentication Events: Hacker #3: Attacking from the User’s Hotel in India
    • Mumbai, Maharashtra; IP: 202.138.101.165; OS: Windows 7; Browser: Firefox 4.0.1
    • Known IP address and location
    • Downgrade of browser version
    • Unknown device, no device ID
    • High Risk, Challenge User
  • 46. Identifying Risky Authentication Events: User Upgrades Firefox While at Hotel in India
    • Mumbai, Maharashtra; IP: 202.138.101.165; OS: Windows 7; Browser: Firefox 6.0a2
    • Known device, valid device ID
    • Known IP address and location
    • Profile change, Firefox update
    • Low Risk, No Challenge
  • 47. Identifying Risky Authentication Events: User Travels to Cuba, Using Registered Computer
    • Havana, Cuba; IP: 61.145.127.128; OS: Windows 7; Browser: Firefox 5.0
    • Registered Computer succeeds
    • Forbidden origin country
    • Unchanged device profile
    • High Risk, Challenge User
  • 48. Identifying Risky Authentication Events: Hacker #4: Co-worker Attacking to Use User’s Machine
    • Sunnyvale, United States; IP: 66.145.127.128; OS: Windows 7; Browser: Firefox 5.0
    • Known device, device ID
    • Registered Computer check
    • Unchanged device profile
    • High Risk, Challenge User
  • 49. IA Rules
    • Behavior Engine - Identifies anomalous user behavior by analyzing IP, Geo-location, Browser, OS
      – If the transaction is anomalous, the risk score will be increased. Most anomalies on their own may not result in the user being challenged at a default threshold.
    • Restricted Country - Identifies if the user comes from a Restricted Country
      – This is for compliance requirements; for example, if a transaction comes from Cuba, North Korea, Iran, etc., it should be challenged.
      – If a user logs in from a restricted country, the transaction will get challenged at a default threshold
    • Blacklisted IP - Identifies if the user logs in from a blacklisted IP and increases the risk score
      – A user login from a blacklisted IP will not by itself result in the user being challenged at a default threshold
  • 50. IA Rules
    • Difficult Travel - Identifies if a logical travel based on distance and time is possible for the user
      – By itself, difficult travel will not result in the user being challenged at a default threshold.
    • Failed Previous Event - Identifies if the last challenged log-in was successfully answered
      – If the last challenged log-in failed, the transaction will always get challenged until a successful response is received, regardless of the set risk threshold.
    • IA + RC - The Registered Computer validation result is provided to IA for a combined evaluation of risk
      – IA will never overturn a failed Registered Computer.
      – IA may override a good Registered Computer to be risky when multiple alerts are detected.
      – If an RC check fails, the transaction will always be flagged as risky, independent of the risk threshold
  • 51. Enterprise SSL VPN Flow
    [Flow diagram. Components: VPN User with VIP Credential; Enterprise VPN; VIP Enterprise Gateway; VIP Service with IA Service; VIP Self-Service; VIP SSP IDP; Enterprise Directory; Enterprise Network. Connection labels: RADIUS, LDAP, Read-Only.]
    • 1. User login
    • 1a. JavaScript redirects the login to the VIP User Service to get a ticket
    • 2. IA Services evaluate risk and request OOB authentication
    • 3. Authenticate User, PWD for OOB
    • 4. SAML Assertion
    • 5. OOB authentication options
    • 6. User enters the security code
    • 7. Return Ticket
    • 8. UID & PWD and the ticket are submitted
    • 9. EG validates the credential and verifies risk
    • 10. User logs in or gets denied
  • 52. About Registered Computer
    • Device-Specific Certificate Delivers Strong Identity
    • The Registered Computer validation result is an input to the Rules Engine
    • The Rules Engine will never overturn a failed Registered Computer.
    • The Rules Engine may still trigger secondary authentication even if the Registered Computer authentication succeeds
    • If a Registered Computer check fails, the transaction will always be flagged as risky, independent of the risk threshold
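
The challenge rules from the IA Rules and Registered Computer slides (weighted signals, rule combinations, and the two overrides that ignore the threshold), as an added Python example that is not Symantec's code. The numeric weights, the threshold of 50, the signal names and the `LoginEvent`/`evaluate` names are constructed for illustration, since the slides state only how the rules behave relative to each other.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed values: the slides give only the relative behaviour of each rule.
WEIGHTS = {
    "restricted_country": 60,  # challenges on its own at the default threshold
    "blacklisted_ip": 35,      # raises the score, no challenge on its own
    "behavior_anomaly": 30,    # raises the score, no challenge on its own
    "difficult_travel": 25,    # weighted relatively lower
}
COMBO_BONUS = {  # rule combinations the slides say score higher together
    frozenset({"difficult_travel", "behavior_anomaly"}): 20,
    frozenset({"behavior_anomaly", "blacklisted_ip"}): 20,
}
DEFAULT_THRESHOLD = 50


@dataclass(frozen=True)
class LoginEvent:
    signals: FrozenSet[str] = frozenset()
    failed_previous_challenge: bool = False
    registered_computer_ok: Optional[bool] = None  # None: RC not in use


def evaluate(event: LoginEvent,
             threshold: int = DEFAULT_THRESHOLD) -> Tuple[int, bool, List[str]]:
    """Return (score, challenge, reasons) for one login attempt."""
    unknown = set(event.signals) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    score = sum(WEIGHTS[s] for s in event.signals)
    score += sum(b for combo, b in COMBO_BONUS.items() if combo <= event.signals)
    reasons: List[str] = []
    # Hard overrides: applied regardless of the configured threshold.
    if event.failed_previous_challenge:
        reasons.append("previous challenge not yet passed")
    if event.registered_computer_ok is False:
        reasons.append("Registered Computer check failed")
    # A passing Registered Computer check never lowers the score, so several
    # alerts together can still push a good device over the threshold.
    if score >= threshold:
        reasons.append(f"score {score} >= threshold {threshold}")
    return score, bool(reasons), reasons
```

Keeping the overrides outside the score means raising the threshold to cut challenge volume cannot silence a failed Registered Computer check or an unanswered previous challenge.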