Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

•

1 recomendación•2,228 vistas

This slides show a more complex rollout real world scenario in combination of usb-based crypto keys used in parallel under linux and windows and cross-browser on windows too! Good thing is - no passwords must be stored on any of the authentication systems - no passwords can be stolen! ;-) Slides just give an overview over the overall architecture but was really working - see pictures on last slides - where the same certificate from the usb key is shown under linux and windows - still neat. Somehow not much seems to have changed since 2004 if one looks around - could still be applied in todays environments - the basics and it's still not wide spread nowadays. Note: Slides are historical versions from 2004, so not all shown hardware, protocols and/or drivers/software may be available or recommended for usage anymore. Today I would prefere OpenXPKI which forked of OpenCA and is an fully independent version by now close to 1.0 release this or next year! Check it out!

Tecnología

Fraunhofer-Institut für Digitale Medientechnologie IDMT
IDMT VPN Remote Access
Ives Steglich
Munich, 12. Oct 2004

Seite 2
Overview
Current Situation and Architecture
Goals and Requirements for Improvement
Proposed Soft- and Hardware
Proposed Architecture
How does the USB-Token work?
Usageprocess
Conclusions

Seite 3
Current Situation and Network Architecture
Architecture
Remote User
CISCO VPN Client
Firewall and VPN Gateway
CISCO PIX
Steps to establish an connection
1. VPN Tunnel initialization
authenticated by shared secret
2. Access to internal Network
authenticated by XAUTH trough tacacs+
Internet
Internal LAN
Remote
User
VPN
Tunnel
Firewall and
VPN-Gateway
Tacacs+
Server

Seite 4
Goals and Requirements for new Solution
Main Goals
1. remove the shared secret for remote users
2. keep the available infrastructure
3. use smartcards
4. be open for other usages
5. integration into the local LDAP
6. use open source whenever possible
Requirements from Goals and Architecture
- introduce certificates and administration
- setup an in-house pki
- pki must speak SCEP
- smartcards must be operable with
linux and windows

Seite 5
Proposed Soft- and Hardware
Software for PKI
OpenCA
Reasons:
- understands SCEP
- can publish certs in LDAP
- open source
- good cooperation with development team
Hardware for Smartcards
Aladdin eToken Pro
Reasons:
- works with Microsoft Crypto API
- PKCS#11 library for linux available
(but hard to get, not offically distributed)
- enables OpenCA administration from Linux
and Windows (Mozilla, IE)

Seite 6
Proposed Architecture
Remote
User
OpenCA-Setup
One Server with RA, PUB and SCEP Interfaces
One Server with the CA (offline)
Access to RA-Interface certificatebased
stored at Smartcards
PIX-Setup
Remote Users Authentication with RSA Certs
Client Setup
VPN-Gateway identification with Certs
Own Authentication with RSA Certs
Internet
Internal LAN
Firewall and
VPN-Gateway
In-house PKI
VPN
Tunnel
Tacacs+
Server
RA/SCEP/PUB
Interfaces
Offline
CA

Seite 7
How does the USB-Token work?
General
- uses proprietary format from Aladdin
- therefore needs specific drivers
- not PKCS#15 compatible
(but can be used parallel if space is left on token
PKCS#15 doesn’t works with Microsoft Crypto API)
Linux
- based on PC/SC-Lite
- works with Mozilla through PKCS#11
- doesn’t work right now with OpenSSL engine
- hotplugable
Windows
- works with Mozilla through PKCS#11
- works with Microsoft Crypto API
- hotplugable
PKCS#11
PC/SC Lite
Mozilla
Aladdin RTE
OpenSSL ?
Linux
Linux USB-Hotplugsystem
Windows
CSP PKCS#11
MozillaIE VPN Client
Aladdin RTE
Windows USB-Subsystem

Seite 8
Usageprocess
Token Initialization
- has to be done at Linux
- key generation with Linux+Windows
- certificate Iistallation with Linux+Windows
- only one Login for User and Admin possible
Process
- Two Options:
- batch-orientied serverside-key-generation
(p12 files import through Mozilla or Win-System)
- token-based-key-generation
(through users themselves)
- Administration:
- requests initiated through users
- granted at RA through ‘Groupleaders’
- certs issued through CA-Operator

Seite 9
Conclusions
• Authentication for Remote-VPN-Access
• Option to skip one step during VPN-Login
• Transparent usage with Linux and Windows
• Encrypt, Decrypt and Sign E-Mails
• Authentication for webbased services
(PKI-Access and Administration)
• Dezentralized Management
• LDAP Storage and Access to Certificates
• Still not perfect
• Overview about smartcards providing PKCS#11 libs:
http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/
tested_products/index.php

Seite 12
Thanks for your attention!
Questions?

Más contenido relacionado

Similar a Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

Kubernetes is trendy. There are tons of presentations on how companies saved lots of money by migrating to Kubernetes. Kubernetes is mostly advertised as a cloud service, but there are companies that can't or don't want to migrate their services to the cloud. For them there are solutions to set up Kubernetes on premise. Before you decide to visit that land, I must warn you: there are demons waiting for you, demons that nobody speaks about in public...

JDO 2019: What you should be aware of before setting up kubernetes on premise...

PROIDEA

presentation_4102_1493726768.pdf

ssuserf0e32f

VPN

Swarup Kumar Mall

Vp ns

Swarup Kumar Mall

NCS: NEtwork Control System Hands-on Labs

Cisco Canada

WebRTC transforms a Web browser into a fully fledged client for Real Time Communications (audio, video, IM, screensharing). Google and Mozilla have contributed to this Open Source project, creating a variety of business opportunities unthinkable just a few years ago. During this seminar we’ll see the technology aspects and potential, why this attracts Web developers and what the role of VoIP developers has become.

[workshop] The Revolutionary WebRTC

Giacomo Vacca

LlinuxKit security, Security Scanning and Notary

Docker, Inc.

Hack the System_Fluence workshop 2

Vanessa Lošić

The new version of the .NET Framework called vNext brings a lots of news, which are believed to be able to return to the popularity of Microsoft tools and products. Principles that guided the development team when developing new versions of frameworks are: • Speed, Runtime performance, • Modularity, • Cross-Platform, • Open-source, • Faster development cycle, • Custom code editors and tools.

The next step from Microsoft - Vnext (Srdjan Poznic)

Geekstone

Hackerworkshop exercises

Henrik Kramshøj

Docker and IBM Integration Bus

Geza Geleji

RemoteAdmin.pptx

hoangdinhhanh88

DevOPS training - Day 1/2

Vincent Mercier

26.1.7 lab snort and firewall rules

Freddy Buenaño

Feedback on Big Compute & HPC on Windows Azure

ANEO

Abstract: Network bandwidth is precious and milliseconds matter for many user-mode applications and virtual appliances running on both Linux and Windows. In order to get the best network throughput to process and forward packets, developers need direct access to the NIC without going through the host networking stack. Until now, only developers on Linux and FreeBSD platforms were able to use DPDK to obtain these performance benefits but, we are happy to announce that we have an implementation of DPDK for the Windows platform! Intel, with consultation from Microsoft, created a UIO driver for the Windows kernel to enable DPDK-linked applications running in user-mode to have direct access to NIC hardware resources through a Poll Mode Driver (PMD). We will demonstrate a test application with the same packets per second processing capabilities as Linux. Lastly, we will talk about the evolution of Microsoft Packet Direct and the differences we see between kernel-mediated IO and fast packet processing for user-mode applications with custom protocol stacks. Speaker Bios: Omar Cardona is a Software Engineering Lead at Microsoft. He drives the design and architecture of Windows Virtual Networking/SDN and accelerations. He’s currently focused on Server and Container solutions for Private and Public Cloud. Prior to Microsoft, he was an Engineering Lead at IBM focusing on Ethernet/RDMA, Virtualization, and Performance, and L0 at the US Air Force. Omar holds over 50 patents and publications in Core Systems and IO design. In his free time, you can find him doing nothing; because he doesn’t have any hobbies. You can reach him at ocardona[at]microsoft.com. Ranjit Menon is a Network Software Engineer at Intel Corporation who has dabbled in various networking technologies for the past 10 years. He is a big proponent of fast network packet processing and is presently looking to evangelize Windows support for DPDK.

Making Networking Apps Scream on Windows with DPDK

Michelle Holley

2014/09/02 Cisco UCS HPC @ ANL

dgoodell

Generating Signatures for cyberattacks.

Shyamsundar Das

Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux

Samsung Open Source Group

Eclipse Kura Shoot a-pi

Eclipse Kura

Similar a Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI (20)

JDO 2019: What you should be aware of before setting up kubernetes on premise...

presentation_4102_1493726768.pdf

VPN

Vp ns

NCS: NEtwork Control System Hands-on Labs

[workshop] The Revolutionary WebRTC

LlinuxKit security, Security Scanning and Notary

Hack the System_Fluence workshop 2

The next step from Microsoft - Vnext (Srdjan Poznic)

Hackerworkshop exercises

Docker and IBM Integration Bus

RemoteAdmin.pptx

DevOPS training - Day 1/2

26.1.7 lab snort and firewall rules

Feedback on Big Compute & HPC on Windows Azure

Making Networking Apps Scream on Windows with DPDK

2014/09/02 Cisco UCS HPC @ ANL

Generating Signatures for cyberattacks.

Practical Guide to Run an IEEE 802.15.4 Network with 6LoWPAN Under Linux

Eclipse Kura Shoot a-pi

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Real Time Object Detection Using Open CV

Khem

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Manulife - Insurer Innovation Award 2024

The Digital Insurer

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

1. Fraunhofer-Institut für Digitale Medientechnologie IDMT IDMT VPN Remote Access Ives Steglich Munich, 12. Oct 2004

2. Seite 2 Overview Current Situation and Architecture Goals and Requirements for Improvement Proposed Soft- and Hardware Proposed Architecture How does the USB-Token work? Usageprocess Conclusions

3. Seite 3 Current Situation and Network Architecture Architecture Remote User CISCO VPN Client Firewall and VPN Gateway CISCO PIX Steps to establish an connection 1. VPN Tunnel initialization authenticated by shared secret 2. Access to internal Network authenticated by XAUTH trough tacacs+ Internet Internal LAN Remote User VPN Tunnel Firewall and VPN-Gateway Tacacs+ Server

4. Seite 4 Goals and Requirements for new Solution Main Goals 1. remove the shared secret for remote users 2. keep the available infrastructure 3. use smartcards 4. be open for other usages 5. integration into the local LDAP 6. use open source whenever possible Requirements from Goals and Architecture - introduce certificates and administration - setup an in-house pki - pki must speak SCEP - smartcards must be operable with linux and windows

5. Seite 5 Proposed Soft- and Hardware Software for PKI OpenCA Reasons: - understands SCEP - can publish certs in LDAP - open source - good cooperation with development team Hardware for Smartcards Aladdin eToken Pro Reasons: - works with Microsoft Crypto API - PKCS#11 library for linux available (but hard to get, not offically distributed) - enables OpenCA administration from Linux and Windows (Mozilla, IE)

6. Seite 6 Proposed Architecture Remote User OpenCA-Setup One Server with RA, PUB and SCEP Interfaces One Server with the CA (offline) Access to RA-Interface certificatebased stored at Smartcards PIX-Setup Remote Users Authentication with RSA Certs Client Setup VPN-Gateway identification with Certs Own Authentication with RSA Certs Internet Internal LAN Firewall and VPN-Gateway In-house PKI VPN Tunnel Tacacs+ Server RA/SCEP/PUB Interfaces Offline CA

7. Seite 7 How does the USB-Token work? General - uses proprietary format from Aladdin - therefore needs specific drivers - not PKCS#15 compatible (but can be used parallel if space is left on token PKCS#15 doesn’t works with Microsoft Crypto API) Linux - based on PC/SC-Lite - works with Mozilla through PKCS#11 - doesn’t work right now with OpenSSL engine - hotplugable Windows - works with Mozilla through PKCS#11 - works with Microsoft Crypto API - hotplugable PKCS#11 PC/SC Lite Mozilla Aladdin RTE OpenSSL ? Linux Linux USB-Hotplugsystem Windows CSP PKCS#11 MozillaIE VPN Client Aladdin RTE Windows USB-Subsystem

8. Seite 8 Usageprocess Token Initialization - has to be done at Linux - key generation with Linux+Windows - certificate Iistallation with Linux+Windows - only one Login for User and Admin possible Process - Two Options: - batch-orientied serverside-key-generation (p12 files import through Mozilla or Win-System) - token-based-key-generation (through users themselves) - Administration: - requests initiated through users - granted at RA through ‘Groupleaders’ - certs issued through CA-Operator

9. Seite 9 Conclusions • Authentication for Remote-VPN-Access • Option to skip one step during VPN-Login • Transparent usage with Linux and Windows • Encrypt, Decrypt and Sign E-Mails • Authentication for webbased services (PKI-Access and Administration) • Dezentralized Management • LDAP Storage and Access to Certificates • Still not perfect • Overview about smartcards providing PKCS#11 libs: http://jce.iaik.tugraz.at/products/14_PKCS11_Wrapper/ tested_products/index.php

10. Seite 10 Usage Examples

11. Seite 11

12. Seite 12 Thanks for your attention! Questions?

Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

Recomendados

Recomendados

Más contenido relacionado

Similar a Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI

Similar a Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI (20)

Último

Último (20)

Certificate Based VPN Remote Access - 1. OpenCA Workshop 2004 / OpenXPKI