eDirectory Authentication

Authentication provides the doorway for access to network resources. Without a strong authentication mechanism, sensitive network resources are essentially laid bare for anyone to access. The primary authentication method currently used with eDirectory is the username/password combination. Novell Modular Authentication Service (NMAS) makes it possible to integrate more advanced authentication and authorization techniques into your OES environment. Furthermore, NMAS offers Universal Passwords, which improve the traditional password-based authentication method.

Novell Modular Authentication Service

NMAS is designed to help you protect information on your network. NMAS offers a more robust framework for protecting your OES Linux environment. If you're not familiar with the different components of NMAS, you should get to know the following concepts. More information about each of these is provided in the OES Linux online documentation.

PHASES OF OPERATION

There are specific times when NMAS can be useful in helping to secure your network environment:

- User identification occurs prior to the actual authentication process. It provides a way to automatically gather a user's authentication information and use it to populate the Novell Login dialog in the Novell Client.
- Authentication is the opportunity for users to prove they are who they claim to be. NMAS supports multiple authentication methods.
- Device removal detection is the capability to lock down a workstation after authentication when it becomes clear that the user is no longer present.

Each of these phases of operation is completely independent. You can choose to use the same, or completely different, identification techniques for each phase.
To provide this functionality, NMAS introduces a few additional concepts to eDirectory authentication:

- Login factors
- Login methods and sequences
- Graded authentication

LOGIN FACTORS

NMAS uses three approaches to logging in to the network, known as login factors. These login factors describe different items or qualities a user can use to authenticate to the network:

- Password authentication. Also referred to as "something you know," password authentication is the traditional network authentication method. It is still responsible for the lion's share of network authentication that goes on, including LDAP authentication, browser-based authentication, and most other directories.
- Device authentication. Also referred to as "something you have," device authentication uses third-party tokens or smart cards to deliver the secret with which you authenticate to the network.
- Biometric authentication. Also referred to as "something you are," biometric authentication uses some sort of scanning device that converts some physical characteristic into a digital pattern that can be stored in eDirectory. When users attempt to authenticate, their biometric patterns are compared against the stored version to see if they match. Common biometric authentication methods include fingerprint readers, facial recognition, and retinal scans.

LOGIN METHODS AND SEQUENCES

A login method is a specific implementation of a login factor. Novell has partnered with several third parties to create a variety of options for each of the login factors described earlier in this chapter. A post-login method is a security process that is executed after a user has authenticated to eDirectory. One such post-login method is the workstation access method, which requires the user to provide credentials in order to unlock the workstation after a period of inactivity.

NOTE: With OES Linux, NMAS provides only the Challenge Response and NDS login methods. Additional methods can be downloaded from http://support.novell.com.
Search the Knowledge Base for "NMAS Methods" for a link to the downloadable methods.

When you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.

GRADED AUTHENTICATION

Another important feature in NMAS is graded authentication, which allows you to grade, or control, access to the network based on the login methods used to authenticate to the network. Graded authentication operates in conjunction with standard eDirectory and file-system rights to provide very robust control over data access in an OES Linux environment. There are three main elements to graded authentication:

- Categories. NMAS categories represent different levels of sensitivity and trust. You use categories to define security labels. There are three secrecy categories and three integrity categories by default: biometric, token, and password.
- Security labels. Security labels are combinations of categories that assign access requirements to NCP and NSS volumes and eDirectory objects and properties. NMAS provides the following eight security labels: Biometric and password and token; Biometric and password; Biometric and token; Password and token; Biometric; Password; Token; Logged in.

NOTE: The security labels visible in iManager are directly dependent on the login methods installed on the server. To see all possible labels, ensure that all login methods have been downloaded from http://support.novell.com and installed on the local server.

- Clearances. Clearances are assigned to users to represent the amount of trust you have in them. In the clearance, a read label specifies what a user can read and a write label specifies locations to which a user can write.
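The graded-authentication check, in which a user's read clearance must be equal to or greater than the data's security label, as an added example that is not Novell's code. It models a label as the set of categories it requires, derives the eight labels from the three categories, and treats "greater than or equal" as a superset comparison; the write-label comparison and the way a clearance is earned from a login sequence are assumptions.

```python
# Added example (not Novell's code): models NMAS graded authentication.
# A security label is the set of categories it requires; the page's eight
# labels are every subset of {biometric, password, token}, with "Logged in"
# being the empty set.
from itertools import combinations

CATEGORIES = ("biometric", "password", "token")

def label_name(label):
    """Render a label set the way iManager lists it, e.g. 'Biometric and token'."""
    if not label:
        return "Logged in"
    return " and ".join(c for c in CATEGORIES if c in label).capitalize()

# All eight NMAS security labels, derived from the three categories.
SECURITY_LABELS = [frozenset(c) for n in range(3, -1, -1)
                   for c in combinations(CATEGORIES, n)]

def dominates(clearance, label):
    """A clearance is 'equal to or greater than' a label when it includes
    every category the label requires (a superset comparison)."""
    return frozenset(clearance) >= frozenset(label)

def can_read(read_clearance, data_label):
    """Read is allowed when the user's read clearance dominates the data label."""
    return dominates(read_clearance, data_label)

def can_write(write_clearance, location_label):
    """Assumption: writing is modelled the same way against the write label."""
    return dominates(write_clearance, location_label)

def clearance_from_login(methods_used):
    """Assumption: the clearance earned by a login sequence is the set of
    categories whose methods succeeded, e.g. {'password', 'token'}."""
    return frozenset(m for m in methods_used if m in CATEGORIES)

if __name__ == "__main__":
    user = clearance_from_login(["password", "token"])
    for lab in SECURITY_LABELS:
        print(f"{label_name(lab):32} read={can_read(user, lab)}")
```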
Clearances are compared to security labels to determine whether a user has access. If a user's read clearance is equal to or greater than the security label assigned to the requested data, the user will be able to view the data. By configuring these elements of graded authentication, you can greatly increase the security of your network data, and apply different types of security to data of different levels of sensitivity.

UNIVERSAL PASSWORD

The final NMAS component that merits discussion is Universal Password. One of the many strong points of OES Linux is the ability to integrate user accounts for multiple services into one centralized eDirectory account. Although this sounds straightforward enough, there are several behind-the-scenes components used in making these services integrate well. Perhaps the best example of this is the situation surrounding user passwords. Most network services have some native method of storing user accounts and authenticating users before providing access. Often these services are created with specific password requirements and encryption methods in mind. With OES Linux, user accounts in eDirectory must be configured in such a way as to provide account authentication using whatever method the specific service requires. In the past this has meant a specific password for each type of password encryption method used by these services. Although this does work, the obvious problem is how to keep all passwords in sync, should one of the stored passwords be modified. OES Linux resolves this concern through Universal Password.

Universal Password was created to address two general needs:

- Unified password for eDirectory access. Universal Password provides for a single, centralized password store for each user. If additional access methods requiring older-style passwords are in use, Universal Password synchronizes those password stores to ensure that a single password is used for each user.
- Increased password security. Universal Password brings advanced Password Policies to eDirectory. These policies provide password structure requirements to eDirectory. Possible requirements include such things as a minimum and maximum number of numeric and special characters, required password length, and blocking of specific words for passwords.

In addressing those needs, Universal Password has become the ideal method of providing authentication services to multiple network services. With OES Linux, Universal Password is required in order to ensure that users have a single password across all possible access methods. One example of where this requirement is particularly useful is with the Samba integration components.

Universal Password is managed via iManager. Although it's fully functional with default installations of OES Linux, you may want to alter its configuration to suit your specific password requirements. The following steps describe the process used to create new password policies or modify the default Universal Password configuration, as shown in Figure 8.3.

Figure 8.3. Advanced Password Rules page in iManager.

NOTE: More information on Universal Password is available through the online documentation for NMAS.

Installing NMAS

NMAS requires both server- and client-side software in order to perform its authentication services. Installation of the NMAS client happens during the installation of the Novell Client, and is described in Chapter 4, "OES Linux Clients." On the server, NMAS is one of the default services and will be installed automatically with Novell eDirectory. In order to use NMAS, several configuration options must be set, depending on your specific environment and needs. Server-side configuration is available through iManager. When the NMAS server options are configured, you can then configure the NMAS client to leverage NMAS capabilities.
Generally, the process involves the following:

- Create a login sequence. This process identifies the specific login methods that will be used for login and post-login operations, and the order in which they will be applied if multiple login methods are specified.
- Assign a login sequence to a user. After a login sequence has been created, it is available for use by a user. A default login sequence can be defined, and users can be forced to use a specific login sequence, if desired.
- Graded authentication. With the login environment configured, you can now define those network resources that are available with each login method. Graded authentication lets you label network resources and require certain levels of authentication in order to access those resources.
- Customize the user login. The Novell Client supports several customization options based on the type of authentication that is being used. For more information on the Novell Client, see Chapter 4.

For more detailed information on each of these NMAS configuration steps, see the Novell online documentation.

eDirectory Login Controls

In addition to the actual login process, eDirectory provides a variety of login controls designed to help secure the network. Those controls are found in the properties of each User object. The various types of restrictions offered by eDirectory include

- Password restrictions
- Login restrictions
- Time restrictions
- Address restrictions
- Intruder lockout

NOTE: You will also see an Account Balance tab. This is a leftover from a NetWare server accounting feature that is not supported in OES Linux.

You can manage the various login controls from iManager or ConsoleOne. Login controls can be set on individual User objects, or they can be defined at the container level, where they will be automatically applied to all users in that container. To get to the login restrictions pages available through eDirectory, complete the following steps:
Each of the login control pages is described in more detail in the following sections.

PASSWORD RESTRICTIONS

The Password Restrictions page allows you to set password characteristics for eDirectory users. As mentioned previously, OES Linux uses Universal Password for password management. Universal Password configuration options include the password settings available on this screen and additional features more advanced than the traditional eDirectory options available here. Because of this, the Password Restrictions screen should not be used to enforce password requirements with OES Linux.

NOTE: More information on configuring Universal Password is available in the "Novell Modular Authentication Service" section of this chapter.

LOGIN RESTRICTIONS

The Login Restrictions page allows you to control the capability of a user to log in to the network, as shown in Figure 8.4.

- Account Disabled. Checking this box disables the user account and prevents future login attempts. However, this will not affect a user who is currently logged in.
- Account Has Expiration Date. Checking this box allows you to set a date when the user account will be automatically disabled. This option might be used for contract employees or consultants who will be working for a predefined period of time.
- Limit Concurrent Connections. Check this box to define how many times the same account can be used to log in from different workstations simultaneously. If this option is enabled, the default is 1, but any value between 1 and 32,000 can be selected.

Figure 8.4. Login Restrictions page in iManager.

TIME RESTRICTIONS

The Time Restrictions page enables you to limit the time(s) of day when a user can access the network, as shown in Figure 8.5. By default, there are no restrictions.

Figure 8.5. The Time Restrictions page in iManager.

NOTE: One important caveat to time restrictions is that they are governed by the user's home time and not his current time.
For example, if a user in New York takes a trip to Los Angeles, and is going to dial in to his home network, the time in New York rather than the time in Los Angeles will determine the time restriction. A time restriction of 6:00 p.m. EST would shut the user down at 3:00 p.m. PST. Although that might give your employee time to get in a round of golf, it might not be what you intended when configuring the time restriction in the first place.

ADDRESS RESTRICTIONS

The Address Restrictions page can be used to tie a user account to a specific workstation, thereby forcing users to log in from that hardware location, or network address only. Selecting to add a network address restriction invokes the dialog box shown in Figure 8.6. From this dialog box, specific address types (IP, TCP, UDP, and so on) can be selected, and then address information must be entered to configure the restriction.

Figure 8.6. Address Restrictions page in iManager.

INTRUDER LOCKOUT

The Intruder Lockout page is useful only after a user account has been disabled. Intruder lockout refers to the disabling of a user account after a certain number of unsuccessful login attempts have been made. To re-enable a locked-out account, the administrator unchecks the Account Locked box on this page. The other three entries simply provide information about the status of the locked account. The actual intruder detection system is configured at the container level rather than at the user level. In order to configure your intruder detection environment, complete the following steps:
After the intrusion detection features have been configured, intruder lockout makes it much more difficult for would-be hackers to perform dictionary or other brute-force attacks against one of your network accounts.
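The intruder lockout behaviour described above, as an added example that is not Novell's code: detection is configured per container, so a user inherits the policy of the container named in its DN, a run of failed attempts sets the equivalent of Account Locked, and the administrator clears it. The attempt limits, the reset interval within which failures are counted, and the log lines are constructed assumptions.

```python
# Added example (not Novell's code): simulates eDirectory intruder lockout.
# Detection is configured per container, so a user inherits the policy of the
# container in its DN. Limits, reset intervals and log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed policies: container -> (failures allowed, interval they count in).
CONTAINER_POLICY = {"ou=sales,o=acme": (3, timedelta(minutes=10)),
                    "ou=it,o=acme": (5, timedelta(minutes=30))}
# Constructed sample log: ISO timestamp, user DN, result.
SAMPLE_LOG = """\
2024-05-01T09:00:00 cn=jdoe,ou=sales,o=acme FAIL
2024-05-01T09:00:05 cn=jdoe,ou=sales,o=acme FAIL
2024-05-01T09:00:09 cn=jdoe,ou=sales,o=acme FAIL
2024-05-01T09:00:12 cn=jdoe,ou=sales,o=acme OK
2024-05-01T09:05:00 cn=asmith,ou=it,o=acme FAIL
2024-05-01T09:40:00 cn=asmith,ou=it,o=acme FAIL
2024-05-01T09:40:01 cn=asmith,ou=it,o=acme FAIL"""

def container_of(dn):
    """Strip the leading RDN: cn=jdoe,ou=sales,o=acme -> ou=sales,o=acme."""
    return dn.split(",", 1)[1]

class IntruderDetector:
    def __init__(self):
        self.failures = defaultdict(list)  # dn -> timestamps of counted failures
        self.locked = set()                # DNs with Account Locked set

    def record(self, when, dn, ok):
        """Apply one attempt; returns True only if the login is accepted."""
        limit, window = CONTAINER_POLICY[container_of(dn)]
        if dn in self.locked:
            return False                   # a locked account rejects even a correct password
        if ok:
            self.failures[dn].clear()      # a success resets the counter
            return True
        recent = [t for t in self.failures[dn] if when - t <= window] + [when]
        self.failures[dn] = recent
        if len(recent) >= limit:
            self.locked.add(dn)            # the page's intruder lockout
        return False

    def unlock(self, dn):
        """Equivalent of the administrator clearing Account Locked in iManager."""
        self.locked.discard(dn)
        self.failures[dn].clear()

def replay(log_text):
    """Feed log lines through the detector; returns (detector, per-line decisions)."""
    det, decisions = IntruderDetector(), []
    for line in log_text.splitlines():
        ts, dn, result = line.split()
        decisions.append(det.record(datetime.fromisoformat(ts), dn, result == "OK"))
    return det, decisions
```

In the sample log, jdoe's correct password at 09:00:12 is rejected because the three preceding failures already locked the account, while asmith's first failure falls outside the 30-minute interval and is no longer counted.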