RSA Authentication Manager 6.1 Administrator's Guide - The Ether ...

More documents

Recommendations

Info

RSA Authentication Manager 6.1 Administrator’s Guide• Primary and Replica machines should be set up for RSA Authentication Managerfunctions only. Avoid using these computers as web servers, file servers, firewalls,or for any other application.• RSA Authentication Manager Primary and Replica machines must be keptphysically secure.Important: RSA Security recommends that administrators direct users to follow thedirections in the “User Responsibilities” section of their authentication instructions.Evasion-of-Attack FeaturesIf an unauthorized user with a stolen PIN eventually succeeds in guessing a validtokencode, this person is still not granted access because the Authentication Managerprompts for a second tokencode after a series of failed logon attempts. If the persondoes not correctly enter the next tokencode generated by the token, he or she is deniedaccess. Additionally, after a certain number of consecutive failed logon attempts, thetoken used in these attempts is disabled automatically. For more information, see“Summary of Evasion-of-Attack Features” on page 130.The number of incorrect passcodes allowed is configurable using the ConfigurationManagement application (Windows) or the ACEPROG/sdsetup -config command(UNIX). For more information, see Chapter 12, “Configuring the RSA AuthenticationManager (Windows)” or Chapter 14, “Configuring the RSA Authentication Manager(UNIX).”The Lock ManagerThe Lock Manager defends the RSA Authentication Manager against replay attacks inwhich an intruder attempts to reuse an old passcode or acquires the current passcodefor a token. The Lock Manager service name is sdlockmgr, and the default serviceport is 5560.The Lock Manager coordinates data that was previously maintained in anRSA Authentication Manager work queue. The work queue is used to detect twosimultaneous authentications occurring for the same authenticator (RSA SecurIDtoken) within a time period referred to as the “Response Delay.” In addition, theRSA Authentication Manager uses a token “high water mark” to prevent the replay ofpast tokencodes that fall within the authentication window and would therefore beaccepted by the RSA Authentication Manager. When RSA Authentication Managerprocesses are replicated, you need a mechanism to coordinate the work queue datafrom all RSA Authentication Managers within a realm. The Lock Manager fills thisrole by:• Locking a user's Default logon name when an RSA Authentication Agent sends aname lock request to the RSA Authentication Manager. If the AuthenticationManager receives a second request, the request is denied.18 1: Overview
RSA Authentication Manager 6.1 Administrator’s Guide• Tracking the “high water mark.” The high water mark is a record of the last goodpasscode used for the token. The Authentication Manager accepts passcodes thatoccur after the last good passcode. The token record can still store the high watermark (as in previous releases), but you now have the option of leaving this taskentirely to the Lock Manager. To configure your Authentication Manager not torecord the high water mark in the token record, click System > Edit SystemParameters and clear Store time of last login in token records.Detecting a Replay AttackIn a replay attack, an intruder attempts to gain access with a captured passcode bysetting the server system clock back, then reusing the passcode at the appropriatesystem time. The RSA Authentication Manager software warns you of any change insystem time that may indicate a replay attack.When the RSA Authentication Manager software detects that the server system clockhas been set back, it puts the following warning message in the log database:“*** System clock setback detected”. This message can be viewed through DatabaseAdministration application Activity or Exception reports. This message is also addedby default to the Event log and can be tracked and identified with a commercialnetwork management tool.Note: Because this message may indicate a serious security breach, RSA Securityrecommends that it not be removed from the list of message types sent to the Event log.Data EncryptionRSA Authentication Manager 6.1 uses data encryption in several ways to ensure thesecurity of your system:• All messages and data exchanged between the Primary and Replica are encryptedduring transmission—the more sensitive data with the secure RC5 block cipherand the less sensitive data with a DES encryption key that changes every tenminutes.• Communications between any Agent and a Primary or Replica are encryptedusing a unique key (the “node secret”) known only to the specific Agent and to theAuthentication Manager. This prevents an unauthorized machine from passing foran Agent, a Primary, or Replica. For more information, see “Node Secret File” onpage 228.• Communications between separate RSA Authentication Manager systems(realms) are encrypted using a unique “realm secret” known only to the twoAuthentication Managers participating in the exchange. For more informationabout the realm secret, see “Creating and Modifying Realms” on page 85.• Sensitive token data, for example, a user’s PIN, is encrypted so that no one,including system administrators, can view it. Token serial numbers, which are notencrypted, enable administrators to specify tokens for administrative purposes.1: Overview 19
Page 1 and 2: RSA Authentication Manager 6.1Admin
Page 3: RSA Authentication Manager 6.1 Admi
Page 6 and 7: RSA Authentication Manager 6.1 Admi
Page 69 and 70:
RSA Authentication Manager 6.1 Admi
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Page 245:
Page 248 and 249:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317 and 318:
Page 319 and 320:
Page 321 and 322:
Page 323 and 324:
Page 325 and 326:
Page 327 and 328:
Page 329 and 330:
Page 331 and 332:
Page 333 and 334:
Page 335 and 336:
Page 337 and 338:
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
Page 369 and 370:
Page 371 and 372:
Page 373 and 374:
Page 375 and 376:
Page 377 and 378:
Page 379 and 380:
Page 381 and 382:
Page 383 and 384:
Page 385 and 386:
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
Page 399 and 400:
Page 401 and 402:
Page 403 and 404:
Page 405 and 406:
Page 407 and 408:
Page 409 and 410:
Page 411 and 412:
Page 413 and 414:
Page 415 and 416:
Page 417 and 418:
Page 419 and 420:
Page 421 and 422:
Page 423 and 424:
Page 425 and 426:
Page 427 and 428:
Page 429 and 430:
Page 431:
Page 434 and 435:
Page 437 and 438:
Page 439 and 440:
Page 441 and 442:
Page 443 and 444:
Page 445 and 446:
show all

RSA Authentication Manager 6.1 Administrator's Guide - The Ether ...

Create successful ePaper yourself

Delete template?

Save as template?