I recommend this resource to anyone who would like to learn about Identity Management. It is particularly geared towards those who want to learn about the basics of Identity Management. The Identity 101 series is particularly insightful. The various aspects of Identity Management (provisioning, single sign on etc) are covered and use cases are given to help illustrate the need for finding solutions.

Ash asked for Idm one-liners so here’s one for you: Your Manual processes are as good as the errors they produce. Recently I was working with a client that had various rules in place concerning employee Identities. The problem was they were relying on manual processes to enforce them thus opening themselves up to human error. One example would be their username naming convention which consisted of a combination of characters from the first name, middle name and last name. There are also special cases involving exceptions (if a username was already taken). While working on the IdentityMap for this client they decided they wanted to do some data cleansing as well. So I starting writing rules for excluding problem records. Hundreds of records were out of compliance with their various rules.

So the lesson to learn here is:

automation, automation, automation. Clients ought to automate as many business processes as possible to prevent human errors. The next best thing is checking for compliance at key points to prevent bad data from becoming widespread and irreversible.

Image via Wikipedia

I found this LDAP browser/editor to be really good! If you use this on a client and have write privileges be careful about not overwriting anything. Another cross platform browser suggested by Eric is LDAPSoft’s browser.

The popular softerra ldap browser is not so great in my view. It has failed me before, and I will never use it again. How about you? What is your favorite LDAP browser?

Image via Wikipedia

Gartner puts out its Magic Quadrant for User Provisioning report Annually. This report identifies the leading players in the Market and provides alot of data on the adoption of Provisioning Identity Products.

the usual suspects: Sun, Novell, Microsoft, IBM are mentioned. Although there areothers major players as well i.e. Courion. The company I work for Identropy gets a mention, in relation to being an innovating force with as a Courion partner.  Understanding these products may give you a practical feel for what role Identity is playng at this point in time.

Read the full report here:
http://mediaproducts.gartner.com/reprints/novell/159740.html

Related articles by Zemanta

• Notes on Presenting to Gartner…and That Magic Quadrant Thing
• Connect Pro a “Leader” Once Again In Gartner’s Magic Quadrant

Image via CrunchBase

I was at a client doing some Identity mapping. They have TIM Tivoli, which had to be mapped against their people soft data. I needed to pull their usernames (eruid), employeeIDs (eradEmployeeID) from objectclass eradaccount (AD stuff), I also had to get their email accounts (which are under a custom objectClass (did not come from AD originally). I was trying to write a VBScript to pull everything. But Unfortunately all the code that’s out there on the web is very AD specific (AD Provider, adspath etc) and was not able to properly run a query from a VBscript to hit LDAP.

So I emailed Charles Ahart a blogger who blogs about his Tivoli experiences. And I tell him about my problem. I mentioned I was trying to pull this data into SSIS to map against their PeopleSoft Employee ID. So VBScript or Vb.net code would work. I was also given access to their DB2 database. That thing is crazy I could connect from SSIS to it, but the data is just all over the place. While I needed just 3 attributes It was so difficult to track them down. Even the Client’s TIM dba couldn’t figure it out. So I thought if I can’t do this with a script, I will have to do it through running a query against the DB2. I think the script would be an easier route to take.

Charles Responded:

Yes TIM is quite a “bear” when you try to dig into it.  It’s not usually a good idea to interact with TIM at the DB2 layer except for maybe doing some historical reporting against the transaction database.  Talking to the LDAP DB2 directly is dangerous.  If you are looking to read data you could make LDAP calls to get what it is you need or you can write a web service to talk to TIM via the Tivoli API’s.  All the Tivoli Java Docs are available on the TIM server under /opt/itim/extensions/examples.

If you need to just read some attributes then LDAP calls would be easier.Also, TIM comes with TDI which is a very powerful tool for moving data around.  You could leverage that as well.  Chances are if they are running TIM then they have licenses for TDI and this is a very easy tool to run from your desktop or server.  It has many connectors already built for LDAP, JDBC, file system connectors with built-in parsers, and much more.  You can code JavaScript in that tool to pull data very easily from one system to another.BTW, TIM comes with connectors to Peoplesoft, so you could integrate Peoplesoft directly with TIM or you could be using TDI to connect the two.  I’m not sure what data your trying to move from where to where.

To see what’s under the hood in TIM, you will need access to login to the TIM LDAP and point an LDAP Client at the TIM Box.  There are TIM Identities (TIM Profiles) which are the Persons in the TIM System.  These reside in a subtree like the following:

ou=people,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com

There will be another entry for each person’s accounts under the following subtree:

ou=0,ou=accounts,erglobalid=00000000000000000000,ou=Largecorp,dc=largecorp,dc=com

In this subtree you will find all the user accounts which are linked to the account owner.  So the owner attribute for each account references the DN value for the TIM Person who owns that account.  All the attributes for an AD user would be contained in the AD account entry for that use.

Image via Wikipedia

If you want to understand identity Management, you have to first be able to analyze the problems surrounding coorporate identities today. Courion, an identity software vendor (I recently completed training on their product), held an event where they presented their product. An attendee wrote:

Observations from Converge:

- The main industry vertical customers attending were financial and health care.   User provisioning is a key issue and it is very expensive to do manually

- RoleCourier is gaining traction as customers are using it to avoid complexity, excessive roles, and political situations that arise when doing role-based provisioning

- ComplianceCourier is getting a lot of interest for its capability to enable business managers to periodically review and verify employee access rights

- There was a great customer presentation from Goodyear Tire and Rubber Corporation, where they discussed a previous failed attempt at implementing IAM, followed by their project with Courion, which is rolling out very smoothly.  One interesting note: a focus on educating and motivating users to appreciate the new system really pays off.

So from this persons take, and from the Courion products spectrum we see that some of the major IT security needs are: Provisioning/De-provisioning, Role Management, Compliance (government regulation etc), and there is also Password management (which the writer left out).

In subsequent posts, I will explore each one of these  areas of Identity. I will also be sharing more details about Courion’s product,  how it works, as well as what some of the technical challenges await Identity integrators.

Image by FHKE via Flickr

When doing Identity Management integrations its very important to properly train consultants/integrators. While shadowing is a good way to get someone aquainted, its even more important to provide hands on training. Dedicating an entire machine for each employees testing purposes becomes difficult quickly.

Virtualization helps eliminate the resource intensive requirements of having all that hardware. Plus it allows you to deal with multiple environments and makes reusing an entire insallation as easy as copy and paste.

In an earlier post I had mentioned that you can setup a VMWare test server using VMWare on Linux as a Development Sever for multiple users.

I followed this link to recently install VMWare 1.0.7 on OpenSUSE 11. Before doing anything update your linux installation from Yast or run the following command in terminal: apt-get update . Run all updates (and do this frequently). Then grab the latest version of VMWare Server from Vmware.com. After unzipping the file these are the commands you should run in terminal and these are the results you should get. The trick is getting your dependencies right. If you get an error along the way just search for that library in yast, or do a google search on the library that is missing and find out how to install it from the terminal. After installing the libraries start the process again. I had to install the latest version of gcc to make this work.

linux-d49o:~ # rpm -qa | grep -i vmware

VMware-server-1.0.7-108231

linux-d49o:~ #  /usr/bin/vmware-config.pl

Making sure services for VMware Server are stopped.

Stopping VMware services:

Virtual machine monitor                                             done

You must read and accept the End User License Agreement to continue.

Press enter to display it.

Do you accept? (yes/no) yes

Thank you.

Configuring fallback GTK+ 2.4 libraries.

In which directory do you want to install the mime type icons?

[/usr/share/icons] /usr/share/icons

What directory contains your desktop menu entry files? These files have a

.desktop file extension. [/usr/share/applications] /usr/share/applications

In which directory do you want to install the application’s icon?

[/usr/share/pixmaps] /usr/share/pixmaps

/usr/share/applications/vmware-server.desktop: warning: value “vmware-server.png” for key “Icon” in group “Desktop Entry” is an icon name with an extension, but there should be no extension as described in the Icon Theme Specification if the value is not an absolute path

/usr/share/applications/vmware-console-uri-handler.desktop: warning: value “vmware-server.png” for key “Icon” in group “Desktop Entry” is an icon name with an extension, but there should be no extension as described in the Icon Theme Specification if the value is not an absolute path

Trying to find a suitable vmmon module for your running kernel.

None of the pre-built vmmon modules for VMware Server is suitable for your

running kernel.  Do you want this program to try to build the vmmon module for

your system (you need to have a C compiler installed on your system)? [yes] yes

Using compiler “/usr/bin/gcc”. Use environment variable CC to override.

Your kernel was built with “gcc” version “4.3.1″, while you are trying to use

“/usr/bin/gcc” version “4.3″. This configuration is not recommended and VMware

Server may crash if you’ll continue. Please try to use exactly same compiler as

one used for building your kernel. Do you want to go with compiler

“/usr/bin/gcc” version “4.3″ anyway? [no] yes

What is the location of the directory of C header files that match your running

kernel? [/lib/modules/2.6.25.11-0.1-pae/build/include]

Extracting the sources of the vmmon module.

Building the vmmon module.

Using 2.6.x kernel build system.

make: Entering directory `/tmp/vmware-config0/vmmon-only’

make -C /lib/modules/2.6.25.11-0.1-pae/build/include/.. SUBDIRS=$PWD SRCROOT=$PWD/. modules

make[1]: Entering directory `/usr/src/linux-2.6.25.11-0.1-obj/i386/pae’

make -C /usr/src/linux-2.6.25.11-0.1 O=/usr/src/linux-2.6.25.11-0.1-obj/i386/pae/. modules

CC [M]  /tmp/vmware-config0/vmmon-only/linux/driver.o

CC [M]  /tmp/vmware-config0/vmmon-only/linux/hostif.o

CC [M]  /tmp/vmware-config0/vmmon-only/common/cpuid.o

CC [M]  /tmp/vmware-config0/vmmon-only/common/hash.o

CC [M]  /tmp/vmware-config0/vmmon-only/common/memtrack.o

CC [M]  /tmp/vmware-config0/vmmon-only/common/phystrack.o

CC [M]  /tmp/vmware-config0/vmmon-only/common/task.o

CC [M]  /tmp/vmware-config0/vmmon-only/common/vmx86.o

/tmp/vmware-config0/vmmon-only/common/vmx86.c: In function ‘Vmx86_GetkHzEstimate’:

/tmp/vmware-config0/vmmon-only/common/vmx86.c:1899: warning: passing argument 4 of ‘Div643264′ from incompatible pointer type

/tmp/vmware-config0/vmmon-only/common/vmx86.c:1908: warning: passing argument 4 of ‘Div643232′ from incompatible pointer type

CC [M]  /tmp/vmware-config0/vmmon-only/vmcore/moduleloop.o

LD [M]  /tmp/vmware-config0/vmmon-only/vmmon.o

Building modules, stage 2.

MODPOST 1 modules

WARNING: modpost: module vmmon.ko uses symbol ‘init_mm’ marked UNUSED

CC      /tmp/vmware-config0/vmmon-only/vmmon.mod.o

LD [M]  /tmp/vmware-config0/vmmon-only/vmmon.ko

make[1]: Leaving directory `/usr/src/linux-2.6.25.11-0.1-obj/i386/pae’

cp -f vmmon.ko ./../vmmon.o

make: Leaving directory `/tmp/vmware-config0/vmmon-only’

The module loads perfectly in the running kernel.

Do you want networking for your virtual machines? (yes/no/help) [yes]

Configuring a bridged network for vmnet0.

The following bridged networks have been defined:

All your ethernet interfaces are already bridged.

Do you want to be able to use NAT networking in your virtual machines? (yes/no)

[yes]

Configuring a NAT network for vmnet8.

Do you want this program to probe for an unused private subnet? (yes/no/help)

[yes]

Probing for an unused private subnet (this can take some time)…

The subnet 192.168.141.0/255.255.255.0 appears to be unused.

This system appears to have a DHCP server configured for normal use.  Beware

that you should teach it how not to interfere with VMware Server’s DHCP server.

There are two ways to do this:

1) Modify the file /etc/dhcpd.conf to add something like:

subnet 192.168.141.0 netmask 255.255.255.0 {

# Note: No range is given, vmnet-dhcpd will deal with this subnet.

}

2) Start your DHCP server with an explicit list of network interfaces to deal

with (leaving out vmnet8). e.g.:

dhcpd eth0

Consult the dhcpd(8) and dhcpd.conf(5) manual pages for details.

Hit enter to continue.

The following NAT networks have been defined:

Do you wish to configure another NAT network? (yes/no) [no]

Do you want to be able to use host-only networking in your virtual machines?

[yes]

Configuring a host-only network for vmnet1.

Do you want this program to probe for an unused private subnet? (yes/no/help)

[yes]

Probing for an unused private subnet (this can take some time)…

The subnet 172.16.56.0/255.255.255.0 appears to be unused.

This system appears to have a DHCP server configured for normal use.  Beware

that you should teach it how not to interfere with VMware Server’s DHCP server.

There are two ways to do this:

1) Modify the file /etc/dhcpd.conf to add something like:

subnet 172.16.56.0 netmask 255.255.255.0 {

# Note: No range is given, vmnet-dhcpd will deal with this subnet.

}

2) Start your DHCP server with an explicit list of network interfaces to deal

with (leaving out vmnet1). e.g.:

dhcpd eth0

Consult the dhcpd(8) and dhcpd.conf(5) manual pages for details.

Hit enter to continue.

The following host-only networks have been defined:

Do you wish to configure another host-only network? (yes/no) [no]

Extracting the sources of the vmnet module.

Building the vmnet module.

Using 2.6.x kernel build system.

make: Entering directory `/tmp/vmware-config0/vmnet-only’

make -C /lib/modules/2.6.25.11-0.1-pae/build/include/.. SUBDIRS=$PWD SRCROOT=$PWD/. modules

make[1]: Entering directory `/usr/src/linux-2.6.25.11-0.1-obj/i386/pae’

make -C /usr/src/linux-2.6.25.11-0.1 O=/usr/src/linux-2.6.25.11-0.1-obj/i386/pae/. modules

CC [M]  /tmp/vmware-config0/vmnet-only/driver.o

CC [M]  /tmp/vmware-config0/vmnet-only/hub.o

CC [M]  /tmp/vmware-config0/vmnet-only/userif.o

CC [M]  /tmp/vmware-config0/vmnet-only/netif.o

CC [M]  /tmp/vmware-config0/vmnet-only/bridge.o

CC [M]  /tmp/vmware-config0/vmnet-only/procfs.o

CC [M]  /tmp/vmware-config0/vmnet-only/smac_compat.o

SHIPPED /tmp/vmware-config0/vmnet-only/smac_linux.x386.o

LD [M]  /tmp/vmware-config0/vmnet-only/vmnet.o

Building modules, stage 2.

MODPOST 1 modules

WARNING: could not find /tmp/vmware-config0/vmnet-only/.smac_linux.x386.o.cmd for /tmp/vmware-config0/vmnet-only/smac_linux.x386.o

CC      /tmp/vmware-config0/vmnet-only/vmnet.mod.o

LD [M]  /tmp/vmware-config0/vmnet-only/vmnet.ko

make[1]: Leaving directory `/usr/src/linux-2.6.25.11-0.1-obj/i386/pae’

cp -f vmnet.ko ./../vmnet.o

make: Leaving directory `/tmp/vmware-config0/vmnet-only’

The module loads perfectly in the running kernel.

The default port : 902 is not free. We have selected a suitable alternative

port for VMware Server use. You may override this value now.

Remember to use this port when connecting to this server.

Please specify a port for remote console connections to use [904]

WARNING: VMware Server has been configured to run on a port different from the

default port. Remember to use this port when connecting to this server.

Shutting down xinetd:                                                done

Starting INET services. (xinetd)                                     done

Configuring the VMware VmPerl Scripting API.

Building the VMware VmPerl Scripting API.

Using compiler “/usr/bin/gcc”. Use environment variable CC to override.

Installing the VMware VmPerl Scripting API.

The installation of the VMware VmPerl Scripting API succeeded.

Generating SSL Server Certificate

In which directory do you want to keep your virtual machine files?

[/var/lib/vmware/Virtual Machines]

The path “/var/lib/vmware/Virtual Machines” does not exist currently. This

program is going to create it, including needed parent directories. Is this

what you want? [yes]

Please enter your 20-character serial number.

Type XXXXX-XXXXX-XXXXX-XXXXX or ‘Enter’ to cancel:

You cannot power on any virtual machines until you enter a valid serial number.

To enter the serial number, run this configuration program again, or choose

‘Help > Enter Serial Number’ in the virtual machine console.

Starting VMware services:

Virtual machine monitor                                             done

Virtual ethernet                                                    done

Bridged networking on /dev/vmnet0                                   done

Host-only networking on /dev/vmnet1 (background)                    done

Host-only networking on /dev/vmnet8 (background)                    done

NAT service on /dev/vmnet8                                          done

The configuration of VMware Server 1.0.7 build-108231 for Linux for this

running kernel completed successfully.

linux-d49o:~ #

Related articles by Zemanta

• Novell patches Suse Linux kernel for VMware efficiency
• VMWare offers free training videos on YouTube
  

To sum up, the way Sentinel works is:

1. Logs are pulled into Sentinel and each line is seperated into events with severity levels ranging from 1 to 5
2. You define filters to look for events of interest. For example a filter might look like:
   filter(((e.DeviceCategory = “IDS”) and (e.Severity >= 4)))
3. Multiple Events can be groups together and marked as incidents. Each incident can be assigned a category and can be assigned to a person for further investigation
4. Utilizing Filters a correlated event can kick of an action (or trigger) such as sending an e-mail, appending a list, appending an ldap attribute or kicking off a javascript file (for further flexibility)
5. ProcessWork Flows can be designed to dictate the logic behind how an event is handled. The chain of command can be worked into the work flow. I.e. when a correlated event takes place ad Analyst can be prompted to check out the incident. Once the analyst attempts to rectify the problem and closes it out. It then can go to an Administrator who can further investigate or close out the incident.

This is the process in a nutshell, if you follow the screens after reading the explanation it might make more sense.

I mentioned the learning curve before. Where does that come in? Definitely when it comes to writing filters. attempting to fully leverage this product will take a concerted effort of Administrators who must keep evaluating the data coming in, to come up with new filters and rules to look for. This will take out of the box thinking. If Sentinel could become smarter over time and share its own suggestions for filters that would be great. When I shared this idea with someone they said that would be Sentinel for Sentinel. Til that point comes where Artificial Intelligence is worked into apps like this Admins will have to play close attention and help make their companies investment worthwhile.

Sentinel is beast and can do a whole lot. The challenge is getting people trained and involving those with the security background that can help them identify what attacks to look for. The filtering language can be very powerful if an Admin can logically think about what sequence of events might take place during an attack. There is a “window” feature where a current attack can be compared to an attack that took place earlier where a set range of time can be specified. For example a usecase can be if someone attempts to login as administrator 5 times within 24 hours you might want to have a filter and event setup to disable that account temporarily and kick off a workflow to reenable that account once its been approved.

For those firms this product may be overkill and they may want to look into Novell’s new identity Audit application which was formerly known as Novell Scout. PS that is a totally different application. Sentinel was aquired in the purchase of a company called esecurity. Scout was an application that Novell developed and is not a light version of Sentinel.

This training was pretty well laid out. The labs were pretty good. The environment was great. There were about 25 integrators (Novell partners) representing companies from all over the US. They had a few give aways (i.e. blu ray player and external drive). They even took us out to dinner  one night, paid for our hotel rooms, and provided lunch every day. So Thanks to Novell for treating us right and getting us aquainted with Sentinel.

Image via Wikipedia

Alright Day 3 of Sentinel training was pretty good. We reviewed performing actions when a correlation rule is met on an event filter.  We also learned about “solution packs”.  A little bit about how they are structured, but mainly how to import, edit and redeloy them. We were shown the PCI DSS solution pack. I must say it was pretty comprehensive, which is sold for $30K by itself. We also were given a sales presentation breaking down the scope of Novell’s ISM (Identity and Security Management) products. It was explained to us that ISM is now one of Novell’s 3 focuses. Any supported products will fall under their main areas of focus. They also mentioned that they did very well this final quarter which is about to end for them. That’s really good news for Identity Management, especially at a time when the economy is not doing well. We also heard from some attendees in the training course that IBM is also doing very well. And of course IBM has its own Identity Management suite. So even more good news for Identity Management. The sales rep explained that Identity Management was initially seen as a sub-area of focus for IT departments and was not seen as being under security. But now Identity Management is seen more as being under security rather than traditional IT because of the specialization that goes into it.

Back to Sentinel…  the Actions that can be performed when a correlation rule is met are: configure Correlation Event, Create Incident (to be assigned and resolved), Execute Command (custom batch file), remove Dynamic list, Send Email, Set LDAP attribute (i.e. in E-directory), and the latest addition giving much flexibility is executing Javascript. We also learned how to import collectors and connectors. The Higherarchy seems to be Collector->connectors.  Also there has been quite a bit of changes from 6.0 to 6.1.  We also learned that Collectors and Connectors can be bundled and deployed with solution packs. A base install of Sentinel does not include any collectors or connectors. You have to download them from the Novell Site. Some are free i.e. the Collector for Active Directory. I am still looking for a comprehensive list of whats free and whats for purchase.

The Salesperson also broke down the CMP (Compliance Management Platform) product line (which is really a bundle) a little bit.  The first product that is pushed is Analyzer which does some data sanatizing/analytics to help show how more resources can be used. Identity Manager and Sentinel are the 2 major components of CMP.  Aside from there being some collectors and connectors to integrate Identity Manager with Sentinel I did not hear a whole lot else about how they integrate. The only example I have heard is being able to pull data from Identity Manager when a user is involved in an incident. Imagine if someone tries to access something they should not access. Not only can their account be disabled if they try repeatedly over a certain window of time, but their profile can be pulled from Identity Manager which would even show their picture. We were also told that an action from a correlated event in Sentinel could kick off an Identity Manager workflow. I guess that would be done through the SOAP connector? (not sure) Aside from this I haven’t heard too much more about how these products integrate. The rights to Sentinel were brought from E-security when Novell purchaed them. Eric noted that the UI must have been changed from the original version because it now looks similar to Novell’s Identity manager. Another confusing thing that came up is how roles are managed. Identity Manager apparently has its own role based system, but there is another Novell product called Access manager which does nothing but roles. There is another program called Identity Audit which is supposed to help with compliancy but does nothing but reports. So there is some redundancy in the offering of some ot these products. Crystal reports (a little lincse comes with CMS).

In my next post on the final day of Sentinel training, I will include screenshots from my training image.

Related articles by Zemanta

• PCI DSS hits Web 2.0

Today we spent alot of time on writing correlation rules, learning the syntax (expressions and other things) which are unique to the sentinel product. We also spent a large ammount of time learning the administrative tools.

Due to my headache, Ill be more detailed in the next post.