Friday, May 25, 2007
Windows CardSpace
This is also made to replace usernames and passwords and the registration forms that need to be filled in on every website. When a digital identity is sent over the network, it travels as some kind of security token. A security token is made of a collection of claims about that identity. A claim can be a username, first name, last name, address, e-mail, phone number, etc. To prove that all these claims belong to the user, either a password is sent with the claims, or some or all of the claims are digitally signed using a private key.
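As an added illustration of the signed-claims mechanism just described (example code written for this page, not Microsoft's CardSpace implementation): the holder signs a set of claims with a private key, the relying party verifies them with the matching public key, and a claim altered after signing fails verification. The Ed25519 key, the claim names and the claim values are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Claims is the set of attributes a security token asserts about an identity
// (username, e-mail, phone number, ...). Values used below are constructed sample data.
type Claims map[string]string

// Token is the claim set together with a signature made by the holder's private key.
type Token struct {
	Claims    Claims
	Signature []byte
}

// canonical serialises the claims into bytes that signer and verifier reproduce
// identically. encoding/json writes map keys in sorted order, so the same claim
// set always yields the same bytes regardless of insertion order.
func canonical(c Claims) ([]byte, error) {
	return json.Marshal(c)
}

// Sign attaches a signature over the canonical claims using the private key.
func Sign(c Claims, priv ed25519.PrivateKey) (Token, error) {
	msg, err := canonical(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Claims: c, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is what a relying party runs: it recomputes the canonical bytes from the
// claims it received and checks them against the signature with the public key.
func Verify(t Token, pub ed25519.PublicKey) bool {
	msg, err := canonical(t.Claims)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, t.Signature)
}

// Demo issues a token, verifies it, then alters one claim "in transit" and
// verifies again. It returns (genuineAccepted, tamperedAccepted, err).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	claims := Claims{ // constructed sample identity
		"username": "alice",
		"email":    "alice@example.test",
		"phone":    "+1-555-0100",
	}
	tok, err := Sign(claims, priv)
	if err != nil {
		return false, false, err
	}
	genuine := Verify(tok, pub)

	// Copy the token and change a claim without access to the private key;
	// the original signature no longer covers the new bytes.
	tampered := Token{Claims: Claims{}, Signature: tok.Signature}
	for k, v := range tok.Claims {
		tampered.Claims[k] = v
	}
	tampered.Claims["email"] = "mallory@example.test"
	return genuine, Verify(tampered, pub), nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine token accepted:  %v\n", genuine)
	fmt.Printf("tampered token accepted: %v\n", tampered)
}
```

The canonical-encoding step is the part that is easy to get wrong in practice: if signer and verifier serialise the claims differently (key order, whitespace, encoding), a perfectly valid token fails to verify, so the byte string that is signed must be defined exactly, not reconstructed ad hoc.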
The information card can contain various things, such as an image file, which can be a photograph of the user, and the date and time of when that information card was created. So, what if you are using InfoCard on your laptop and it gets stolen? In that case your InfoCards are stolen along with their identity provider. According to Microsoft, all information stored in cards is encrypted and you can also protect it with a password. Also, the user will have the choice to manually inform organizations about the loss of the card and cancel accounts at every relying party.
CardSpace is built into Windows Vista, and add-ons for Windows XP and Windows Server 2003 are available. To use CardSpace you will require IE 7.0 and the .NET Framework 3.0. In Vista, using CardSpace is simple: just go to the Control Panel and open Windows CardSpace.
Now click on Add card; a wizard will appear. Just follow the wizard and your InfoCard is ready. Now when you go to a website which accepts information through CardSpace, you can choose to upload your InfoCard instead of filling in the form. Windows Vista will issue a pop-up telling you that a particular website is trying to get your InfoCard; once you allow it, you will be signed in using your InfoCard.
Similar to InfoCard is Sxipper, which is more like a form filler but lets you have multiple identities. Whenever you go to a website, it pops up asking which identity you would like to use to fill in the form. It will then automatically fill in the form and submit it. Here also, you are the identity provider. Sxipper's Firefox extension can be downloaded from Sxip's website.
Using Cyberoam for identity based access control
Let's say that you have deployed identity management solutions in your organization and have enabled features such as SSO, access control and user provisioning. One very important thing you require here is granular, per-user policies on your security devices. For instance, how do you make it possible for your HR team to access job sites from your organization while disallowing the same job sites to normal users? Or, if you are a school or a college, how do you make sure that students below 18 years are not allowed to visit certain websites?
The traditional method requires you to set machine-level or IP-level policies on your content filter or bandwidth shaper. But now we have more options. Take for instance the UTM device from Cyberoam, which can do user-level filtering. It provides policy-based filtering that allows you to define individual filtering plans for various users in the organization. It lets you assign individual policies to users (identified by IP address), or a single policy to a number of users (a group). User-level authentication can be performed using the local user database on Cyberoam, or it can be integrated with ADS and LDAP. It is well known that the stronger the policies implemented, the better the performance given by the device, and the harder the device is to bypass.

By default, Cyberoam has plenty of policies for bandwidth management; it has at least one policy for every situation. The Surfing Quota policy lets you define the duration of Internet surfing time for particular users or a group of users. The Internet policy lets you specify which user has access to which sites or applications, i.e., you can deny access to messengers and offensive websites. All these policies are pretty easy to configure and manage. All configuration and reporting is done through a Web console.
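To make the per-user and per-group policy model concrete, here is an added example (not Cyberoam's code or configuration) of a small policy engine that resolves a request from an authenticated source IP: a policy assigned directly to the user takes precedence over the group's policy, site categories can be denied per policy, an age floor can be applied to a category for everyone, and a daily surfing quota blocks further access once used up. The policy names, users, IP addresses, hostnames and categories are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessPolicy is a constructed stand-in for the per-user / per-group rules the
// text describes: blocked site categories and a daily surfing quota in minutes.
type AccessPolicy struct {
	Name         string
	DeniedCats   map[string]bool
	DailyMinutes int // 0 means no quota
}

// User is an authenticated user as the gateway sees them: bound to a source IP,
// a member of one group, optionally carrying a policy of their own.
type User struct {
	Name   string
	IP     string
	Group  string
	Age    int
	Policy string // per-user policy name; empty means "use the group policy"
}

// Engine holds the policy tables. Everything loaded into it below is sample data.
type Engine struct {
	Policies    map[string]AccessPolicy
	GroupPolicy map[string]string // group name -> policy name
	UsersByIP   map[string]User   // authenticated sessions keyed by source IP
	SiteCats    map[string]string // hostname -> category
	MinAge      map[string]int    // category -> minimum age, applied to everyone
	UsedMinutes map[string]int    // surfing minutes already consumed today, per user
}

// policyFor resolves precedence: a policy assigned directly to the user wins
// over the policy assigned to the user's group.
func (e *Engine) policyFor(u User) (AccessPolicy, bool) {
	if u.Policy != "" {
		p, ok := e.Policies[u.Policy]
		return p, ok
	}
	name, ok := e.GroupPolicy[u.Group]
	if !ok {
		return AccessPolicy{}, false
	}
	p, ok := e.Policies[name]
	return p, ok
}

// Decide evaluates one request from a source IP to a hostname and returns the
// verdict with a reason, so every decision can be logged and audited.
func (e *Engine) Decide(ip, host string) (bool, string) {
	u, ok := e.UsersByIP[ip]
	if !ok {
		return false, "no authenticated user for source IP"
	}
	p, ok := e.policyFor(u)
	if !ok {
		return false, "no policy bound to user or group"
	}
	cat, ok := e.SiteCats[strings.ToLower(host)]
	if !ok {
		cat = "uncategorised"
	}
	if p.DeniedCats[cat] {
		return false, fmt.Sprintf("category %q denied by policy %q", cat, p.Name)
	}
	if minAge, ok := e.MinAge[cat]; ok && u.Age < minAge {
		return false, fmt.Sprintf("category %q requires age %d", cat, minAge)
	}
	if p.DailyMinutes > 0 && e.UsedMinutes[u.Name] >= p.DailyMinutes {
		return false, fmt.Sprintf("surfing quota of %d minutes exhausted", p.DailyMinutes)
	}
	return true, fmt.Sprintf("allowed by policy %q", p.Name)
}

// NewDemoEngine builds the sample tables: HR may reach job sites, other staff may
// not, students carry a quota, and an age-restricted category applies to all.
func NewDemoEngine() *Engine {
	e := &Engine{
		Policies: map[string]AccessPolicy{
			"hr":      {Name: "hr", DeniedCats: map[string]bool{"messenger": true}},
			"staff":   {Name: "staff", DeniedCats: map[string]bool{"jobs": true, "messenger": true}},
			"student": {Name: "student", DeniedCats: map[string]bool{"jobs": true, "messenger": true}, DailyMinutes: 60},
		},
		GroupPolicy: map[string]string{"HR": "hr", "Staff": "staff", "Students": "student"},
		SiteCats: map[string]string{
			"jobs.example.test":   "jobs",
			"chat.example.test":   "messenger",
			"mature.example.test": "adult",
			"news.example.test":   "news",
		},
		MinAge:      map[string]int{"adult": 18},
		UsedMinutes: map[string]int{"dave": 60}, // dave has already used his quota today
		UsersByIP:   map[string]User{},
	}
	for _, u := range []User{
		{Name: "alice", IP: "10.0.0.5", Group: "HR", Age: 34},
		{Name: "bob", IP: "10.0.0.6", Group: "Staff", Age: 29},
		{Name: "carol", IP: "10.0.0.7", Group: "Students", Age: 16},
		{Name: "dave", IP: "10.0.0.8", Group: "Students", Age: 19},
		{Name: "erin", IP: "10.0.0.9", Group: "Staff", Age: 41, Policy: "hr"}, // per-user override
	} {
		e.UsersByIP[u.IP] = u
	}
	return e
}

func main() {
	e := NewDemoEngine()
	for _, req := range [][2]string{
		{"10.0.0.5", "jobs.example.test"}, {"10.0.0.6", "jobs.example.test"},
		{"10.0.0.9", "jobs.example.test"}, {"10.0.0.7", "mature.example.test"},
		{"10.0.0.8", "news.example.test"}, {"10.0.0.99", "news.example.test"},
	} {
		ok, why := e.Decide(req[0], req[1])
		fmt.Printf("%-10s %-22s allow=%-5v %s\n", req[0], req[1], ok, why)
	}
}
```

Two design points carry over to a real deployment: the engine fails closed (an IP with no authenticated session, or a user with no bound policy, is denied rather than allowed), and every verdict comes with the rule that produced it, which is what you need when reviewing why a user was or was not let through.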