The presentation provides the following:
- Symantec Corporate Overview
- Solution Portfolio of Symantec
- Symantec Validation & ID Protection - Introduction
- Symantec Validation & ID Protection - Components
- Symantec Validation & ID Protection - Architecture
- Symantec Validation & ID Protection - Use Cases
- Symantec Validation & ID Protection - Licensing & Packaging
- Symantec Validation & ID Protection - Appendix (extra information)
This provides a brief overview of Symantec Validation & ID Protection (VIP). Please note that all information predates May 2016 and the full integration of Blue Coat Systems' set of solutions.
Technology Overview - Validation & ID Protection (VIP)
1. SYMANTEC: SOLUTION OVERVIEW SERIES
Symantec Validation & ID Protection
Iftikhar Ali Iqbal
https://www.linkedin.com/in/iftikhariqbal/
Valid till May 2016
4. OVERVIEW: SYMANTEC
• Founded in 1982
• Headquartered in California, United States
• Fortune 500 company
• Provides Software and Services
• Focus is on Consumer Security and Enterprise Security
• 2014 Revenue:
– $6.7 billion (fiscal year ended March 28, 2014)
– Information Security: $4.2 billion
• 2014 Market Share:
– Largest security software vendor by revenue and market share (17.2%)
(Gartner) - http://www.gartner.com/newsroom/id/3062017
SYMANTEC: VIP
5. OVERVIEW: THE SPLIT
• Since 1 October 2015, Symantec’s Information Management business has operated as a separate, privately held company, Veritas Technologies Corporation
• Solutions:
– Backup and Recovery
– Archiving
– High-Availability
– Disaster Recovery
• Separate operations, partner programs, support, etc.
6. OVERVIEW: AREAS OF FOCUS
• Solutions to Protect against:
– Malware and Spam
– Advanced Persistent Threats and Cyber Attacks
– Identity Theft and Loss of Confidential Information
• Solutions to Manage:
– Governance, Risk and Compliance
– Client, Asset, Server and Mobility
• Services:
– Product Support
– Cyber Security
– Education
14. VIP: CREDENTIALS (SOFTWARE)
• VIP Access for Mobile
– FREE
– Download from Apple iTunes App Store, Android Market, BlackBerry AppWorld
– 900+ popular handsets supported including iPhone/iPad, Android, Windows Phone, BlackBerry, J2ME
– Push Notifications (iOS and Android)
15. VIP: CREDENTIALS (SOFTWARE)
• VIP Access for Mobile (Push Notifications)
– iOS and Android
– Apple Watch
16. VIP: CREDENTIALS (SOFTWARE)
• VIP Access Desktop
– Desktop Client
– Copy/Paste OTP
– Auto-fill forms
– Microsoft Windows and Apple MacOS
17. VIP: CREDENTIALS (OUT-OF-BAND)
• Through SMS, Voice Call or Email
– VIP Service generates and delivers the security code
– SMS/Voice Call: delivered to the phone number registered with the service
– SMS/Voice Call: billed per SMS and/or voice call package
Sample SMS: “Your verification ID is [123456].”
Sample voice call: “Your verification ID is [123456]. If you would like to hear it again press 1, otherwise hang up and see your computer screen for more details.”
18. VIP: CREDENTIALS (TOKENLESS)
• VIP Registered Computer or Mobile
– Device certificate used as the device identifier
– Browser plugin performs login using device certificate
– Mobile: VIP SDK can be integrated with application
– Users only type username and password
20. VIP: CREDENTIALS (TOKENLESS – VIP INTELLIGENT AUTHENTICATION)
[Diagram: a login passes a “Gatehouse” and a “Roadway Scanner” before access is granted]
• Gatehouse: User ID, Password
• Roadway Scanner: Symantec Global Intelligence Network, Device ID, Fingerprint, Symantec Endpoint Protection, User Behaviour
• If the scan flags risk: send a code by SMS, email or voice; the user enters the validation code; the correct code grants access
21. VIP: ENTERPRISE GATEWAY
• A light-weight proxy service that acts as a bridge between your application/local infrastructure and the Symantec VIP Service.
• Deployed on premise and integrates with your LDAP or Active Directory
• Requirements:
– Microsoft Windows Server 2003 (SP1) to 2012 R2
– RHEL 5.9 to 5.11, 6.4 to 6.6 and 7.0 to 7.1
– User Stores: Active Directory, Novell eDirectory 8.8 (SP8), OpenLDAP 2.4.40 and Oracle Directory Server Enterprise Edition 11.1
• VIP Enterprise Gateway provides a *RADIUS-based authentication server
*Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.
22. VIP: ENTERPRISE GATEWAY
• Features/Functions:
– Configuration Console – enables administration, configuration and management of the Enterprise Gateway.
– Validation Server – validates RADIUS authentication requests from applications such as a VPN gateway against the user store (e.g. Active Directory) and informs the VPN gateway through a RADIUS response.
– Identity Providers (IdPs) – authenticate users for VIP Manager and the VIP Self Service Portal
– Self Service Portal Proxy – reverse proxy for VIP Self Service (use case: remote users)
– Tunnel Forwarder and Receiver – relays RADIUS packets over a TCP connection when firewall policy blocks UDP traffic
– LDAP Synchronization – synchronizes with Active Directory or LDAP
– Logging
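The RADIUS exchange the Validation Server sits in, as an added Python illustration (not Symantec code and not the Enterprise Gateway implementation). Packet framing, User-Password hiding and the Response Authenticator follow RFC 2865, and an RFC 4226 HOTP generator stands in for the software credential. The shared secret, NAS address, user record, HOTP seed and the convention of sending the password followed by a six-digit security code in one User-Password field are constructed assumptions; the slides do not state how VIP tokens compute codes or how the VPN packs the credential into the request.

```python
"""RADIUS Access-Request / Access-Accept round trip with an OTP check, in the
role the slides give the Enterprise Gateway Validation Server.
Added illustration, not Symantec code. Secret, NAS address, user record, HOTP
seed and the "password + 6-digit code in one field" convention are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # RFC 2865 attribute types

SHARED_SECRET = b"constructed-radius-secret"            # NAS <-> server secret (constructed)
NAS_IP = bytes([192, 0, 2, 10])                         # constructed (TEST-NET-1)
USER_STORE = {"alice": b"correct horse"}                # stands in for the LDAP/AD lookup
HOTP_SEEDS = {"alice": b"12345678901234567890"}         # RFC 4226 test-vector seed
hotp_counters = {"alice": 0}                            # server-side moving factor


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, mask))
        out += result
        prev = result if hiding else chunk      # chaining always uses the hidden chunk
    return out


def hide_password(password, secret, authenticator):
    padded = password.ljust(-(-len(password) // 16) * 16, b"\0")
    return _xor_chain(padded, secret, authenticator, hiding=True)


def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\0")


def build_access_request(ident, username, password_and_code, secret=SHARED_SECRET):
    """What the VPN gateway (the NAS) sends to the Validation Server."""
    authenticator = os.urandom(16)                      # fresh Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password_and_code, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, NAS_IP))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field disagrees with packet size")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def build_response(code, ident, request_authenticator, secret=SHARED_SECRET, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response, request_authenticator, secret=SHARED_SECRET):
    """NAS side: recompute the Response Authenticator before trusting Accept/Reject."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def validation_server(request, secret=SHARED_SECRET):
    """Toy Validation Server: password against the user store, trailing six digits
    against the user's HOTP credential (small look-ahead window; the counter is
    advanced on success so a captured code cannot be replayed)."""
    code, ident, req_auth, attrs = parse_packet(request)
    ok = False
    if code == ACCESS_REQUEST:
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        field = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
        password, otp = field[:-6], field[-6:]
        if user in USER_STORE and hmac.compare_digest(password, USER_STORE[user]):
            start = hotp_counters[user]
            for c in range(start, start + 3):
                if hmac.compare_digest(hotp(HOTP_SEEDS[user], c).encode(), otp):
                    hotp_counters[user] = c + 1
                    ok = True
                    break
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def demo_login(username, password, otp, ident=7):
    """Full round trip: returns (accepted, response_authenticator_valid)."""
    req = build_access_request(ident, username, password + otp.encode())
    _, _, req_auth, _ = parse_packet(req)
    resp = validation_server(req)
    return parse_packet(resp)[0] == ACCESS_ACCEPT, verify_response(resp, req_auth)


if __name__ == "__main__":
    print(demo_login("alice", b"correct horse", hotp(HOTP_SEEDS["alice"], 0)))
```

Two checks worth noticing in the toy: the NAS verifies the Response Authenticator before it trusts an Accept or Reject, and a consumed HOTP counter is advanced so that a code captured in transit is rejected on replay. User-Password hiding is an MD5 keystream, not encryption in the modern sense, which is why the slides' TCP tunnel option and a strong shared secret matter on the VPN-to-gateway hop.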
23. VIP: WEB SERVICES APIs
• For developers integrating Symantec VIP credentials into local applications
• The interface between applications and VIP is SOAP Web Services
30. VIP: INTELLIGENT AUTHENTICATION (FLOW)
[Flow diagram. Actors: VPN User; VPN; Enterprise Gateway & VIP SSP IDP; Symantec VIP IA (Risk Evaluation)]
1. Login (VPN User to VPN)
2–3. First Factor Authentication (VPN via Enterprise Gateway & VIP SSP IDP)
4. Step-up Authentication (Symantec VIP IA Risk Evaluation)
5. Allow/Deny User Access
31. VIP: INTELLIGENT AUTHENTICATION (RISK ANALYSIS)
Evaluate… (Device ID, Device Reputation and User Behavior combine into an Actionable Risk Score)
• Do we know this device?
• Is it still the same device?
• Is this device trustworthy?
• Is it acting as expected?
…and respond
• Low Risk: Grant access without an additional challenge
• High Risk: Challenge user via Out-Of-Band authentication process
32. VIP: INTELLIGENT AUTHENTICATION (RULES)
Device Identification & Fingerprint
– Device Engine: uniquely identifies a device and remembers it
– Registered Computer: strengthens device identity using a device certificate
Device Reputation
– Norton/SEP Presence: confirms whether Symantec antivirus protection is available
– Blacklisted IP: identifies whether the user/device is a known malicious actor
– Restricted Country: identifies whether the login originates in a forbidden country
User Behavior
– Behavioral Engine: spots anomalous behavior using IP, location, browser, OS
– Difficult Travel: identifies impossible travel via distance and time since last login
– Failed Previous Login: prevents access until a challenge is completed successfully
33. VIP: INTELLIGENT AUTHENTICATION (WEIGHTS)
• Not all rules are the same!
– Relative weights are assigned to each rule
– For example, if the last challenged log-in for a user failed, the generated risk score will be weighted relatively high
– On the other hand, if difficult travel is detected, the generated risk score will be weighted relatively lower
• Rule combinations are also evaluated
– Rules are evaluated in distinctive combinations
– If difficult travel is detected and user behavior seems anomalous, the risk score will be higher
– If user behavior seems anomalous and the IP is blacklisted, the risk score will be higher
34. VIP: USE CASES
- Array AccessDirect Remote Access SSL VPN
- Barracuda SSL VPN
- F5 BIG-IP Access Policy Manager
- Check Point VPN
- Cisco VPN 5500
- Citrix Access Gateway
- Citrix NetScaler
- F5 FirePass VPN
- Juniper SA VPN
- Palo Alto Networks GlobalProtect VPN
- SonicWALL Aventail SSL VPN
- Citrix Web Interface for XenApp
- Citrix Web Interface for XenDesktop
- Citrix StoreFront for XenDesktop
- Citrix GoToMyPC
- SAP NetWeaver
- Microsoft SharePoint Server 2007
- Microsoft SharePoint Server 2010
- Microsoft SharePoint Server 2013
- Microsoft Outlook Web Access 2003
- Microsoft Outlook Web Access 2007
- Microsoft Outlook Web Access 2010
- Microsoft Outlook Web Access 2013
- VMWare View
- Symantec Access Manager
- CA SiteMinder
- IBM Tivoli Access Manager
- Okta Identity Management
- Oracle OpenSSO
- Oracle Access Manager 11g
- Oracle Access Manager 10g
- PingIdentity
- Microsoft Active Directory Federation Services v. 3
- Microsoft Active Directory Federation Services v. 2
- Apache HTTP Server
- Internet Information Services 7
- Internet Information Services 8
36. VIP: LICENSING
• VIP is available for business-to-business (B2B) and business-to-consumer (B2C) cases.
• For B2C, pricing is provided directly by Symantec, as SKUs are unpublished for Distributors and Partners.
• For Symantec VIP and MPKI orders, Symantec requires a Customer Profile Form. This is a mandatory requirement during order processing, along with the Proof of Purchase (POP).
• When a customer purchases Symantec VIP, a unique account identifier is created, called the Jurisdiction Hash (JHASH). For add-ons and/or renewals, this is mandatory, along with the Proof of Purchase (POP).
37. VIP: LICENSING
COMPONENT                                        METER   NOTES
VIP Account Setup                                N/A     One-time fee
VIP Authentication Service                       User    With Gold Support, Software Tokens, IA, Enterprise Gateway, SDK, APIs
VIP Authentication Service Enterprise Platinum   User    With Platinum Support
VIP Hardware Tokens                              Token   Minimum buy is 10
VIP SMS Package                                  SMS     Per year, “use it or lose it”
VIP Voice Call Package                           Call    Per year, “use it or lose it”
Questions that size an order:
• Opportunity Type: new, renewal or add-on?
• Service Length: 1, 2 or 3 years?
• Number of Users: how many credentials?
• Support Type: Gold included; add Platinum?
• Credential Type: hardware, card or mobile token?
41. Identifying Risky Authentication Events
User Logs In From Home Using Work Laptop
Sunnyvale, United States
IP: 66.135.192.123
OS: Windows 7
Browser: Firefox 5.0
Known device ID
Location agrees with history
Unchanged device profile
Low Risk, No Challenge
42. Identifying Risky Authentication Events
Hacker #1: Attacking from China
Guangzhou, Guangdong
IP: 61.145.127.128
OS: Windows 7
Browser: Firefox 5.0
Unknown device, no device ID
Difficult travel from prior login
Unchanged device profile
High Risk, Challenge User
43. Identifying Risky Authentication Events
Hacker #2: Attacking from Cuba
Havana, Cuba
IP: 61.145.127.128
OS: Windows 7
Browser: Firefox 5.0
Unknown device, no device ID
Forbidden origin country
Unchanged device profile
High Risk, Challenge User
44. Identifying Risky Authentication Events
User Travels to India with Same Laptop
Mumbai, Maharashtra
IP: 202.138.101.165
OS: Windows 7
Browser: Firefox 5.0
Known device, valid device ID
Unexpected behavior
Unchanged device profile
Medium Risk, Challenge User
45. Identifying Risky Authentication Events
Hacker #3: Attacking from the User’s Hotel in India
Mumbai, Maharashtra
IP: 202.138.101.165
OS: Windows 7
Browser: Firefox 4.0.1
Known IP address and location
Downgrade of browser version
Unknown device, no device ID
High Risk, Challenge User
46. Identifying Risky Authentication Events
User Upgrades Firefox While at Hotel in India
Mumbai, Maharashtra
IP: 202.138.101.165
OS: Windows 7
Browser: Firefox 6.0a2
Known device, valid device ID
Known IP address and location
Profile change, Firefox update
Low Risk, No Challenge
47. Identifying Risky Authentication Events
User Travels to Cuba, Using Registered Computer
Havana, Cuba
IP: 61.145.127.128
OS: Windows 7
Browser: Firefox 5.0
Registered Computer succeeds
Forbidden origin country
Unchanged device profile
High Risk, Challenge User
48. Identifying Risky Authentication Events
Hacker #4: Co-worker Attacking to Use User’s Machine
Sunnyvale, United States
IP: 66.145.127.128
OS: Windows 7
Browser: Firefox 5.0
Known device, device ID
Registered Computer check
Unchanged device profile
High Risk, Challenge User
49. IA Rules
• Behavior Engine - identifies anomalous user behavior by analyzing IP, geo-location, browser and OS
– If the transaction is anomalous, the risk score is increased. Most anomalies on their own do not result in the user being challenged at the default threshold.
• Restricted Country - identifies whether the user comes from a restricted country
– This is for compliance requirements; for example, a transaction from Cuba, North Korea, Iran, etc. should be challenged.
– If a user logs in from a restricted country, the transaction is challenged at the default threshold
• Blacklisted IP - identifies whether the user logs in from a blacklisted IP and increases the risk score
– A login from a blacklisted IP will not, by itself, result in the user being challenged at the default threshold
50. IA Rules
• Difficult Travel - identifies whether travel over the distance, in the time since the last login, is physically possible for the user
– By itself, difficult travel will not result in the user being challenged at the default threshold.
• Failed Previous Event - identifies whether the last challenged log-in was answered successfully
– If the last challenged log-in failed, the transaction is always challenged until a successful response is received, regardless of the set risk threshold.
• IA + RC - the Registered Computer validation result is provided to IA for a combined evaluation of risk
– IA will never overturn a failed Registered Computer.
– IA may override a good Registered Computer as risky when multiple alerts are detected.
– If an RC check fails, the transaction is always flagged as risky, independent of the risk threshold
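A rule-weighted scorer that encodes the guarantees listed on slides 33, 49 and 50 (soft rules stay below the default threshold on their own, combinations add to the score, a failed previous challenge or a failed Registered Computer is always challenged regardless of threshold), added here as a Python illustration and not Symantec code. Rule names follow the slides; the weights, the threshold of 50, the 1000 km/h travel limit, the blacklist entry and every sample profile and event are constructed for the example, and the behaviour engine's “two or more changed attributes” test is a simplification of what the slides describe.

```python
"""Rule-weighted risk scoring modelled on the VIP Intelligent Authentication
rules on the slides. Added illustration, not Symantec code; weights, threshold,
speed limit, blacklist and all sample data are constructed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set

DEFAULT_THRESHOLD = 50                       # constructed: score >= this => challenge
MAX_PLAUSIBLE_KMH = 1000.0                   # constructed: faster than this is "difficult travel"
RESTRICTED_COUNTRIES = {"CU", "KP", "IR"}    # the examples named on slide 49
BLACKLISTED_IPS = {"203.0.113.7"}            # constructed (TEST-NET-3 address)

# Relative weights (constructed). Soft rules stay below the threshold on their
# own; combinations and the hard rules reach or force it.
WEIGHTS = {"unknown_device": 30, "blacklisted_ip": 30, "difficult_travel": 25,
           "anomalous_behavior": 30, "restricted_country": DEFAULT_THRESHOLD}
COMBINATION_BONUS = {frozenset({"difficult_travel", "anomalous_behavior"}): 20,
                     frozenset({"anomalous_behavior", "blacklisted_ip"}): 20}


@dataclass
class Profile:
    """What the service remembers about the user's previous login."""
    known_device_ids: Set[str]
    ip: str
    country: str
    lat: float
    lon: float
    browser: str
    os: str
    last_challenge_failed: bool = False


@dataclass
class LoginEvent:
    device_id: Optional[str]            # None: unknown device, no device ID
    ip: str
    country: str
    lat: float
    lon: float
    browser: str
    os: str
    hours_since_last_login: float
    registered_computer: str = "none"   # "pass", "fail" or "none" (RC not used)


@dataclass
class Decision:
    score: int
    triggered: List[str]
    challenge: bool


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(event, profile, threshold=DEFAULT_THRESHOLD):
    triggered = []
    if event.device_id is None or event.device_id not in profile.known_device_ids:
        triggered.append("unknown_device")
    if event.ip in BLACKLISTED_IPS:
        triggered.append("blacklisted_ip")
    if event.country in RESTRICTED_COUNTRIES:
        triggered.append("restricted_country")
    if event.hours_since_last_login > 0:
        speed = km_between(profile.lat, profile.lon, event.lat, event.lon) / event.hours_since_last_login
        if speed > MAX_PLAUSIBLE_KMH:
            triggered.append("difficult_travel")
    # Behaviour engine (simplified): one changed attribute is normal drift, two or more is anomalous.
    changed = sum([event.ip != profile.ip, event.country != profile.country,
                   event.browser != profile.browser, event.os != profile.os])
    if changed >= 2:
        triggered.append("anomalous_behavior")

    score = sum(WEIGHTS[r] for r in triggered)
    for combo, bonus in COMBINATION_BONUS.items():
        if combo <= set(triggered):
            score += bonus

    # Hard rules: challenged whatever the threshold says.
    forced = False
    if profile.last_challenge_failed:
        triggered.append("failed_previous_event")
        forced = True
    if event.registered_computer == "fail":
        triggered.append("registered_computer_failed")
        forced = True
    return Decision(score, triggered, forced or score >= threshold)


# Constructed sample data: a known laptop last seen at the user's home in Sunnyvale.
HOME = Profile({"laptop-1"}, "198.51.100.10", "US", 37.37, -122.04, "Firefox 5.0", "Windows 7")
EVENTS = {
    "home":         LoginEvent("laptop-1", "198.51.100.10", "US", 37.37, -122.04, "Firefox 5.0", "Windows 7", 24),
    "guangzhou":    LoginEvent(None, "192.0.2.44", "CN", 23.13, 113.26, "Firefox 5.0", "Windows 7", 2),
    "travel_only":  LoginEvent("laptop-1", "198.51.100.99", "US", 34.05, -118.24, "Firefox 5.0", "Windows 7", 0.25),
    "blacklisted":  LoginEvent("laptop-1", "203.0.113.7", "US", 37.37, -122.04, "Firefox 5.0", "Windows 7", 24),
    "havana_rc_ok": LoginEvent("laptop-1", "192.0.2.9", "CU", 23.11, -82.37, "Firefox 5.0", "Windows 7", 72, "pass"),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        d = evaluate(ev, HOME)
        print(f"{name:13} score={d.score:3} challenge={d.challenge} rules={d.triggered}")
```

The “havana_rc_ok” event reproduces the slide 47 situation: the Registered Computer check passes, yet the restricted-country rule still reaches the threshold and the user is challenged. Setting `threshold=1000` in a call leaves the hard rules unaffected, which is the behaviour slide 50 describes for a failed previous event and a failed RC check.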
51. Enterprise SSL VPN Flow
[Flow diagram. Enterprise Network: Enterprise Directory; VIP SSP IDP (read-only LDAP to the directory); Enterprise VPN; VIP Enterprise Gateway (RADIUS from the VPN, LDAP to the directory). Cloud: VIP Service with IA Service; VIP Self-Service]
1. User login (VPN user with VIP credential, to the Enterprise VPN)
1a. JavaScript redirects the login to the VIP User Service to get a ticket
2. IA Services evaluate risk and request OOB authentication
3. Authenticate user and password for OOB (VIP SSP IDP)
4. SAML assertion
5. OOB authentication options
6. User enters the security code
7. Return ticket
8. UID & PWD and the ticket are submitted
9. EG validates the credential and verifies risk
10. User logs in or gets denied
52. About Registered Computer
• Registered Computer validation result is an input to the Rules Engine
• Rules Engine will never overturn a failed Registered Computer.
• Rules Engine may still trigger secondary authentication even if the Registered Computer authentication succeeds
• If a Registered Computer check fails, the transaction will always be flagged as risky, independent of the risk threshold
Device-Specific Certificate Delivers Strong Identity