Welcome to Windows Communication Foundation (WCF)

All Tags » Security

  • Introducing Microsoft Code Name Zermatt

    For a couple of years now, I've been giving talks about "claims-based identity" and "claims-aware applications". The most concrete example of a claims-based identity architecture that I've been able to show so far is Active Directory Federation Services v1 (ADFS) and Windows CardSpace. And the claims programming model I've been using is the one that shipped with WCF in the System.IdentityModel assembly.

    But today I'm happy to announce that there's a new path forward in the claims world. Zermatt is the "identity framework" that I've been itching to talk about, but until today, hasn't been announced publicly. Well, Vittorio made the announcement just a moment ago, and now you can get your hands on this new framework. With it, you can build web applications and services that rely on claims to discover identity details about users. And you can easily build a security token service (STS) that supplies those claims. Zermatt makes this possible by supplying all of the plumbing that implements WS-Trust (for web services) and WS-Federation (for browser-based web applications). All you have to do is figure out what claims you want to issue based on what you know about the user and what you know about the application (aka relying party).

    I was fortunate to be asked by the team to write the white paper introducing Zermatt to developers. You can download it here. The paper introduces the ideas behind claims-based identity, and talks about how you can use Zermatt to centralize authentication (and to some degree, authorization) in an STS, thus making it easy to achieve single sign-on in your applications, and even be ready to federate with other organizations or platforms should that need arise.

    Here are some highlights of what you'll find in Zermatt:

    Zermatt includes a new claims programming model, with IClaimsPrincipal and IClaimsIdentity, two new interfaces that extend the existing IPrincipal and IIdentity that you already know and love from the .NET Framework. IClaimsIdentity adds a collection of claims. Zermatt's claims programming model is in many ways simpler than that in WCF - the Claim class exposes the value of claims as strings (always) and calls the value of a claim "Value", instead of "Resource" as WCF did. But the model is also more sophisticated - multi-hop delegation is supported, so one user can "Act As" another user, and the relying party will see the entire Read More...
  • Information Card Foundation

    Finally there's a home on the Internet for information cards. I've been waiting for this for a long time - a place to point consumers, executives, and developers to learn more about information cards. And it's not just a Microsoft thing. Founding members include Google, PayPal, Novell, and the Liberty Alliance. While the adoption of information cards has been happening at a snail's pace, this collaboration might just change that. And that would be very good for consumers. Read More...
  • Dev Connections Orlando - Get The Code!!!

    Here is my usual post-conference post with updated code samples related to the topics I presented on. I did 2 full day tutorials, and 4 sessions...enjoy! Many of the demos come from my book, Learning WCF. Since there is setup required for most of the samples that illustrate security or rely on a database, it is best you download the entire package of samples and follow the setup instructions provided in the appendix. Here's the link: http://www.thatindigogirl.com/LearningWCFCode.aspx

    TUTORIAL: Improve Your SOA: Designing a Secure, Reliable and Scalable System with WCF
    Samples from my book (see above) illustrate exception handling, MTOM, streaming, MSMQ, pub-sub, transactions, security for intranet/Internet/mutual certificate/claims-based/federated, multithreading, and throttling. Get my latest routing samples here: http://www.dasblonde.net/downloads/Routers.zip Additional error handler code here: http://www.dasblonde.net/downloads/ErrorHandlers.zip I have additional samples related to proxies here, including a proxy wrapper to address timeouts and uncaught exceptions that fault the channel: http://www.dasblonde.net/downloads/Proxies.zip The chunking channel is in the SDK extensibility samples.

    TUTORIAL: .NET Roadmap
    The following link has instructions for machine setup used for the demos, and numerous references to resources, and code samples demonstrated: http://www.dasblonde.net/downloads/TechnologyRoadmap0308.zip

    SESSION: ADFS and ASP.NET: Supporting Single Sign-On in your Web Applications
    The code I demonstrated in this session is based on the TechNet tutorial for setting up VPCs for Windows Server 2008 and ADFS, here: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true As it is published today, the lab has just a few issues that can get in the way of your success with the setup. The following blog post summarizes those issues if you have comments, but I also have a PDF that has a few screenshots here: http://www.dasblonde.net/downloads/ADFSServer2008LabErrata.pdf

    SESSION: Building a Router for your Applications
    I wrote two MSDN articles on this subject; the first is already published here: http://msdn2.microsoft.com/en-us/magazine/cc500646.aspx Get the routing samples for both parts here: http://www.dasblonde.net/downloads/Routers.zip The second part should be up within another month.

    SESSION: Going Federated with WCF
    Most of the samples for this session come from my book code (see above). An Read More...
  • Step-By-Step Guide for AD FS - Errata Comments

    I recently spent a painful 30-40 hours setting up VPCs according to the TechNet lab "Step-By-Step Guide for AD FS in Windows Server 2008". The lab is located online here: http://technet2.microsoft.com/windowsserver2008/en/library/87e1a178-4d8a-4e89-98b0-d125f9c84c221033.mspx?mfr=true In fact, the process didn't have to be so painful except that there are just a few instructions that are less than clear, incomplete or incorrect. Of course, when things don't work as expected I automatically assume that I missed a step, executed a step incorrectly, or just plain didn't know something that the lab instructions assumed everyone knows. So, my natural instinct was to repeat the steps, which I did several times, spending many hours since there are 4 VPCs and lengthy installation steps involved for each. As it turns out, just a few fixes to the lab instructions could have avoided all that. A document summarizing the issues can be downloaded from here, with additional screenshots beyond what is discussed below: http://www.dasblonde.net/downloads/ADFSServer2008LabErrata.pdf. I hope you find this helpful if you are trying to follow the lab. If you encounter different problems, please do let me know so I can post updates here.

    Step 1: Preinstallation Tasks

    Section: Configure computer operating systems and network settings
    Before you get started, make sure to turn off the firewall settings on all VPCs. The firewall gets in the way of DNS resolution between machines, which causes problems with adding computers/users to domains, problems browsing to sites later on in the lab, and similar problems with redirections that take place when you run the lab. During network setup, you don’t need to select server roles yet even though the chart lists them. Just set up the IP addresses at this time. The table listing is just a little misleading as it might lead you to think you need to set up the web server, federation server or domain controller at this point, but there are separate steps for this later. Set IP addresses according to the table for IPv4 and disable IPv6. If you don’t disable IPv6, the AD DS setup will try to enable dynamic DNS and then your static IPs will be blown away.

    Section: Install and configure AD DS
    The firewall on the adfsaccount machine must be off for this to work. After installing AD DS, check your network IP settings again just to make sure the DNS settings are as you set them in the previous step. I found that sometimes the preferred DNS settings were reset. Read More...
  • WCF Security Guide from Patterns and Practices

    P&P is putting together guidance for WCF security and is looking for feedback from the community. Now is the time to influence the results from your own practical experience so get in there and review the whole thing or the areas of your greatest interest over the next few weeks! The feedback will be really useful! J.D. Meier's blog has a link here: http://blogs.msdn.com/jmeier/archive/2008/03/27/patterns-and-practices-wcf-security-guidance-now-available.aspx Or, go direct to the CodePlex site: http://www.codeplex.com/WCFSecurity/ Technorati Tags: WCF , Security Read More...
  • Rules for Review

    Apparently, I'm drawing enough of an audience through this blog that various folks have started to send me press releases and notifications and requests for... well, I dunno exactly, but I'm assuming some blogging love of some kind. I'm always a little leery about that particular subject, because it always has this dangerous potential to turn the blog into a less-credible marketing device, but people at conferences have suggested that they really are interested in what I think about various products and tools, so perhaps it's time to amend my stance on this. With that in mind, if you are a vendor and have a product that you'd like me to take a look at and (possibly) offer up a review here, here are the basic rules:

    No guarantees. Sending me something will in no way guarantee that I will review your product, for several reasons, two of which being (a) I get really busy sometimes, and (b) I may have no interest whatsoever in your product and I refuse to pretend to do so. (Readers can usually tell when the reviewer isn't all that excited about the subject, I've found.)

    If you're not going to send me a "real" version (meaning not the time-locked or feature-crippled demo), don't bother. I have no idea when I will get around to a review, and I have no desire to review something that isn't "the real deal". I will in turn promise that the licensed version you send me (if necessary) will not be used for any purpose other than my own research and exploration (signing contract if necessary to give you that "fresh-from-the-lawyer's-office" warm and fuzzy feeling).

    I say what I think, pro and con. I will not edit my review to suit your marketing purpose, and if you ask me to do so I will simply note in the review that you have asked me to do so. I retain full editorial control over what I say about your product.

    Having established #1, I will try to be as fair as I can about your product, and point out things that I liked and things that I didn't. (Of course, if I hated it from top to bottom, I may end up with the only positive thing being "It didn't set the atmosphere on fire when I started the app", but hey, that's something positive, right?)

    Also in the spirit of #1, if you send me mail answering questions or complaints in my review, I will of course amend the review with your comments. You are always welcome to post comments to the blog entry itself, too. Unless you insult my grandmother, then I will have to get all DELETE-key on you.

    The reason I'm posting this here is Read More...
  • Reminder

    A couple of people have asked me over the last few weeks, so it's probably worth saying out loud: No, I don't work for a large company, so yes, I'm available for consulting and research projects. If you've got one of those burning questions like, "How would our company/project/department/whatever make use of JRuby-and-Rails, and what would the impact to the rest of the system be", or "Could using F# help us write applications faster", or "How would we best integrate Groovy into our application", or "How does the new Adobe Flex/AIR move help us build richer client apps", or "How do we improve the performance of our Java/.NET app", or other questions along those lines, drop me a line and let's talk. Not only will I cook up a prototype describing the answer, but I'll meet with your management and explain the consequences of the research, both pro and con, for them to evaluate. Shameless call for consulting complete, now back to the regularly-scheduled programming. Enterprise consulting, mentoring or instruction. Java, C++, .NET or XML services. 1-day or multi-day workshops available. Contact me for details. Read More...
  • The Fallacies Remain....

    Just recently, I got this bit in an email from the Redmond Developer News ezine:

    TWO IF BY SEA

    In the course of just over a week starting on Jan. 30, a total of five undersea data cables linking Europe, Africa and the Middle East were damaged or disrupted. The first two cables to be lost link Europe with Egypt and terminate near the Port of Alexandria. http://reddevnews.com/columns/article.aspx?editorialsid=2502

    Early speculation placed the blame on ship anchors that might have dragged across the sea floor during heavy weather. But the subsequent loss of cables in the Persian Gulf and the Mediterranean has produced a chilling numbers game. Someone, it seems, may be trying to sabotage the global network. It's a conclusion that came up at a recent International Telecommunication Union (ITU) press conference. According to an Associated Press report, ITU head of development Sami al-Murshed isn't ready to "rule out that a deliberate act of sabotage caused the damage to the undersea cables over two weeks ago." http://tinyurl.com/3bjtdg

    You think? In just seven or eight days, five undersea cables were disrupted. Five. All of them serving or connecting to the Middle East. And thus far, only one cable cut -- linking Oman and the United Arab Emirates -- has been identified as accidental, caused by a dragging ship anchor.

    So what does it mean for developers? A lot, actually. Because it means that the coming wave of service-enabled applications needs to take into account the fact that the cloud is, literally, under attack. This isn't new. For as long as the Internet has been around, concerns about attacks on the network have centered on threats posed by things like distributed denial of service (DDOS) and other network-borne attacks. Twice -- once in 2002 and again in 2007 -- DDOS attacks have targeted the 13 DNS root servers, threatening to disrupt the Internet. But assaults on the remote physical infrastructure of the global network are especially concerning. These cables lie hundreds or even thousands of feet beneath the surface. This wasn't a script-kiddie kicking off an ill-advised DOS attack on a server. This was almost certainly a sophisticated, well-planned, well-financed and well-thought-out effort to cut off an entire section of the world from the global Internet. Clearly, efforts need to be made to ensure that the intercontinental cable infrastructure of the Internet is hardened. Redundant, geographically dispersed links, with plenty of excess bandwidth, are Read More...
  • My Open Wireless Network

    People visiting my house have commented from time to time on the fact that at my house, there's no WEP key or WPA password to get on the network; in fact, if you were to park your car in my driveway and open up your notebook, you can jump onto the network and start browsing away. For years, I've always shrugged and said, "If I can't spot you sitting in my driveway, you deserve the opportunity to attack my network." Fortunately, Bruce Schneier, author of the insanely-good-reading Crypto-Gram newsletter, is in the same camp as I:

    My Open Wireless Network

    Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

    To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.

    I'm told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.

    While this is technically true, I don't think it's much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

    This is not to say that the new wireless security protocol, WPA, isn't very good. It is. But there are going to be security flaws in it; there always are.

    I spoke to several lawyers about this, and in their lawyerly way they outlined several other risks with leaving your network open. While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, Read More...
  • Presentation Resources: Tel Aviv User Group(s)

    Thank you very much for attending the presentation last night, I enjoyed all the great questions and discussion, and as promised here is a link to the slides, and resources for the presentation. Get the slides here. Get the code samples from my .NET Roadshow presentations on security, and this includes the federation samples, here: http://www.dasblonde.net/2007/09/15/NET35RoadshowSampleCode.aspx Enjoy! Technorati Tags: WCF , Security Read More...
  • CardSpace: How Personal Cards Protect Users

    I have been working with, writing about and presenting on CardSpace for over 2.5 years now...and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers...every day people that don't know how to choose which sites are unsafe, which links to click in email, and so on. Consider the following malicious PayPal email:

    You can see that the "Click here to verify your information" link is not really sending you to the PayPal site. I see this because I hover over the link to verify the destination...but most non-developers won't know to do this. For those unsuspecting users the story might play like this:

    They go to the destination site, which might look just like the PayPal site. They try to log in, it fails repeatedly. In the meantime, they enter every combination of username and password they use in various sites...perhaps including their online banking site. The malicious site collects these combinations of username and password. The user gives up logging in. The malicious site now tries to log in to the real PayPal account, or worse, to some of the major well-known online banking sites. If they are lucky, and the user is unlucky, one of those username and password combinations will work at the online banking site, and they can write themselves a check, or otherwise play havoc on the user's bank account.

    It is that easy to lift a username and password combination. So, how do information cards issued by CardSpace (or, any other identity selector) help? Let's assume that the user has associated a personal card with their PayPal account...if PayPal supported information cards. The same scenario might go like this:

    The user gets the evil email. They click the link and head to the malicious site that looks just like PayPal. If the site doesn't support information cards, the user will be suspicious because they always log in with a card. If the site shows support for information cards, the user may fall for it and click on the "log in with personal card" link which takes them to CardSpace. CardSpace will ask you to confirm the site by reviewing its privacy statement and site identity. This should trigger an indication to the user that this is not the site they think it is, since they would normally only get this the first time they hit the site. If they have logged in to PayPal before with a card, they wouldn't see this screen:

    Assuming this isn't enough Read More...
  • .NET 3.5 Roadshow Sample Code

    As some of you may know, several of us at IDesign (Juval, Brian and myself) are in the midst of a two-week .NET 3.5 Roadshow - six cities in two weeks where we collectively cover WCF, WF, WPF, CardSpace, federated and claims-based security concepts, and some key aspects of .NET 3.5 such as new C# 3.0 language features and ADO.NET 3.5 including LINQ and the Entity Framework. I'm personally covering WCF security, federated and claims-based security, C# 3.0 and ADO.NET 3.5. For those of you attending (or, not) here are links to the code samples I'm presenting:

    VS 2005 samples
    WCF Security Fundamentals - these samples come from the \Security directory from my book code
    Federated and Claims-Based Security in WCF - these samples come from the \Security\ClaimsBased directory from my book code
    CardSpace Samples

    Download VS 2008 Samples
    This download includes all samples referenced above, in addition to .NET 3.5 samples for C# 3.0 and LINQ, and IDesign's declarative security model including a recent version of our ServiceModelEx library.

    Other relevant resources discussed:
    My WCF webcast series
    CardSpace controls for ASP.NET
    IDesign articles

    Any questions? Email me. -Michele

    Technorati Tags: CardSpace , WCF , LINQ , C# 3.0 Read More...
  • New and Notable 182

    I could get used to this rolling out of bed into my office thing.

    BizTalk Server
    The highly anticipated R2 release (the one with WCF Adapters) of BizTalk Server 2006 is coming real soon! Worldwide launches take place in September and October.

    WCF/WF
    Dr. Nick announces the WCF/WF/CardSpace Beta 2 samples, again, this time not pointing to the Beta 1 samples :)

    SharePoint/MOSS
    Just Published: Major Update to the MOSS and WSS Downloadable SDKs

    CLR
    My friend Lutz updates the #1 tool in the .NET world, Reflector, for Orcas Beta 2! Stop what you're doing and get it! Along with that, one of the best add-ins, Reflector.Emit, has been updated. Another masterful post from Joe Duffy: Thread interrupts are (almost) as evil as thread aborts Read More...
  • Latest on Agile Project, Reorgs, and Interop

    In a post on January 25th, I said, "I posted yesterday that we had shipped our Enterprise Collateral Management solution based on our new architecture. As I said, we still have a lot more to do." I provided a concise list of the methodologies, technologies and tools that we used in our 14 month cycle. To update where we are now, it will be necessary for me to give a little more context. First, when I mention "our company", we are actually a Division exclusively devoted to Collateral Management. This division, in turn, is part of a much larger worldwide company that has at least 6 more financial sector products dealing with other aspects of managing risk. That company then, in turn, is part of a huge Ratings company. The rest of the products are (mostly) integrated into one suite that we sell. Ours is not. One reason is that the various products have been organized into self-contained product groups. That means that we had our own development, marketing, sales, product and management for just Collateral Management.

    Five or six weeks ago, our company went through a rather large reorganization that aligned things by a global R&D, global Marketing, etc. I think this is an extremely good thing. Our product is now "owned" by R&D which also owns all the other products that are part of the suite and otherwise and we are detached from product so we can focus on development. We can also look at integrating into the suite and bi-directional learning. One consequence of this is now instead of my boss reporting to a VP of Collateral Management, he reports to a Senior Director in R&D who owns a product out of our large offices in Manhattan. The cool thing is that Josh Madden is a 20 year+ veteran developer/architect like me who has done great things in the Financial area for companies like Reuters. He gets development. The other cool thing is that his other product group also uses a lot of Agile techniques and greatly appreciates our total XP environment.

    One more thing: Read More...
  • New and Notable 136

    Architecture
    More competition! No, I am very glad to see my good friend and Architect Harry start a series like mine and Mike's with his Morning Coffee 10. I'm going to have to quicken the pace :-)

    Software Development/Tools
    JetBrains has released their 1.2 version of their new CI and build solution, Team City. This is very interesting from three perspectives. The first is that JetBrains arguably makes the best Java IDE on the planet, IntelliJ. The second is the Extreme Programming/Agile angle in that JetBrains has always understood this community much better than Microsoft/VSTS and this has been reflected in IntelliJ and now Team City's support of NAnt, NUnit, and many others. The third is (much needed) competition for VS.NET/VSTS/TFS so that they can get better as well. As Scott said very well, if Microsoft is going to ignore us (Hugo the Agilist), people will look more and more to IDEs and tools that directly support the way they do work.

    WCF/Security
    A new series starts on CardSpace [via Mike]

    Other
    Two new papers from Ralf Lämmel, who is the man behind LINQ to XSD, on Function OO Programming and the second is on XML Streaming [via Steve]

    Technorati Tags: .NET , Windows Communication Foundation , WCF , Agile Development , Extreme Programming , IDE , Team City , Software Architecture , Microsoft Read More...

Copyright © 2006 Microsoft Corporation. All Rights Reserved.