Re: Single SignOn

[egeirnaert () REFERENCE BE (Erwin Geirnaert)]

Just talked to some people of SnareWorks (a Single SignOn product of Vasco)
at CeBIT and it looks very promising:
you can combine a statis password with a digipass; it runs on NT, Solaris,
HP, AIX and soon on Linux. It uses hierarchic groups, can block objects on
webpages depending on your rights, can block pages, you can manage multiple
webservers or sites, .......
Anyone has experience with this?

Erwin
> There are several other products that claim to implement a
> decent single
> sign on. They are:
> EnCommerce - getAccess
> Gradient- NetCrusader
> Netegrity Site Minder
> CyberSafe TrustBroker
> Dascom / Intraverse WebSEAL
> HP DomainGuard
>
> Do you happen to have any comparative information on just how
> well they are
> designed to protect against the scenario described below and
> whether any of
> them truly scaled well?
>
> Regards Zev Lavon
>
> -----Original Message-----
> From: Ben Grubin [SMTP:BGrubin () SCIENT COM]
> Sent: Thursday, February 24, 2000 1:21 PM
> To:   VULN-DEV () SECURITYFOCUS COM
> Subject:      Re: Single SignOn
>
> Good lord, I hope this saves you a lot of trouble.
>
> The enCommerce application is unbelievably shaky.  Security
> wise, since it
> utilizes CORBA services in a multi-tier method, it becomes hellishly
> unhappy
> to firewall between the CORBA service providers and the
> clients (such as
> the
> Netscape Enterprise Server plugin), it's use of UDP also makes this
> challenging.  More importantly though, they used CORBA without a real
> need---it's overly complex.  We did a major ecommerce financial
> implementation, and found it's scalability *severely* lacking.  We're
> probably 15 patchlevels ahead of the standard distribution,
> and even then
> it's the most common component failure in the entire system.
>
> At it's core, it's simply an immature product, much like the
> rest of the
> space, but it does have potential.  I do not have experience
> with the IBM
> product to compare it.
>
> Hope it helps,
> Cheers,
> Ben
>
> ---
> Benjamin P. Grubin                 / bgrubin () scient com - PGP
> key available
> Infrastructure/Security Architect / mobile (617) 513-5978 fax (617)
> 585-3230
> Scient -- Be Legendary           / http://www.scient.com/
> ticker://SCNT
>
>
> > -----Original Message-----
> > From: Vanna P. Rella [mailto:vamprella () CHICKMAIL COM]
> > Sent: Wednesday, February 23, 2000 2:22 PM
> > To: VULN-DEV () SECURITYFOCUS COM
> > Subject: Single SignOn
> >
> >
> > BlueBoar and Friends,
> > I am evaluating 2 products for securing e-commerce
> > applications. These are GetAccess by EnCommerce and Secure
> > Net by IBM. Please break both of these products and let me
> > know which one is more secure. Ok, just kidding. Have any of
> > your heard of any gotchas or security holes with either of
> > these products? I've already checked out the major
> > vulnerability sites cve.mitre.org, securityfocus.com,
> > attrition.org, ntbugtraq.com, etc. I've also checked the
> > usenet. And I can't believe that there aren't any holes. What
> > is the most popular e-commerce single sign-on out there, anyway?
> >
> > Thanks!
> > ---
> > Your Best Friend,
> > Vamprella
> > ---
> > http://www.vamprella.com -- 1998 SN&R Award  -- 1999 Losers Award
> > http://www.TheGirlBox.com -- Get TheGirlBox and give her one
> > less thing to complain about.
> > "Worship Me and Await Instructions"
> >
> >
> >
> >
> >
> > ***********************************
> > chickclick.com
> > http://www.chickclick.com
> > girl sites that don't fake it.
> > http://www.chickmail.com
> > sign up for your free email.
> > http://www.chickshops.com
> > boutique shopping from chickclick.com
> > ***********************************