Steve Lodin <[EMAIL PROTECTED]> wrote:
>Given that an organization is running the Tivoli framework and has
>implemented Tivoli User Administration, it seems to make sense to integrate
>firewall user management and hardware token user administration into the
>picture. I have some basic questions:
Hi Steve,
Within the ACE/SecurID user community, Tivoli User Admin is
typically managed by a different corporate organization than security
management. For that, among other reasons, RSA Security (the renamed SDTI)
has apparently concentrated on developing a middleware integration strategy,
focusing on industry-standard interfaces such as LDAP and SNMP, rather than
do custom integration to the leading EMS: Tivoli, OpenView, etc. Those
are coming; but even as an RSA consultant, I don't know the time-frame.
>Do any firewalls provide support (in terms of an API similar to CCI API I
>suppose) for distributed/remote/centralized user administration? Does
>anyone have any specific experience with Tivoli User Admin and firewalls?
>Was the integration easy using templates or more difficult requiring custom
>scripting?
Most leading firewalls, as I'm sure you know, ship with ACE/Agent
code embedded within their binaries. Integrating user and account
management for the firewall and the token authentication system should be a
snap.
>Since we use hardware token also, the same questions apply? I know, for
>example, the Security Dynamics ACE/Server runs on Progress and can be
>accessed with custom code. Does anyone have any specific experience with
>Tivoli User Admin and managing ACE/Server users? Was the integration
>easy using templates or more difficult requiring custom scripting?
I don't know anyone who has paid RSA Professional Services for a
consulting gig to integrate the ACE/Server and Tivoli User Admin, but you
should check with them, because it is a likely custom project.
The ACE/Server API has been vastly expanded (see the 60-odd
published API commands listed for the new ACE/Server 4.0.) Now, anything
that a sophisticated user can do from the ACE/Server console, he can also do
through the API.
I don't know Tivoli well enough to gauge what would be involved in
matching Firewall and SecurID user records with the Tivoli matrix, but the
ACE/Server end of the problem is more accessible and more manageable than
ever before. (It is also four times as fast, which may or may not be
relevant to your Tivoli concerns.)
I hope you report back to the list with your results. Probably like
others here, I vividly recall the Gartner study about a year back, which
reported that 3 years after purchase of major ERS software packages, no more
than 30 percent of the purchasers they surveyed claimed to have successfully
implemented it.
Integrating the security end may be the least of your challenges,
but I'd still like to know how it turns out;-)
Suerte,
_Vin
--------
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good
and ill... yet basically an intellectual construct, an idea, which by its
nature will resist efforts to restrict it to bureaucrats and others who deem
only themselves worthy of such Privilege."
_A Thinking Man's Creed for Crypto _vbm
* Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]> *