Securing NCP Access


It is necessary for an administrator in any organization to provide a secure environment for their users to collaborate on data. Securing data transfer is important not only on public networks but also in private networks.

Secure NCP access provides end-to-end encryption of NCP data between the Client for OES on Windows and the NCP server. In addition, by integrating with Advanced Authentication, you can protect sensitive data by requiring further authentication factors on top of the usual username and password.

In this article, let’s understand:

  • NCP Encryption and
  • NCP Multi-factor authentication

NCP Encryption

NCP encryption can be configured on both the client and the server side. When encryption is enabled (or enforced), the client and server negotiate acceptable encryption settings. The negotiation happens through a JSON-encapsulated secure protocol (called Public Key based Secure Verb). Upon successful negotiation, a TLS channel is established for NCP data transmission. In addition to the encryption settings, the client identifies itself through a secure client ID verb. This lets the NCP server enforce encryption (if the administrator has configured it) for connections originating from the Client for OES on Windows.

NCP encryption for connections from non-Windows clients is not supported.


Figure 1. Encryption workflow

NCP Multi-factor Authentication

Support for multi-factor authentication in NCP begins with deploying a NetIQ Advanced Authentication server. The Advanced Authentication server configuration lets you provision your existing eDirectory users and groups and configure additional authentication factors such as Card, OTP, and PIN.

The Client for OES on Windows honours this configuration and, with the help of the Advanced Authentication server, guides users through the additional authentication factors before granting access to NCP resources. The optional Offline Login capability authenticates users against locally cached credentials in scenarios where the network is slow or unstable.

During the initial negotiation, the Client for OES informs the NCP server of its multi-factor authentication status through a secure MFA verb. This allows the NCP server to enforce multi-factor authentication according to the administrator's configuration. In addition to the multi-factor authentication settings, the client identifies itself through a secure client ID verb. This lets the NCP server enforce multi-factor authentication (if the administrator has configured it) for connections originating from the Client for OES on Windows.

Multi-factor authentication for connections from non-Windows clients is not supported.


Figure 2. Multi-factor authentication workflow

Configuration

The security subcommand of ncpcon lets administrators configure encryption and multi-factor authentication settings on the NCP server side. For example:

# ncpcon help security

# ncpcon security view

# ncpcon security encrypt [enable/disable/enforce]

# ncpcon security cipher-strength [low/medium/high]

# ncpcon security Enforce-MFA [yes/no]

In order to configure the client-side settings, please follow the documentation here.

The Advanced Authentication installation and configuration documentation is here.

 

All OES customers current on maintenance are entitled to Advanced Authentication Limited Edition.

 

The client-server configuration matrices for encryption and multi-factor authentication are described in the following two tables.

Client                 Server     Effect on Connection
---------------------  ---------  ---------------------
Disabled               Disabled   Not Encrypted
Disabled               Enabled    Not Encrypted
Enabled                Disabled   Not Encrypted
Enabled                Enabled    Encrypted
Disabled               Enforced   Connection Terminated
Enabled                Enforced   Encrypted
Old Clients            Disabled   Not Encrypted
Old Clients            Enabled    Not Encrypted
Old Clients            Enforced   Connection Terminated
JClient/Linux Client   ALL        Not Encrypted

Table 1. Client-Server Encryption Matrix

 

Client                 Server     Connection
---------------------  ---------  ---------------------
Disabled               Disabled   No MFA
Enabled                Disabled   No MFA
Disabled               Enforced   Connection Terminated
Enabled                Enforced   MFA
Old Win Clients        Disabled   No MFA
Old Win Clients        Enforced   Connection Terminated
JClient/Linux Client   ALL        No MFA

Table 2. Client-Server Multi-factor Authentication Matrix

Some of the capabilities mentioned above are available only when you upgrade to OES 2018 SP2 or later.

All configuration described above is per server. However, you can configure additional authentication factors per user or group. Would more granular control help you? Please let me know in the comments below.

 

Thank you for taking time to read this article till the end.
