BRKSEC-2748
Session Objectives
We are all looking for a secure and easy way to authenticate users
when accessing applications. This session is about how Duo makes
this process convenient and inherently secure. We will have a closer
look at how Duo Passwordless works, explore new product
enhancements like OIDC (OpenID Connect) and risk-based
authentication to name just a few. This intermediate session is
targeted at Security Architects and Security Admins that want to get a
deeper understanding of various AuthN flows supported by Duo
Security.
BRKSEC-2748 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Authentication methods
• FIDO2
• OpenID Connect & Duo CloudSSO
• Recent, major Duo enhancements
• Risk-based Authentication
• User Attribute Transformation
• Wrap Up
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2748
Questions?
Use the Cisco Webex App to chat with Stefan Dürnberger
How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install the Webex App or go directly to the Webex space
About me
• Stefan Dürnberger –
[email protected]
• 23 years in IT, 18 years in IT Security
• 15+ years at Cisco
Introduction
Graphic: https://danielmiessler.com
MFA Methods
FIDO2 & Duo
Fast IDentity Online (FIDO2)
Overview
• FIDO2 provides a secure, phishing-resistant and convenient way of authenticating to web services that support the standard.
• CISA urges implementing phishing-resistant authentication such as FIDO2: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
Diagram: Authenticator <- CTAP2 -> Client <- WebAuthn -> Relying party
Fast IDentity Online (FIDO2)
Registration Ceremony (simplified): sequence diagram showing the Relying Party
Fast IDentity Online (FIDO2)
Authentication Ceremony (simplified): sequence diagram showing the Relying Party
Fast IDentity Online (FIDO2)
• Duo supports FIDO2 authentication for Passwordless and 2FA
• Platform & Roaming authenticators
• No Attestation Certificate validation, nor Enterprise Attestation validation
FIDO2 authentication – use cases
Risk-Based Authentication
Diagram labels: User Attributes, Device Attributes, Risk Attributes, Offline Risk Detection, Data Engine
Risk-Based Authentication
• Detects known attack patterns
• Push harassment, Push fatigue, Push spray, as well as high-risk login location
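To make the attack patterns on this slide concrete, here is an added, offline detector (not Duo's engine, not code from the session) run over constructed push events. The window and thresholds are assumptions chosen for the sample; a real deployment tunes them against its own authentication logs.

```javascript
// Added example, not from the session deck: an offline detector for the push
// abuse patterns named on the slide (harassment/fatigue and push spray), run
// over constructed authentication events. Thresholds are assumptions, not Duo's.
const WINDOW_MS = 60 * 1000;   // assumed burst window
const FATIGUE_MIN = 3;         // assumed: >= 3 unapproved pushes to one user inside the window
const SPRAY_MIN_USERS = 3;     // assumed: one source pushing >= 3 distinct users inside the window

// Constructed sample push events: ts in ms, result is approved / denied / timeout.
const SAMPLE_EVENTS = [
  { ts: 1000,   user: 'alice', ip: '198.51.100.7', result: 'denied' },
  { ts: 9000,   user: 'alice', ip: '198.51.100.7', result: 'timeout' },
  { ts: 20000,  user: 'alice', ip: '198.51.100.7', result: 'denied' },
  { ts: 30000,  user: 'alice', ip: '198.51.100.7', result: 'approved' }, // user gave in
  { ts: 40000,  user: 'bob',   ip: '203.0.113.9',  result: 'timeout' },
  { ts: 41000,  user: 'carol', ip: '203.0.113.9',  result: 'timeout' },
  { ts: 42000,  user: 'dave',  ip: '203.0.113.9',  result: 'denied' },
  { ts: 500000, user: 'erin',  ip: '192.0.2.3',    result: 'approved' }, // ordinary login
];

function groupBy(events, key) {
  const m = new Map();
  for (const e of events) { if (!m.has(e[key])) m.set(e[key], []); m.get(e[key]).push(e); }
  return m;
}

function detectPushAbuse(events) {
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const findings = [];
  // Push harassment / fatigue: a burst of unapproved pushes at one user; an
  // approval right after the burst is the case that matters most.
  for (const [user, evs] of groupBy(sorted, 'user')) {
    const unapproved = evs.filter(e => e.result !== 'approved');
    for (let i = 0; i + FATIGUE_MIN - 1 < unapproved.length; i++) {
      const last = unapproved[i + FATIGUE_MIN - 1];
      if (last.ts - unapproved[i].ts > WINDOW_MS) continue;
      const gaveIn = evs.some(e => e.result === 'approved' && e.ts > last.ts && e.ts - last.ts <= WINDOW_MS);
      findings.push({ type: 'push_fatigue', user, approvedAfterBurst: gaveIn });
      break;
    }
  }
  // Push spray: one source address sending pushes to many distinct users at once.
  for (const [ip, evs] of groupBy(sorted, 'ip')) {
    for (const start of evs) {
      const users = new Set(evs.filter(e => e.ts >= start.ts && e.ts - start.ts <= WINDOW_MS).map(e => e.user));
      if (users.size >= SPRAY_MIN_USERS) { findings.push({ type: 'push_spray', ip, users: [...users].sort() }); break; }
    }
  }
  return findings;
}
```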
Risk-Based Authentication
Push Harassment
Risk-Based Authentication
Country code mismatch detection
Risk-Based Authentication
Wi-Fi Fingerprint
Diagram labels: HASH, SALT, SSID, BSSID
• Anonymized Wi-Fi network data provides a strong signal of a novel location. Takes advantage of the Duo Device Health Application (DHA)
• Client-side hashing
• Unique key eliminates replay attacks
Speaker note: During testing, I was certainly at a different place ☺
OpenID Connect & Duo CloudSSO
• OIDC uses access tokens and ID tokens (JSON Web Token, JWT)
• OIDC flows support a variety of use cases
• Identifies users from mobile applications and SPAs. Supports Machine-to-Machine Authentication & Authorization. Duo supports the Authorization Code flow & Client Credentials in Early Access Mode
OIDC
Roles
• Resource Owner: that's you!
• Client/Relying Party: application, i.e., browser, app
Actors in an OIDC dance
Authorization Code Flow
OIDC Demo
Postman
User Attribute Transformation
User Attribute Transformation
• User Attribute Transformation is a Duo CloudSSO feature
• Available for Generic SAML SP applications
• Performs attribute modification before the SAML assertion is sent out
• Uses an expression language: $RULE_NAME $OPTION="$OPTION_VALUE"
• Processes a list of rules from top to bottom
User Attribute Transformation
Use-Cases
• Appending/prepending a suffix to a username, mapping it to a SAML SP role
• Character transformation: uppercase, lowercase
Cisco AnyConnect & User Attribute Transformation
Group Policies & Dynamic Access Policies (DAP)
• A group policy is a set of user-oriented attribute/value pairs for RAVPN connections
• Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user
Reference: BRKSEC-2287
Diagram callout: User Attribute Transformation happens at this stage!
Duo CloudSSO SAML AuthZ – a practical use-case

FP2120# show running-config dynamic-access-policy-record Frontend-Access
dynamic-access-policy-record Frontend-Access
 user-message "Access to Frontend granted"
 network-acl FrontendACL

FP2120# more disk0:/dap.xml
<dapRecordList>
<dapRecord>
<dapName>
<value>Frontend-Access</value>
</dapName>
<dapViewsRelation>
<value>and</value>
</dapViewsRelation>
<dapBasicView>
<dapSelection>
<dapPolicy>
<value>match-all</value>
</dapPolicy>
<attr>
<name>aaa.saml.cisco_group_policy</name>
<operation>EQ</operation>
<value>GlobalEmployees</value>
</attr>
<attr>
<name>aaa.saml.memberOf</name>
<operation>EQ</operation>
<value>Sales</value>
</attr>
(file listing truncated on the slide)

DAP trace for the SAML login:
aaa["saml"]["memberOf"]["1"]="Sales"
aaa["saml"]["memberOf"]["2"]="GlobalEmployees"
aaa["saml"]["cisco_group_policy"]="GlobalEmployees"
aaa["saml"]["_cisco_saml_uid_"]=[email protected]
[email protected], dap_concat_fcn: [Access to Frontend granted] 26 490
Classifying FrontendACL: priority=0, sense=0(White), Denies=0, Permits=1

FP2120# show vpn-sessiondb anyconnect
Username     : [email protected]
Group Policy : GlobalEmployees
Tunnel Group : SAML_SingleCert_CloudSSO
Duo CloudSSO SAML AuthZ – a practical use-case

FP2120# show running-config dynamic-access-policy-record Backend-Access
dynamic-access-policy-record Backend-Access
 user-message "Access to Backend granted"
 network-acl BackendACL
 priority 10
Role attributes
Use-Case
• Dynamic assignment of RAVPN group-policy w/o processing directory attributes
• Independent of Attribute Transformation!
SAML Authentication
AnyConnect & Duo CloudSSO
• SAML authentication happens at an early stage
• In the case of Duo CloudSSO (IdP), this is where Duo policies get processed, as well as where user attribute transformation happens
Note: Extraction of Duo's policy attributes, including but not limited to: Device Compliance (posture, managed vs unmanaged), Device Cookie, Step-up Authentication
When processing high-value data, we have to have best in class security products for protection, a high-level assurance of who is accessing the data, continuously verifying the risk, and being able to control a session whenever a contextual change happens.
Complete your Session Survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the "Attendee Dashboard" at https://www.ciscolive.com/emea/learn/sessions/session-catalog.html
Continue Your Education
A bit too early for beverages, but in case they serve later today in the World of Solutions, you can find me there!
Thank you