Posts Tagged ‘Security’

Whitepaper: DotNetNuke Multi-Factor Authentication

Friday, August 28th, 2009

I am pleased to make available a whitepaper detailing the high-level motivation and approach involved in the creation of the recently-released DotNetNuke Multi-Factor Authentication Provider, along with a discussion of the unique characteristics of a DotNetNuke installation that render the approaches of other vendors (e.g. RSA SecurID) incomplete or unsatisfactory. Additionally, each out-of-the-box factor is described in general detail in a format that is digestible by an audience of varying technical sophistication.

This paper is intended for all audiences who might have an interest in overall DotNetNuke installation security, and is designed to assist management in identifying an appropriate level of authentication-related risk.

Beta Release: DotNetNuke Amazon S3 Folder Integration Providers

Monday, June 22nd, 2009

I am pleased to announce a beta release of my Amazon S3 integration authorization and data providers. It may be downloaded via CodePlex on its project homepage. As with all of my DotNetNuke work, this project is fully open-source and available under a liberal BSD license.

The DotNetNuke web application framework offers multiple file persistence options out-of-the-box, including file-system storage (both unsecured and secured by ACL), along with ACL-secured database storage. When creating a link to a resource, the DotNetNuke UI provides a convenient list of these files, and also allows direct input of an arbitrary URI.

However, there exists no ready method by which an administrator might link to a known set of files persisted external to the installation. While direct URI input might be used here, it requires knowledge of these data, and does not allow for enumeration and management of the external objects themselves.

This project attempts to bridge that gap by integrating resources persisted on Amazon S3 into the DotNetNuke framework. Resources stored there are enumerable via the File Manager and selectable via the URL control. Throughout the core framework, these external resources are treated identically to database-secured resources, including observance of Amazon S3 ACLs, automatic synchronization, and (reasonably friendly) 301 redirects to Amazon S3 when accessed via LinkClick.aspx.

This is effectuated via customization of two providers: authorization and data. The authorization provider integrates Amazon S3 ACLs for external resources, and the data provider allows enumeration of and details about the external resources themselves.

Presentation Materials: Advanced Authorization in DotNetNuke 5.1

Tuesday, June 16th, 2009

I recently had the privilege of presenting at the DoDNN conference on the topic of authorization theory and the new extension points available in DotNetNuke version 5.1. This was an enjoyable session with great attendees and some interesting conversation afterwards.

Preview: Amazon S3 Integration @ the DoDNN Conference

Monday, June 8th, 2009

As many are aware, I will be presenting a session at the upcoming Day of DotNetNuke conference in Orlando, Florida.  The session is entitled “The Cutting Edge: Advanced Authorization in DotNetNuke 5.1.”  The abstract for this session reads:

Among the many improvements present in DotNetNuke version 5.1, this latest release includes authorization as a first-class extension point.  This allows customization previously impossible without core modification.  Additionally, the permission model (and the internal use thereof) has been significantly streamlined and centralized, allowing for great flexibility across myriad use scenarios.

In this session, we explore the new permission provider in detail.  This includes a discussion of how (and why) authorization services were centralized and abstracted, the overall design and structure of the provider, and available points of access control.  Finally, we examine some concrete ways in which the provider might be extended to meet real-world policy requirements.

When presenting architectural or theoretical material, I always strive to include a demonstration of how the material might be applied to a real-world scenario.  In this case, I will be demonstrating how a custom authorization provider can be used to enable full DotNetNuke integration with cloud-based Amazon S3 webservices.  A screenshot of the file manager in an Amazon S3-enabled installation is displayed below.

A screenshot demonstrating Amazon S3 cloud-based integration on the DotNetNuke platform

This session should appeal to a wide audience; I cover enough theoretical background for individuals new to security theory, and delve deep enough into the 5.1 authorization architecture to satisfy those that have high familiarity with the platform.  If you are interested in learning more about the internals of the framework — and how 5.1 authorization might be utilized — be sure to stop by!

Epilogue: The presentation materials are now available here, and the Amazon S3 Integration providers may be found here.

DotNetNuke Multi-Factor Authentication Provider

Friday, May 1st, 2009
DotNetNuke Multifactor Authentication Requiring Password, One-Time SMS PIN, and X.509 Certificate

I am pleased to announce an initial release of a multi-factor provider for the DotNetNuke content management system.

This authentication provider allows a host to configure enhanced authentication (including SMS, SMTP, YubiKey, and X.509 certificates) for any number and combination of portal roles. Each factor must be fulfilled prior to authentication being granted, increasing overall security.

This package may be downloaded from its project site, located at http://dnnmultifactor.codeplex.com.

Goals

  • A robust, extensible multi-factor authentication framework for the DotNetNuke content management system.
  • Complete integration into the framework using existing extension points, with no core modifications or recompilation required.
  • Support for host-, administrator-, and user-level configuration, with the ability to vary required factors across an arbitrary set of roles.
  • A robust set of included factor providers, including SMS, secure SMTP, YubiKey (www.yubico.com), and X.509 certificate.
  • Extension points in the authentication system allowing for development of custom factors by third parties.
  • Reliance on the existing ASP.NET membership subsystem for existing (first-factor) authentication.
  • Minimization of “custom security” risk by relying, insofar as is possible, upon existing security infrastructure (ASP.NET membership, DotNetNuke portal security, password generation, et cetera).
  • As small an overall surface area as is possible, and an absolute reliance upon the existing ASP.NET membership system as a first-factor fallback, should any unforeseen vulnerability exist.
