Kevin S. Pickard

Experience

Defining Achievements

• TACACS Daemon DoS
• Load Balancer Bugs
• RSA ACE/Server Development

Skills

• Linux Administration
• Solaris Administration
• Windows NT, 2000, 2003
• Systems Security
• Penetration Testing
• Security Analysis - Logical, Physical
• Python, PHP, Shell, MS Powershell
• HTTP - Apache 1.x, 2.x, MS IIS
• DNS - BIND 8.x, 9.x
• SMTP - Sendmail, Postfix
• MySQL, MSSQL, Oracle
• RSA SecurID, RSA ACE/Server, RSA Authentication Manager
• Cisco Layer 2 Switches
• Foundry Networks Layer 2/3 Switches
• Nortel/Alteon Load Balancers
• Subnetting, Switching, Load Balancing

Defining Achievement

RSA ACE/Server Development

"Doing the same thing 100 times is a waste of resources."

Two-factor authentication is a powerful tool to protect a company's resources from unauthorized access. One of the most popular providers of this solution is RSA's SecurID platform. SecurID is RSA's marketing name for the front end authentication agents and the hardware tokens it commonly employs. On the back end authentication is managed by a piece of software called ACE/Server. The ACE/Server suite provides authentication via RADIUS, TACACS, the proprietary SecurID protocol, and allows the administrator to manage users, groups, hardware and software tokens, and devices to be authenticated against. While ACE/Server provides both Windows and UNIX GUI management consoles, neither option is suitable for performing batch operations such as adding a large number of users, devices, groups, etc. The result is a lot of time spent doing the same thing over and over, (and over).

No one likes to do the same thing too many times, not to mention that repeating the same task leads to the introduction of user errors. It's clear that RSA figured this would be a problem, but didn't want to spend too many resources of their own solving the problem. Instead they provided an API toolkit with libraries in C and TCL. In this toolkit a large number of administrative actions are exposed through well documented library functions. They must have assumed that if a customer had a device or user base large enough to need batch management, they'd likely have a programming team capable of developing their own solution using the toolkit.

Unfortunately for my employer, developers were in short supply. With no one else to do the job, I decided to see what I could do. Instead of hacking some gigantic C program together, or learning TCL, I decided to do neither. My favorite programming language, Python, can make use of C functions. With only a little extra effort, RSA's C toolkit could easily be turned into a module for use directly within a Python program.

-ksp