The Purpose of Security

   

At its most basic level, the purpose of security is to protect the information in your directory so that you can access it with confidence. The obvious next question is, Protect it from what? In the following section, we give an overview of the kinds of threats you should guard against. For now, it's enough to think of these threats as being unauthorized access to or tampering with directory information, or causing users of the directory to be denied service.

If security is breached, often it is important to know exactly what was breached and how. Auditing provides this capability. Auditing also can be useful in determining why the system is not performing as it should, what the directory is being used for, and other interesting and useful bits of information.

Auditing information is invaluable in determining how to secure your system after a break-in. If you don't know what went wrong, it's difficult to know how to fix it. Maintaining an adequate audit trail provides information such as who accessed the server, what operations were performed, when those operations were performed, how long they took, and other information about errors and unusual conditions. Analyzing these logs can give you insight into many problems, including the following:

  • Break-in attempts. For example, many repeated authentication failures in the logs might alert you to a break-in attempt. This information could help you track down the attacker or take preventive measures.

  • Trawling attempts. Trawling is any technique used to perform unauthorized bulk downloads of directory data. Look for repeated searches that download successive portions of the database in an attempt to defeat the administrative limits you have imposed. This auditing information could help you track down the trawler or take preventive measures.

  • Misconfigured applications. For example, you might notice an application performing searches that make no sense or aren't optimal, placing unnecessary load on the directory. In extreme cases, by consuming all available directory resources, a misconfigured application can cause others to be denied service. Auditing information can help you identify and fix the misbehaving application or configure your directory to handle the searches better.
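
The first two checks in the list above can be automated over an access log. The following is an added example, not code from the book: the log layout (conn=/op= request lines paired with RESULT lines), the sample entries, the thresholds, and the function name audit are all assumptions made for illustration. Result codes 49 (invalid credentials) and 4 (size limit exceeded) are the standard LDAP values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in a simplified conn=/op= access-log layout (assumed format).
SAMPLE_LOG = '''\
conn=1 op=0 BIND dn="uid=bjensen,dc=example,dc=com"
conn=1 op=0 RESULT err=49 nentries=0
conn=2 op=0 BIND dn="uid=bjensen,dc=example,dc=com"
conn=2 op=0 RESULT err=49 nentries=0
conn=3 op=0 BIND dn="uid=bjensen,dc=example,dc=com"
conn=3 op=0 RESULT err=49 nentries=0
conn=4 op=0 BIND dn="uid=app1,dc=example,dc=com"
conn=4 op=0 RESULT err=0 nentries=0
conn=4 op=1 SRCH base="dc=example,dc=com" filter="(cn=a*)"
conn=4 op=1 RESULT err=4 nentries=500
conn=4 op=2 SRCH base="dc=example,dc=com" filter="(cn=b*)"
conn=4 op=2 RESULT err=4 nentries=500
conn=4 op=3 SRCH base="dc=example,dc=com" filter="(cn=c*)"
conn=4 op=3 RESULT err=4 nentries=500
conn=5 op=0 BIND dn="uid=kvaughan,dc=example,dc=com"
conn=5 op=0 RESULT err=49 nentries=0
'''

LINE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT) (.*)')
INVALID_CREDENTIALS, SIZE_LIMIT_EXCEEDED = 49, 4  # standard LDAP result codes

def audit(log_text, fail_threshold=3, trawl_threshold=3):
    """Return (DNs with repeated bind failures, identities repeatedly hitting the size limit)."""
    pending, bound = {}, {}      # (conn, op) -> (kind, value); conn -> bound DN
    failures = Counter()         # target DN -> failed bind count
    limited = defaultdict(set)   # identity -> distinct filters cut off by the size limit
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        conn, op, kind, rest = m.groups()
        if kind != "RESULT":     # remember the request until its RESULT line arrives
            key = "dn" if kind == "BIND" else "filter"
            field = re.search(key + r'="([^"]*)"', rest)
            pending[conn, op] = (kind, field.group(1) if field else "")
            continue
        req_kind, value = pending.pop((conn, op), (None, None))
        err = int(re.search(r'err=(\d+)', rest).group(1))
        if req_kind == "BIND":
            if err == INVALID_CREDENTIALS:
                failures[value] += 1
            elif err == 0:
                bound[conn] = value
        elif req_kind == "SRCH" and err == SIZE_LIMIT_EXCEEDED:
            limited[bound.get(conn, "anonymous")].add(value)
    brute = sorted(dn for dn, n in failures.items() if n >= fail_threshold)
    trawl = sorted(who for who, f in limited.items() if len(f) >= trawl_threshold)
    return brute, trawl
```

On the constructed sample, the three failed binds against one entry are flagged while the single failure is not, and the identity that walked the tree with successive size-limited filters is reported as a possible trawler.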

There are also nontechnical reasons for securing your directory. It's important for the users of your directory to be confident that the information they consider private is being safeguarded in an adequate manner. Users often have concerns that go well beyond what you may consider a security or privacy threat. For example, you may consider a user's name or gender to be public information, but the user may have legitimate reasons for wanting this information kept private (for example, having a fear of stalking, or being a member of a witness protection program). Such perceived threats are as real as any others as far as your users are concerned, and they should be dealt with accordingly.

Another nontechnical reason to secure your directory is public relations. In some situations this can be the most important reason. A break-in reported in the newspaper or on TV can be devastating to your company's business. The popular press seldom digs deep enough to discover the real consequences of a break-in. If your business is banking or securities trading, or a similar business in which trust plays a vital role, a security breach can be fatal. Your customers (not to mention your competitors) usually won't distinguish between a break-in of your publicly available corporate phone book directory and the bank vault itself. The damage from this kind of a security problem can take a long time to repair.

   


Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
EAN: 2147483647
Year: 2002
Pages: 242
