Understanding and Deploying LDAP Directory Services > 11. Privacy and Security Design > Security Threats

Security Threats

There are many potential threats to security, and an entire science and industry have grown up around this important area. Several good books on the subject provide excellent coverage of security in general and treat the subject in a more complete and formal manner than we will here. Because the subject of this book is directories, not security, we will take a more pragmatic and focused approach toward describing the range of security threats. This section provides an example-driven overview of the most typical threats to directory security. We've broken up the threats into three categories: unauthorized access, tampering with information, and denial-of-service.

It's important to understand that an attacker does not necessarily have to be particularly clever to mount one of these attacks. With the popularity of the Internet and the growth of the attacker community along with it, the advantages of shrink-wrapped software have come to computer security attacks as well. For most of the threats we describe in this chapter, you can find ready-made software that exploits them. People trying to compromise your security are often just running shell scripts and programs they downloaded from the Internet, and they may have less idea of how those programs operate than you do. Of course, there are exceptions, too: skilled attackers who discover security holes and write the programs that exploit them are still in abundance.

A commonly held security myth is that most attacks are made by hackers operating out of their basement computing lairs. In reality, most attacks, especially successful ones, are made by your own employees, administrators, and users. In practice, the "inside job" poses by far the greatest threat to your directory's security in most environments. When designing your security solution, be sure to consider threats both inside and outside your organization.

Unauthorized Access

The unauthorized access threat may seem simple to protect against. You should authenticate clients accessing your directory and provide access control restricting the information that these clients can access. Problem solved, right? Unfortunately, it's not quite that easy.

Think about the way directory information is delivered to authorized clients. There are several opportunities along this path for an unauthorized client to gain access to the data. Here are several breaches that can occur:

  • Credential forging.   If a client's credentials can be forged, an unauthorized client can fool the directory into thinking it is authorized. For example, suppose your directory's authentication scheme is based on plaintext passwords, and no other steps are taken to protect the password as it is transmitted to the server. An attacker who is able to watch a legitimate client in an authentication exchange can simply replay the exchange later, successfully masquerading as the legitimate client. One-time password schemes can help guard against this, as can authentication methods that do not allow replay of credentials, such as challenge-response mechanisms in which the server issues a fresh random value that the client must incorporate into its proof. Connection protection mechanisms that encrypt the exchange can also help reduce this risk.

  • Credential stealing.   This threat is closely related to credential forging but more low-tech in nature. If your users write down their passwords on notes stuck to their computers, anyone who walks by can steal them. If you use token-based security that requires the user to present some physical token to access the directory, this token can be stolen. The same is true for schemes based on public key cryptography: if a user's private key is stolen, the thief can impersonate the user. There are a variety of ways that credentials can be stolen, and many of them are not technology-based.

  • Connection hijacking.   Is it possible for an unauthorized client to hijack an authorized client's connection when the authorized client has authenticated itself? Yes, barring any connection-level protection that prevents it. For this to happen, the hijacker usually has to have access to the same physical network that the victim is on. Methods of attack vary somewhat, but they all involve the hijacker responding to requests meant for the authorized client and preventing it from responding. General connection protection mechanisms, such as secure sockets layer (SSL) or its successor, transport layer security (TLS), can prevent this, as can other methods that require directory operations to be digitally signed. Digital signatures are discussed in more detail in the next section.

  • Network sniffing.   If it is possible for an attacker to eavesdrop on the information exchanged between a legitimate client and the server, the attacker can learn things he or she is not authorized to know. To guard against this, steps must be taken either to physically protect the network between clients and servers so that no one can listen in, or to protect the information exchanged so that an eavesdropper who does listen in cannot get useful information. SSL provides these benefits by encrypting the information transferred. Other schemes have this property, but SSL is by far the most widely used.

  • Trojan horses.   Remember that there can be a lot of software between an authorized directory user (or other agent) and the network that conveys that information. A "trojan horse" is software that masquerades as a legitimate program but, when run, performs some illicit functions compromising security. A popular kind of trojan horse program is a keystroke sniffer, which disguises itself as a legitimate login program. This nasty piece of software hooks into the low-level routines taking input from your keyboard, recording all keystrokes you make. These keystrokes can be analyzed later to determine, for example, what your password is. This threat is very difficult to protect against. The best approach is probably to employ administrative methods and antivirus software and to regularly back up and reinstall your machines.

  • Backdoor access.   Is it possible that there are other ways to access the data you want to protect, ways not subject to your directory's authentication and access control safeguards? The answer to this question is almost certainly yes. Directory data lives on one or more server machines, probably residing in some kind of database or file system. If an intruder gains unauthorized access to the directory server machine, he or she has a wide variety of opportunities to access the data. If your directory data comes to your server in a feed from the human resources relational database, the information in your directory is only as secure as the source database. Many other avenues of access to your data are possible, in addition to the directory access methods you are designing. Some systems are even designed for this from the ground up. Microsoft Active Directory, for example, is designed to make your directory data accessible over LDAP, HTTP, the file system, and other network protocols.

  • Physical access.   Obvious, perhaps, but worth mentioning is that if an attacker has physical access to the directory server machine, a whole host of problems can occur. These range from gaining increased privileges by logging in via a console or other trusted terminal, to just being able to unplug the disk drive containing the directory data and walk out the door with it! Keeping your server machines in locked rooms with limited access is a good guard against this. Encrypting directory data as it lives on the server is another good approach, although this can be expensive. Performance suffers because of the time it takes to encrypt and decrypt data. Extra hardware may be required to make performance acceptable.

  • Software bugs.   This category is a bit of a catch-all, representing one of today's most commonly exploited security problems. Bugs in the directory server software, the operating system, shared libraries, and even unrelated systems can often be exploited by an attacker to gain unauthorized privileges. There is probably not much you can do to minimize the number of bugs in your vendor's software, but you can take preventive measures. For example, avoid running any noncritical services on your directory machines to reduce the possible avenues of attack. Stay current with operating system and other software patches that may fix security bugs.
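The replay problem described under credential forging, and the kind of challenge-response bind that defeats it, as an added example that is not code from the book or from any directory product. A toy directory accepts two bind methods: a simple bind carrying the password in the clear, and a challenge-response bind in which the server issues a fresh random nonce and the client proves knowledge of the password with an HMAC over that nonce. An eavesdropper who captures one exchange of each kind can replay the first but not the second. The DN, password, nonce size and PBKDF2 round count are constructed for the example.

```python
"""Replayable plaintext bind beside a nonce-based challenge-response bind.

Added example, not code from the book. All names and parameters are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 10_000  # constructed; use a far higher count in production


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Password-derived key. The server stores this instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client sends back: HMAC(derived key, server nonce)."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


class ToyDirectory:
    def __init__(self, users: dict):
        self._verifiers = {}
        for dn, password in users.items():
            salt = os.urandom(16)
            self._verifiers[dn] = (salt, derive_verifier(password, salt))
        self._open_challenges = {}  # nonce -> DN; each entry is single use

    def simple_bind(self, dn: str, password: str) -> bool:
        """Plaintext bind. The server cannot tell a replay from a fresh login."""
        record = self._verifiers.get(dn)
        if record is None:
            return False
        salt, verifier = record
        return hmac.compare_digest(verifier, derive_verifier(password, salt))

    def challenge(self, dn: str):
        """Start a challenge-response bind: hand out the salt and a fresh nonce."""
        record = self._verifiers.get(dn)
        if record is None:
            return None
        nonce = os.urandom(16)
        self._open_challenges[nonce] = dn
        return record[0], nonce

    def challenge_bind(self, dn: str, nonce: bytes, response: bytes) -> bool:
        """Finish the bind. The nonce is consumed whether or not the proof is valid."""
        if self._open_challenges.pop(nonce, None) != dn:
            return False  # unknown, already used, or issued to another DN
        _, verifier = self._verifiers[dn]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed
ALICE_PASSWORD = "correct horse battery staple"   # constructed


def make_directory() -> ToyDirectory:
    return ToyDirectory({ALICE: ALICE_PASSWORD})


def replay_simple_bind(directory: ToyDirectory):
    """Eavesdropper records the plaintext exchange and sends it again."""
    captured = (ALICE, ALICE_PASSWORD)        # exactly what went over the wire
    first = directory.simple_bind(*captured)
    replay = directory.simple_bind(*captured)
    return first, replay                      # (True, True): the replay succeeds


def replay_challenge_bind(directory: ToyDirectory):
    """Eavesdropper records (nonce, response) and tries to reuse it."""
    salt, nonce = directory.challenge(ALICE)
    response = client_response(ALICE_PASSWORD, salt, nonce)
    first = directory.challenge_bind(ALICE, nonce, response)
    # Replaying the captured pair: the nonce has already been consumed.
    same_nonce = directory.challenge_bind(ALICE, nonce, response)
    # Answering a new challenge with the old response: wrong nonce, wrong HMAC.
    _, fresh_nonce = directory.challenge(ALICE)
    old_response = directory.challenge_bind(ALICE, fresh_nonce, response)
    return first, same_nonce, old_response    # (True, False, False)


if __name__ == "__main__":
    d = make_directory()
    print("simple bind    (first, replay):", replay_simple_bind(d))
    print("challenge bind (first, replay, stale):", replay_challenge_bind(d))
```

Two caveats apply to this design, and to the real SASL mechanisms built the same way. The verifier the server stores is password-equivalent: anyone who steals the server's store can compute responses, so the scheme protects the wire, not the backdoor and physical-access cases below. And the exchange is still not confidential, so a challenge-response bind is normally run inside an encrypted connection rather than instead of one.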

Unauthorized Tampering

Access to directory data is one thing, but if an attacker can actually change directory data, either as it resides in the service itself or en route between client and server, a new set of problems arises. If that were to happen, clients could no longer trust the information they receive from the directory, servers could no longer trust the modifications and queries they receive from clients, and the directory service would soon become useless.

Many of the attacks described in the previous section could result in data tampering, as could other new attacks. Following are the attack methods you need to be concerned about:

  • Man in the middle.   A common attack of this kind occurs when an attacker is able to insert him or herself between the directory client and server. Without any means to detect tampering, the man in the middle could change the client's requests to the server (or not forward them at all) and change the server's responses to the client (see Figure 11.1). SSL/TLS and similar technologies address this by authenticating the server (and optionally the client) with certificates when the connection is set up, and by attaching a message authentication code to every record sent. If the code does not verify when the data arrives, the data has been tampered with. The same effect can be achieved by digitally signing individual directory operations. Note that the protection holds only if each end actually verifies the other's identity: a client configured to accept any server certificate can be handed the attacker's certificate instead and will notice nothing.

    Figure 11.1 The "man in the middle" security attack.

  • Trojan horse.   As with unauthorized access to data, a trojan horse attack on a directory client (or server) can easily facilitate unauthorized tampering. The same countermeasures apply, as do the same difficulties in applying them.

  • Masquerading.   In the section on unauthorized access, we described several ways a client can fool a server into thinking the client is someone else. The same problems apply here, both for client and server. A client that can masquerade as somebody else can insert false information into the directory. An evil server that can masquerade as a legitimate server can send back incorrect information to clients and prevent legitimate client modifications from being made.
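How per-message integrity protection catches the man in the middle, the connection hijacker and the masquerading client described above, as an added example that is not code from the book and not how any particular SSL/TLS implementation is written. It assumes client and server already share a session key from the bind (how that key is derived is outside the example). Every message is framed as a sender byte, a 32-bit sequence number, the body, and an HMAC-SHA256 over all three; the receiver rejects a frame whose tag does not verify (modified or forged in transit), whose sender byte is wrong, or whose sequence number is not the next one expected (replayed, reordered or dropped). The search request, result bodies and the attacker's edits are constructed.

```python
"""Detecting a man in the middle with per-message MACs and sequence numbers.

Added example, not code from the book. Session key, framing and messages are
assumptions made for the example.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32      # HMAC-SHA256 output length
HEADER_LEN = 5    # 1-byte sender identifier + 4-byte sequence number


class TamperingDetected(Exception):
    pass


def seal(key: bytes, sender: bytes, seq: int, body: bytes) -> bytes:
    """Frame a message: header || body || HMAC(key, header || body)."""
    header = sender + struct.pack(">I", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def unseal(key: bytes, expected_sender: bytes, expected_seq: int, frame: bytes) -> bytes:
    """Check the MAC, the claimed sender and the sequence number; return the body."""
    if len(frame) < HEADER_LEN + TAG_LEN:
        raise TamperingDetected("frame too short")
    header, body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected_tag = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise TamperingDetected("MAC mismatch: altered in transit or forged without the key")
    sender, seq = header[:1], struct.unpack(">I", header[1:])[0]
    if sender != expected_sender:
        raise TamperingDetected("frame claims the wrong sender")
    if seq != expected_seq:
        raise TamperingDetected(f"sequence {seq}, expected {expected_seq}: replay or loss")
    return body


class Endpoint:
    """One side of the connection; keeps its own send and receive counters."""

    def __init__(self, key: bytes, me: bytes, peer: bytes):
        self.key, self.me, self.peer = key, me, peer
        self.send_seq = 0
        self.recv_seq = 0

    def send(self, body: bytes) -> bytes:
        frame = seal(self.key, self.me, self.send_seq, body)
        self.send_seq += 1
        return frame

    def receive(self, frame: bytes) -> bytes:
        body = unseal(self.key, self.peer, self.recv_seq, frame)
        self.recv_seq += 1   # only advanced once the frame has been accepted
        return body


def accepted(endpoint: Endpoint, frame: bytes) -> bool:
    try:
        endpoint.receive(frame)
        return True
    except TamperingDetected:
        return False


def run_scenarios() -> dict:
    key = os.urandom(32)   # assumed session key agreed during the bind
    client = Endpoint(key, me=b"C", peer=b"S")
    server = Endpoint(key, me=b"S", peer=b"C")
    results = {}

    # 1. Honest exchange: a search request and its result pass every check.
    request = client.send(b"SRCH base=ou=people,dc=example,dc=com filter=(uid=alice) attrs=mail")
    server.receive(request)
    reply = server.send(b"mail: alice@example.com")
    results["honest"] = client.receive(reply) == b"mail: alice@example.com"

    # 2. Man in the middle rewrites the next result before it reaches the client.
    reply2 = server.send(b"mail: bob@example.com")
    tampered = reply2.replace(b"bob@example.com", b"mallory@attacker.example")
    results["modified_result"] = accepted(client, tampered)

    # 3. A hijacker without the key injects a modify request and guesses the tag.
    forged = (b"C" + struct.pack(">I", server.recv_seq)
              + b"MOD dn=uid=alice,ou=people,dc=example,dc=com replace: userPassword"
              + bytes(TAG_LEN))
    results["forged_request"] = accepted(server, forged)

    # 4. Replay of the client's genuine first request: valid MAC, used sequence number.
    results["replayed_request"] = accepted(server, request)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} accepted={ok}")
```

This is the integrity model TLS applies to every record, made visible. The sequence number is what defeats the hijacker and the replaying client; the MAC is what defeats the man in the middle; neither helps if the key itself was negotiated with an attacker who impersonated one side during the bind, which is why the authentication step has to be sound first.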

Denial-of-service Attacks

Another kind of security threat to your directory does not involve stealing or changing data at all. Instead, the attacker's goal is to prevent the directory from providing service to its clients. Such an attack is called a denial-of-service attack. Denial-of-service can be one of the hardest security problems to guard against and detect. There are two main types of denial-of-service attacks:

  • Direct resource consumption.   This is a general kind of attack in which the attacker simply uses the system's resources to prevent them from being used by someone else. For example, someone could write a directory client that continuously performs expensive directory operations, tying up the resources and making them unavailable to other users. Someone could also write a directory client that stores large amounts of information in the directory in an attempt to exhaust available disk space. There are many other forms of this attack.

    Placing limits on the number of directory resources any single client or user can use is a good way to guard against this. Keeping good audit records for the directory is also a good idea. Although an audit record does not prevent the attack, it does allow you to determine when it is happening, and perhaps who is perpetrating the attack and how to stop it. Monitoring can also help fight this problem. If you know the normal level of resource consumption by your directory, monitoring can alert you to any unusual events. Hopefully, you will be able to take action before the problem gets out of hand. Monitoring is discussed in more detail in Chapter 18, "Monitoring."

  • Indirect resource consumption.   This attack is similar to the direct attacks just described, but it is often more difficult to detect and guard against. This attack involves using resources that the directory server or directory clients need, thus denying those resources to the legitimate users. The difference from the direct attack is that the directory service itself is not involved, so directory auditing capabilities often don't help in detection and prevention.

    For example, an attacker could write a program that uses inordinate amounts of bandwidth. Another attacker with access to the directory machine could write a program to consume CPU, disk bandwidth, memory, or other resources. Much more clever and insidious attacks are possible, too, such as initiating many half-open TCP connections to the directory machine (a SYN flood) until the machine runs out of system resources. The list of possibilities goes on, and can get quite nasty.

    This kind of attack is very difficult to defend against, but there are some precautions you can take. Isolating your directory machines as much as possible is a good start. Reducing the number of nondirectory processes and users on the directory server machines (or, ideally, eliminating them) is another good idea. Employing firewall filters and other network-level safeguards is also possible. No amount of prevention can eliminate the threat, but it can be reduced.
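The three countermeasures recommended above for direct resource consumption (per-client limits, audit records, and monitoring against a known baseline), as an added example that is not code from the book and not any directory server's actual limit implementation. A front end admits an operation only if the client has started fewer than `max_ops` operations in the last `window` seconds, caps the number of entries a search may return (the analogue of a server-side size limit), writes an audit record for every decision, and a monitoring pass reads those records back to flag clients whose request count is far above the others. The client addresses, the request trace and the limit values are constructed.

```python
"""Per-client limits plus audit and monitoring against resource-consumption attacks.

Added example, not code from the book. Addresses, trace and limits are constructed.
"""
from collections import Counter, defaultdict, deque
from statistics import median


class ClientLimiter:
    def __init__(self, max_ops: int, window: float, size_limit: int):
        self.max_ops, self.window, self.size_limit = max_ops, window, size_limit
        self._recent = defaultdict(deque)  # client -> start times of admitted ops
        self.audit = []                    # one record per decision

    def admit(self, now: float, client: str, op: str) -> bool:
        """Sliding-window rate limit keyed by client address (a bind DN works too)."""
        recent = self._recent[client]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_ops:
            self.audit.append(f"t={now:.1f} client={client} op={op} result=DENIED reason=rate_limit")
            return False
        recent.append(now)
        self.audit.append(f"t={now:.1f} client={client} op={op} result=OK")
        return True

    def cap_results(self, client: str, entries: list):
        """Truncate oversized result sets so one search cannot monopolise the server."""
        if len(entries) <= self.size_limit:
            return entries, False
        self.audit.append(f"client={client} op=SRCH result=TRUNCATED "
                          f"nentries={len(entries)} sizelimit={self.size_limit}")
        return entries[:self.size_limit], True


def constructed_trace():
    """(seconds, client, operation): two ordinary clients and one misbehaving one."""
    trace = [(t, "10.0.0.11", "SRCH") for t in (0.5, 3.0, 7.5)]
    trace += [(t, "10.0.0.12", "MOD") for t in (1.0, 6.0)]
    trace += [(2.0 + i * 0.1, "10.0.0.99", "SRCH") for i in range(25)]  # 25 ops in 2.5 s
    return sorted(trace)


def run_trace(limiter: ClientLimiter, trace) -> dict:
    """Feed the trace through the limiter; return the number of denials per client."""
    denied = Counter()
    for now, client, op in trace:
        if not limiter.admit(now, client, op):
            denied[client] += 1
    return dict(denied)


def flag_outliers(audit, factor: float = 5.0) -> list:
    """Monitoring pass over the audit log: clients attempting more than factor x the median."""
    attempts = Counter()
    for record in audit:
        fields = dict(part.split("=", 1) for part in record.split())
        if "t" in fields:            # admission records only, whether OK or DENIED
            attempts[fields["client"]] += 1
    if not attempts:
        return []
    baseline = median(attempts.values())
    return sorted(c for c, n in attempts.items() if n > factor * baseline)


if __name__ == "__main__":
    limiter = ClientLimiter(max_ops=10, window=10.0, size_limit=200)
    print("denied:", run_trace(limiter, constructed_trace()))   # {'10.0.0.99': 15}
    print("flagged:", flag_outliers(limiter.audit))              # ['10.0.0.99']
    entries, truncated = limiter.cap_results("10.0.0.99", [f"uid=u{i}" for i in range(500)])
    print("returned", len(entries), "entries; truncated:", truncated)
```

The monitor counts attempts rather than admissions on purpose: a client that keeps hammering after being denied is exactly the one you want to see, and the limiter alone would hide that. Note also that the limits here protect against the direct form of the attack only; the indirect form consumes resources the directory never sees, so these audit records say nothing about it.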

There are several reasons someone might conduct a denial-of-service attack on your directory. The first and probably most likely is simply by mistake. Bugs in directory client software, misconfigured software, or simply a lack of awareness of the consequences of certain actions can all lead to denial-of-service. Your best guards against this kind of attacker are education, monitoring, and auditing.

The second reason someone might conduct a denial-of-service attack on your directory is simple maliciousness. The attacker might be out to ruin your day or the days of your users. The attacker might have a specific problem with you or your service, or your service might simply provide a convenient target for wreaking general havoc. Either way, you would do well to guard against this kind of attacker.

The final and most insidious reason someone might conduct a denial-of-service attack on your directory is to help them compromise another system that depends on the directory. For example, if your Web server depends on the directory to authenticate users, attacking the directory can effectively disable the Web service. This kind of attack can be difficult to defend against because the real motivation behind the attack may never be known.



Understanding and Deploying LDAP Directory Services,  2002 New Riders Publishing





Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
