Security Tools


Now that we've described some of the security threats your directory service may face, it's time to turn our attention to the tools available to help combat them. We do not attempt to provide complete coverage of all the tools out there, but we do give an overview both of the general protection mechanisms and their embodiment in specific technologies.

First, these are the general security methods at your disposal:

  1. Authentication. Authentication is the means by which one party verifies another's identity. Authentication can be one-way or two-way (the latter is sometimes called mutual authentication). In one-way authentication, a directory client presents a password to a directory server in an LDAP bind operation, or a directory server presents its certificate to a directory client during an SSL connection negotiation so that the connection can be encrypted. In two-way authentication, both the directory client and server exchange certificates during SSL connection negotiation.

  2. Signing. Signing is the means by which the authenticity and integrity of information is ensured. If information is signed, the recipient can determine that it was in fact sent by the indicated party and that it was not tampered with in transit. An example of signing occurs when an LDAP connection is made over SSL: The SSL layer divides the stream of data being sent into a series of blocks, and each block is accompanied by a cryptographic checksum that allows the receiver of the packet to determine whether it's been tampered with. In another example of signing, an application stores a signed value within an attribute in a directory entry; the authenticity of the value can then be verified regardless of the security of the server itself.

  3. Encryption. Encryption is the means by which the privacy of information is protected. If information is encrypted, it is scrambled in a way that only the recipient (and possibly the sender) knows how to undo. Encrypted information intercepted by anyone else is not useful. In SSL LDAP sessions, all packets transmitted are encrypted via the method negotiated during connection setup.

  4. Auditing. Auditing is the means by which you track what happens to your directory. Auditing is a key element of the overall security solution because it is often the only way to determine whether your security has been compromised and in what manner. Auditing of data handling and other procedures is also important to make sure that there are end-to-end security protections for your data. The log files maintained by most directory server products are an example of auditing.

  5. Firewalls. Firewalls and other network security technologies are used to prevent unauthorized access to resources on your networks. For example, a firewall can restrict access to your corporate network so that outbound connections from employee workstations are allowed but inbound connections are not. E-commerce sites usually use a sophisticated firewall configuration that creates different zones of network security so that multiple firewalls exist between the public Internet and database servers containing sensitive information. The topic of constructing and maintaining a secure network is beyond the scope of this book, but it is vitally important. For more on the subject, we suggest you refer to one of the texts mentioned in the Further Reading section at the end of this chapter.

  6. Intrusion detection systems. Intrusion detection systems (IDSs) are used to detect when an intruder is attempting to infiltrate your computing systems. In some cases, these tools can detect an attack in progress. In other cases, these tools look for telltale signs that an attack has occurred and report their findings. IDSs include network intrusion detection systems (NIDSs) that examine network packets for suspicious activity, system integrity verifiers (SIVs) that verify the integrity of critical system resources such as files and registry settings, and log file monitors (LFMs) that check for telltale signs of intrusions in log files generated by network devices and servers. These specific IDS types are covered in a bit more depth shortly. For more information on IDSs, see the Further Reading section at the end of this chapter.

These six concepts form the basis of most practical security procedures in modern directory systems. There are other, more esoteric security concepts, such as nonrepudiation, that we will not bother to cover in this book.

Now we turn our attention to some specific technologies that provide one or more of the abstract services we just described:

  • SSL. SSL is the Secure Sockets Layer protocol. Originally developed by Kipp Hickman of Netscape, SSL is a generic mechanism designed to make connection-oriented protocols like LDAP secure. SSL is based on public key cryptography and can provide high security. It includes strong authentication, signing, and encryption services. SSL lets two communicating parties negotiate a level of security that is appropriate and acceptable to both. A variety of different security algorithms and strengths, or security levels, can be negotiated.

  • TLS. TLS is the Transport Layer Security protocol. When the Internet Engineering Task Force (IETF) formed a working group to standardize an SSL-like protocol, it started with SSL version 3.0 and changed the name to TLS. There is little difference between SSL 3.0 and TLS 1.0; in this book we use these terms interchangeably. At the time of this writing, TLS 1.0 is a Proposed Internet Standard, documented in RFC 2246.

  • Kerberos. Kerberos is a security technology originally developed at the Massachusetts Institute of Technology as part of Project Athena. Kerberos provides an authentication service and can be used to provide encryption services as well. Kerberos version 4 was the first widely used version of Kerberos. Later attempts to standardize Kerberos (although not in the IETF) with version 5 have achieved limited success. Various groups have splintered off from the core standard, producing different, incompatible versions, including Microsoft, which used Kerberos-based technology in its Windows 2000 and Active Directory products.

  • SASL. SASL, the Simple Authentication and Security Layer, was developed by John Myers of Netscape. SASL (pronounced "sazzle") is a generic framework for negotiating authentication and security layer semantics in application-layer protocols. SASL enables support for authentication, encryption, and signing services. Although it provides no security itself, SASL allows application protocols such as LDAP to negotiate security parameters. LDAP version 3 includes native support for SASL. At the time of this writing, SASL is a Proposed Internet Standard, documented in RFC 2222.

  • IPsec. IPsec stands for Internet Protocol Security. A relatively new proposed standard at the time of this writing, IPsec is a generic network-layer security mechanism designed to secure transport-layer connections between machines (such as with TCP, over which LDAP runs). Like SSL, IPsec is based on public key technology, but its focus is on securing connection endpoints, not users or applications.

  • SSH. SSH, the Secure Shell protocol, is a generic, end-to-end security package for protecting login sessions, file transfers, and other connections between machines. SSH provides strong security and is relatively easy to use. It is a good general-purpose tool you can use to secure many of the daily administrative tasks that must be performed on your directory and other systems. SSH version 2 is the most recent version at the time of this writing.

  • SATAN and ISS. Security Administrator Tool for Analyzing Networks (SATAN) and Internet Security Scanner (ISS) are generic host security-checking packages. When you point these tools at a host or network, they probe for various well-known security holes that they have been programmed to look for. When finished, they produce a report about all the problems found and how to fix them. Tools like these are invaluable to system administrators (including directory administrators) who need to ensure the security of a host on the network. However, these tools are also invaluable to attackers who are trying to break into those systems. You should beat the attackers to the punch and scan your networks before they do.

  • NIDSs. Network intrusion detection systems (NIDSs) monitor network activity in real time and attempt to determine when an attack is in progress. For example, a NIDS may be able to detect when a DoS attack is in progress and generate an alert. Snort is a widely used open-source NIDS package. See http://www.snort.org for more information.

  • SIVs. System integrity verifiers (SIVs) are packages that detect when critical system resources have been tampered with. They accomplish this by taking a snapshot of these resources (system files and Windows registry settings) and periodically comparing the resources against the snapshot. Tripwire is a widely used open-source SIV package. See http://www.tripwire.org for more information.

  • LFMs. Log file monitors (LFMs) are tools that examine system logs and perform an action such as paging an administrator when a particular message is logged. Swatch is a widely used LFM package. See http://oit.ucsb.edu/~eta/swatch for more information.
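As an added illustration of the snapshot-and-compare approach described for SIVs above (example code written for this page, not Tripwire's own), the following Python records a baseline of watched files and reports additions, removals and changes in content or permission bits; the file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example (not from the book): a minimal Tripwire-style integrity verifier.
# It records a baseline of watched files and a later run reports what changed.

def fingerprint(path):
    """Hash the content and record the metadata we care about for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}   # permission bits matter too

def snapshot(paths):
    return {str(p): fingerprint(p) for p in paths if os.path.isfile(p)}  # baseline

def compare(baseline, paths):
    """Re-fingerprint `paths` and classify differences against the baseline."""
    current = snapshot(paths)
    modified = {}
    for p in baseline.keys() & current.keys():
        diff = {k: (baseline[p][k], current[p][k])
                for k in baseline[p] if baseline[p][k] != current[p][k]}
        if diff:
            modified[p] = diff
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": modified}

def demo():
    """Constructed scenario: a config edit, a mode change and a new file."""
    d = Path(tempfile.mkdtemp())
    conf, binary, extra = d / "slapd.conf", d / "ns-slapd", d / "unknown.so"
    conf.write_text("access to * by * read\n")
    binary.write_bytes(b"original binary contents")
    binary.chmod(0o755)
    watched = [conf, binary, extra]
    baseline = snapshot(watched)
    # Simulated tampering between two integrity runs.
    conf.write_text("access to * by * write\n")   # ACL silently loosened
    binary.chmod(0o777)                            # binary made world-writable
    extra.write_text("unexpected file\n")          # something new appeared
    return compare(baseline, watched)
```

A real deployment keeps the baseline (and the verifier itself) somewhere the monitored host cannot rewrite, otherwise an intruder simply updates the snapshot along with the files.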

The list could go on and on, but we don't have room to mention all the possibilities here. This list should give you a basic idea of the kinds of tools available to you. Check the references in the Further Reading section at the end of this chapter for more on this subject.
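To show the kind of rule an LFM applies to the audit logs discussed above, here is an added example (not from the book or from swatch) that scans directory-server access log lines for a burst of failed binds from one client and raises an alert. The log format and the sample lines are constructed, loosely modelled on Netscape-style access logs, so the regular expressions are assumptions to adapt to your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the book): a swatch-style log file monitor for directory access logs.
# The log format below is constructed (loosely Netscape-style); adapt the regexes to your server.

TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"connection from (?P<ip>[\d.]+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT err=(?P<err>\d+)")

def monitor(lines, threshold=3, window=timedelta(minutes=1)):
    """Alert on any client IP with >= threshold failed binds inside `window`."""
    conn_ip = {}                       # conn id -> client IP
    pending_bind = {}                  # (conn, op) -> dn that tried to bind
    failures = defaultdict(deque)      # ip -> timestamps of recent failed binds
    alerts = []
    for m in filter(None, map(TS_RE.match, lines)):   # skip lines we don't parse
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        conn, rest = m["conn"], m["rest"]
        if (c := CONN_RE.search(rest)):
            conn_ip[conn] = c["ip"]
        elif (b := BIND_RE.search(rest)):
            pending_bind[(conn, b["op"])] = b["dn"]
        elif (r := RESULT_RE.search(rest)):
            dn = pending_bind.pop((conn, r["op"]), None)
            if dn is None or r["err"] != "49":   # 49 = LDAP invalidCredentials
                continue               # not a bind, or the bind succeeded
            ip = conn_ip.get(conn, "unknown")
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()            # forget failures older than the window
            if len(q) >= threshold:
                alerts.append((ip, dn, len(q)))
                q.clear()              # one alert per burst, then start over
    return alerts

SAMPLE_LOG = """\
[12/Mar/2002:10:15:01 +0000] conn=101 fd=64 slot=64 connection from 10.0.0.7 to 10.0.0.1
[12/Mar/2002:10:15:02 +0000] conn=101 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Mar/2002:10:15:02 +0000] conn=101 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[12/Mar/2002:10:15:05 +0000] conn=101 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[12/Mar/2002:10:15:05 +0000] conn=101 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[12/Mar/2002:10:15:06 +0000] conn=102 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[12/Mar/2002:10:15:07 +0000] conn=102 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[12/Mar/2002:10:15:07 +0000] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Mar/2002:10:15:09 +0000] conn=101 op=2 BIND dn="cn=Directory Manager" method=128 version=3
[12/Mar/2002:10:15:09 +0000] conn=101 op=2 RESULT err=49 tag=97 nentries=0 etime=0
""".splitlines()
```

The alert tuple (client IP, bind DN, failure count) is what a real monitor would hand to its action, such as paging an administrator; the successful bind from the second client is correctly ignored.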



Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
Year: 2002
Pages: 242
