
Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando



Presentation Transcript


  1. Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando Sacha Faust PricewaterhouseCoopers sacha@severus.org sacha.faust.bourque@ca.pwcglobal.com

  2. LDAP overview • History • Historical Usage • Technical specs

  3. History • Created by the University of Michigan • Evolution • 1993 : LDAP v1: RFC 1487: X.500 Lightweight Directory Access Protocol • 1995 : LDAP v2: RFC 1777: Lightweight Directory Access Protocol • 1997 : LDAP v3: RFC 2251: Lightweight Directory Access Protocol (v3)

  4. Historical Usage • People-centric information • Phone books • Personnel Data • Large white page applications

  5. Technical specs • TCP/IP • Lightweight • Hierarchical structure • Easy API

  6. LDAP for a single sign-on environment? • Why is single sign-on needed? • Why is LDAP a viable solution for single sign-on? • Requirements for an efficient and secure single sign-on solution • Technical challenges for implementing true single sign-on • What can LDAP do to solve the problems?

  7. Why is single sign-on needed? • Large networks • Multiple operating systems • Various network devices • Centralizing infrastructure

  8. Why is LDAP a viable solution for single sign-on? • Lightweight • TCP/IP • Open standard • Already used to store people-centric information

  9. Requirements for an efficient and secure single sign-on solution • Open standard • Scalability • Access controls • Easy to integrate with current infrastructure • Easy and reliable API • Easy to manage

  10. Technical challenges for implementing true single sign-on • Cross platform support • Cross platform user settings • Data synchronization • Proprietary authentication • Security • Schema and organizational structure

  11. What can LDAP do to solve the problems? • Open standard • Support for SSL • Most vendors offer ACLs • Customizable schema • Powerful search capabilities

  12. Test case - ASP environment

  13. Overview

  14. NT Authentication

  15. Linux/UNIX Authentication

  16. Why is this solution better? Advantages • Security • Central control of all users • Central point of revocation • Flexibility • Scalability • Financially • Most of the components are available for free use • Low management cost • Doesn't require much administration

  17. Security • Central control of all users • Central point of revocation

  18. Advanced topics • LDAP security • Steps to secure your LDAP server • Special considerations for single sign-on

  19. Steps to secure your LDAP server • 1. Identifying requirements • 2. Securing the directory • 3. LDAP server host security • 4. Network security

  20. 1. Identifying requirements • Network access • Types of users and groups • Defining data access requirements • LDAP schema

  21. Network access • Network architecture • Identifying member servers and their requirements • Identifying Clients and their requirements

  22. Types of users and groups • Administration users • Read users • Write users • Member servers • Groups • Static • Dynamic

  23. Defining data access requirements • What each member server can do and see • What types of information users can see • What attributes users can change on themselves • Data risk level • Is the data public? • Is the data restricted per organizational unit? • Is the data used for the infrastructure?

  24. Data risk level • Is the data public? • Is the data restricted per organizational unit? • Is the data used for the infrastructure?

  25. 2. Securing the Directory • Implementing ACL • Strong password management
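Slides 23 to 25 pose the access questions (what each member server, user and anonymous client may see or change) and answer them with ACLs. The example below is added for this page; it is not part of the deck and not OpenLDAP's code. It models OpenLDAP-style `access to <what> by <who> <level>` directives in a few lines of Python and audits three candidate ACL sets: the server with no directives at all, the right clauses in the wrong order, and a hardened set. The model is deliberately simplified (first directive whose target covers the attribute wins, first matching `by` clause inside it decides, no match means no access, no directives means everything is readable) and does not model the rootdn bypass, so the admin DN is named explicitly. The DNs and ACL text are constructed for the illustration.

```python
# Added example for this page, not the deck's material and not OpenLDAP's own
# code: a simplified model of OpenLDAP-style "access to <what> by <who> <level>"
# directives, used to audit what a candidate ACL set really grants.
# Modelling assumptions: directives are tried in order and the first one whose
# target covers the attribute is used; inside it the first matching "by" clause
# decides; no match means "none"; with no directives at all everything is
# readable (slapd's built-in default).  The rootdn bypass is not modelled.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample DNs (assumed names, not from the slides).
ADMIN_DN = "cn=admin,dc=example,dc=com"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
BOB_DN = "uid=bob,ou=people,dc=example,dc=com"


def parse_acl(text):
    """Parse lines of the form
    'access to attrs=a,b by <subject> <level> [by <subject> <level> ...]'
    where the target is '*' or 'attrs=...' and DNs are written unquoted."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[:2] != ["access", "to"] or (len(tok) - 3) % 3 != 0:
            raise ValueError(f"cannot parse ACL line: {raw!r}")
        target = tok[2]
        if target == "*":
            attrs = None                       # every attribute of the entry
        elif target.startswith("attrs="):
            attrs = set(target[len("attrs="):].split(","))
        else:
            raise ValueError(f"unsupported target {target!r}")
        by = []
        for i in range(3, len(tok), 3):
            if tok[i] != "by" or tok[i + 2] not in LEVELS:
                raise ValueError(f"cannot parse ACL line: {raw!r}")
            by.append((tok[i + 1], tok[i + 2]))
        directives.append((attrs, by))
    return directives


def subject_matches(subject, requester, entry):
    """'requester' is the bound DN, or None for an anonymous client."""
    if subject == "*":
        return True
    if subject == "anonymous":
        return requester is None
    if subject == "users":
        return requester is not None
    if subject == "self":
        return requester is not None and requester.lower() == entry.lower()
    if subject.startswith("dn.exact="):
        return requester is not None and requester.lower() == subject[9:].lower()
    raise ValueError(f"unsupported 'by' subject {subject!r}")


def granted(directives, requester, entry, attr):
    """Access level the requester gets on one attribute of one entry."""
    if not directives:
        return "read"
    for attrs, by in directives:
        if attrs is None or attr in attrs:
            for subject, level in by:
                if subject_matches(subject, requester, entry):
                    return level
            return "none"          # target matched, nobody matched: denied
    return "none"                  # no directive covers the attribute: denied


def allows(directives, requester, entry, attr, needed):
    return LEVELS.index(granted(directives, requester, entry, attr)) >= LEVELS.index(needed)


def audit(acl_text):
    """Answer the data-access questions of slides 23-25 for one ACL set."""
    d = parse_acl(acl_text)
    return {
        # a simple bind by an anonymous client needs 'auth' on userPassword
        "anonymous_can_bind": allows(d, None, ALICE_DN, "userPassword", "auth"),
        "anonymous_reads_hashes": allows(d, None, ALICE_DN, "userPassword", "read"),
        "user_reads_other_hash": allows(d, BOB_DN, ALICE_DN, "userPassword", "read"),
        "self_changes_password": allows(d, ALICE_DN, ALICE_DN, "userPassword", "write"),
        "user_reads_phone_book": allows(d, BOB_DN, ALICE_DN, "cn", "read"),
        "admin_writes_entries": allows(d, ADMIN_DN, ALICE_DN, "cn", "write"),
    }


DEFAULT_ACL = ""   # no directives at all: everyone reads everything, hashes included

# Same clauses as the hardened set, wrong order: the catch-all comes first, so
# the userPassword rule is never reached.
MISORDERED_ACL = """
access to * by users read by * none
access to attrs=userPassword by self write by anonymous auth by * none
"""

HARDENED_ACL = f"""
access to attrs=userPassword by self write by dn.exact={ADMIN_DN} write by anonymous auth by * none
access to * by dn.exact={ADMIN_DN} write by users read by * none
"""

if __name__ == "__main__":
    for name, acl in [("default", DEFAULT_ACL), ("misordered", MISORDERED_ACL), ("hardened", HARDENED_ACL)]:
        print(name, audit(acl))
```

Run it and the three reports make the slide's point concrete: with no ACLs every anonymous client can pull password hashes; with the catch-all first, any authenticated user reads everybody's hashes and anonymous simple binds stop working because `auth` on userPassword is never granted; only the hardened order gives self-service password change, working binds, a readable phone book and no hash disclosure.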

  26. 3. LDAP server host security • File system • File system ACL • Identifying critical data • Integrity • Non-privileged user • Registry (Win32 only) • Limiting services

  27. File system • File system ACL • Identifying critical data • Integrity

  28. 4. Network security • Encrypting data • LDAPS (LDAP over SSL) • Authentication • Simple bind (password)? • Certificate? • Anonymous?
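The reason the slide pairs "encrypting data" with the choice between password, certificate and anonymous authentication: a simple (password) bind over plain port 389 carries the password in the clear inside the BER-encoded BindRequest, and SSL is what protects it. The example below is added for this page and is not from the deck; it builds an LDAPv3 simple BindRequest byte for byte following the RFC 2251 section 4.2 layout, then parses such a message the way a sniffer would, recovering the DN and password. It also flags the two degenerate cases of simple bind: empty DN and empty password (an anonymous bind) and a DN with an empty password (an "unauthenticated" bind, which a server may accept as anonymous, so a client that does not check for an empty password before binding can mistake that for a verified login). The DN and password are constructed sample values.

```python
# Added example for this page (not from the deck): build an LDAPv3 simple
# BindRequest byte for byte and then parse one the way a sniffer on an
# unencrypted port 389 would, to show that the password is on the wire in the
# clear.  BER layout per RFC 2251 section 4.2:
#   LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }
#   BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
#                     authentication CHOICE { simple [0] OCTET STRING, sasl [3] ... } }
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
SIMPLE_CREDS = 0x80      # context tag [0], primitive: the cleartext password
SASL_CREDS = 0xA3        # context tag [3], constructed: SASL, not handled here


def _ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _ber_length(len(payload)) + payload


def ber_int(n):
    """Two's-complement INTEGER, minimal length (enough for IDs and versions)."""
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def simple_bind_request(msg_id, dn, password):
    """What a client sends for 'ldapsearch -x -D <dn> -w <password>'."""
    bind = tlv(BIND_REQUEST,
               ber_int(3)                               # version 3
               + tlv(OCTET_STRING, dn.encode())         # name (LDAPDN)
               + tlv(SIMPLE_CREDS, password.encode()))  # simple credentials
    return tlv(SEQUENCE, ber_int(msg_id) + bind)


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet):
    """Recover DN and password from a captured BindRequest.
    Returns None when the message is not a simple bind (another operation, or
    SASL credentials, which do not carry a cleartext password here)."""
    tag, msg, _ = read_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    tag, creds, _ = read_tlv(op, pos)
    if tag != SIMPLE_CREDS:
        return None
    dn, password = name.decode(), creds.decode()
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "dn": dn,
        "password": password,
        "anonymous": dn == "" and password == "",
        # non-empty DN with empty password: an "unauthenticated" bind that a
        # server may treat as anonymous success; a client must not mistake it
        # for a verified login
        "unauthenticated": dn != "" and password == "",
    }


if __name__ == "__main__":
    # Constructed sample credentials.
    pkt = simple_bind_request(1, "uid=alice,ou=people,dc=example,dc=com", "Summer2002")
    print(pkt.hex())
    print(parse_simple_bind(pkt))
```

The hex dump printed for the constructed bind shows the DN and `Summer2002` as contiguous ASCII; nothing in simple bind obscures them, which is why the slide's "Encrypting data" bullet comes before the authentication choice. A certificate bind (SASL EXTERNAL over LDAPS) or any SASL mechanism produces a `[3]` credential instead of the `[0]` cleartext one, and the parser above deliberately returns `None` for it.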

  29. Special consideration for single sign on • Security of the object class attributes • NT Authentication using iPlanet Directory Server • PAM authentication via LDAP • Security of the authentication module
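"Security of the object class attributes" is mostly about `userPassword` on posixAccount entries: once PAM and NSS clients read the directory, a hash stored in a weak scheme, or a password stored in the clear, is as exposed as a world-readable shadow file. The example below is added for this page and is not the deck's or any vendor's code; it reads a small constructed LDIF, reports the storage scheme of each `userPassword`, flags the values that should be rehashed, and generates and verifies `{SSHA}` (salted SHA-1, the scheme both OpenLDAP and iPlanet accept). The DNs, passwords and the `{CRYPT}` placeholder are constructed for the illustration.

```python
# Added example for this page, not the deck's code: check how userPassword is
# stored in a set of posixAccount entries and produce {SSHA} values, the salted
# scheme OpenLDAP and iPlanet both accept.  The LDIF and the passwords are
# constructed for the illustration.
import base64
import hashlib
import hmac
import os

# Cleartext, unsalted, or legacy DES crypt (8-character truncation): rehash.
WEAK_SCHEMES = {"", "{CLEARTEXT}", "{CRYPT}", "{SHA}", "{MD5}"}


def ssha_hash(password, salt=None):
    """{SSHA} as written by slappasswd -h {SSHA}: base64(sha1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Recompute over the salt carried in the value; constant-time compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def password_scheme(value):
    """'{SCHEME}' prefix of a userPassword value, '' if it is stored in the clear."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return ""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                raise ValueError("base64 ('attr:: value') LDIF lines are not handled here")
            entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries


def audit_passwords(ldif_text):
    """Per DN: storage scheme of userPassword and whether it should be rehashed."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        for value in entry.get("userPassword", []):
            scheme = password_scheme(value)
            report[dn] = {"scheme": scheme or "cleartext", "rehash": scheme in WEAK_SCHEMES}
    return report


# Constructed sample directory content.  Carol's value is generated here with a
# fixed salt so the verification is reproducible; bob's {CRYPT} string is a
# placeholder, not a real hash of anything.
CAROL_SSHA = ssha_hash("correct horse battery", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = f"""
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
userPassword: summer2002

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
userPassword: {{CRYPT}}xxPLACEHOLDER

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: carol
userPassword: {CAROL_SSHA}
"""

if __name__ == "__main__":
    for dn, info in audit_passwords(SAMPLE_LDIF).items():
        print(dn, info)
    print("rehash alice as", ssha_hash("summer2002"))
```

Rehashing fixes storage, not disclosure: even an `{SSHA}` value is material for an offline dictionary attack, so it still belongs behind an ACL that grants anonymous clients `auth` and nobody but the owner and the administrator `read` or `write` on `userPassword`. The PAM module on the next slide never needs to read the hash at all; it should authenticate by binding as the user.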

  30. NT Authentication using iPlanet Directory Server

  31. PAM authentication via LDAP

  32. Quick Links • Further readings • Tools • Implementations

  33. Further readings • LDAP Overview by Bruce Greenblatt • Why LDAP & Security Are Critical to Your Success • Solaris 8 LDAP Setup and Configuration Guide • IBM Understanding LDAP • Securing Netscape Directory Server paper (work in progress)

  34. Tools • LDAP Browser/Editor • LDAPMiner • NetscapeGetACL • LDAPRootDSE

  35. Implementations • OpenLDAP • iPlanet • Novell eDirectory • Tivoli(IBM)

  36. Questions?

  37. Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando Sacha Faust PricewaterhouseCoopers sacha@severus.org sacha.faust.bourque@ca.pwcglobal.com
