1 / 25

LDAP Directory Services:

LDAP Directory Services:. Security. Directory Security Syllabus. Brief Review of Directories and LDAP Brief Review of Security Basic Security Concepts Security as Applied to Directories Threats LDAP Protocol Security Features Typically Implemented Security Features Futures References.

mendezs
Download Presentation

LDAP Directory Services:

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. LDAP Directory Services: Security

  2. Directory SecuritySyllabus • Brief Review of Directories and LDAP • Brief Review of Security • Basic Security Concepts • Security as Applied to Directories • Threats • LDAP Protocol Security Features • Typically Implemented Security Features • Futures • References

  3. A B C D search “G,C,A” E F G Client H I Directory SecurityBrief Review of Directories & LDAP Directory Information Tree (DIT) Network LDAP Directory Database Directory Service

  4. Directory SecurityBrief Review of Directories & LDAP • What directories are… • Object repositories • Typically read more than written • Have explicit access protocols • Support relatively complex queries • What directories are not… • RDBMSs • Lack notions of.. • Tabular views • JOIN operations • Stored Procedures

  5. Directory SecurityBrief Review of Directories & LDAP • Obligatory, overly-simplified, Protocol Stack Diagram Directory-based Application LDAP TCP IP Ethernet, Cable, Wireless, whatever.

  6. Directory SecurityBrief Review of Security • Notion of Security for a network protocol is comprised of (at least) these axes.. • Identity & Authentication • “Who are you and who says so?” • Confidentiality • “Tough petunias to eavesdroppers.” • Integrity • “Did anyone muck with this data?” • Authorization • “Yes, you can do that, but no, you can’t do that other thing.”

  7. Directory SecurityBasic Security Concepts • Notions... • The notion of Identity • Of Names and Identifiers • Authentication Identity • Authorization Identity • Anonymity

  8. Directory SecurityBasic Security Concepts Overall Namespace Names Identifiers

  9. Directory SecurityBasic Security Concepts • The applicable “science & technology of implementation”... • Ciphers • Encryption • Integrity • AKA Cryptography [11]

  10. Directory SecurityBasic Security Concepts, cont’d

  11. Directory SecurityBasic Security Concepts, cont’d

  12. Directory SecurityBasic Security Concepts, cont’d

  13. Directory SecuritySecurity as Applied to Directories • One needs to separately consider each of the four security axes in the context of anticipated threats. • Also need to consider security from the perspectives of.. • the info stored in the directory, and.. • attributes of the requesters. • E.g. how much you trust them. • Note that.. • data security != access security

  14. Directory SecurityExample Deployment Scenarios

  15. A 4 B C D search “G,C,A” E F G 7. Imposter Directory Service H I Client Directory Database Directory SecurityThreats Legitimate Directory Service 2 , 3 , 7. LDAP Network , 5 , 6. Directory Database 1.

  16. 8. 9. 10. Directory SecurityThreats, cont’d Network Directory Service Host(s) Directory Database

  17. Directory SecurityLDAP Protocol Security Features • Formal notions of.. • Authentication Identifiers [7], and.. • Authorization Identifiers [7] • Leverages several security mechanisms.. • Simple passwords [2, 8] • SASL [6] • Kerberos [2] • Digest [4] • SSL/TLS [7] • effectively is a session layer • The above may be used in various combinations together.

  18. Directory SecurityLDAP Protocol Security Features • Integral-to-the-protocol data integrity and attribution are works-in-progress.

  19. Authenticated, plus Confidentiality- and Integrity-protected Channel LDAP A Directory Database B C D search “G,C,A” E F G Imposter Directory Service Client H I Directory Database Directory SecurityLDAP Security Features Illustrated Legitimate Directory Service Network LDAP

  20. IP Ethernet, Cable, Wireless,Etc. Directory SecurityBrief Intro to Directories and LDAP Directory-based Application LDAP TLS TCP

  21. IP Ethernet, Cable, Wireless,Etc. Directory SecurityBrief Intro to Directories and LDAP Directory-based Application TLS SASL LDAP TCP

  22. Directory SecurityTypical Security Features of Impls • Security Features typically found in LDAP Implementations • Simple password-based Authentication. • SSL on port 636 (aka “LDAPS”) • At least one impl does StartTLS on port 389. • Access control. • Configurability (e.g. Netscape’s DS Plug-ins).

  23. Directory SecurityTypical Impl Security Features, cont’d • Important Notice: • The LDAP protocol is NOT an authentication protocol in and of itself (IMHO). • One MAY use LDAP itself as an authentication protocol, but one needs to carefully consider what functionality it does and doesn’t bring to your deployment when used in this manner. • Deployment configuration is critical • Many server-side knobs • e.g. requiring client authentication

  24. Directory DB Auth DB Directory SecurityExample Directory Service Deployment(s) Authentication Service Desktop Clients Desktop Clients Clients LDAP LDAP-based Directory Service

  25. Directory Service SUNetIDSystem LDAP (Reads) TDS Network-based Applications Network-based Applications Directory DB Registry DB Auth DB Middleware Event Broker Network-based Applications Desktops (Browsers) TDS Web-based User Interface for Data Maintenance Registry HTTP(effectively authenticated writes) Directory SecurityBehind the Scenes (simplified) LDAP Subject’sDesktop(browser) TDS

More Related