Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando Sacha Faust...

Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando

Sacha Faust

PricewaterhouseCoopers

[email protected]

[email protected]

mailto:[email protected]

mailto:[email protected]

2

LDAP overview

History Historical Usage Technical specs

3

History

Created by the University of Michigan Evolution

– 1993 : LDAP v1: RFC 1487: X.500 Lightweight Directory Access Protocol

– 1995 : LDAP v2: RFC 1777: Lightweight Directory Access Protocol

– 1997 : LDAP v3: RFC 2251: Lightweight Directory Access Protocol (v3)

4

Historical Usage

People-centric information– Phone books– Personnel Data

Large white page applications

5

Technical specs

TCP/IP Lightweight Hierarchical structure Easy API

6

LDAP for a single sign-on environment?

Why single sign-on is needed? Why LDAP is a viable solution for single-on? Requirements for an efficient and secure single sign-

on solution Technical challenges for implementing a true single-

sign on What can LDAP do to solve the problems?

7

Why single sign-on is needed?

Large networks Multiple operating systems Various network devices Centralizing Infrastructure

8

Why LDAP is a viable solution for single-on?

Lightweight TCP/IP Open standard Already used to store People-centric information

9

Requirements for an efficient and secure single sign-on solution

Open standard Scalability Access controls Easy to integrate with current infrastructure Easy and reliable API Easy to manage

10

Technical challenges for implementing a true single-sign

on

Cross platform support Cross platform user settings Data Synchronization Proprietary authentications Security Schema and organizational structure

11

What can LDAP do to solve the problems?

Open standard Support for SSL Most vendors offer ACL Customizable schema Powerful search capabilities

Test case - ASP environment

13

Overview

Customer Info

$ $$

Customer

Portal Server

HT

TP

S

Database

HTTPS/AIP

Tarantella +Tarantella

Security Pack

UnixApplications

Win32Applications

RDPSSH/X11

Portal Gateway

HT

TP

S

DirectoryServer

LD

AP

/SL

DA

P

14

NT Authentication

Step 2.Updating theNT SAM

Step 3.Applicationauthentication

Win32 ApplicationServer



NT PDC

Step 1. Creatingthe user entry

LDAPServer

User creationmodule






NT PDC


LDAPServer

User creationmodule






NT PDC

Step 1.Creating theuser entry

LDAPServer

User creationmodule

18

Linux/UNIX Authentication

Linux/UnixApplication

Server




Server


Server

LDAPServer

User creationmodule


Server

Step 1.Creating theuser entry



Server


Server

LDAPServer

User creationmodule

21

Why is this solution better? Advantages

Security– Central control of all users– Central point of revocation

Flexibility Scalability Financially

– Most of the components are available for free use– Low management cost– Doesn't requirement a lot of administration

22

Security

Central control of all users Central point of revocation

23

Advance topics

LDAP Security– Steps to secure your LDAP server– Special consideration for single sign on

24

Steps to secure your LDAP server

1. Identifying requirements 2. Securing the Directory 2. LDAP server host security 3. Network security

25

1. Identifying requirements

Network access Types of users and groups Defining data access requirements LDAP schema

26

Network access

Network architecture Identifying member servers and their requirements Identifying Clients and their requirements

27

Types of users and groups

Administration users Read users Write users Member servers Groups

– Static– Dynamic

28

Defining data access requirements

What can each member server do and see Types of information can users see What attributes the user can change on themselves Data risk level

– Is the data public?– Is the data restricted per organizational units?– Is the data used for the infrastructure?

29

Data risk level

Is the data public? Is the data restricted per organizational units? Is the data used for the infrastructure?

30

2. Securing the Directory

Implementing ACL Strong password management

31

2. LDAP server host security

File system– File system ACL– Identifying critical data– Integrity

Non-privilege user Registry (Win32 only) Limiting services

32

File system

File system ACL Identifying critical data Integrity

33

3. Network security

Encrypting data– SLDAP

Authentication– Basic?– Certificate?– Anonymous?

34

Special consideration for single sign on

Security of the object class attributes1. NT Authentication using iPlanet Directory Server

2. PAM authentication via LDAP

Security of the authentication module

NT Authentication using iPlanet Directory Server

PAM authentication via LDAP

37

Quick Links

Further readings Tools Implementations

38

Further readings

LDAP Overview by Bruce Greenblatt Why LDAP & Security Are Critical to Your Success Solaris 8 LDAP Setup and Configuration Guide IBM Understanding LDAP Securing Netscape Directory Server paper (work in

progress)

39

Tools

LDAP Browser/Editor LDAPMiner NetscapeGetACL LDAPRootDSE

40

Implementations

OpenLDAP iPlanet Novell eDirectory Tivoli(IBM)

Questions?

Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando

Sacha Faust

PricewaterhouseCoopers

[email protected]

[email protected]

Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando Sacha Faust...

Documents

Transcript of Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando Sacha Faust...