Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando
Sacha Faust
PricewaterhouseCoopers
LDAP overview
– History
– Historical usage
– Technical specs
History
– Created at the University of Michigan
– Evolution:
  – 1993: LDAP v1, RFC 1487: X.500 Lightweight Directory Access Protocol
  – 1995: LDAP v2, RFC 1777: Lightweight Directory Access Protocol
  – 1997: LDAP v3, RFC 2251: Lightweight Directory Access Protocol (v3)
Historical usage
– People-centric information
  – Phone books
  – Personnel data
– Large white-pages applications
Technical specs
– Runs over TCP/IP
– Lightweight (a lightweight front end to X.500-style directories)
– Hierarchical structure
– Easy API
LDAP for a single sign-on environment?
– Why is single sign-on needed?
– Why is LDAP a viable solution for single sign-on?
– Requirements for an efficient and secure single sign-on solution
– Technical challenges for implementing a true single sign-on
– What can LDAP do to solve the problems?
Why is single sign-on needed?
– Large networks
– Multiple operating systems
– Various network devices
– Centralizing infrastructure
Why is LDAP a viable solution for single sign-on?
– Lightweight
– TCP/IP
– Open standard
– Already used to store people-centric information
Requirements for an efficient and secure single sign-on solution
– Open standard
– Scalability
– Access controls
– Easy to integrate with the current infrastructure
– Easy and reliable API
– Easy to manage
Technical challenges for implementing a true single sign-on
– Cross-platform support
– Cross-platform user settings
– Data synchronization
– Proprietary authentication mechanisms
– Security
– Schema and organizational structure
What can LDAP do to solve the problems?
– Open standard
– Support for SSL
– Most vendors offer ACLs
– Customizable schema
– Powerful search capabilities
Test case - ASP environment

Overview (architecture diagram)
– Components: Customer, Portal Server, Portal Gateway, Database (customer info and billing), Directory Server, Tarantella + Tarantella Security Pack, Unix applications, Win32 applications
– Links labelled in the diagram: HTTPS (customer to portal), HTTPS/AIP (portal gateway to Tarantella), LDAP/SLDAP (to the Directory Server), SSH/X11 (to Unix applications), RDP (to Win32 applications)
NT Authentication (diagram)
– Components: User creation module, LDAP Server, NT PDC, Win32 Application Servers
– Step 1. Creating the user entry: the user creation module writes the entry to the LDAP server
– Step 2. Updating the NT SAM: the entry is propagated from the LDAP server to the NT PDC
– Step 3. Application authentication: the Win32 application servers authenticate users against the NT PDC
Linux/UNIX Authentication (diagram)
– Components: User creation module, LDAP Server, Linux/Unix Application Servers
– Step 1. Creating the user entry: the user creation module writes the entry to the LDAP server
– Step 2. Application authentication: the Linux/Unix application servers authenticate users directly against the LDAP server
Why is this solution better? Advantages
– Security
  – Central control of all users
  – Central point of revocation
– Flexibility
– Scalability
– Financial
  – Most of the components are available for free use
  – Low management cost
  – Doesn't require a lot of administration
Security
– Central control of all users
– Central point of revocation
Advanced topics
– LDAP security
  – Steps to secure your LDAP server
  – Special consideration for single sign-on
Steps to secure your LDAP server
1. Identifying requirements
2. Securing the directory
3. LDAP server host security
4. Network security
1. Identifying requirements
– Network access
– Types of users and groups
– Defining data access requirements
– LDAP schema
Network access
– Network architecture
– Identifying member servers and their requirements
– Identifying clients and their requirements
Types of users and groups
– Administration users
– Read users
– Write users
– Member servers
– Groups
  – Static
  – Dynamic
Defining data access requirements
– What each member server can do and see
– What types of information users can see
– What attributes users can change on their own entry
– Data risk level
  – Is the data public?
  – Is the data restricted per organizational unit?
  – Is the data used by the infrastructure?
Data risk level
– Is the data public?
– Is the data restricted per organizational unit?
– Is the data used by the infrastructure?
2. Securing the directory
– Implementing ACLs
– Strong password management
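The talk does not show how the user creation module stores passwords when it creates an entry. The following Python is an added example, not code from the talk or its ASP test case: it builds the LDIF for a new posixAccount entry with the password stored in the {SSHA} salted-hash scheme (the scheme OpenLDAP's slappasswd emits by default), verifies a candidate password the way a server does on bind, and refuses to create an entry at all when the password fails a minimum policy. The base DN, the policy thresholds, the attribute set and the sample user are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example (not code from the talk). The DN layout, the policy below and the
# sample user are assumptions chosen for illustration.
BASE_DN = "ou=people,dc=example,dc=com"
MIN_PASSWORD_LEN = 12


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the {SSHA} scheme.

    {SSHA} = "{SSHA}" + base64( SHA-1(password || salt) || salt ).  The salt is
    kept in clear behind the digest so the server can recompute the hash when
    the user binds; a fresh per-user salt defeats precomputed dictionary tables.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (what the server
    does on a simple bind).  Other schemes are rejected rather than guessed at."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def password_is_strong(password: str) -> bool:
    """Assumed minimum policy: length plus three of four character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= MIN_PASSWORD_LEN and classes >= 3


def ldif_line(attr: str, value: str) -> str:
    """Emit one 'attr: value' line.  Values that are not LDIF SAFE-STRINGs
    (non-ASCII, leading space/colon/'<', embedded CR/LF/NUL, trailing space)
    are base64-encoded after '::' as RFC 2849 requires."""
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or any(c in value for c in "\0\r\n")
        or value.endswith(" ")
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def make_user_ldif(uid: str, cn: str, sn: str, uid_number: int, gid_number: int,
                   password: str, salt: Optional[bytes] = None) -> str:
    """Build the LDIF the user creation module would send for a new Unix account.
    Raises ValueError instead of creating an entry with a weak password.
    Assumes uid contains no characters that need escaping in a DN (RFC 4514)."""
    if not password_is_strong(password):
        raise ValueError("password does not meet the minimum policy")
    attrs = [
        ("dn", f"uid={uid},{BASE_DN}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", "/bin/sh"),
        ("userPassword", ssha_hash(password, salt)),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    # Constructed sample user; feed the output to ldapadd over a TLS-protected session.
    print(make_user_ldif("jdoe", "John Doe", "Doe", 10001, 10001, "Tr0ub4dor&3xample"))
```

The hash never protects a password that crosses the wire in clear: the LDIF still carries the pre-hashed value to the server, and a later bind carries the cleartext password, so both belong on an encrypted session. Server-side password policy enforcement (history, lockout, expiry) is a separate mechanism that depends on the directory product and is not shown here.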
3. LDAP server host security
– File system
  – File system ACLs
  – Identifying critical data
  – Integrity
– Run the server as a non-privileged user
– Registry (Win32 only)
– Limiting services
File system
– File system ACLs
– Identifying critical data
– Integrity
4. Network security
– Encrypting data
  – SLDAP (LDAP over SSL)
– Authentication
  – Basic (simple bind)?
  – Certificate?
  – Anonymous?
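The two preceding slides (ACLs under "Securing the directory", encryption and the authentication choices under "Network security") map onto a handful of server directives. The following slapd.conf fragment is an added example in OpenLDAP syntax, not configuration from the talk, whose test case ran iPlanet Directory Server (iPlanet expresses the same rules as aci attributes with a different syntax). The DNs, certificate paths, group names and service-account names are assumptions.

```conf
# slapd.conf fragment (added example; OpenLDAP syntax, assumed DNs and paths)

# ---- Network security: encrypt, and refuse credentials sent in clear ----
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key

# Simple binds and all updates require a session with at least 128-bit
# protection (ldaps:// or StartTLS); a cleartext bind is refused, not just logged.
security ssf=128 simple_bind=128 update_ssf=128

# Passwords set through the password-modify operation are stored salted-hashed.
password-hash {SSHA}

# ---- Securing the directory: ACLs. slapd uses the first "access to" whose
# target matches, so the most specific rules come first. ----

# The root DSE only advertises server capabilities; clients read it to find
# StartTLS and SASL support before they authenticate.
access to dn.base=""
    by * read

# Password hashes: the owner may change them, unauthenticated clients may only
# present a password to bind (auth), the creation module may set them, and
# nobody can read them back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="cn=usercreate,ou=services,dc=example,dc=com" write
    by * none

# Attributes a user may maintain on their own entry.
access to attrs=loginShell,telephoneNumber,mail
    by self write
    by users read
    by * none

# The people subtree: creation module and admins write; member servers (the
# PAM clients) and other authenticated users read; anonymous sees nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=usercreate,ou=services,dc=example,dc=com" write
    by group.exact="cn=directory-admins,ou=groups,dc=example,dc=com" write
    by dn.children="ou=member-servers,dc=example,dc=com" read
    by users read
    by * none

# Everything else (groups, service accounts, schema): admins write, users read.
access to *
    by group.exact="cn=directory-admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```

The order is the part that bites: if the userPassword rule came after the subtree rule, the subtree's "by users read" would match first and hand every authenticated user the password hashes. "by anonymous auth" is the answer to the slide's "Anonymous?" question: an unauthenticated client gets exactly one capability, presenting a password to bind, and nothing else. Certificate authentication of member servers (SASL EXTERNAL over TLS) would replace their simple binds; that is a further option, not shown here.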
Special consideration for single sign-on
– Security of the object class attributes
  1. NT Authentication using iPlanet Directory Server
  2. PAM authentication via LDAP
– Security of the authentication module

NT Authentication using iPlanet Directory Server

PAM authentication via LDAP
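For the "Security of the authentication module" point, the following is an added example of a member server's client-side configuration for PAM authentication via LDAP, not material from the talk: an /etc/ldap.conf using the directive names of PADL's pam_ldap and nss_ldap, and an excerpt of one PAM service file. The host names, DNs and group names are assumptions. The setting that matters most is tls_checkpeer: pam_ldap authenticates a user by binding to the directory as that user's DN with the supplied password, so without certificate verification a host that can spoof the directory's address can answer every bind with success and be granted logins for any password.

```conf
# /etc/ldap.conf for pam_ldap / nss_ldap on a member server
# (added example; PADL directive names, assumed host names and DNs)

uri  ldaps://ldap.example.com/
base dc=example,dc=com
ldap_version 3

# Encrypt, and verify the directory's certificate against our CA.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/ca.pem

# Identity this host uses for account lookups (read-only on the server side).
# The password lives in /etc/ldap.secret, mode 0600, owned by root, not here.
rootbinddn cn=app1,ou=member-servers,dc=example,dc=com

# Which entries are accounts, and which attribute is the login name.
pam_filter objectclass=posixAccount
pam_login_attribute uid

# Only members of this group may log in to this host: one place to revoke
# access to one application server without deleting the user.
pam_groupdn cn=app1-users,ou=groups,dc=example,dc=com
pam_member_attribute member

# Password changes use the LDAP password-modify extended operation, so the
# server applies its own hashing scheme rather than trusting a client-side hash.
pam_password exop

# nss_ldap: where account, shadow and group data live
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group  ou=groups,dc=example,dc=com?one

# /etc/pam.d/sshd (excerpt, assumed): LDAP first, local accounts as fallback.
#
# auth     sufficient pam_ldap.so
# auth     required   pam_unix.so try_first_pass
# "required", not "sufficient", in the account phase: a failed pam_groupdn
# check must deny the login instead of falling through to the next module.
# account  required   pam_ldap.so
# account  required   pam_unix.so
```

If the host also keeps local-only accounts, test that pam_ldap's account check ignores users it does not know before relying on that required line; otherwise root's local login path can break. Modern distributions replace pam_ldap/nss_ldap with sssd, which has different directive names but the same three requirements: verified TLS, a read-only lookup identity, and a per-host access group.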
Quick links
– Further readings
– Tools
– Implementations
Further readings
– LDAP Overview, by Bruce Greenblatt
– Why LDAP & Security Are Critical to Your Success
– Solaris 8 LDAP Setup and Configuration Guide
– IBM: Understanding LDAP
– Securing Netscape Directory Server paper (work in progress)
Tools
– LDAP Browser/Editor
– LDAPMiner
– NetscapeGetACL
– LDAPRootDSE
Implementations
– OpenLDAP
– iPlanet
– Novell eDirectory
– Tivoli (IBM)
Questions?