CIST 1601 Information Security Fundamentals Chapter 5 Implementing and Maintaining a Secure Network Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Instructor Albany Technical College

Post on 21-Dec-2015



Overview of Network Security Threats

The CERT/CC is an organization that tracks and reports on computer and network security threats. It is part of the Software Engineering Institute (SEI) at Carnegie Mellon University.

Penetration testing (aka ethical hacking or “pen test”) involves the use of tools to simulate attacks on the network and on the computer systems. Penetration testing enables you to detect the existing vulnerabilities of the infrastructure, with prior approval and authorization from senior management. Penetration testing starts with defining management objectives for the tests, and includes configuration reviews, vulnerability assessments, and social engineering. Penetration tests are limited to the identification of the vulnerabilities in the system and the detection of the impact of each vulnerability on the security of the infrastructure. This process enables an organization to take corrective action, such as patching the systems against vulnerabilities or bugs. The penetration test team reports the findings to senior management after completing the documentation process. ISS, Ballista, and SATAN are some examples of penetration testing or ethical hacking tools used to identify network and system vulnerabilities.


Penetration testing involves footprinting, scanning, and enumerating. Scanning identifies active computers, ports, and services. Enumerating involves compiling the information from the scanning phase and identifying target systems.

The IP addresses of the computers are usually discovered during a penetration test. As components of the network are discovered, the methods used are determined. A penetration test would need to be run from outside your network. A penetration test includes the following steps:

1. Gather initial information.
2. Determine the network range.
3. Identify active devices.
4. Discover open ports and access points.
5. Identify the operating systems and their settings.
6. Discover which services are using the open ports.
7. Map the network.

Penetration tests may cause some disruption to network operations as a result of the actual penetration efforts conducted. Penetration tests can also mask legitimate attacks by generating false data in IDS/IPS systems.


Defining Security Baselines

A baseline defines the minimum level of security and performance of a system in an organization. A baseline is also used as a benchmark for future changes. Any change made to the system should match the defined minimum security baseline. A security baseline is defined through the adoption of standards in an organization. You should create a System Monitor chart based on a performance log. This will ensure that performance baseline statistics are recorded for an extended period of time. The first step to creating a performance baseline is to create a security policy. Without the policy, the baseline has no guidelines to follow.

Metrics for security baselines and hardening efforts rely on the identification of vulnerability and risk. Some mechanism for measuring vulnerability is needed to determine whether a baseline has been met, or whether a new security measure has been effective. Common Criteria organizes its evaluation criteria into seven Evaluation Assurance Levels (EALs):

1. EAL 1 - A user must be assured that the system will operate correctly, but threats to security are not viewed as serious. The other EAL levels promote higher levels of security.
2. EAL 2 - Developers use good design practices, but security is not a high priority.
3. EAL 3 - Developers provide moderate levels of security.
4. EAL 4 - Security configuration is based on good commercial development. This level is the common benchmark for commercial systems, including operating systems and products.
5. EAL 5 - Security is implemented starting in early design. It provides high levels of security assurance.
6. EAL 6 - Specialized security engineering provides high levels of assurance. This level will be highly secure from penetration attackers.
7. EAL 7 - Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.


Hardening the OS and NOS

Hardening an operating system (OS) or network operating system (NOS) refers to the process of making the environment more secure from attacks and intruders.

OS hardening includes support for encrypted files and the selection of a secure file system. This provides the proper level of access control and lets you address newly identified exploits by applying security patches, hotfixes, and service packs.


Configuring Network Protocols

Configuring an OS’s network protocols properly is a major factor in hardening. PC systems today primarily use three network protocols:

NetBIOS Extended User Interface (NetBEUI)
Transmission Control Protocol/Internet Protocol (TCP/IP)
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)

Each of these protocols can transport Network Basic Input/Output System (NetBIOS) across networks. NetBIOS protocol-enabled systems periodically announce names, service types, and other information on the networks bound to them. NetBIOS is also used for programming interfaces and other purposes.

TCP/IP is the primary network protocol used in networks today. Microsoft is concentrating more effort on making this protocol secure.

Don’t overlook the simple things. Applications such as Netscape, Internet Explorer, and Office are susceptible to exploitation. Make sure that all your applications are up to the current release level and that all security patches have been installed.

One of the primary methods of hardening an OS is to eliminate unneeded protocols.


Network Binding

Binding is the process of associating one protocol with another protocol or with a network card.

NetBIOS shouldn’t be bound to TCP/IP if at all possible. NetBIOS is a well established target of attackers. The problem lies in the fact that NetBIOS information becomes encapsulated in TCP/IP packets, making them vulnerable to sniffing.

When a server and a client attempt to communicate with each other they must first find a common language. They do so by trying different protocols based on the binding order. For that reason, the protocols most commonly used on the server/client should be at the top of the binding list.

NetBIOS binding to the TCP/IP network protocol

Network binding in a Windows XP system


Network Protocols

NetBEUI is a proprietary protocol developed by Microsoft for Windows networks. It is the least secure of the three network protocols. NetBEUI does not provide any security capabilities. NetBEUI packets reveal information on system configuration, running services, and other information. NetBEUI is not routable and is less efficient than IPX/SPX or TCP/IP in large networking environments.

Enabling a firewall to directly pass NetBEUI/NetBIOS traffic is a major security problem, especially if enabled on a Windows network. An attacker might be able to browse an entire network and exploit the peer-to-peer nature of Windows networks.

TCP/IP is vulnerable to all the threats discussed previously. For a system connected to the Internet or other large-scale network, the security of the system is tied to the vulnerability of TCP/IP. TCP/IP is now relatively secure. Many of the newer vulnerabilities are in the operating systems and applications that use TCP/IP as the transport.

IPX/SPX is an efficient, routable protocol that was originally designed for use with Novell NetWare systems. Today’s routers don’t generally route IPX/SPX unless specifically configured to do so. NetBIOS can be bound to IPX/SPX, and it won’t be vulnerable to external attack unless it is routed.


Hardening Microsoft Windows Vista

A new feature in this operating system is the ability to apply parental controls to accounts, found in the Set Up Parental Controls for Any User applet from the Control Panel.

You can also choose the Windows Vista web filter, which allows the setting of:

A web restriction level
Time limit settings and restriction of the hours the computer can be used
Blocking of file downloads
Choosing websites to allow/block

BitLocker is available with Windows Vista. BitLocker encrypts the drive contents so that data cannot be stolen. It can encrypt both user and system files, and is enabled or disabled by an administrator for all computer users. It requires Trusted Platform Module (TPM) hardware. Whole disk encryption helps mitigate the risks associated with lost or stolen laptops and the accompanying disclosure laws when the organization is required to report data breaches.


Hardening Microsoft Windows XP

There are multiple versions of Windows XP, including:

Home
Media Center
Professional

Microsoft has discontinued supporting XP in favor of Windows Vista.

Windows XP Professional has the ability to take advantage of the security possible from Windows 200x servers running Active Directory.

The service packs fix minor security openings within the operating system.

One of the best tools to look for possible illicit activity on a workstation is System Monitor. This utility can be used to examine activity on any counter, and excessive processor usage is one worth paying attention to if you suspect the workstation is affected or being illegitimately accessed. In previous versions of Windows, this utility was a standalone menu choice. With Windows XP, it became a subcomponent (a snap-in) in the Performance Console. Performance console is used for tracking and viewing the utilization of operating system resources. To access the Performance Console, choose Start > Run > and type perfmon.msc.

By default, System Monitor comes up showing three counters:

Pages/sec
Avg. Disk Queue Length
% Processor Time

To add more counters, right click in the right pane and choose Add Counters from the popup menu.


Hardening Windows Server 2003

Windows Server 2003 was released in four variants:

Web edition
Standard edition
Enterprise edition
Datacenter edition

This product introduced the following features to the Microsoft server line:

Internet connection firewall
Secure authentication (locally and remotely)
Secure wireless connections
Software restriction policies
Secure Web Server (IIS 6)
Encryption and cryptography enhancements
Improved security in VPN connections
PKI and X.509 certificate support


Group Policy enables you to:

Set consistent common security standards for users and computers
Enforce common computer and user configurations
Simplify computer configuration by distributing applications
Restrict the distribution of applications that may have limited licenses

With a Group Policy, you create restrictions (usually through predefined security templates) that will apply to workstations when users authenticate. Upon each authentication, those restrictions are applied as Registry settings, providing an efficient way to manage a large number of computers. The restrictions you set come from choices within template files.

The Group Policy object (GPO) is used to apply Group Policy to users and computers. GPOs can be associated with or linked to sites, domains, or organizational units. The group policies are applied to the computers on your network from the domain controllers. This method allows for centralized deployment and management. For example, you could use group policies to ensure that users must change their password at the next logon and must follow certain password guidelines.

Group Policies are applied in a specific order or hierarchy. By default, a group policy is inherited and cumulative. The settings actually applied to an object are a combination of all the settings that can affect the object. Group policies are applied from the bottom up, so if there is a conflict, the policy higher up in the list will prevail, unless it meets one of the exceptions such as block inheritance and loopback. You can use the Resultant Set of Policy (RSoP) tool to determine the effective settings on the computer that you are working from or on any other computer in a Windows Server 2003 AD domain. You can use the gpresult command to see what policy is in effect and to troubleshoot problems.

Security groups are used to create a set of users to which resource permissions are assigned. For example, you could create a security group for each department so that certain folders could only be accessed by a single department.
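The inheritance rules just described, as an added example that is not from the course material: a small Python model of Group Policy processing that produces an RSoP-style result for a computer in an OU. The site, domain, OU names, GPOs and settings are constructed, and the handling of processing order, block inheritance and enforced links is a simplified model of the Windows behaviour.

```python
"""Simulated Resultant Set of Policy (RSoP) for a chain of GPO links.

Constructed model, not the Windows implementation:
  - containers form a chain site -> domain -> OU -> child OU;
  - GPOs linked at each container apply after those of its parent, so the
    container closest to the computer wins a conflict;
  - a container with block_inheritance discards inherited GPOs, except GPOs
    marked enforced, which still apply and take precedence.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    enforced: bool = False


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def chain(target: Container) -> List[Container]:
    """Containers from the top of the hierarchy down to the target."""
    path = []
    while target is not None:
        path.append(target)
        target = target.parent
    return list(reversed(path))


def resultant_set(target: Container) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Return (effective settings, name of the GPO that supplied each value)."""
    normal: List[GPO] = []    # applied top-down; a later GPO overrides an earlier one
    enforced: List[GPO] = []  # applied after all normal GPOs, highest level last
    for container in chain(target):
        if container.block_inheritance:
            normal = []       # inherited, non-enforced links are dropped here
        for gpo in container.links:
            (enforced if gpo.enforced else normal).append(gpo)
    effective: Dict[str, object] = {}
    source: Dict[str, str] = {}
    for gpo in normal + list(reversed(enforced)):
        for key, value in gpo.settings.items():
            effective[key] = value
            source[key] = gpo.name
    return effective, source


# Constructed hierarchy: one site, one domain, a Workstations OU and a Finance child OU
SITE = Container("Default-First-Site", links=[
    GPO("Site-Default", {"screensaver_timeout": 900, "usb_storage": "allowed"}),
])
DOMAIN = Container("corp.example", SITE, links=[
    GPO("Domain-Password", {"min_password_length": 8,
                            "change_password_at_next_logon": True}, enforced=True),
    GPO("Domain-Baseline", {"firewall": "on"}),
])
WORKSTATIONS = Container("OU=Workstations", DOMAIN, links=[
    GPO("WS-Hardening", {"usb_storage": "blocked"}),
])
# Finance blocks inheritance and tries to weaken the password length
FINANCE = Container("OU=Finance", WORKSTATIONS, block_inheritance=True, links=[
    GPO("Finance-Lockdown", {"min_password_length": 6, "screensaver_timeout": 300}),
])


def report(target: Container) -> str:
    """gpresult-style text listing each effective setting and its winning GPO."""
    effective, source = resultant_set(target)
    lines = [f"Resultant Set of Policy for {target.name}"]
    for key in sorted(effective):
        lines.append(f"  {key} = {effective[key]!r}  (from {source[key]})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WORKSTATIONS))
    print(report(FINANCE))
```

The Finance result shows why an enforced domain password policy matters: the blocked inheritance removes the site and domain baselines, but the enforced GPO still wins over the weaker local setting.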


Hardening Microsoft Windows 2000

Windows 2000 includes workstation and several server versions. Windows 2000 provides a Windows Update icon on the Start menu, which allows you to connect to the Microsoft website and automatically download and install updates. A large number of security updates are available for Windows 2000—make sure they’re applied.

Some of the more attack-prone services include IIS, FTP, and other common web technologies. Make sure these services are disabled if they aren’t needed, and keep them up-to-date with the most recent security and service packs.

Microsoft implemented a directory service called Active Directory (AD) with Windows 2000. AD is the backbone for all security, access, and network implementations. AD allows full control of resources by administrators. AD functions are managed by one or more servers. These servers are connected in a tree structure that allows information to be shared or controlled through the entire AD structure. Group policies, security templates, and security groups are also available in Windows 2000.


Event Viewer enables you to view certain events that occur on the system.

Event Viewer maintains three log files:

One for system processes
One for security information
One for applications

The security log records security events, and is available for viewing only by administrators. For security events to be monitored, you must enable auditing. Another important security tool is Performance Monitor. This tool can be a lifesaver when you’re troubleshooting problems and looking for resource-related issues.


Hardening Unix/Linux

Over a dozen different versions of Unix are available; the most popular is a free derivative called Linux. Linux and Unix, when properly configured, provide a high level of security.

The product designers took an open-systems approach, meaning that the entire source code for the operating system was readily available, which allowed programmers, computer scientists, and systems developers to tinker with and improve the product.

Unix can run almost every protocol, service, and capability designed. You should run a script during system startup to configure the protocols and determine which services are started.

All Unix security is handled at the file level. Files and directories need to be established properly to ensure correct access permissions. The file structure is hierarchical by nature, and when a file folder access level is set, all subordinate file folders usually inherit this access. This inheritance of security is established by the systems administrator or by a user who knows how to adjust directory permissions.

Keeping patches and updates current is essential in Unix.

Linux also provides a great deal of activity logging, essential in establishing patterns of intrusion.

An additional method of securing Linux systems is accomplished by adding TCP wrappers, low-level logging packages designed for Unix. Wrappers provide additional detailed logging on activity using a specific protocol. Each protocol or port must have a wrapper installed for it. The wrappers then record activities and deny access to the service or server.
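An added example, not part of the course material, of the allow/deny decision a TCP wrapper makes for a protected service: a Python evaluator for hosts.allow and hosts.deny rules that also produces a log line for each decision. The rule files and client addresses are constructed, and host-name patterns and the wrapper's other options are not modelled.

```python
"""Offline evaluator for TCP wrapper style hosts.allow / hosts.deny rules.

Constructed for this example. It follows the tcpd search order (hosts.allow is
searched first and a match grants access, then hosts.deny, and a client that
matches neither file is allowed) but only handles IPv4 address patterns, not
host names, and records each decision the way the wrapper logs activity.
"""
import ipaddress
import re
from typing import List, Optional, Tuple


def _client_matches(pattern: str, client: ipaddress.IPv4Address) -> bool:
    """One client pattern: ALL, a dotted prefix such as 192.168.1., net/mask, or an address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # leading octets, e.g. "192.168.1."
        return (str(client) + ".").startswith(pattern)
    try:
        if "/" in pattern:                          # "network/mask" form
            return client in ipaddress.ip_network(pattern, strict=False)
        return client == ipaddress.ip_address(pattern)
    except ValueError:
        return False                                # host-name patterns are not resolved here


def _daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def _list_matches(spec: str, value, match) -> bool:
    """A list is 'a, b, c' optionally followed by 'EXCEPT d, e'."""
    head, _, tail = spec.partition(" EXCEPT ")
    items = [p for p in re.split(r"[,\s]+", head.strip()) if p]
    if not any(match(p, value) for p in items):
        return False
    return not _list_matches(tail, value, match) if tail else True


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (daemon_list, client_list) pairs; comments, blanks and options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))
    return rules


def decide(allow_text: str, deny_text: str, daemon: str, client_ip: str) -> Tuple[str, Optional[str]]:
    """Return ("allow"|"deny", the rule that matched, or None for the default allow)."""
    client = ipaddress.ip_address(client_ip)
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if _list_matches(daemons, daemon, _daemon_matches) and \
               _list_matches(clients, client, _client_matches):
                return verdict, f"{daemons} : {clients}"
    return "allow", None          # neither file matched: tcpd permits the connection


def log_line(daemon: str, client_ip: str, verdict: str) -> str:
    """Activity record in the spirit of the wrapper's syslog messages."""
    word = "connect" if verdict == "allow" else "refused connect"
    return f"{daemon}: {word} from {client_ip}"


# Constructed rule files for a host that only offers SSH to the LAN and loopback
HOSTS_ALLOW = """\
# allow the office LAN and the management network to reach sshd
sshd : 192.168.1. , 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.99
ALL  : 127.0.0.1
"""
HOSTS_DENY = "ALL : ALL\n"   # everything not explicitly allowed is refused


if __name__ == "__main__":
    for daemon, ip in (("sshd", "192.168.1.20"), ("sshd", "10.0.0.99"),
                       ("in.ftpd", "192.168.1.20"), ("vsftpd", "127.0.0.1")):
        verdict, rule = decide(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)
        print(log_line(daemon, ip, verdict), "->", rule)
```

Note the last branch of decide: with an empty hosts.deny the wrapper's default is to allow, which is why the catch-all ALL : ALL deny line is the usual starting point.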


Hardening Novell NetWare

Novell was one of the first companies to introduce a network operating system (NOS) for desktop computers, called NetWare, which provided the ability to connect PCs into primitive but effective LANs.

The most recent version of NetWare, version 6.5, includes file sharing, print sharing, support for most clients, and fairly tight security.

NetWare version 6.x is primarily susceptible to denial of service (DoS) types of attacks, as opposed to exploitation and other attacks. Novell support packs fix known problems with the OS and occasionally add functionality.

NetWare security is accomplished through a combination of access controls, user rights, security rights, and authentication.

The heart of NetWare security is the Novell Directory Service (NDS) or eDirectory (for newer Novell implementations). NDS and eDirectory maintain information about rights, access, and usage on a NetWare-based network.

Newer versions of NetWare support TCP/IP natively and are susceptible to the same types of attacks.


Hardening Apple Macintosh

Macintosh systems seem to be the most vulnerable to physical access attacks targeted through the console. The network implementations are as secure as those of any other operating system.

Macintosh security breaks down in its access control and authentication systems.

Macintosh uses a simple 32-bit password encryption scheme that is relatively easy to crack. The password file is located in the Preference folder; if this file is shared or is part of a network share, it may be vulnerable to decryption.

Macintosh systems have implemented TCP/IP networking as an integral part of the operating system.

To secure the system, verify that it is not configured to automatically log in a user at startup. Require a username and password in order to gain access to the Mac itself, as well as to the network. Configure a screensaver that requires a password to resume a session.

OS X, the successor to Macintosh, is a descendant of BSD-based Unix. As such, the information described in “Hardening Unix/Linux” applies.


Hardening Filesystems

File Allocation Table (FAT)

FAT is a Microsoft file system that provides share-level and user-level access privileges. If a user has the appropriate permission to a drive or directory, the user can access any file in that directory. The FAT file system offers the least security and is especially insecure in an Internet environment.

The New Technology File System (NTFS)

NTFS is a Microsoft file system that uses access control lists (ACLs) to configure permissions for users and groups. Each file, directory, and volume can have an assigned ACL. Each entry in the ACL can specify the access type granted. Encrypting File System (EFS) can also be used to encrypt data stored on the hard disk. Microsoft strongly recommends that all network shares be established using NTFS.


Novell NetWare Storage Services

NSS is Novell’s newest filesystem. It’s a proprietary environment for servers. NSS allows complete control of every file resource on a NetWare server. The NSS file system provides security, high performance, and large file storage capacities, and uses NDS or eDirectory to provide authentication for access.

Unix Filesystem

The Unix filesystem is a completely hierarchical filesystem. Each file, filesystem, and subdirectory has complete granularity of access control. The three primary attributes in a Unix file or directory are Read, Write, and Execute. The ability to individually create these capabilities, as well as to establish inheritance to subdirectories, gives Unix the highest level of security available for commercial systems. NTFS is based on this method of file organization.


Hierarchical file structure used in Unix and other operating systems


Network File System (NFS)

NFS is the Unix standard for remote file systems. NFS allows computers to mount a file system from a remote location, thereby enabling the client system to view the server’s storage as part of the local client.

Apple File Sharing (AFS)

AFS was intended to provide simple networking for Apple Macintosh systems. AFS allows the file owner to establish password and access privileges, similar to the Unix filesystem. OS X, the newest version of the Macintosh operating system, has more fully implemented a filesystem that is based on the Unix model. The major weakness of the operating system involves physical control of the systems.


Updating Your Operating System

Hotfixes

A hotfix makes repairs to a computer during its normal operation so that the computer can continue to operate until a permanent repair can be made. It usually involves replacing files with an updated version. A hotfix can also be referred to as a bug fix. Hotfixes are, typically, small and specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. A hotfix is related to a service pack and should be deployed with this in mind.

Service Packs and Support Packs

A service pack is a major, crucial update for the OS or application for which it is intended, and consists of a collection of all hotfixes and patches released to date since the OS or product was shipped. A service pack is mandatory for all users, addresses a new vulnerability, and should be deployed as soon as possible. Service packs are the least common type of update, often requiring extensive testing to ensure against service failure in integrated network environments before application. A support pack is another term used for service packs.

Patches

A patch is a temporary workaround of a bug or problem in code that is applied manually. Once more data is known about an issue, a service pack or hotfix may be issued to fix the problem on a larger scale. A patch should be installed on a server only after it has been tested on a non-production server and by the computing community. A common method for hackers to infect your systems is to send an official-looking e-mail about software that you need. The only way to ensure that a patch or service pack comes from the vendor is to go to the vendor’s Web site. This ensures that you are obtaining the security patch directly from the vendor.


Updating Network Devices

As a security administrator, you should make sure that software for devices such as routers and switches is kept up-to-date. These devices usually contain a ROM-based (read-only memory) OS and applications.

Routers have become increasingly complex, as have firewalls and other devices in your network. If they aren’t kept up-to-date, they will become vulnerable to new attacks or exploits.

Updating network switch firmware to newest versions, putting passwords on all remote-configurable network hardware, and locking down all unused ports on the firewall will contribute to network hardening.


Configuring Routers and Firewalls

Routers and firewalls are your front line of defense against attacks launched from outside the company network. Access control list (ACL) mechanisms are implemented in many routers, firewalls, and other network devices. You can configure and apply access control lists to the interfaces of routers to filter out unauthorized traffic. Through ACLs, you can design and change network security to counter specific security threats. ACLs can be configured on router interfaces for inbound and outbound packets. ACLs deployed on a router will improve network security by confining sensitive internal data traffic to computers on a specific subnet. An ACL can also be used to exclude a particular system, IP address, or user. The following can be configured in an ACL:

Source and/or destination IP address
Source and/or destination protocol number
Source and/or destination port number

The most essential operational aspects of network device hardening involve ensuring that your network devices run only necessary protocols, services, and access control lists.
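The ACL fields listed above, as an added example that is not from the course material: a Python packet filter that evaluates first-match entries on source and destination address, protocol and port, including the implicit deny at the end of the list and the inbound/outbound pairing on a router. The subnet, addresses and entries are constructed, and the entry format is a model rather than any vendor's syntax.

```python
"""Constructed model of an interface access control list (ACL), not any vendor's syntax.

Each entry carries the fields the text lists (source/destination address, protocol,
port). Entries are checked in order, the first match decides, and a packet that
matches no entry is dropped: the implicit deny at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                        # CIDR network or "any"
    dst: str
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _network(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _network(entry.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _network(entry.dst):
        return False
    if entry.src_port is not None and entry.src_port != pkt.src_port:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); ("deny", None) is the implicit deny."""
    for index, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return entry.action, index
    return "deny", None


def forward(inbound: List[Entry], outbound: List[Entry], pkt: Packet) -> bool:
    """A router applies the ingress interface's inbound ACL, then the egress interface's outbound ACL."""
    return evaluate(inbound, pkt)[0] == "permit" and evaluate(outbound, pkt)[0] == "permit"


# Constructed policy guarding a sensitive 10.10.20.0/24 subnet: exclude one outside
# network entirely, publish only the web front end (443), confine database traffic
# (1433) to the application subnet 10.10.30.0/24, and let DNS replies in.
SENSITIVE_IN = [
    Entry("deny",   "ip",  "203.0.113.0/24", "any"),                         # excluded network
    Entry("permit", "tcp", "any",            "10.10.20.10/32", dst_port=443),
    Entry("permit", "tcp", "10.10.30.0/24",  "10.10.20.0/24", dst_port=1433),
    Entry("permit", "udp", "any",            "10.10.20.0/24", src_port=53),
]
PERMIT_ALL = [Entry("permit", "ip", "any", "any")]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.7", "10.10.20.10", 40000, 443),
                Packet("tcp", "198.51.100.5", "10.10.20.10", 40001, 443),
                Packet("tcp", "10.10.30.5", "10.10.20.11", 40002, 1433),
                Packet("tcp", "192.168.5.5", "10.10.20.11", 40003, 1433)):
        print(pkt.src, "->", pkt.dst, pkt.dst_port, evaluate(SENSITIVE_IN, pkt))
```

The fourth sample packet is the one the text has in mind: database traffic from a workstation outside the application subnet matches nothing and is dropped by the implicit deny rather than by an entry you had to write.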


Hardening Applications

Application hardening includes reviewing default application administration accounts, standard passwords, and common services installed by default, and changing or disabling them as required. Applications must be kept in an updated state through the regular review of hotfixes, patches, and service packs.


Hardening Web Servers

Web servers are favorite areas for attackers to exploit. Every service and capability supported on a website is potentially a target for exploitation. Make sure they’re kept to the most current software standards. You must also make certain that you’re allowing users to have only the minimal permissions necessary to accomplish their tasks. If users are accessing your server via an anonymous account, then make certain the anonymous account has only the permissions needed to view web pages and nothing more. Filters allow you to limit the traffic that is allowed through. Limiting traffic to only that which is required for your business can help ward off attacks.

Executable scripts, such as Common Gateway Interface (CGI) scripts, often run at elevated permission levels. Under most circumstances this isn’t a problem; however, if the user can break out of the script while at the elevated level, then you have a problem. The best course of action is to verify that all scripts on your server have been thoroughly tested, debugged, and approved for use.


Hardening E-Mail Servers

An e-mail server is a middleman in the delivery of the message.

The primary firewall to protect you from e-mail viruses would be e-mail servers with active virus scanners.

E-mail servers detect the viruses in the messages received from various sources and send warnings to the recipient to warn him/her of the risky mail. This server has the necessary means to reject infected mail content.

SMTP is the primary protocol used in e-mail. An SMTP virus filter checks all incoming and outgoing e-mails for suspicious code. If a file is potentially infected, the scanner notifies the originator and quarantines the file.

E-mail virus scanner on an e-mail server


Hardening FTP Servers

FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. Always disable the anonymous user account. In most environments, FTP sends user IDs and password information unencrypted. This makes these accounts vulnerable to network sniffing. Most FTP servers allow you to create file areas on any drive on the system. You should create a separate drive or subdirectory on the system to allow file transfers. If possible, use virtual private network (VPN) or Secure Shell (SSH) connections for FTP-type activities.


Hardening DNS Servers

DNS is one of the most widely used directory services today.

DNS identifies individual computer systems on the Internet by mapping host and domain names to IP addresses (and, through reverse lookups, IP addresses back to names).

Because DNS servers store a great deal of information about the network and its configuration, they are a typical target of network footprinting attacks, which gather information about your network before an intrusion. To limit what footprinting can reveal, keep the information stored on externally reachable DNS servers to the minimum the public needs (published hosts such as web and mail servers), and keep internal names on internal servers only.

Limiting the dynamic registration of name-to-address records to authorized (authenticated) clients prevents an unauthorized entry from being created in the DNS server's zone database file.



The DNS server in Windows 2000 supports secure dynamic update for Active Directory-integrated zones: only authenticated clients can register or change records. This helps prevent DNS spoofing through rogue registrations and ensures that client systems are directed to the proper servers.

Configure DNS servers to perform zone transfers only to specific, named secondary DNS servers. An unrestricted zone transfer hands an attacker the complete map of your namespace in a single query.

For the perimeter network, use a separate DNS server. This server should not contain any information you do not want public users to access.

DNS Poisoning

Forged query results returned to the requesting client, or to a recursive resolver, can poison the DNS cache: the forged records are kept and served to every later client until they expire. Use a version of DNS that includes the corrections for DNS cache poisoning (random source ports and transaction IDs, and discarding records that lie outside the answering server's bailiwick), or obtain the relevant security patch to address this issue.
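The resolver-side checks that the "correction for DNS cache poisoning" consists of, as an added example that is not part of the course slides. Messages are modelled as small dataclasses rather than DNS wire format so the logic stays visible; the `Resolver` class, the record names and the addresses are constructed for the example.

```python
"""Added example (not from the course slides): the checks a recursive
resolver applies before it accepts an answer into its cache.

Two defenses are shown. Matching each reply against a random 16-bit
transaction ID *and* a random source port turns blind forgery into roughly
a 1-in-2^32 guess instead of 1-in-65536. The bailiwick rule drops any
record the answering server is not authoritative for, which is the fix for
the classic poisoning trick of smuggling a bogus record for some other
domain into an unrelated reply.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str
    rtype: str
    value: str


@dataclass
class Response:
    txid: int
    dst_port: int      # port the reply is addressed to (the resolver's source port)
    qname: str
    qtype: str
    records: list = field(default_factory=list)


@dataclass
class PendingQuery:
    txid: int
    src_port: int
    qname: str
    qtype: str
    zone: str          # zone the queried server is authoritative for


def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.pending = {}   # (txid, src_port) -> PendingQuery
        self.cache = {}     # (name, rtype) -> value

    def send_query(self, qname: str, qtype: str, zone: str) -> PendingQuery:
        """Use a fresh random ID and a random ephemeral port for every query."""
        q = PendingQuery(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512),
                         qname.lower().rstrip("."), qtype, zone)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def accept(self, resp: Response):
        """Return (accepted, reason); cache only what passes every check."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None:
            return False, "no pending query with that transaction ID and port"
        if (resp.qname.lower().rstrip("."), resp.qtype) != (q.qname, q.qtype):
            return False, "question section does not match the query"
        del self.pending[(resp.txid, resp.dst_port)]   # a reply is good once only
        kept = 0
        for rec in resp.records:
            if not in_bailiwick(rec.name, q.zone):
                continue                               # out of bailiwick: never cache
            self.cache[(rec.name.lower().rstrip("."), rec.rtype)] = rec.value
            kept += 1
        return True, f"cached {kept} record(s)"


if __name__ == "__main__":
    r = Resolver()
    q = r.send_query("www.example.com", "A", "example.com")
    # An off-path attacker has to guess the ID and port; this guess is wrong by one.
    forged = Response((q.txid + 1) & 0xFFFF, q.src_port, "www.example.com", "A",
                      [Record("www.example.com", "A", "203.0.113.9")])
    print("forged:", r.accept(forged))
    # The genuine reply carries a smuggled record for an unrelated domain.
    genuine = Response(q.txid, q.src_port, "www.example.com", "A",
                       [Record("www.example.com", "A", "198.51.100.7"),
                        Record("ns1.victim.example", "A", "203.0.113.9")])
    print("genuine:", r.accept(genuine), r.cache)
```

Older resolvers used a fixed source port and a predictable transaction ID, which is exactly the condition the 2008 patches removed; the bailiwick check is what keeps the `ns1.victim.example` record in the genuine reply out of the cache even though the reply itself is accepted.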

ARP Poisoning

Because ARP performs no validation, a device that sends an ARP request believes whatever ARP reply arrives, even one from a host that was never asked. This allows a perpetrator to convince a device that any IP address belongs to any MAC address, typically to place itself between a victim and its default gateway. Static ARP entries for critical hosts, switch features such as Dynamic ARP Inspection, and monitoring for changing IP-to-MAC bindings are the usual defenses.
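The monitoring defense, as an added example that is not part of the course slides: a passive ARP monitor that parses raw ARP packets and alerts when an address is claimed by a different MAC. The `ArpMonitor` class and the packets fed to it are constructed for the example, not taken from a real capture.

```python
"""Added example (not from the course slides): a passive ARP-spoofing monitor.

ARP has no authentication, so short of static entries or a switch feature
such as Dynamic ARP Inspection, the practical defense is to notice when the
IP-to-MAC binding for an address changes. The monitor parses raw ARP
packets (the 28-byte payload that follows the Ethernet header), learns the
first binding it sees for each IP address (or a binding you seed, such as
the gateway's) and alerts when a later packet contradicts it.
"""
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet/IPv4 ARP packet (used only to make sample traffic)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       _mac_bytes(sha), IPv4Address(spa).packed,
                       _mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(pkt: bytes) -> dict:
    """Decode the fixed ARP header; reject anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": _mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(IPv4Address(tpa))}


class ArpMonitor:
    def __init__(self):
        self.bindings = {}   # ip -> mac, from a seed or the first packet seen
        self.alerts = []

    def seed(self, ip: str, mac: str):
        """Pin a known-good binding (the default gateway is the usual candidate)."""
        self.bindings[ip] = mac.lower()

    def observe(self, pkt: bytes) -> bool:
        """Feed one ARP packet; return True if it contradicts a known binding."""
        a = parse_arp(pkt)
        ip, mac = a["spa"], a["sha"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return False
        if known != mac:
            kind = "reply" if a["oper"] == ARP_REPLY else "request"
            self.alerts.append(f"{ip} claimed by {mac} (known {known}) in ARP {kind}")
            return True
        return False


if __name__ == "__main__":
    gateway_ip = "192.168.1.1"
    legit = build_arp(ARP_REPLY, "00:11:22:33:44:01", gateway_ip,
                      "00:11:22:33:44:10", "192.168.1.10")
    spoof = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", gateway_ip,
                      "00:11:22:33:44:10", "192.168.1.10")
    mon = ArpMonitor()
    mon.seed(gateway_ip, "00:11:22:33:44:01")
    for pkt in (legit, spoof):
        mon.observe(pkt)
    print(mon.alerts)
```

Seeding the gateway binding matters: a monitor that only learns from traffic can be taught the attacker's MAC first if the attacker starts poisoning before the monitor does.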



Hardening File and Print Servers and Services

Determine whether file and print sharing is really needed. If it isn't, unbind NetBIOS from TCP/IP. Doing so disables Windows SMB file and print sharing over NetBIOS and reduces the risk of intruders gaining access to files on the hard drive. Note that on Windows 2000 and later, SMB also runs directly over TCP port 445 without NetBIOS, so the shares themselves must be removed (or the Server service stopped) as well.

Unprotected network shares are easy targets and consistently rank among the most exploited weaknesses.

Never share the root directory (C:) of a disk. A share on the root exposes every subdirectory beneath it, so an attacker who reaches the share reaches the entire drive.

Depending on the operating systems in use, there are two areas to look at: the Server Message Block (SMB) file-sharing protocol and the Common Internet File System (CIFS), the SMB dialect used by Windows and by Samba on Unix.

User education and mandatory settings can go a long way toward making sure that file sharing is not enabled unless needed.

Network share connection


Print servers pose several risks, including possible security breaches in the event that unauthorized parties access cached print jobs or sensitive printed material.

DoS attacks may be used to disrupt normal business, and network-connected printers require access authentication to prevent attackers from generating printed memos, invoices, or any other printed material.

Securing file and print sharing:
- Use an antivirus product that searches for CIFS worms
- Run intrusion testing tools
- Filter traffic on UDP/TCP ports 137, 138, 139, and 445 at the network perimeter
- On Unix systems, make sure port 111, the Remote Procedure Call (RPC) portmapper, is closed to untrusted networks
- Install proper firewalls



Hardening DHCP Services

Dynamic Host Configuration Protocol (DHCP) is used in many networks to automate the assignment of IP addresses to workstations. DHCP services can be provided by routers, switches, and servers. In a given network or segment only one DHCP server should be running; the exception is a deliberately redundant pair of DHCP servers configured with non-overlapping scopes. DHCP-enabled clients can also be serviced by a Network Address Translation (NAT) device that runs its own DHCP server. DHCP usage should be limited to workstation systems; servers and network devices should have static addresses.

If the OS in use does not support DHCP server authentication, attackers may configure their own DHCP servers within a subnet, taking control of the network settings (address, default gateway, DNS servers) of every client that obtains a lease from the rogue server. Microsoft's Active Directory requires that DHCP servers be authorized in the directory before they will hand out leases; on switches, DHCP snooping serves the same purpose by dropping server replies that arrive on untrusted ports.
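The rogue-server problem above, as an added example that is not part of the course slides: a detector that parses DHCP OFFER/ACK messages from the wire, extracts the server identifier, and compares it with the servers authorized for the segment. The `build_dhcp`/`classify` functions and the sample packets are constructed for the example.

```python
"""Added example (not from the course slides): spotting rogue DHCP servers.

Without server authentication, any host on the segment can answer a
DISCOVER. The detector parses DHCP server messages (the UDP payload: a
236-byte BOOTP header, the magic cookie, then TLV options), pulls the
server identifier (option 54) and compares it with the servers that are
supposed to hand out leases here, the same idea as Active Directory's
server authorization, applied from the wire side.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op..file, 236 bytes


def build_dhcp(msg_type: int, xid: int, yiaddr: str, server_id: str, router: str) -> bytes:
    """Construct a server->client DHCP message (sample traffic, not a real capture)."""
    header = struct.pack(BOOTP_FMT,
                         2, 1, 6, 0, xid, 0, 0,              # BOOTREPLY, Ethernet, hlen 6
                         b"\0" * 4, IPv4Address(yiaddr).packed,
                         IPv4Address(server_id).packed, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
               + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_options(payload: bytes) -> dict:
    """Walk the TLV option list that follows the BOOTP header and cookie."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:              # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify(payload: bytes, authorized: set) -> dict:
    """Return the message type, the claimed server, and whether it is rogue."""
    opts = parse_options(payload)
    msg_type = MSG_NAMES.get(opts.get(OPT_MESSAGE_TYPE, b"\0")[0], "?")
    server = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    router = str(IPv4Address(opts[OPT_ROUTER])) if OPT_ROUTER in opts else None
    verdict = {"type": msg_type, "server": server, "router": router}
    if msg_type in ("OFFER", "ACK"):       # only server messages can be rogue
        verdict["rogue"] = server not in authorized
    return verdict


if __name__ == "__main__":
    authorized = {"192.168.1.1"}
    good = build_dhcp(2, 0x1234, "192.168.1.50", "192.168.1.1", "192.168.1.1")
    # A rogue server offers a lease and names itself as the default gateway.
    bad = build_dhcp(2, 0x1234, "192.168.1.50", "192.168.1.66", "192.168.1.66")
    for pkt in (good, bad):
        print(classify(pkt, authorized))
```

The router option is reported alongside the server because a rogue server's usual goal is to become the default gateway, which turns the DHCP attack into a man-in-the-middle on every client that takes the lease.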


Working with Data Repositories

Directory services are tools that help organize and manage complex networks. They allow data files, applications, and other information to be quickly and easily located, and relocated, within a network. In addition to creating and storing data, directory services must publish the appropriate data to users. Security for directory services is typically accomplished by using both authentication and access control.


Lightweight Directory Access Protocol

LDAP is a standardized directory access protocol that runs over TCP/IP and allows queries to be made of directories (specifically, a pared-down X.500-based directory). It is the computer equivalent of a phone book.

If a directory service supports LDAP, you can query that directory with an LDAP client.

An LDAP directory is defined as a tree-like structure with entries, each of which consists of named attributes with values.

Services such as the storage and distribution of digital certificates can be handled by external servers running LDAP.

LDAP servers are exposed repositories that many other systems depend on. The primary concern is therefore the availability of the servers; the secondary consideration is maintaining the confidentiality and integrity of the information stored on them.

LDAP, by default, uses TCP port 389; LDAP over SSL/TLS (LDAPS) uses TCP port 636. Plain LDAP sends simple binds, including the password, in cleartext, so use LDAPS or StartTLS for anything beyond anonymous reads.


Directory structure showing unique identification of a user



Active Directory

Microsoft implemented a directory service called Active Directory (AD) with Windows 2000. AD is the backbone for all security, access, and network implementations on a Windows network and gives administrators central control of resources. It is accessed through directory protocols such as LDAP. One or more servers (domain controllers) manage AD functions; they are connected in a tree structure that allows information to be shared or controlled throughout the entire AD structure. In conjunction with Active Directory, LDAP uses four different name types:

- Distinguished Name (DN): Every object in AD has a DN, and DNs must be unique. A DN is the full path of the object, including every container, for example CN=Jane Doe,OU=Sales,DC=example,DC=com.
- Relative Distinguished Name (RDN): The portion of the name that is unique within its container (CN=Jane Doe in the example above). An RDN need not be unique across the whole directory, as long as there are no duplicates within its organizational unit (OU).
- User Principal Name (UPN): Often referred to as the friendly name. It consists of the user account name and the user's domain name in the form of an e-mail address (jdoe@example.com) and is used to identify the user at logon.
- Canonical Name: The DN written in top-down notation, domain first (example.com/Sales/Jane Doe). The textbook abbreviates this "CN"; do not confuse it with the CN= (common name) attribute that appears inside a DN.
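The relationship between the name forms, as an added example that is not part of the course slides: a small parser that splits a DN into its RDNs and derives the relative and canonical forms. It honours the backslash escaping of RFC 4514 so that a comma inside a value does not split the RDN; the `split_dn`, `relative_dn` and `canonical_name` names and the sample DNs are the example's own. A UPN is a separate attribute of the account and cannot be derived from the DN, so it is not computed here.

```python
"""Added example (not from the course slides): taking an AD/LDAP
distinguished name apart into the other name forms.

A DN is written leaf first ("CN=...,OU=...,DC=...,DC=..."); the canonical
form is the same path read top-down, DNS domain first. Values may contain
"," "+" "=" and similar characters only when escaped with a backslash, so
"CN=Doe\\, Jane" is one RDN, not two. (RFC 4514 hex escapes such as \\2C
are not handled here.)
"""


def split_dn(dn: str) -> list:
    """Split a DN into (ATTRIBUTE, value) pairs, leaf first, honouring backslash escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not attr.strip() or not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def relative_dn(dn: str) -> str:
    """The leaf RDN: the part that must be unique only within its container."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"


def canonical_name(dn: str) -> str:
    """Top-down form: DNS domain from the DC components, then the container path."""
    pairs = split_dn(dn)
    domain = ".".join(v for a, v in pairs if a == "DC")
    path = [v for a, v in reversed(pairs) if a != "DC"]
    return domain + "/" + "/".join(path)


if __name__ == "__main__":
    for dn in ("CN=Jane Doe,OU=Sales,DC=example,DC=com",
               "CN=Doe\\, Jane,OU=Sales,OU=EMEA,DC=example,DC=com"):
        print(split_dn(dn))
        print(" RDN:      ", relative_dn(dn))
        print(" Canonical:", canonical_name(dn))
```

Because the parser uppercases attribute types, "cn=jane doe" and "CN=Jane Doe" compare as the same attribute; values are left untouched because LDAP value matching rules differ per attribute.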



X.500

The International Telecommunication Union (ITU) published the X.500 standard, which was the basis for directory structures such as LDAP. The major problem with implementing a full-blown X.500 structure was its complexity. Novell was one of the first manufacturers to implement an X.500-style directory in its NetWare NDS product.

eDirectory

eDirectory is the backbone of newer Novell networks. It stores information on all system resources and users and any other relevant information about systems attached to a NetWare server. eDirectory is an upgrade and replacement for NDS and has gained wide acceptance.



Databases and Technologies

The primary tool for data management is the database. The relational database is the most common approach; it allows data to be viewed in dynamic ways based on the user's or administrator's needs. The most common language used to speak to databases is Structured Query Language (SQL). SQL allows queries to be composed in real time and passed to database servers. That flexibility becomes a major vulnerability when it isn't implemented securely: if untrusted input is pasted into a query, the input can rewrite the query (SQL injection). Database servers also suffer from all the vulnerabilities discussed so far. To improve system performance and the security of databases, companies have implemented tiered models of systems:

- One-tier model: The database and application reside on one system. The one-tier model is usually used to host a stand-alone database.
- Two-tier model: The application running on the client PC accesses a database hosted on a different server.
- Three-tier model: A middle-tier server receives and verifies requests from clients before passing them to the server on which the database resides. After the database server processes the request, it returns the result to the middle-tier server, which passes the data to the client. The middle-tier server provides additional security: clients never talk to the database directly, and the middle tier can validate and parameterize every request before it reaches the database.


The End