Virtual Directories: Attack Models and Prevention, June 2nd, 2009. Bill Claycomb, Systems Analyst, Sandia National Laboratories.
Virtual Directories: Attack Models and Prevention. June 2nd, 2009. Bill Claycomb, Systems Analyst, Sandia National Laboratories. Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

Agenda
Directory services and virtual directories
Threats to directory services
Attack models for directory services
– Preventing attacks on directory services
Protecting information in directory services
Future directions

Directory Services
Localized data store containing information about objects
– Users
– Computers
– Contacts, etc.
Provide information to applications
– Authentication and access control
– Contact information
– Group membership
Use the LDAP communication protocol
– Lightweight Directory Access Protocol

Directory Services Data
dn: cn=Joe User,dc=somedomain,dc=com
cn: Joe User
givenName: Joe
sn: User
telephoneNumber:
postalAddress: 123 Main St.
mail:
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
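The entry on this slide is in LDIF, the text form in which directory data is exported, imported and compared. The parser below is an added example (not code from the presentation or from Sandia) that turns LDIF text into a dictionary keyed by distinguished name, keeping multi-valued attributes such as objectClass as lists and handling the two LDIF details that trip up ad-hoc parsers: folded continuation lines (a leading space) and base64-encoded values (`::`). The sample entries, including the second entry and the phone and mail values, are constructed for this example.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF, modelled on the slide's entry. The telephoneNumber and
# mail values, and the whole second entry, are made up for this example.
# The continuation line under postalAddress starts with two spaces: LDIF strips
# the first one and keeps the rest.
SAMPLE_LDIF = """\
version: 1
dn: cn=Joe User,dc=somedomain,dc=com
cn: Joe User
givenName: Joe
sn: User
telephoneNumber: +1 505 555 0100
postalAddress: 123 Main St.
mail: joe.user@somedomain.com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: cn=Jane Admin,dc=somedomain,dc=com
cn: Jane Admin
sn: Admin
postalAddress: 1 Directory Way,
  Albuquerque
description:: SmFuZSBydW5zIHRoZSBkaXJlY3Rvcnk=
objectClass: person
objectClass: top
"""


def parse_ldif(text):
    """Parse LDIF text into {dn: {attribute: [values]}}.

    Handles folded lines, '#' comments, the optional version line,
    base64 values ('attr:: ...') and multi-valued attributes.
    """
    # Unfold first: a line beginning with a single space continues the previous one.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries = {}
    current = None
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current is not None:
                entries[current["dn"]] = dict(current["attrs"])
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = name.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "version" and current is None:
            continue
        if name.lower() == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is None:
            raise ValueError(f"attribute {name!r} appears before any dn")
        else:
            current["attrs"][name].append(value)
    return entries


def entries_of_class(entries, object_class):
    """Return the DNs whose objectClass list contains object_class (case-insensitive)."""
    wanted = object_class.lower()
    return sorted(dn for dn, attrs in entries.items()
                  if any(oc.lower() == wanted for oc in attrs.get("objectClass", [])))


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn, attrs in parsed.items():
        print(dn, attrs)
    print(entries_of_class(parsed, "inetOrgPerson"))
```

Because the parser returns plain dictionaries, two exports of the same subtree (for example one from a virtual directory and one from the authoritative server behind it) can be compared attribute by attribute, which is the basis of the consistency checks discussed later in the talk.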

Directory Services
Popular directory service implementations
– Windows Server Active Directory
– IBM Tivoli
– Apple Open Directory
– OpenLDAP
– Fedora Directory Server
– Sun JAVA System Directory Server

Virtual Directories (diagram: Client – Virtual Directory Server – Directory Servers)

Virtual Directories (diagram: Directory Servers and Data Stores – Synchronization – Virtual Directory Server)

Threats to Sensitive Directory Information
“Insider Threat Study: Illicit Cyber Activity in the Government Sector”, a study conducted by the U.S. Secret Service and CERT (2008), found:
– Most of the insiders had authorized access at the time of their malicious activities
– Access control gaps facilitated most of the insider incidents, including:
The ability of an insider to use technical methods to override access controls without detection
System vulnerabilities that allowed technical insiders to use their specialized skills to override access controls without detection

Attack Models on Virtual Directories
Authentication Attacks
Cache Attacks
Data Transformation Attacks
Network Attacks
Data Source Attacks

Authentication Attacks (diagram: User Credentials – Virtual Directory Server – Stored Credentials for each Destination Server)

Preventing Authentication Attacks
Require pass-through authentication
– Use a surrogate pass-through directory if necessary
Use restricted accounts when stored credentials are required

Cache Attacks (diagram: Client – Virtual Directory Server with High Speed Cache – Directory Servers)

Preventing Cache Attacks
Do not use cache for high-risk information
Require frequent consistency checks
Require datastore connectivity before returning any data
Protect cache on directory server

Data Transformation Attacks (diagram: Directory Servers – Virtual Directory Server – Data Transformation – Client; the example shows a (505) telephone number and the attribute US Citizen: N being delivered to the client as US Citizen: Y)

Preventing Data Transformation Attacks
Protect transformation scripts on virtual directory server
Do not allow transformation of sensitive data
Double-check sensitive data sent to client machines
Establish consistency checking on transformation scripts
– Monitor for changes
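The four controls on this slide can be expressed as a small policy layer in front of the transformation step. The code below is an added example, not part of the presentation or of any virtual directory product: it keeps a digest baseline of the transformation scripts and reports additions, removals and edits; it refuses to run a transform against attributes on a sensitive list (so a tampered registry cannot flip the US Citizen flag shown on the previous slide); and it re-compares sensitive attributes against the authoritative values just before a response goes to the client. The script text, the attribute names and the phone formatting rule are constructed for the example; in a deployment the scripts would be files on the virtual directory server and the baseline would be stored and checked from a separate host.

```python
import hashlib

# Attributes the virtual directory must never transform (policy list, constructed).
SENSITIVE_ATTRIBUTES = frozenset({"usCitizen", "clearance"})


def script_digest(script_text):
    """SHA-256 of a transformation script's source text; its integrity baseline."""
    return hashlib.sha256(script_text.encode("utf-8")).hexdigest()


def build_baseline(scripts):
    """Snapshot the digest of every script. Keep the result off the directory host."""
    return {name: script_digest(text) for name, text in scripts.items()}


def check_scripts(scripts, baseline):
    """Return the names of scripts added, removed or modified since the baseline."""
    drift = []
    for name in set(scripts) | set(baseline):
        if name not in scripts or name not in baseline:
            drift.append(name)
        elif script_digest(scripts[name]) != baseline[name]:
            drift.append(name)
    return sorted(drift)


def format_phone(value):
    """Harmless transform: render a 10-digit number as (505) 555-0100, else pass through."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) != 10:
        return value
    return f"({digits[:3]}) {digits[3:6]}-{digits[6:]}"


def apply_transforms(entry, transforms):
    """Apply registered transforms attribute by attribute.

    A transform registered for a sensitive attribute is refused outright rather
    than run, which closes the 'rewrite usCitizen N -> Y' path from the slide.
    """
    result = {}
    for attr, value in entry.items():
        if attr in transforms:
            if attr in SENSITIVE_ATTRIBUTES:
                raise PermissionError(f"refusing to transform sensitive attribute {attr!r}")
            result[attr] = transforms[attr](value)
        else:
            result[attr] = value
    return result


def verify_sensitive(delivered, authoritative):
    """Double-check before the response leaves the server: sensitive attributes
    sent to the client must equal the authoritative values. Returns the
    attributes that differ (empty list means the response is consistent)."""
    return sorted(attr for attr in SENSITIVE_ATTRIBUTES
                  if attr in authoritative and delivered.get(attr) != authoritative[attr])


# Constructed script store, standing in for script files on the virtual directory server.
SCRIPTS = {
    "format_phone": "digits = ''.join(c for c in value if c.isdigit())\n"
                    "return f'({digits[:3]}) {digits[3:6]}-{digits[6:]}'",
}
# Transform registry: attribute name -> callable (constructed).
TRANSFORMS = {"telephoneNumber": format_phone}

if __name__ == "__main__":
    baseline = build_baseline(SCRIPTS)
    entry = {"cn": "Joe User", "telephoneNumber": "5055550100", "usCitizen": "N"}
    delivered = apply_transforms(entry, TRANSFORMS)
    print(delivered)
    print("script drift:", check_scripts(SCRIPTS, baseline))
    print("sensitive mismatches:", verify_sensitive(delivered, entry))
```

Running `check_scripts` on a schedule (and on every deployment) covers the "monitor for changes" bullet; `verify_sensitive` is the last line of defence if both the scripts and the policy list on the server are compromised, since it compares against values fetched from the authoritative store rather than anything the transformation layer produced.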

Network Attacks (diagram: Directory Server – Virtual Directory Server; the message “Change Detected: Disable Account X” is sent between them; accounts X, Y, Z)

Preventing Network Attacks
Detect inconsistencies in data stores
Require consistency checking at standard intervals
Require consistency checking after network disruption
Require transactions to be atomic and durable

Data Source Attacks (diagram: Authoritative Data Store – Synchronization – Virtual Directory Server – Account Store; the account tables show accounts X, Y, Z with Enabled values Y, Y, N, and account Z changing to Enabled: Y in both the authoritative data store and the account store)

Preventing Data Source Attacks
Protect authoritative data sources
Monitor sensitive data modifications
Protect sensitive data
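The cache, network and data source slides all come down to the same mechanism: compare what one store holds against what another store (or an earlier snapshot of the same store) holds, and decide when that comparison must run. The following added example, which is not code from the presentation, implements that in one place: `diff_records` reports attribute-level discrepancies between two account snapshots, `consistency_check` uses it from the virtual directory's side to catch both a lost "disable account X" notification and a change that propagated from a tampered source, `sensitive_modifications` uses it on two snapshots of the authoritative store to flag edits to sensitive attributes for review against approved change records, and two small policy functions encode the cache rules (no sensitive data from cache, stale entries refreshed, nothing served while the data store is unreachable) and the check schedule (regular interval, plus immediately after a network disruption). The snapshots mirror the account tables on the Data Source Attacks slide; the mail values, the attribute names and the 300-second cache age are constructed.

```python
# Attributes that are never answered from cache and whose changes are always
# reported (policy list, constructed for this example).
SENSITIVE_ATTRIBUTES = frozenset({"enabled", "usCitizen"})
MAX_CACHE_AGE_SECONDS = 300  # constructed value

# Constructed snapshots matching the slide: the authoritative store lists account Z
# as disabled, but the synchronized account store shows it enabled.
AUTHORITATIVE = {
    "X": {"enabled": "Y", "mail": "x@somedomain.com"},
    "Y": {"enabled": "Y", "mail": "y@somedomain.com"},
    "Z": {"enabled": "N", "mail": "z@somedomain.com"},
}
ACCOUNT_STORE = {
    "X": {"enabled": "Y", "mail": "x@somedomain.com"},
    "Y": {"enabled": "Y", "mail": "y@somedomain.com"},
    "Z": {"enabled": "Y", "mail": "z@somedomain.com"},
}


def diff_records(reference, other, attributes=None):
    """Compare two {account: {attr: value}} snapshots.

    Returns a sorted list of (account, attribute, reference_value, other_value).
    An account present on only one side is reported with the pseudo-attribute
    "<presence>" and booleans for the two values. If attributes is None every
    attribute seen on either side of an account is compared.
    """
    findings = []
    for acct in sorted(set(reference) | set(other)):
        ref, oth = reference.get(acct), other.get(acct)
        if ref is None or oth is None:
            findings.append((acct, "<presence>", ref is not None, oth is not None))
            continue
        attrs = attributes if attributes is not None else sorted(set(ref) | set(oth))
        for attr in attrs:
            if ref.get(attr) != oth.get(attr):
                findings.append((acct, attr, ref.get(attr), oth.get(attr)))
    return findings


def consistency_check(authoritative, replica):
    """Replica-side check run by the virtual directory: any difference from the
    authoritative store is a finding, whether caused by a dropped change
    notification (network attack) or by an edit at the source (data source attack)."""
    return diff_records(authoritative, replica)


def sensitive_modifications(previous_snapshot, current_snapshot):
    """Source-side monitoring: only changes to sensitive attributes, or accounts
    appearing/disappearing, between two snapshots of the authoritative store."""
    return [f for f in diff_records(previous_snapshot, current_snapshot)
            if f[1] in SENSITIVE_ATTRIBUTES or f[1] == "<presence>"]


def may_serve_from_cache(attribute, cached_at, now, datastore_reachable):
    """Cache policy from the slides: nothing is returned unless the data store is
    reachable, sensitive attributes are never served from cache, and a cached
    value older than MAX_CACHE_AGE_SECONDS must be refreshed first."""
    if not datastore_reachable:
        return False
    if attribute in SENSITIVE_ATTRIBUTES:
        return False
    return (now - cached_at) <= MAX_CACHE_AGE_SECONDS


def check_due(last_check, now, interval, network_disrupted):
    """A consistency check is due at the regular interval, and immediately after
    a network disruption regardless of when the last one ran."""
    return network_disrupted or (now - last_check) >= interval


if __name__ == "__main__":
    for finding in consistency_check(AUTHORITATIVE, ACCOUNT_STORE):
        print("replica drift:", finding)
    earlier = {"Z": {"enabled": "N", "mail": "z@somedomain.com"}}
    later = {"Z": {"enabled": "Y", "mail": "z-new@somedomain.com"}}
    for finding in sensitive_modifications(earlier, later):
        print("sensitive change at source:", finding)
```

The replica-side and source-side checks deliberately use the same comparison: the virtual directory cannot tell a lost notification from a malicious source edit, so it reports every difference, while the source-side monitor narrows to sensitive attributes so that the change can be matched against a ticket or approval before the synchronized stores trust it.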

Protecting Sensitive Directory Information Personal Virtual Directory Service

Protecting and Delegating Access: New Approach
S – symmetric data encryption key
K_rw / K'_rw – public/private key pair for signing data
K_ux – data user public key
K_o / K'_o – data owner public/private key pair
ID_o – data owner identifier

Personal Virtual Directory Service Components (diagram)

Advantages of PVDS
Uses existing key management infrastructure
Little client modification
No user-based key protection
Directory independent
– Can be extended to protect databases as well
Performance impact largely confined to clients utilizing PVDS capabilities

Future Directions
Implement attack models to determine feasibility
Explore attacks on various VDS implementations
Identify additional attacks on virtual directory servers
PVDS
– Reduce the impact of working with encrypted attributes
– Analyze impact to different types of data sources
– Consider how security policies may conflict with using a virtual directory to manage security
– Usability studies

Questions