LDAP Security
Peter Shipley, Chief Security Architect, +1 650 404 3292
©Copyright 1999 Peter Shipley

Outline
- What is LDAP
- Why do we need LDAP
- What uses does it have
- What are the potential dangers
- Methods of attack

What Is LDAP
X.500 is a model for directory services in the OSI model. The DAP (Directory Access Protocol) runs over the OSI network protocol stack and is fairly "heavyweight". Therefore, the University of Michigan developed a "lightweight" version of DAP, running over TCP/IP instead of the OSI stack, and called it LDAP.

What Is LDAP
A directory is essentially a database, but it tends to contain more descriptive, attribute-based information. The information in an LDAP directory tends to be read far more often than it is written, so LDAP has been designed to be read-optimized.

What kind of information can be stored in the directory?
The LDAP directory service model is based on entries. An entry is a collection of attributes that has a name, called a DN (distinguished name).

What kind of information can be stored in the directory?
The DN is used to refer to the entry unambiguously. Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like "cn" for common name or "mail" for e-mail address. The values depend on what type of attribute it is. For example, the DN "cn=John Doe,ou=People,o=Example" names one entry, whose "cn" attribute has the value "John Doe".

What operating systems support it?
Since many of these packages come with source, LDAP is really available under any operating system.

What software is out there
- OpenLDAP
- UMich's original LDAP server
- Netscape Directory Server
- Sun's LDAP server
- and even Microsoft is jumping on the LDAP bandwagon with Windows 2000 and Active Directory

What applications are there
Not only are there a lot of servers out there, there are also a lot of applications that are LDAP-enabled. Being LDAP-enabled essentially means that the application is able to retrieve information via LDAP.

What applications are there
Examples of LDAP-enabled applications would be:
- Netscape Messaging Server
- Netscape Calendar
- Sun's SIMS mail server
- sendmail (with ldapx extensions)

What are people using LDAP for?
- Personal directory services
- Mail routing
- Login / password authentication
- PKI
- IP address distribution (linking with the DNS and DHCP protocols)

What are people using LDAP for?
Because of the push for centralization of information, don't be surprised if nearly every new network application that comes to market in the near future supports LDAP.

What are people using LDAP for?
Within companies like Intel and Motorola, which are based around X.500 and DAP, there is a big push for putting DAP->LDAP gateways in place and, ultimately, relying on LDAP for everything. This includes HR records, badging systems, etc.

What are the Dangers?
- All the eggs in one basket
- New/untested technology
- Inexperienced administrators / contractors
- History repeating itself (YP/NIS, DNS (v2), "Registry" services, etc.)

What are the Dangers?
- Because DAP is in a lot of places, there are very insecure and poorly coded DAP->LDAP gateways out there.
- Default permissions (ACLs etc.) for LDAP are very insecure.
- A single "control all" Directory Manager user whose password, in all of the current APIs, is present in plain text. Very little work has gone into real authentication methods.

What are the Dangers?
- Code exploits are already being discovered and published.
- DoS attacks are coming into use: flooding the server with (simple) queries, or flooding the server with expensive operations.
- The service is only as secure as the server it runs on.

What are the Dangers?
- Data harvesting: spammers harvesting e-mail addresses; system crackers harvesting account names and passwords.
- Data modification: there are no automated data/content integrity auditing tools (yet), and commercial auditing products do not address LDAP (yet).

How one can locate an LDAP server
Port scan, on the standard LDAP and LDAP-over-SSL ports: nmap -P0 -p 389,636 <target network>/24
Firewalling is the best protection, as is log monitoring.

How one can locate an LDAP server
DNS: SRV records (RFC 2052), which advertise the hosts and ports that provide a service. Companies also seem to name servers after their purpose (ldap.<company>.com). A large number of sites are beginning to use RFC 2052.

How one can locate an LDAP server
Referrals: LDAP URLs and X.500 server links. By doing a directory tree walk, a "bot" can search for and locate external referrals for later data harvesting.

How Bad is it?
A random survey of LDAP-enabled sites on the Internet found that a relatively large number had sensitive information available via anonymous authentication.

How Bad is it?
The same survey found that a relatively large number of LDAP-enabled sites did not use SSL-secured connections, and thus used "simple passwords" (sent in the clear) as their primary authentication method. Due to the high transaction speed of LDAP servers, one can attempt a dictionary attack against such a server with relatively high speed.

How Bad is it?
Data found on such systems included access passwords (cleartext), full usernames and semi-personal information such as office and home phone numbers, postal addresses, employee status, and encrypted (hashed) login passwords. This personal information led to the speedy cracking of most of the encrypted login passwords.
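As an added example (not part of the slides) tying the entry model described earlier to this finding: a small Python script that parses an LDIF dump of the kind an anonymous bind can return, then guesses each entry's hashed userPassword from that same entry's own attributes (name parts, phone and room digits). The sample directory, salts and passwords are constructed for the example; the {SSHA} format is the one OpenLDAP and Netscape servers store.

```python
import base64
import hashlib
import re

# Added example, not from the slides. SAMPLE_LDIF is constructed data: person entries
# as a harvester would dump them over an anonymous connection from a server whose
# ACLs expose userPassword. Salts and passwords are made up.
def make_ssha(password, salt):
    """{SSHA} as stored by OpenLDAP/Netscape: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

SAMPLE_LDIF = f"""dn: uid=jdoe,ou=people,dc=example,dc=com
cn: John Doe
sn: Doe
telephoneNumber: +1 650 555 4321
postalAddress: 123 Main St
 , Sunnyvale CA
description:: {base64.b64encode(b'Badge 0042').decode()}
userPassword: {make_ssha('doe4321', bytes.fromhex('01020304'))}

dn: uid=msmith,ou=people,dc=example,dc=com
cn: Mary Smith
sn: Smith
roomNumber: 12
userPassword: {make_ssha('smith12', bytes.fromhex('a5a5a5a5'))}

dn: uid=tcontract,ou=people,dc=example,dc=com
cn: Temp Contractor
sn: Contractor
userPassword: welcome1

dn: cn=Directory Manager,dc=example,dc=com
cn: Directory Manager
userPassword: {make_ssha('correct horse battery staple 9!', bytes.fromhex('deadbeef'))}
"""

LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?)\s*(.*)$")

def parse_ldif(text):
    """LDIF -> list of {attribute (lowercased): [values]}, 'dn' included.
    Handles continuation lines (leading space) and base64 values ('::')."""
    logical = []
    for raw in text.splitlines():          # fold continuation lines first
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical + [""]:            # a blank line ends an entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("bad LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode()
        cur.setdefault(attr.lower(), []).append(value)
    return entries

PERSONAL = ("cn", "sn", "uid", "mail", "telephonenumber", "roomnumber", "description")
COMMON = ("password", "secret", "welcome", "changeme")

def candidates(entry):
    """Guesses derived from the entry itself: name parts plus phone/room digits."""
    words, digits = set(), set()
    for attr in PERSONAL:
        for value in entry.get(attr, []):
            for tok in re.split(r"[^A-Za-z0-9]+", value):
                if len(tok) >= 2:
                    (digits if tok.isdigit() else words).add(tok)
    guesses = set(COMMON) | digits
    for w in words:
        guesses.update((w, w.lower(), w.capitalize()))
        for d in digits:
            guesses.update((w.lower() + d, w.lower() + d[-4:]))
    return guesses

def check_hash(stored, guess):
    """Verify a guess against a {SSHA} userPassword value (other schemes: not handled)."""
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[6:])
        return hashlib.sha1(guess.encode() + blob[20:]).digest() == blob[:20]
    return False

def recover_passwords(entries):
    """dn -> password for every entry stored in the clear or guessable from its own data."""
    found = {}
    for entry in entries:
        dn = entry["dn"][0]
        for stored in entry.get("userpassword", []):
            if not stored.startswith("{"):
                found[dn] = stored         # cleartext: nothing to crack
                break
            for guess in sorted(candidates(entry)):
                if check_hash(stored, guess):
                    found[dn] = guess
                    break
    return found
```

Running recover_passwords(parse_ldif(SAMPLE_LDIF)) returns the contractor's cleartext password directly and cracks the two hashed ones within a few dozen guesses, because the "secret" is the surname plus the last four digits of a phone number that sits in the very same entry. The Directory Manager's long passphrase survives, which is the point: hashing helps, but it is no substitute for denying anonymous read access to userPassword in the first place.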

What can be done
Use strong authentication. Dedicate a server (don't bundle services).

What can be done
LDAP generally comes with several authentication methods for securing data:
- Anonymous authentication
- Simple passwords
- SSL (with simple passwords)
- SSL (with certificate authentication)
- Kerberos

Anonymous Authentication
This method of authentication refers to non-authenticated connections and is useful for making non-restricted data available (e.g. phone/office numbers, finger information, etc.). Anything reachable this way must be treated as public.

Simple Passwords
This authentication method relies on simple cleartext passwords (similar to telnet). It is considered the most insecure authentication method, yet it is also the most used.
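An added example, not from the slides, of why "similar to telnet" is exact: the Python below hand-encodes an LDAPv3 simple BindRequest from its BER definition (RFC 2251) and then parses it back the way a passive sniffer would. The DN and password are made-up sample values.

```python
# Added example, not from the slides: an LDAPv3 simple BindRequest built by hand
# from its BER definition (RFC 2251) and parsed back the way a passive sniffer
# would. Without TLS the DN and password cross the wire exactly like this.
# The DN and password used below are made-up sample values.

def ber_length(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(body)) + body

def ber_integer(value):
    """Non-negative INTEGER, padded so the top bit never reads as a sign bit."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def bind_request(message_id, dn, password):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
                                               simple [0] OCTET STRING }"""
    simple = tlv(0x80, password.encode())       # [0] IMPLICIT OCTET STRING: raw password
    bind = tlv(0x60, ber_integer(3) + tlv(0x04, dn.encode()) + simple)
    return tlv(0x30, ber_integer(message_id) + bind)

def ber_read(buf, pos=0):
    """Return (tag, value, position after the element) for the element at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                            # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def sniff_simple_bind(pdu):
    """What tcpdump/Wireshark recovers from one captured simple bind:
    (message_id, version, dn, password). Refuses anything that is not one."""
    tag, message, _ = ber_read(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, message_id, pos = ber_read(message)
    tag, bind, _ = ber_read(message, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = ber_read(bind)
    _, dn, pos = ber_read(bind, pos)
    tag, credentials, _ = ber_read(bind, pos)
    if tag != 0x80:
        raise ValueError("SASL bind, not a simple password")
    return (int.from_bytes(message_id, "big"), int.from_bytes(version, "big"),
            dn.decode(), credentials.decode())

if __name__ == "__main__":
    pdu = bind_request(1, "cn=Directory Manager", "secret")
    print(pdu.hex())
    print(sniff_simple_bind(pdu))
    print(b"secret" in pdu)       # the password is a verbatim substring of the packet
```

Two things follow from the encoding. The password is an unencoded substring of the packet, so anyone on the path reads it with no cryptanalysis at all; and an online dictionary attack is nothing more than this same 40-byte PDU resent with a different credential field as fast as the server answers. One further caveat a practitioner should know: under the LDAP specification (RFC 4513) an empty password turns a simple bind into an anonymous or "unauthenticated" bind even when a DN is supplied, so an application must never take "bind succeeded" with an empty password as proof of identity.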

SSL (with simple passwords)
This authentication method relies on simple passwords sent over a secured/encrypted link. It is a much more secure method than bare simple passwords (nothing can be sniffed), but it is still simple to attack with brute-force password guessing, since the server answers bind attempts as fast as they arrive.

SSL (with certificate authentication)
This is one of the more secure methods, since the user cryptographically authenticates with a digital certificate. The downside of this method is cost and scalability (issuing and managing a certificate per user).

Kerberos
Kerberos is a ticket-based authentication scheme (shared secrets and a trusted key distribution centre rather than per-user certificates) that is scalable as well as cost effective. Kerberos can, however, be the most complex to set up.
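As an added example, not from the slides, the dangers listed earlier (insecure default ACLs, a cleartext "control all" Directory Manager password, query floods and tree-walking bots) and the authentication methods just described, expressed as OpenLDAP slapd.conf fragments: first a weak configuration of the shape the slides warn about, then a hardened one. File paths, DNs, the Kerberos realm and the hash placeholder are assumptions; directive names are OpenLDAP's own.

```conf
########## Weak: the shape the slides warn about (constructed, do not use)
# Control-all account with its password in the clear in the config file,
# and an ACL that lets anyone read everything, userPassword included.
rootdn   "cn=Directory Manager,dc=example,dc=com"
rootpw   secret
access to * by * read

########## Hardened
rootdn   "cn=Directory Manager,dc=example,dc=com"
# Hash produced by slappasswd, never the cleartext value.
rootpw   {SSHA}<hash-from-slappasswd>
# Hash userPassword on write so a leaked dump is not immediately usable.
password-hash {SSHA}

# Server certificate. TLSVerifyClient lets clients present certificates
# (SASL EXTERNAL) without forcing every client to have one.
TLSCACertificateFile   /etc/ldap/ca.pem
TLSCertificateFile     /etc/ldap/server.pem
TLSCertificateKeyFile  /etc/ldap/server.key
TLSVerifyClient        try
# Simple (password) binds and all updates only over a 128-bit encrypted session.
security simple_bind=128 update_ssf=128
# SASL: no anonymous and no cleartext mechanisms.
sasl-secprops noanonymous,noplain
# Map a Kerberos (GSSAPI) principal uid@EXAMPLE.COM to its directory entry.
authz-regexp "uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth"
             "uid=$1,ou=people,dc=example,dc=com"

# Blunt query floods and tree-walking bots; log every operation for monitoring.
sizelimit 500
timelimit 60
loglevel  stats

# Least privilege, first matching rule wins: secrets to nobody (auth only),
# home contact details to authenticated users, the public phone book to all.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=homePhone,homePostalAddress
        by self write
        by users read
        by * none
access to attrs=entry,objectClass,cn,sn,mail,telephoneNumber,roomNumber
        by * read
access to *
        by users read
        by * none
```

The ordering of the access rules matters: OpenLDAP stops at the first "access to" clause whose target matches, so the userPassword rule has to come before the catch-all, and "by anonymous auth" grants exactly enough to compare a password during a bind without ever returning the attribute. The anonymous "phone book" slice corresponds to the data the slides call non-restricted; everything else needs an authenticated session, and the session itself must be encrypted before a password is accepted.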

Other References
- "Understanding and Deploying LDAP Directory Services", Howes, Smith and Good
- "LDAP Programming: Directory-Enabled Applications with Lightweight Directory Access Protocol", Howes and Smith

Other References
- Bugtraq searchable archives
- RFC 2052, "A DNS RR for specifying the location of services (DNS SRV)", Paul Vixie
- LDAP related RFCs
- RFC "Simple Authentication and Security Layer" (SASL)
