Slide 1: Information Technology – Registry Services Security: LDAP-based Attributes and Authentication
Slide 2: Presentation Goals (Information Technology, 6/1/2015)
Describe:
– The Registry
– Its use for authentication
– Its use for attribute information
– Security of Registry information
Slide 3: The Registry
– A database exposed through LDAP protocols
– Populated from both authoritative and other sources
– Failure-tolerant architecture
– Looks like a directory with more data items
– But it’s NOT the “white pages”
Slide 4: What Data Items?
– Names, addresses, phone numbers
– Affiliations, positions, locations, groups
– E-mail routing
– Passwords and certificates
– Entitlements
– Optional information
– Standards-based items
Slide 5: LDAP Cluster
[Diagram labels: SES, HRIS, Load balancing, Replication, Extraction, IT Computing Services, SNAP, Registry (registry.northwestern.edu), White Pages (directory.northwestern.edu). Note: schematic – not an engineering representation]
Slide 6: Access to Data Items
Access is controlled in four ways:
– Anonymous bind to registry is reserved to known e-mail hosts
– User binding restricted by IP address
– Attribute retrieval protected by application credentialing and Access Control Lists
– White pages is an extract of registry data
Slide 7: Anonymous Binding
– Appropriate for white pages lookup
– Fast – no encryption
– Program binds, then queries by indexed attribute
– Return is defined by ACL
[Diagram: Eudora, Outlook, Relay, ?? → LDAP Service]
Slide 8: User Binding
– The only means to check username and password validity
– Restricted by IP address to avoid brute-force attacks
– Encrypted via SSL
– Will eventually be isolated from the application by SSO
– Return is defined by ACL
[Diagram: SES, SNAP, Hecky → LDAP Service]
Slide 9: Attribute Retrieval Binding
– Application presents assigned credentials to bind as itself
– Queries and receives return defined by unique ACL
– Encrypted via SSL
– Ex: from NetID get DN
[Diagram: NUTV, VPN, Course Mgmt → LDAP Service]
Slide 10: IP Address Restrictions
– Restriction of LDAP protocols by IP address is performed by ITCS firewall
– Request-specific ACL limits exposure of data items
[Diagram labels: ACLs, Registry Data, LDAP, Registry]
Slide 11: Use of Bindings
– Anonymous binding is used by e-mail clients
– Access to Registry is strictly controlled
– Passwords and private attributes are protected via SSL

Bindings            Registry                   Directory
Anonymous           Restricted by IP address   Governed by privacy rules
User (SSL)          Restricted by IP address   Not permitted
Application (SSL)   Credentials required       Directory web page only
Slide 12: Typical Three-Step Scenario
– Binding with DN and password is IP-restricted and isolated from application coding
– Binding as an application presents credentials defining returned attributes
[Diagram: Web Server (LDAP plug-in) and Application Server (LDAP plug-in) talk to the Registry; transaction data including NetID passes from the web server to the application server]
1. Bind as web server, search by NetID for DN, then
2. Bind by DN to validate password (SSL)
3. Bind as application – Key: NetID; Return: attributes
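The following is an added example, not code from the presentation or from the Registry service, that models the access controls described on slides 6, 10 and 11 (firewall rules per bind type, request-specific ACLs trimming what a binding may receive) and then walks the three-step scenario of slide 12 against that model. Every DN, attribute name, IP range, ACL entry and credential below is a constructed assumption; in the real deployment the IP restriction lives in the ITCS firewall and the ACLs in the LDAP server, not in application code.

```python
"""Toy model of the Registry's binding modes and the three-step login.
Constructed example (assumed DNs, attributes, IP ranges, ACLs, secrets)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


def _digest(secret: str) -> str:
    # Stand-in for the directory's credential storage, only so the toy can
    # compare secrets without keeping them in clear text.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed registry entries keyed by DN.
ENTRIES = {
    "uid=jdoe,ou=people,dc=example,dc=edu": {
        "uid": "jdoe",
        "cn": "Jane Doe",
        "mail": "jdoe@example.edu",
        "mailRoutingAddress": "jdoe@mailhost.example.edu",
        "nuAffiliation": "staff",
        "userPassword": _digest("correct horse"),
    },
}

# Application accounts that may perform attribute-retrieval bindings (slide 9).
WEB_SERVER_DN = "cn=webserver,ou=apps,dc=example,dc=edu"
COURSE_MGMT_DN = "cn=coursemgmt,ou=apps,dc=example,dc=edu"
APP_ACCOUNTS = {WEB_SERVER_DN: _digest("web-secret"), COURSE_MGMT_DN: _digest("cm-secret")}

# Request-specific ACLs: the attributes each binding is allowed to receive.
ACL = {
    "anonymous": frozenset({"mail", "mailRoutingAddress"}),  # e-mail routing lookups only
    "user": frozenset(),                                      # validates the password, returns nothing
    WEB_SERVER_DN: frozenset({"uid"}),                        # enough to map NetID -> DN
    COURSE_MGMT_DN: frozenset({"uid", "cn", "nuAffiliation"}),
}

# Firewall rules: which source networks may open each bind type (slide 10).
FIREWALL = {
    "anonymous": [ipaddress.ip_network("192.0.2.0/24")],      # known e-mail hosts
    "user": [ipaddress.ip_network("198.51.100.0/24")],        # web servers only
    "application": [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass(frozen=True)
class Binding:
    name: str
    allowed: frozenset  # attributes this binding may read


class Registry:
    @staticmethod
    def _check_ip(kind: str, source_ip: str) -> None:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in FIREWALL[kind]):
            raise PermissionError(f"{kind} bind from {source_ip} rejected by firewall")

    def bind_anonymous(self, source_ip: str) -> Binding:
        self._check_ip("anonymous", source_ip)
        return Binding("anonymous", ACL["anonymous"])

    def bind_user(self, source_ip: str, dn: str, password: str) -> Binding:
        # The only way to check a password; the IP restriction is what limits
        # online guessing, so it is enforced before the credential check.
        self._check_ip("user", source_ip)
        entry = ENTRIES.get(dn)
        if entry is None or not hmac.compare_digest(entry["userPassword"], _digest(password)):
            raise PermissionError("invalid credentials")
        return Binding("user", ACL["user"])

    def bind_application(self, source_ip: str, app_dn: str, secret: str) -> Binding:
        self._check_ip("application", source_ip)
        stored = APP_ACCOUNTS.get(app_dn)
        if stored is None or not hmac.compare_digest(stored, _digest(secret)):
            raise PermissionError("invalid application credentials")
        return Binding(app_dn, ACL[app_dn])

    @staticmethod
    def search(binding: Binding, attr: str, value: str, requested) -> list:
        # Query by an indexed attribute; the returned attributes are whatever
        # was requested, trimmed to the binding's ACL (slide 7).
        hits = []
        for dn, entry in ENTRIES.items():
            if entry.get(attr) == value:
                hits.append((dn, {a: entry[a] for a in requested if a in binding.allowed and a in entry}))
        return hits


def three_step_login(reg: Registry, source_ip: str, netid: str, password: str):
    """Slide 12: the web server resolves NetID -> DN, validates the password,
    then the application binds as itself to fetch only what its ACL permits."""
    web = reg.bind_application(source_ip, WEB_SERVER_DN, "web-secret")   # step 1
    hits = reg.search(web, "uid", netid, ["uid"])
    if not hits:
        return None
    dn = hits[0][0]
    try:
        reg.bind_user(source_ip, dn, password)                           # step 2 (SSL in production)
    except PermissionError:
        return None
    app = reg.bind_application(source_ip, COURSE_MGMT_DN, "cm-secret")  # step 3
    return reg.search(app, "uid", netid, ["cn", "nuAffiliation", "mail"])[0][1]


if __name__ == "__main__":
    reg = Registry()
    print(three_step_login(reg, "198.51.100.10", "jdoe", "correct horse"))
    print(three_step_login(reg, "198.51.100.10", "jdoe", "wrong"))
```

Two things the run makes visible that the slides only state: the application's final search asks for `mail` but does not get it, because the course-management ACL does not include it; and a user bind from an address outside the web-server network is refused before the password is ever compared, which is the mechanism slide 8 relies on against brute-force guessing.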
Slide 13: White Pages is a Separate Service
White pages (directory.northwestern.edu) is a separate service on separate hardware:
– To increase performance
– To separate the Registry for better security
– To expose only the relevant data items to potential compromise
Slide 14: How is Registry Access Governed?
– Due to the protections in place, access must be requested through NUIT.
– Requests must be approved by the custodian(s) of the data.
– NUIT then assigns the appropriate ACL to restrict access to only the approved data items.
Slide 15: How are Data Items Selected?
Registry data items fall into categories:
– Those entrusted by SES and HRIS
– Those necessary for e-mail routing and selective access to network services as defined by NUIT
– Those historically available in the white pages
Slide 16: New Data Items
– Requests to include new items must be reviewed by NUIT and the source
– Additional reviews by administrative offices may be required
– New data items are not automatically exposed to existing ACLs