Presentation transcript, 30 September 1999

Slide 1: Concepts
- A directory is a hierarchical, searchable database for relatively stable data:
  - Information about users and other global entities, for access by users and applications
  - Information specific to an application, for access enterprise-wide by that application (actually more extensively used today than user searching; examples: locations, URLs, time-out periods)
- A directory service is a directory information store plus the tools and services used to resolve names to objects
- A schema formally defines the universe of object types that may be stored in a given directory service
- A Directory Information Tree (DIT) is the hierarchically organized collection of objects stored in a directory

Slide 2: Concepts (Concluded)
- A namespace is a bounded area within which the name of an object can be resolved to the object or information represented by the name
- Replication synchronizes the physical databases that comprise the logical Directory
- A meta-directory is a collection of pointers to data and/or copies of data from various authoritative information stores
  - With a join engine, presents a consistent view of the data
  - Recognizes standard directory access protocols, usually LDAP
[Diagram: an LDAP user entry joined from the attributes Common Name, SMTP address, Phone number, and Salary]

Slide 3: Security Services to Other Components
- Holds data that supports security services provided by other infrastructure components:
  - Credentials
  - Credential revocation information
  - Role membership
  - Keys
  - Application configuration information
[Diagram: a Certificate Revocation List and a Role with members Joe and Jenny]

Slide 4: Responsibilities for Internal Security
- Protect confidentiality and integrity of data stored in the directory service
  - Uses internal access control based on identification, authentication, and authorization
- Protect data transmitted between the directory service and users, applications, or other directory service implementations
  - Can use SSL/TLS
  - Can rely on a service provided by the host or network
- Provide adequate availability for expected accesses
- Keep an audit log of significant events, including:
  - Logins to the directory service
  - Directory resource accesses
  - Administrative actions
  - Synchronization activities
  - Data changes

Slide 5: State of the Practice
- Directories are not widely in use today
- As the use of technologies that rely on directories increases (e.g., PKI), directory use will increase

Slide 6: State of the Art: Protocol Choices Today
- An X.500 client is infeasible
  - Too complex, not supported by many COTS products
  - Difficult to find proxy applications that would allow the X.500 Directory Access Protocol (DAP) through firewalls
- LDAP by itself is not adequate across many directory services
  - LDAP v3, which matters for replication, is still in draft form
  - Replication of access control settings is not well supported
- Other options are non-standard
- X.500 server + LDAP client may be the best choice today
  - Provides both a widely available, stable client and good replication
  - BUT: difficult to manage because configuration requires manually specifying directory relationships

Slide 7: State of the Art: Near Future: Meta-Directory
- LDAP client + meta-directory capability across many different server types may become the best choice in the future
  - Allows the DIT to vary from place to place
  - Allows a single view into many different data stores
  - Allows different protections for different data stores
- BUT: the market is immature
  - Only one vendor, Zoomit, offers a join engine today
  - The Zoomit product is reasonably stable but hard to use
[Diagram: an LDAP/SSL client; directory partitions C=US,O=MITRE and O=MITRE, C=US (phone numbers, certificates); Taxpayer Data behind an SSL link and a firewall (FW)]

Slide 8: State of Products Today
- Zoomit, Microsoft, ISOCOR, Netscape, NetVision, DCL, Novell and Lotus all have offerings
  - Zoomit is in transition, bought by Microsoft in August 1999
  - Microsoft will offer Zoomit to customers through Microsoft's consulting services
- ISOCOR is currently scheduled to release its Meta-Join product in the 4th quarter of 1999
- Netscape has purchased the ISOCOR source code on a one-time basis to develop its own meta-directory capabilities
- Novell has established a partnership with NetVision
  - NetVision functions are an extension to the NDS schema
- The DCL X.500 directory supports a synchronization tool called DCL Link
- Lotus does not currently compete in this market and refers customers to other third-party vendors to solve this integration problem

Slide 9: Management Responsibilities for Security
- The directory holds information that controls essential security functions, such as certificates used for authentication
  - Therefore, management of the directory is management of security
- Operational management responsibilities:
  - Maintain data
  - Schedule and monitor replication
  - Assure availability and performance
  - Configure servers with respect to other servers (configure replication; configure search redirection functions)
- Oversight management responsibilities:
  - Select the overall enterprise-wide directory architecture
  - Define the schema and DIT across the enterprise
  - Set policies for directory service configuration and operational management

Slide 10: Risk Factor: Selecting the Directory Architecture
- Determine the directory services to be used throughout the enterprise and the relationships among them
  - Option 1: one large directory with all data in it
  - Option 2: many small directories with selected data in each and a global search capability
  - Option 3: same as Option 2, except include a meta-directory
    - The meta-directory provides a central, consistent access point
    - Subordinate authoritative data sources can be of different kinds, including directories, databases, and address books
- Risk: many independent directories may be fielded before management can develop a comprehensive IRS-wide view
  - Risk mitigation: if Option 3 is selected, the independent directories can be folded into the enterprise directory with minimal disruption

Slide 11: Risk Factor: Password Protection
- Especially important if the directory holds data used to implement security, such as access control support information or security software configuration information
- Passwords must never be sent in clear-text mode
- Risk: network encryption may not be implemented on every link
  - Risk mitigation: use SSL or equivalent protection for all login dialogs
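Slides 4 and 11 together describe what the directory's audit log should record and the rule that a password must never cross an unprotected link. The following Python is an added example, not part of the original presentation or of any product it names: it walks a constructed audit trail (the line format is an assumption, not any vendor's log syntax) and reports simple binds that arrived on connections accepted without TLS, alongside a count of events in each category the slide lists.

```python
import re
from collections import Counter

# Constructed sample of a directory server's audit trail. The line format
# (timestamp, conn=ID, EVENT, key=value tokens) is an assumption for this
# example, not any particular product's log syntax.
SAMPLE_LOG = """\
1999-09-30T10:15:02 conn=1001 ACCEPT from=10.1.2.3 tls=no
1999-09-30T10:15:03 conn=1001 BIND dn="cn=joe,o=MITRE,c=US" method=simple
1999-09-30T10:15:03 conn=1001 RESULT op=BIND err=0
1999-09-30T10:16:10 conn=1002 ACCEPT from=10.1.2.4 tls=yes
1999-09-30T10:16:11 conn=1002 BIND dn="cn=jenny,o=MITRE,c=US" method=simple
1999-09-30T10:17:00 conn=1002 MOD dn="cn=joe,o=MITRE,c=US" attrs=userPassword
1999-09-30T10:18:00 conn=1003 ACCEPT from=10.1.2.5 tls=no
1999-09-30T10:18:01 conn=1003 SEARCH base="o=MITRE,c=US" filter="(cn=joe)" attrs=userCertificate
1999-09-30T10:18:05 conn=1003 BIND dn="cn=admin,o=MITRE,c=US" method=simple
1999-09-30T10:18:06 conn=1003 SYNC peer=ldap2.example.test status=ok
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Maps event types onto the audit categories the slide lists.
CATEGORY = {
    "BIND": "logins",
    "SEARCH": "resource accesses",
    "MOD": "data changes",
    "SYNC": "synchronization",
}

def parse_line(line):
    """Return (timestamp, event, fields) for one audit line."""
    ts, conn_tok, event, *rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(rest[0] if rest else "")}
    fields["conn"] = conn_tok.split("=", 1)[1]
    return ts, event, fields

def review(log_text):
    """Walk the trail and return (findings, category_counts).

    findings is a list of (conn, severity, message). A simple bind on a
    connection that was accepted without TLS sends the password in clear
    text, which the slide says must never happen, so it is reported HIGH.
    Password changes and synchronization runs are reported INFO so an
    operator sees administrative and replication activity in one place."""
    tls_by_conn = {}
    findings = []
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        conn = f["conn"]
        if event in CATEGORY:
            counts[CATEGORY[event]] += 1
        if event == "ACCEPT":
            tls_by_conn[conn] = (f.get("tls") == "yes")
        elif event == "BIND":
            # A bind on a connection never seen accepted is treated as
            # unprotected: the conservative choice for an audit review.
            if f.get("method") == "simple" and not tls_by_conn.get(conn, False):
                findings.append((conn, "HIGH",
                                 f"{ts} simple bind by {f['dn']} on a non-TLS connection"))
        elif event == "MOD" and "userPassword" in f.get("attrs", ""):
            findings.append((conn, "INFO", f"{ts} credential change on {f['dn']}"))
        elif event == "SYNC":
            findings.append((conn, "INFO",
                             f"{ts} synchronization with {f.get('peer')} status={f.get('status')}"))
    return findings, dict(counts)

if __name__ == "__main__":
    found, totals = review(SAMPLE_LOG)
    for conn, sev, msg in found:
        print(f"[{sev}] conn={conn} {msg}")
    print(totals)
```

On the sample, connections 1001 and 1003 are flagged because their binds followed an ACCEPT with tls=no, while Jenny's bind on connection 1002 is not, since that connection was protected; this is the check a reviewer would run before concluding that the "SSL on every login dialog" mitigation is actually in effect.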

Slide 12: Risk Factor: Control of Data Aggregation
- The best solution to a security business need, such as S/MIME to encrypt email messages, may require some data, such as employee S/MIME certificates, to be made available outside the enterprise
- Policy may limit searches that discover the names of IRS employees
- Implies a need to limit searches for aggregated data while allowing searches for specific data
- Risk: failure to allow specific searches in the directory may limit design options for application security services
[Diagram: "Please send me Joe's certificate" -> OK; "Please send me all certificates" -> Sorry]
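The "Joe's certificate: OK, all certificates: Sorry" rule on this slide can be enforced at the search interface by inspecting the LDAP search filter before it runs. The Python below is an added example, not code from the presentation or from any directory product: it parses a subset of RFC 4515 filter syntax, classifies a filter as specific (names individual entries) or aggregating (could enumerate), and applies an assumed policy in which outside clients may only run specific searches for an assumed set of releasable attributes.

```python
import re

# Attributes that name an individual entry. An equality match on one of these
# is a "specific" search in the slide's sense; anything that can match many
# entries is an "aggregated" search. The attribute list is an assumption.
IDENTIFYING_ATTRS = {"cn", "mail", "uid"}

# Attributes an outside client is allowed to retrieve (assumed policy: the
# S/MIME use case needs certificates and mail addresses, nothing more).
EXTERNAL_ATTRS = {"usercertificate", "mail"}

def parse_filter(text):
    """Parse a subset of RFC 4515 search filters into a tree.

    Supported: (attr=value), (attr=*), (attr=sub*string), (&...), (|...), (!...).
    Extensible, ordering and approximate matches and escaped parentheses are
    outside this subset and raise ValueError."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if pos < len(text) and text[pos] == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        item = text[pos:end]
        pos = end + 1
        attr, sep, value = item.partition("=")
        if not sep or not attr or attr[-1] in "<>~:" or "\\" in value:
            raise ValueError(f"unsupported filter item {item!r}")
        attr = attr.lower()
        if value == "*":
            return ("present", attr, None)
        if "*" in value:
            return ("substring", attr, value)
        return ("equality", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def is_specific(tree):
    """True if the filter can only match individually named entries.

    Equality on an identifying attribute is specific. AND is specific if any
    branch is (AND only narrows); OR is specific only if every branch is.
    NOT, presence and substring filters can enumerate, so they never are."""
    kind = tree[0]
    if kind == "equality":
        return tree[1] in IDENTIFYING_ATTRS and tree[2] != ""
    if kind == "&":
        return any(is_specific(c) for c in tree[1])
    if kind == "|":
        return bool(tree[1]) and all(is_specific(c) for c in tree[1])
    return False

def authorize_search(filter_text, external, requested_attrs):
    """Decide whether a search may run; returns (allowed, reason)."""
    tree = parse_filter(filter_text)
    if not external:
        return True, "internal client: aggregated searches permitted"
    if not is_specific(tree):
        return False, "external client: filter could enumerate employee entries"
    extra = {a.lower() for a in requested_attrs} - EXTERNAL_ATTRS
    if extra:
        return False, f"external client: attributes not releasable: {sorted(extra)}"
    return True, "external client: specific search for releasable attributes"

if __name__ == "__main__":
    # The two requests drawn on the slide, as constructed usage:
    print(authorize_search("(cn=Joe)", True, ["userCertificate"]))   # allowed
    print(authorize_search("(cn=*)", True, ["userCertificate"]))     # refused
```

The classification is deliberately conservative: an AND that contains one specific branch is accepted because the other branches can only narrow it, but an OR is accepted only when every branch is itself specific, and a NOT is always refused, since negating a specific match is the enumeration the policy forbids.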

Slide 13: Risk Factor: Proper Access Control
- Some directory services don't allow access controls to be set on individual attributes, only on objects
- Where access controls can be set for individual attributes, maintaining correct protections may be difficult
- Risk: relying on directory access control settings may make it difficult to maintain good access control
  - Risk mitigation: use the directory services architecture to isolate sensitive data
[Diagram: Less Sensitive Data and More Sensitive Data separated by a firewall (FW)]

Slide 14: Risk Factor: Additional Applications Testing
- Applications can interfere with each other
  - Applications may write to the same attribute with different formats; for example, the same phone number may be stored as (703) 883-1212, 703-883-1212, or 703.883.1212 (workaround: some directory services support normalizing name formats)
  - Different applications may have different expectations for the meaning of the same attribute; for example, name could hold a first name, a full name, or a common name (workaround: use multivalued attributes where conflicts may occur)
  - Different applications may use different names for the same attribute; for example, name, namen, or nom (workaround: provide name translation using aliases)
- Risk: installing one application may break other applications
  - Risk mitigation: application acceptance testing will need to test for directory use conflicts with other applications
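The three workarounds on this slide (normalized formats, multivalued attributes, alias translation) are what an acceptance test for directory conflicts would exercise. The Python below is an added example, not code from the presentation or from any directory product; the alias table, the canonical phone format NNN-NNN-NNNN, the set of single-valued attributes and the three application views of one employee are all constructed for the example.

```python
import re

# Canonical phone form chosen for this example: NNN-NNN-NNNN. The regex
# accepts any separators around the three digit groups, so all three
# formats named on the slide map to the same value.
PHONE_RE = re.compile(r"^\D*(\d{3})\D*(\d{3})\D*(\d{4})\D*$")

# Alias table (assumed): attribute names different applications use, mapped
# to the schema's canonical attribute, all in lower case.
ALIASES = {
    "name": "cn", "namen": "cn", "nom": "cn",
    "phone": "telephonenumber", "telephone": "telephonenumber",
}
# Canonical spelling for attributes, which LDAP compares case-insensitively.
CANONICAL = {"cn": "cn", "telephonenumber": "telephoneNumber",
             "employeenumber": "employeeNumber", "mail": "mail"}
# Attributes the (assumed) schema declares single-valued; a second value is a
# conflict to report rather than a value to merge.
SINGLE_VALUED = {"employeeNumber"}

def normalize_phone(raw):
    """Return the canonical form of a 10-digit number or raise ValueError."""
    m = PHONE_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognized phone number format: {raw!r}")
    return "-".join(m.groups())

NORMALIZERS = {"telephoneNumber": normalize_phone}

def canonical_attr(name):
    """Translate an application's attribute name to the schema's name."""
    key = name.lower()
    key = ALIASES.get(key, key)
    return CANONICAL.get(key, key)

def canonicalize(entry):
    """Rename aliased attributes, normalize values, and drop duplicates.

    Values may be given as a string or a list; the result is always a list
    (multivalued) so different applications' expectations can coexist."""
    out = {}
    for attr, values in entry.items():
        canon = canonical_attr(attr)
        normalize = NORMALIZERS.get(canon, str.strip)
        bucket = out.setdefault(canon, [])
        for v in ([values] if isinstance(values, str) else values):
            v = normalize(v)
            if v not in bucket:
                bucket.append(v)
    return out

def merge(entries):
    """Combine the views several applications hold of one person.

    Returns (merged_entry, conflicts); a conflict is (attr, kept, rejected)
    for a single-valued attribute that two applications disagree about."""
    merged, conflicts = {}, []
    for entry in entries:
        for attr, values in canonicalize(entry).items():
            bucket = merged.setdefault(attr, [])
            for v in values:
                if v in bucket:
                    continue
                if attr in SINGLE_VALUED and bucket:
                    conflicts.append((attr, bucket[0], v))
                    continue
                bucket.append(v)
    return merged, conflicts

# Constructed views of one employee as three applications would write them.
HR_VIEW = {"cn": "Joe Jenkins", "phone": "(703) 883-1212", "employeeNumber": "12345"}
MAIL_VIEW = {"nom": ["Joe", "Joe Jenkins"], "telephone": "703.883.1212", "employeeNumber": "12345"}
BADGE_VIEW = {"name": "Jenkins, Joe", "Telephone": "703-883-1212", "employeeNumber": "54321"}

if __name__ == "__main__":
    entry, problems = merge([HR_VIEW, MAIL_VIEW, BADGE_VIEW])
    print(entry)     # one telephoneNumber, three cn values
    print(problems)  # the employeeNumber disagreement
```

Run against the three views, the three phone spellings collapse to a single telephoneNumber value, the three name attributes land in one multivalued cn, and the badge application's different employeeNumber surfaces as a conflict instead of silently overwriting the HR value, which is the kind of interference the slide's acceptance testing is meant to catch before deployment.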

Slide 15: Risk Factor: Interaction with PKI Applications
- Certificate authorities are often linked to the directory service
  - On certificate requests, the CA can look up the authoritative entry for the authenticated user and automatically fill in all the information it needs
  - On certificate granting, the CA can store the certificate in the directory
- Risk: directory naming structures and attributes may not meet the needs of the CA
  - Risk mitigation: when the directory service and CA are defined, management should ensure that the directory project and CA projects work together to define compatible structures
[Diagram: a directory entry with attributes Employee, Name, Certificate beside a CA record with attributes Employee, Nom, Cert]

Slide 16: Recommendations
- Plan to use a meta-directory
- Use SSL or equivalent protection for all login dialogs and other transfers of sensitive information between the client and the directory
- Integrate policy and implementation to allow limited access to data from the outside
- Use the directory services architecture to isolate sensitive data
- Include directory use conflicts with other applications in application acceptance testing
- When the directory services and CA are defined, management should ensure that the directory project and CA projects work together to define compatible structures
- Define normalized attributes (e.g., phone number format) and standard use of object classes and attributes within the IRS

Slide 17: Acronyms
- CA: Certification Authority
- DIT: Directory Information Tree
- ETA: Electronic Tax Administration
- FW: firewall
- IPT: Integrated Product Team
- IRS: Internal Revenue Service
- LDAP: Lightweight Directory Access Protocol
- PKI: Public Key Infrastructure
- S/MIME: Secure Multipurpose Internet Mail Extension
- SMTP: Simple Mail Transfer Protocol
- SR: Sub-release
- SSL: Secure Sockets Layer
- TLS: Transport Layer Security
- URL: Uniform Resource Locator
- US: United States
- VPN: virtual private network

