Published by Logan Poole. Modified over 9 years ago.
1
LDAP Directory Services: Security
2
Directory Security: Syllabus
Brief Review of Directories and LDAP
Brief Review of Security
Basic Security Concepts
Security as Applied to Directories
Threats
LDAP Protocol Security Features
Typically Implemented Security Features
Futures
References
3
Directory Security: Brief Review of Directories & LDAP
[Diagram: a Client sends an LDAP search “G,C,A” across the Network to a Directory Service backed by a Directory Database; the Directory Information Tree (DIT) is drawn as a tree of nodes A through I.]
4
Directory Security: Brief Review of Directories & LDAP
What directories are…
–Object repositories
–Typically read more than written
–Have explicit access protocols
–Support relatively complex queries
What directories are not…
–RDBMSs
–Lack notions of..
  Tabular views
  JOIN operations
  Stored Procedures
5
Directory Security: Brief Review of Directories & LDAP
Obligatory, overly-simplified, Protocol Stack Diagram
[Diagram: protocol stack, bottom to top: Ethernet, Cable, Wireless, whatever; IP; TCP; LDAP; Directory-based Application.]
6
Directory Security: Brief Review of Security
Notion of Security for a network protocol is comprised of (at least) these axes..
–Identity & Authentication: “Who are you and who says so?”
–Confidentiality: “Tough petunias to eavesdroppers.”
–Integrity: “Did anyone muck with this data?”
–Authorization: “Yes, you can do that, but no, you can’t do that other thing.”
7
Directory Security: Basic Security Concepts
Notions...
–The notion of Identity
–Of Names and Identifiers
  Authentication Identity
  Authorization Identity
–Anonymity
8
Directory Security: Basic Security Concepts
[Diagram: the Overall Namespace, with Names and Identifiers drawn within it.]
9
Directory Security: Basic Security Concepts
The applicable “science & technology of implementation”...
–Ciphers
–Encryption
–Integrity
AKA Cryptography [11]
10
Directory Security: Basic Security Concepts, cont’d
13
Directory Security: Security as Applied to Directories
One needs to separately consider each of the four security axes in the context of anticipated threats.
Also need to consider security from the perspectives of..
–the info stored in the directory, and..
–attributes of the requesters. E.g. how much you trust them.
Note that..
–data security != access security
14
Directory Security: Example Deployment Scenarios
15
Directory Security: Threats
[Diagram: a Client sends an LDAP search “G,C,A” across the Network to the Legitimate Directory Service (Directory Database, DIT nodes A through I); an Imposter Directory Service with its own Directory Database also sits on the network. Numbered threat markers 1 through 7 are placed on the client, the network path and the services.]
16
Directory Security: Threats, cont’d
[Diagram: Directory Service Host(s), Directory Database and Network, with threat markers 8, 9 and 10.]
17
Directory Security: LDAP Protocol Security Features
Formal notions of..
–Authentication Identifiers [7], and..
–Authorization Identifiers [7]
Leverages several security mechanisms..
–Simple passwords [2, 8]
–SASL [6]
  Kerberos [2]
  Digest [4]
–SSL/TLS [7] effectively is a session layer
The above may be used in various combinations together.
18
Directory Security: LDAP Protocol Security Features
Integral-to-the-protocol data integrity and attribution are works-in-progress.
19
LDAP Directory Security: LDAP Security Features Illustrated
[Diagram: a Client sends an LDAP search “G,C,A” to the Legitimate Directory Service (Directory Database, DIT nodes A through I) over an Authenticated, plus Confidentiality- and Integrity-protected Channel; an Imposter Directory Service with its own Directory Database is also shown on the network.]
20
Directory Security: Brief Intro to Directories and LDAP
[Diagram: protocol stack, bottom to top: Ethernet, Cable, Wireless, Etc.; IP; TCP; TLS; LDAP; Directory-based Application.]
21
Directory Security: Brief Intro to Directories and LDAP
[Diagram: protocol stack, bottom to top: Ethernet, Cable, Wireless, Etc.; IP; TCP; TLS; SASL; LDAP; Directory-based Application.]
22
Directory Security: Typical Security Features of Impls
Security Features typically found in LDAP Implementations
–Simple password-based Authentication.
–SSL on port 636 (aka “LDAPS”)
–At least one impl does StartTLS on port 389.
–Access control.
–Configurability (e.g. Netscape’s DS Plug-ins).
23
Directory Security: Typical Impl Security Features, cont’d
Important Notice:
–The LDAP protocol is NOT an authentication protocol in and of itself (IMHO).
–One MAY use LDAP itself as an authentication protocol, but one needs to carefully consider what functionality it does and doesn’t bring to your deployment when used in this manner.
Deployment configuration is critical
–Many server-side knobs
  e.g. requiring client authentication
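The two slides above list simple password binds, SSL on port 636 and StartTLS on port 389 as the features most implementations offer, and stress that the deployment knobs decide whether they are actually used. As an added example that is not part of the original deck, the Python below hand-encodes an LDAPv3 simple BindRequest in the BER layout of RFC 4511, decodes it the way a passive network monitor would, and applies the policy check a defender wants: a simple bind that carries a password must only be accepted on a TLS-protected channel. The DN and password are constructed sample values, and the function names are mine.

```python
from typing import Optional
# Added example (not from the slides): minimal BER for an LDAPv3 simple BindRequest.

def ber_len(n: int) -> bytes:
    """BER definite-form length: one byte below 0x80, else 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID (< 128), BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (tlv(0x02, bytes([3]))            # version INTEGER 3
            + tlv(0x04, dn.encode())         # name LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode()))  # authentication: simple [0] OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))

def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos -> (tag, value, next_pos). Definite lengths only."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                             # long form: low bits give the length of the length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_request(msg: bytes) -> dict:
    """Recover the fields anyone holding the raw bytes can read from a simple bind."""
    tag, body, _ = read_tlv(msg, 0)
    _, mid, pos = read_tlv(body, 0)
    op, bind, _ = read_tlv(body, pos)
    if tag != 0x30 or op != 0x60:
        raise ValueError("not an LDAPMessage carrying a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, cred, _ = read_tlv(bind, pos)
    simple = auth_tag == 0x80                # [0] simple; 0xA3 would be sasl [3]
    return {"message_id": mid[0], "version": version[0], "name": name.decode(),
            "auth": "simple" if simple else "sasl",
            "password": cred.decode() if simple else None}

def bind_policy_violation(msg: bytes, channel_encrypted: bool) -> Optional[str]:
    """Deployment knob: a simple bind carrying a password must ride TLS (LDAPS or StartTLS)."""
    req = parse_bind_request(msg)
    if req["auth"] == "simple" and req["password"] and not channel_encrypted:
        return f"cleartext simple bind as {req['name']!r} on an unprotected channel"
    return None
```

An anonymous bind (empty name and empty password) passes the check on either channel, since no credential is exposed; that is the one simple bind that does not need the protected channel.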
24
Directory Security: Example Directory Service Deployment(s)
[Diagram: Desktop Clients and other Clients speak LDAP to an LDAP-based Directory Service, which is backed by a Directory DB and sits alongside an Authentication Service with its own Auth DB.]
25
Directory Security: Behind the Scenes (simplified)
[Diagram: Registry DB, Auth DB and Directory DB; a Registry feeds an Event Broker and TDS Middleware; the Subject’s Desktop (browser) uses a Web-based User Interface for Data Maintenance over HTTP (effectively authenticated writes); the Directory Service serves LDAP (Reads) to Network-based Applications and Desktops (Browsers); the SUNetID System and TDS are also shown.]