Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando
Sacha Faust
PricewaterhouseCoopers
sacha@severus.org
sacha.faust.bourque@ca.pwcglobal.com
LDAP overview
- History
- Historical usage
- Technical specs
History
- Created by the University of Michigan
- Evolution
  - 1993: LDAP v1: RFC 1487: X.500 Lightweight Directory Access Protocol
  - 1995: LDAP v2: RFC 1777: Lightweight Directory Access Protocol
  - 1997: LDAP v3: RFC 2251: Lightweight Directory Access Protocol (v3)
Historical usage
- People-centric information
  - Phone books
  - Personnel data
- Large white-page applications
Technical specs
- TCP/IP
- Lightweight
- Hierarchical structure
- Easy API
LDAP for a single sign-on environment?
- Why is single sign-on needed?
- Why is LDAP a viable solution for single sign-on?
- Requirements for an efficient and secure single sign-on solution
- Technical challenges for implementing a true single sign-on
- What can LDAP do to solve the problems?
Why is single sign-on needed?
- Large networks
- Multiple operating systems
- Various network devices
- Centralizing infrastructure
Why is LDAP a viable solution for single sign-on?
- Lightweight
- TCP/IP
- Open standard
- Already used to store people-centric information
Requirements for an efficient and secure single sign-on solution
- Open standard
- Scalability
- Access controls
- Easy to integrate with current infrastructure
- Easy and reliable API
- Easy to manage
Technical challenges for implementing a true single sign-on
- Cross-platform support
- Cross-platform user settings
- Data synchronization
- Proprietary authentication
- Security
- Schema and organizational structure
What can LDAP do to solve the problems?
- Open standard
- Support for SSL
- Most vendors offer ACL
- Customizable schema
- Powerful search capabilities
Test case - ASP environment
Overview
[Diagram: ASP environment overview. Components: Customer; Portal Server (HTTPS); Customer Info database; Portal Gateway (HTTPS); Tarantella + Tarantella Security Pack (HTTPS/AIP); Unix applications and Win32 applications reached over RDP and SSH/X11; Directory Server (LDAP/SLDAP).]
NT Authentication
[Diagram, shown as a four-step build: User creation module -> Step 1. Creating the user entry (LDAP Server) -> Step 2. Updating the NT SAM (NT PDC) -> Step 3. Application authentication (Win32 Application Servers).]
Linux/UNIX Authentication
[Diagram, shown as a three-step build: User creation module -> Step 1. Creating the user entry (LDAP Server) -> Step 2. Application authentication (Linux/Unix Application Servers).]
Why is this solution better? Advantages
- Security
  - Central control of all users
  - Central point of revocation
- Flexibility
- Scalability
- Financially
  - Most of the components are available for free use
  - Low management cost
  - Doesn't require a lot of administration
Security
- Central control of all users
- Central point of revocation
Advanced topics
- LDAP security
  - Steps to secure your LDAP server
  - Special consideration for single sign-on
Steps to secure your LDAP server
1. Identifying requirements
2. Securing the Directory
2. LDAP server host security
3. Network security
1. Identifying requirements
- Network access
- Types of users and groups
- Defining data access requirements
- LDAP schema
Network access
- Network architecture
- Identifying member servers and their requirements
- Identifying clients and their requirements
Types of users and groups
- Administration users
- Read users
- Write users
- Member servers
- Groups
  - Static
  - Dynamic
Defining data access requirements
- What each member server can do and see
- Which types of information users can see
- What attributes the user can change on themselves
- Data risk level
  - Is the data public?
  - Is the data restricted per organizational unit?
  - Is the data used for the infrastructure?
Data risk level
- Is the data public?
- Is the data restricted per organizational unit?
- Is the data used for the infrastructure?
2. Securing the Directory
- Implementing ACL
- Strong password management
2. LDAP server host security
- File system
  - File system ACL
  - Identifying critical data
  - Integrity
- Non-privileged user
- Registry (Win32 only)
- Limiting services
File system
- File system ACL
- Identifying critical data
- Integrity
3. Network security
- Encrypting data
  - SLDAP
- Authentication
  - Basic?
  - Certificate?
  - Anonymous?
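The three slides above (the user types from "Types of users and groups", ACLs and password management from "Securing the Directory", and encryption plus the Basic/Certificate/Anonymous question from "Network security") map onto a single OpenLDAP cn=config fragment. The following is an added example and is not code from the presentation or from any product it names; the suffix dc=example,dc=com, the groups cn=admins/cn=writers/cn=readers under ou=groups, the member-server entries under ou=servers, the 192.0.2.0/24 server network, the certificate paths and the password-policy values are all assumed placeholders. The comments show the permissive setting each directive replaces.

```ldif
# Added example (not from the presentation): OpenLDAP cn=config LDIF that
# applies per-user-type ACLs, strong password management, and encrypted,
# authenticated network access. Assumed placeholders: dc=example,dc=com,
# ou=groups, ou=servers, the 192.0.2.0/24 server network, cert paths.

# --- Global settings ------------------------------------------------------
dn: cn=config
changetype: modify
# Weak default: anonymous binds allowed, cleartext LDAP accepted on 389.
# Hardened: no anonymous binds, authentication required for every operation,
# and a 128-bit security strength factor (TLS) required for every operation.
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcRequires
olcRequires: authc
-
replace: olcSecurity
olcSecurity: ssf=128
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ldap-server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ldap-server.key

# --- Frontend: store passwords as salted hashes, never cleartext ------------
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

# --- Database ACLs, one rule per user type from the deck -------------------
# slapd uses the first <what> clause that matches, so the specific attribute
# rules come first and the catch-all rule last.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Weak: "to * by * read" exposes every attribute, userPassword included.
# userPassword: the owner may change it, it may be used to authenticate
# (the bind itself runs as anonymous, so "auth" is still needed here even
# with bind_anon disallowed), admins may reset it, nobody may read the hash.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by * none
# Attributes a user may change on themselves; other authenticated users read.
olcAccess: {1}to attrs=mail,telephoneNumber,description
  by self write
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by users read
  by * none
# Infrastructure data (POSIX attributes consumed by PAM/NSS on the member
# servers): readable only by member-server accounts binding from the
# server network, writable only by admins.
olcAccess: {2}to attrs=uidNumber,gidNumber,homeDirectory,loginShell
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by dn.children="ou=servers,dc=example,dc=com" peername.ip=192.0.2.0%255.255.255.0 read
  by * none
# Everything else: admins and write users write, read users and member
# servers read, no access otherwise (no anonymous browsing of the tree).
olcAccess: {3}to *
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by group.exact="cn=writers,ou=groups,dc=example,dc=com" write
  by group.exact="cn=readers,ou=groups,dc=example,dc=com" read
  by dn.children="ou=servers,dc=example,dc=com" read
  by * none

# --- Password management: ppolicy overlay (module must be loaded) ---------
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# The default policy entry lives in the directory itself, not in cn=config.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdMaxAge: 7776000
pwdInHistory: 5
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
```

Apply the fragment over the local socket as root with `ldapmodify -Y EXTERNAL -H ldapi:/// -f hardening.ldif`. The `olcSecurity: ssf=128` line is what answers the deck's "SLDAP" bullet: the server refuses every operation other than StartTLS itself unless the session is already encrypted, whether the client used ldaps:// or StartTLS on port 389. The ACL ordering is the part worth re-reading: because slapd stops at the first matching `to` clause, moving the `userPassword` rule below the `to *` rule would silently grant read users access to every password hash, which is the kind of regression the "Integrity" and "Identifying critical data" bullets are meant to catch.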
Special consideration for single sign-on
- Security of the object class attributes
  1. NT Authentication using iPlanet Directory Server
  2. PAM authentication via LDAP
- Security of the authentication module
NT Authentication using iPlanet Directory Server
PAM authentication via LDAP
Quick Links
- Further readings
- Tools
- Implementations
Further readings
- LDAP Overview by Bruce Greenblatt
- Why LDAP & Security Are Critical to Your Success
- Solaris 8 LDAP Setup and Configuration Guide
- IBM Understanding LDAP
- Securing Netscape Directory Server paper (work in progress)
Tools
- LDAP Browser/Editor
- LDAPMiner
- NetscapeGetACL
- LDAPRootDSE
Implementations
- OpenLDAP
- iPlanet
- Novell eDirectory
- Tivoli (IBM)
Questions?