Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando
Sacha Faust
PricewaterhouseCoopers
[email protected]
[email protected]
LDAP overview
- History
- Historical usage
- Technical specs

History
- Created by the University of Michigan
- Evolution
  - 1993: LDAP v1: RFC 1487: X.500 Lightweight Directory Access Protocol
  - 1995: LDAP v2: RFC 1777: Lightweight Directory Access Protocol
  - 1997: LDAP v3: RFC 2251: Lightweight Directory Access Protocol (v3)

Historical usage
- People-centric information
  - Phone books
  - Personnel data
- Large white-page applications

Technical specs
- TCP/IP
- Lightweight
- Hierarchical structure
- Easy API

LDAP for a single sign-on environment?
- Why is single sign-on needed?
- Why is LDAP a viable solution for single sign-on?
- Requirements for an efficient and secure single sign-on solution
- Technical challenges for implementing a true single sign-on
- What can LDAP do to solve the problems?

Why is single sign-on needed?
- Large networks
- Multiple operating systems
- Various network devices
- Centralizing infrastructure

Why is LDAP a viable solution for single sign-on?
- Lightweight
- TCP/IP
- Open standard
- Already used to store people-centric information

Requirements for an efficient and secure single sign-on solution
- Open standard
- Scalability
- Access controls
- Easy to integrate with the current infrastructure
- Easy and reliable API
- Easy to manage

Technical challenges for implementing a true single sign-on
- Cross-platform support
- Cross-platform user settings
- Data synchronization
- Proprietary authentications
- Security
- Schema and organizational structure

What can LDAP do to solve the problems?
- Open standard
- Support for SSL
- Most vendors offer ACLs
- Customizable schema
- Powerful search capabilities
Test case - ASP environment

Overview
[Architecture diagram. The labelled components and protocols are: Customer; HTTPS; Portal Gateway (Tarantella + Tarantella Security Pack); HTTPS/AIP; Portal Server; RDP; Win32 Applications; SSH/X11; Unix Applications; LDAP/SLDAP; Directory Server; Customer Info Database.]

NT Authentication
[Diagram, built up over four slides. Labels:]
- User creation module
- Step 1. Creating the user entry (LDAP Server)
- Step 2. Updating the NT SAM (NT PDC)
- Step 3. Application authentication (Win32 Application Servers)

Linux/UNIX Authentication
[Diagram, built up over three slides. Labels:]
- User creation module
- Step 1. Creating the user entry (LDAP Server)
- Step 2. Application authentication (Linux/Unix Application Servers)
Why is this solution better?

Advantages
- Security
  - Central control of all users
  - Central point of revocation
- Flexibility
- Scalability
- Financially
  - Most of the components are available for free use
  - Low management cost
    - Doesn't require a lot of administration

Security
- Central control of all users
- Central point of revocation

Advanced topics
- LDAP security
  - Steps to secure your LDAP server
  - Special consideration for single sign-on

Steps to secure your LDAP server
1. Identifying requirements
2. Securing the directory
3. LDAP server host security
4. Network security

1. Identifying requirements
- Network access
- Types of users and groups
- Defining data access requirements
- LDAP schema

Network access
- Network architecture
- Identifying member servers and their requirements
- Identifying clients and their requirements

Types of users and groups
- Administration users
- Read users
- Write users
- Member servers
- Groups
  - Static
  - Dynamic

Defining data access requirements
- What each member server can do and see
- What types of information users can see
- What attributes the user can change on themselves
- Data risk level
  - Is the data public?
  - Is the data restricted per organizational unit?
  - Is the data used for the infrastructure?

Data risk level
- Is the data public?
- Is the data restricted per organizational unit?
- Is the data used for the infrastructure?

2. Securing the directory
- Implementing ACLs
- Strong password management

3. LDAP server host security
- File system
  - File system ACLs
  - Identifying critical data
  - Integrity
- Non-privileged user
- Registry (Win32 only)
- Limiting services

File system
- File system ACLs
- Identifying critical data
- Integrity

4. Network security
- Encrypting data
  - SLDAP
- Authentication
  - Basic?
  - Certificate?
  - Anonymous?
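The network-security and access-control points of the slides above (SLDAP, no anonymous binds, ACLs, and the public / per-organizational-unit / infrastructure data classes), worked through as an added OpenLDAP slapd.conf example that is not from the talk; the suffix dc=example,dc=com, the ou=people layout and the certificate paths are assumed placeholders:

```conf
# OpenLDAP slapd.conf fragment, added as an example (not from the talk).
# The suffix dc=example,dc=com, the ou=people layout and the certificate
# paths are placeholders; the rootdn (which bypasses ACLs) is set elsewhere.

# --- Weak: a single catch-all rule. With anonymous binds allowed and no
# TLS, anyone on the network can read every attribute, userPassword
# included, and watch every bind password cross the wire in the clear.
# access to * by * read

# --- Hardened ---
# Encrypting data (SLDAP): present a server certificate on ldaps:// and
# refuse any operation, simple (password) binds included, that is not
# protected by at least 128-bit TLS.
TLSCACertificateFile   /etc/openldap/cacert.pem   # placeholder path
TLSCertificateFile     /etc/openldap/server.pem   # placeholder path
TLSCertificateKeyFile  /etc/openldap/server.key   # placeholder path
security      ssf=128 simple_bind=128
disallow      bind_anon   # "Anonymous?": no anonymous binds
require       authc       # every operation needs an authenticated bind
password-hash {SSHA}      # hash userPassword on write, never store clear

# Rules are evaluated top-down; the first "access to" whose target matches
# decides, so the most specific targets come first.

# Infrastructure data: the password hash is never readable. "auth" lets
# the bind operation (which runs as anonymous) compare it, nothing more.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Public data (the phone-book attributes): readable by any authenticated
# user; these are also the only attributes users may edit on themselves.
access to attrs=cn,sn,givenName,mail,telephoneNumber
    by self write
    by users read
    by * none

# Data restricted per organizational unit: the remaining attributes of an
# entry under ou=<unit>,ou=people are readable only from that same unit
# ($1 is the unit captured by the regex on the target DN).
access to dn.regex="^.*,ou=([^,]+),ou=people,dc=example,dc=com$"
    by dn.regex="^.*,ou=$1,ou=people,dc=example,dc=com$" read
    by * none

# Anything not matched above is invisible to everyone but the rootdn.
access to *
    by * none
```

Check the result with `slapacl` against a few test DNs before deploying: an ACL mistake in the userPassword rule silently turns every hash into readable data.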
Special consideration for single sign-on
- Security of the object class attributes
  1. NT authentication using iPlanet Directory Server
  2. PAM authentication via LDAP
- Security of the authentication module

NT authentication using iPlanet Directory Server

PAM authentication via LDAP
Quick links
- Further readings
- Tools
- Implementations

Further readings
- LDAP Overview by Bruce Greenblatt
- Why LDAP & Security Are Critical to Your Success
- Solaris 8 LDAP Setup and Configuration Guide
- IBM Understanding LDAP
- Securing Netscape Directory Server paper (work in progress)

Tools
- LDAP Browser/Editor
- LDAPMiner
- NetscapeGetACL
- LDAPRootDSE

Implementations
- OpenLDAP
- iPlanet
- Novell eDirectory
- Tivoli (IBM)

Questions?