Slide 1

Download Report

Transcript Slide 1 

CIST 1601 Information Security Fundamentals
Chapter 5 Implementing and Maintaining a Secure Network
Collected and Compiled
By JD Willard
MCSE, MCSA, Network+,
Microsoft IT Academy Administrator
Computer Information Systems Instructor
Albany Technical College
Overview of Network Security Threats
Vulnerability Scanning Overview (6:30)
Assessment Tools (6:56)
The CERT/CC is an organization that tracks and reports on computer and network
security threats. They are part of the Software Engineering Institute (SEI) at CarnegieMellon University.
Penetration testing (aka ethical hacking or “pen test”) involves the use of tools to
simulate attacks on the network and on the computer systems.
Penetration testing enables you to detect the existing vulnerabilities of the
infrastructure, with prior approval and authorization from senior management.
Penetration testing starts with defining management objectives for the tests, and
includes configuration reviews, vulnerability assessments, and social engineering.
Penetration tests are limited to the identification of the vulnerabilities in the system and
the detection of the impact of the vulnerability to the security of an infrastructure. This
process enables an organization to take corrective action, such as patching up the
systems against vulnerabilities or bugs.
A penetration test team reports the findings to the senior management after completing
the documentation process. ISS, Ballista, and SATAN are some examples of penetration
testing or ethical hacking tools used to identify network and system vulnerabilities.
Overview of Network Security Threats
Penetration Testing (10:04)
Penetration testing involves footprinting, scanning, and enumerating.
Scanning identifies active computers, ports, and services.
Enumerating involves compiling the information from the scanning phase and identifying target
systems.
The IP addresses of the computers are usually discovered during a penetration test. As
components of the network are discovered, the methods used will be determined.
A penetration tester would need to be used outside your network. A penetration test
includes the following steps:
1. Gather initial information.
2. Determine the network range.
3. Identify active devices.
4. Discover open ports and access points.
5. Identify the operating systems and their settings.
6. Discover which services are using the open ports.
7. Map the network.
Penetration tests may cause some disruption to network operations as a result of the
actual penetration efforts conducted. Penetration tests can also make legitimate attacks
by generating false data in IDS/IPS systems.
Defining Security Baselines
Security Posture (4:39)
Assessment Techniques (6:35)
A baseline defines the minimum level of security and performance of a system in an organization. A
baseline is also used as a benchmark for future changes. Any change made to the system should match the
defined minimum security baseline. A security baseline is defined through the adoption of standards in an
organization.
Vulnerability Scanning (6:30)
You should create a System Monitor chart based on a performance log. This will ensure that performance
baseline statistics are recorded for an extended period of time. The first step to creating a performance
baseline is to create a security policy. Without the policy, the baseline has no guidelines to follow.
Metrics for security baselines and hardening efforts rely on identification of vulnerability and risk. It is
necessary to have some mechanism for measuring vulnerability to determine whether a baseline has been
met, or if a new security measure has been effective.
Trusted OS (3:31)
Common Criteria has designed the evaluation criteria into seven EALs:
1. EAL 1 - A user must be assured that the system will operate correctly, but threats to security are not viewed as
serious. The other EAL levels promote higher levels of security.
2. EAL 2 - Developers use good design practices but security is not a high priority.
3. EAL 3 - Developers provide moderate levels of security.
4. EAL 4 - Security configuration is based on good commercial development. This level is the common benchmark
for commercial systems, including operating systems and products.
5. EAL 5 - Security is implemented starting in early design. It provides high levels of security assurance.
6. EAL 6 - Specialized security engineering provides high levels of assurance. This level will be highly secure from
penetration attackers.
7. EAL 7 - Extremely high levels of security are provided. This level requires extensive testing, measurement, and
independent testing.
Hardening the OS and NOS
Operating System Hardening (10:08)
Hardening an operating system (OS) or network
operating system (NOS) refers to the process of
making the environment more secure from
attacks and intruders.
OS hardening includes encrypted file support and
secured file systems selection. This allows the
proper level of access control and allows you to
address newly identified exploits and apply
security patches, hotfixes, and service packs.
Configuring Network Protocols
Configuring an OS’s network protocols properly is a major factor in hardening. PC
systems today primarily use three primary network protocols:
NetBIOS Extended User Interface (NetBEUI)
Transmission Control Protocol/Internet Protocol (TCP/IP)
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
Each of these protocols can transport Network Basic Input/Output System (NetBIOS)
across networks. NetBIOS protocol-enabled systems periodically announce names,
service types, and other information on the networks bound to them. NetBIOS is also
used for programming interfaces and other purposes.
TCP/IP is the primary network protocol used in networks today. Microsoft is
concentrating more effort into making this protocol secure.
Don’t overlook the simple things. Applications such as Netscape, Internet Explorer, and
Office are susceptible to exploitation. Make sure that all your applications are up to the
current release level and that all security patches have been installed.
One of the primary methods of hardening an OS is to eliminate unneeded protocols.
Network Binding
Binding is the process of associating
one protocol with another protocol or
to a network card.
NetBIOS shouldn’t be bound to TCP/IP if
at all possible. NetBIOS is a well
established target of attackers. The
problem lies in the fact that NetBIOS
information becomes encapsulated in
TCP/IP packets, making them vulnerable
to sniffing.
NetBIOS binding to the TCP/IP network protocol
When a server and a client attempt to
communicate with each other they
must first find a common language.
They do so by trying different protocols
based on the binding order. For that
reason, the protocols most commonly
used on the server/client should be at
the top of the binding list.
Network binding in a Windows XP system
Network Protocols
NetBEUI is a proprietary protocol developed by Microsoft for Windows networks. It is
the least secure between the three network protocols. NetBEUI does not provide any
security capabilities. NetBEUI packets reveal information on system configuration,
running services, and other information. NetBEUI is not routable and is less efficient than
IPX/SPX or TCP/IP in large networking environments.
Enabling a firewall to directly pass NetBEUI/NetBIOS traffic is a major security problem,
especially if enabled on a Windows network. An attacker might be able to browse an
entire network and exploit the peer-to-peer nature of Windows networks.
TCP/IP is vulnerable to all the threats discussed previously. For a system connected to
the Internet or other large-scale network, the security of the system is tied to the
vulnerability of TCP/IP. TCP/IP is now relatively secure. Many of the newer vulnerabilities
are in the operating systems and applications that use TCP/IP as the transport.
IPX/SPX is an efficient, routable protocol that was originally designed for use with Novell
NetWare systems. Today’s routers don’t generally route IPX/SPX unless specifically
configured to do so. NetBIOS can be bound to IPX/SPX, and it won’t be vulnerable to
external attack unless it is routed.
Hardening Microsoft Windows Vista
A new feature in this operating system is the ability to apply parental controls to
accounts, found in the Set Up Parental Controls for Any User applet from the
Control Panel.
You can also choose the Windows Vista web filter which allows the setting of:
A web restriction level
Time limits settings and restriction of hours the computer can be used
Blocking of file downloads
Choosing websites to allow/block
Whole-disk Encryption (5:19)
Bitlocker is available with Windows Vista. BitLocker encrypts the drive contents
so that data cannot be stolen. It can encrypt both user and system files, and is
enabled or disabled by an administrator for all computer users. It requires
Trusted Platform Module (TPM) hardware.
Whole disk encryption helps mitigate the risks associated with lost or stolen
laptops and accompanying disclosure laws when the organization is required to
report data breaches.
Hardening Microsoft Windows XP
There are multiple versions of Windows XP,
including:
Home
Media Center
Professional
Microsoft has discontinued supporting XP in
favor of Windows Vista.
Windows XP Professional has the ability to
take advantage of the security possible from
Windows 200x servers running Active
Directory.
The service packs fix minor security
openings within the operating system.
One of the best tools to look for possible
illicit activity on a workstation is System
Monitor. This utility can be used to examine
activity on any counter, and excessive
processor usage is one worth paying
attention to if you suspect the workstation is
affected or being illegitimately accessed.
In previous versions of Windows, this utility
was a standalone menu choice. With
Windows XP, it became a subcomponent (a
snap-in) in the Performance Console.
Performance console is used for tracking
and viewing the utilization of operating
system resources.
To access the Performance Console, choose
Start > Run > and type perfmon.msc.
By default, System Monitor comes up showing three counters:
Pages/sec
Avg. Disk Queue Length
% Processor Time
To add more counters, right click in the right pane and choose
Add Counters from the popup menu.
Hardening Windows Server 2003
Windows Server 2003 was released in four variants:
Web edition
Standard edition
Enterprise edition
Datacenter edition
This product introduced the following features to the Microsoft
server line:
Internet connection firewall
Secure authentication (locally and remotely)
Secure wireless connections
Software restriction policies Secure Web Server (IIS 6)
Encryption and cryptography enhancements
Improved security in VPN connections
PKI and X.509 certificate support
Hardening Windows Server 2003
Group Policy enables you to:
Set consistent common security standards users and computers
Enforce common computer and user configurations
Simplify computer configuration by distributing applications
Restrict the distribution of applications that may have limited licenses
With a Group Policy, you create restrictions (usually through predefined security templates ) that will apply to workstations
when users authenticate. Upon each authentication, those restrictions are then applied as Registry settings, providing an
efficient way to manage a large number of computers. The restrictions you set come from choices within template files.
The Group Policy object (GPO) is used to apply Group Policy to users and computers.
GPOs can be associated with or linked to sites, domains, or organizational units.
The group policies would be applied to the computers on your network from the domain controllers. This method allows
for centralized deployment and management. For example, you could use group policies to ensure that users must change
their password at the next logon and must follow certain password guidelines.
Group Policies are applied in a specific order or hierarchy. By default, a group policy is inherited and cumulative. The
settings that will actually be applied to an object will be a combination of all the settings that can affect the object. Group
policies get applied from the bottom up, so if there is a conflict, the policy higher up in the list will prevail, unless it meets
one of the exceptions such as block inheritance and loopback.
You can use the Resultant Set of Policy (RSoP) tool to determine the effective settings on the computer that you are
working from or any other computer in a Windows Server 2003 AD domain.
You can use gpresult command to see what policy is in effect and to troubleshoot problems.
Security groups are used to create a set of users to assign resource permissions. For example, you could create a security
group for each department so that certain folders could only be accessed by a single department.
Hardening Microsoft Windows 2000
Windows 2000 includes workstation and several server versions. Windows 2000
provides a Windows Update icon on the Start menu, which allows you to
connect to the Microsoft website and automatically download and install
updates. A large number of security updates are available for Windows 2000—
make sure they’re applied.
Some of the more attack-prone services include IIS, FTP, and other common
web technologies. Make sure these services are disabled if they aren’t needed,
and keep them up-to-date with the most recent security and service packs.
Microsoft implemented a directory service called Active Directory (AD) with
Windows 2000. AD is the backbone for all security, access, and network
implementations. AD allows full control of resources by administrators. AD
functions are managed by one or more servers. These servers are connected in
a tree structure that allows information to be shared or controlled through the
entire AD structure.
Group policies, security templates, and security groups are also available in
Windows 2000.
Hardening Microsoft Windows 2000
Event Viewer enables you to
view certain events that occur
on the system.
Event Viewer maintains three
log files:
One for system processes
One for security information
One for applications
The security log records
security events, and is
available for viewing only by
administrators. For security
events to be monitored, you
must enable auditing.
Another important security
tool is Performance Monitor.
This tool can be a lifesaver
when you’re troubleshooting
problems and looking for
resource-related issues.
Hardening Unix/Linux
Over a dozen different versions of Unix are available; the most popular is a free version derivative called
Linux. Linux and Unix, when properly configured, provide a high level of security.
The product designers took an open-systems approach, meaning that the entire source code for the
operating system was readily available, which allowed programmers, computer scientists, and systems
developers to tinker with and improve the product.
Unix can run almost every protocol, service, and capability designed. You should run a script during system
startup to configure the protocols and determine which services are started.
All Unix security is handled at the file level. Files and directories need to be established properly to ensure
correct access permissions. The file structure is hierarchical by nature, and when a file folder access level is
set, all subordinate file folders usually inherit this access. This inheritance of security is established by the
systems administrator or by a user who knows how to adjust directory permissions.
Keeping patches and updates current is essential in Unix.
Linux also provides a great deal of activity logging, essential in establishing patterns of intrusion.
An additional method of securing Linux systems is accomplished by adding TCP wrappers, low-level logging
packages designed for Unix. Wrappers provide additional detailed logging on activity using a specific
protocol. Each protocol or port must have a wrapper installed for it. The wrappers then record activities
and deny access to the service or server.
Hardening Novell NetWare
Novell was one of the first companies to introduce a network operating system (NOS) for
desktop computers, called NetWare, which provided the ability to connect PCs into
primitive but effective LANs.
The most recent version of NetWare, version 6.5, includes file sharing, print sharing,
support for most clients, and fairly tight security.
NetWare version 6.x is primarily susceptible to denial of service (DoS) types of attacks, as
opposed to exploitation and other attacks. Novell support packs fix known problems with
the OS and occasionally add additional functionality
NetWare security is accomplished through a combination of access controls, user rights,
security rights, and authentication.
The heart of NetWare security is the Novell Directory Service (NDS) or eDirectory (for
newer Novell implementations). NDS and eDirectory maintain information about rights,
access, and usage on a NetWare-based network.
Newer versions of NetWare support TCP/IP natively and are susceptible to the same
types of attacks.
Hardening Apple Macintosh
Macintosh systems seem to be the most vulnerable to physical access attacks targeted
through the console. The network implementations are as secure as any other operating
system.
Macintosh security breaks down in its access control and authentication systems.
Macintosh uses a simple 32-bit password encryption scheme that is relatively easy to
crack. The password file is located in the Preference folder; if this file is shared or is part
of a network share, it may be vulnerable to decryption.
Macintosh systems have implemented TCP/IP networking as an integral part of the
operating system.
To secure the system, verify that it is not configured to automatically log in a user at
startup. Require a username and password in order to gain access to the Mac itself, as
well as to the network. Configure a screensaver that requires a password to resume a
session.
OS X, the successor to Macintosh, is a descendant of BSD-based Unix. As such, the
information described in “Hardening Unix/Linux” applies.
Hardening Filesystems
File Allocation Table (FAT)
FAT is a Microsoft file system that provides share-level and user-level
access privileges.
If a user has the appropriate permission to a drive or directory, the user
can access any file in that directory.
The FAT file system offers the least security and is especially unsecure in
an Internet environment.
The New Technology File System (NTFS)
NTFS is a Microsoft file system that uses access control lists (ACLs) to
configure permissions for users and groups.
Each file, directory, and volume can have an assigned ACL. Each entry in
the ACL can specify the access type granted.
Encrypting File System (EFS) can also be used to encrypt data stored on
the hard disk.
Microsoft strongly recommends that all network shares be established
using NTFS.
Hardening Filesystems
Novell NetWare Storage Services
NSS is Novell’s newest filesystem. It’s a
proprietary environment for servers.
NSS allows complete control of every file
resource on a NetWare server.
The NSS file system provides security, high
performance, large file storage capacities, and
uses the NDS or eDirectory to provide
authentication for access.
Unix Filesystem
The Unix filesystem is a completely hierarchical
filesystem.
Each file, filesystem, and subdirectory has
complete granularity of access control.
The three primary attributes in a Unix file or
directory are Read, Write, and Execute.
The ability to individually create these
capabilities, as well as to establish inheritance to
subdirectories, gives Unix the highest level of
security available for commercial systems.
NTFS is based on this method of file
organization.
Hierarchical file structure used in Unix and
other operating systems
Hardening Filesystems
Network File System (NFS)
NFS is the Unix standard for remote file systems.
NFS allows computers to mount the file system from a remote location,
thereby enabling the client system to view the server storage as part of
the local client.
Apple File Sharing (AFS)
AFS was intended to provide simple networking for Apple Macintosh
systems.
AFS allows the file owner to establish password and access privileges,
similar to the Unix filesystem.
OS X, the newest version of the Macintosh operating system, has more
fully implemented a filesystem that is based on the Unix model.
The major weakness of the operating system involves physical control of
the systems.
Updating Your Operating System
Application Patch Management (5:21)
Patch Management (4:16)
Hotfixes
A hotfix makes repairs to a computer during its normal operation so that the computer can continue to
operate until a permanent repair can be made. It usually involves replacing files with an updated version. A
hotfix can also be referred to as a bug fix.
Hotfixes are, typically, small and specific-purpose updates that alter the behavior of installed applications
in a limited manner.
These are the most common type of update.
A hotfix is related to a service pack and should be deployed with this in mind.
Service Packs and Support Packs
A service pack is a major, crucial update for the OS or application for which it is intended, and consists of a
collection of all hotfixes and patches released to date since the OS or product was shipped. A service pack
is mandatory for all users, addresses a new vulnerability, and should be deployed as soon as possible.
Service packs are the least common type of update, often requiring extensive testing to ensure against
service failure in integrated network environments before application.
A support pack is another term used for service packs.
Patches
A patch is a temporary workaround of a bug or problem in code that is applied manually. Once more data is
known about an issue, a service pack or hotfix may be issued to fix the problem on a larger scale.
A patch should be installed on a server only after it has been tested on a non-production server and by the
computing community.
A common method for hackers to infect your systems is to send an official-looking e-mail about software
that you need. The only way to ensure that a patch or service pack comes from the vendor is to go to the
vendor’s Web site. This ensures that you are obtaining the security patch directly from the vendor.
Updating Network Devices
As a security administrator, you should make sure that
software for devices such as routers and switches is kept
up-to-date. These devices usually contain a ROM-based
(read-only memory) OS and applications.
Routers have become increasingly complex, as have
firewalls and other devices in your network. If they aren’t
kept up-to-date, they will become vulnerable to new
attacks or exploits.
Updating network switch firmware to newest versions,
putting passwords on all remote-configurable network
hardware, and locking down all unused ports on the
firewall will contribute to network hardening.
Configuring Routers and Firewalls
Access Control Lists (1:57)
Routers and firewalls are your front line of defense against attacks being
launched from outside the company network.
Access control list (ACL) mechanisms are implemented in many routers,
firewalls, and other network devices.
You can configure and apply access control lists to the interfaces of routers to
filter out unauthorized traffic. Through ACLs, you can design and change
network security to counter specific security threats.
ACLs can be configured on router interfaces for inbound and outbound packets.
ACLs deployed on a router will improve network security by confining sensitive
internal data traffic to computers on a specific subnet.
An ACL can also be used to exclude a particular system, IP address, or user.
The following can be configured in an ACL:
Source and/or destination IP address
Source and/or destination protocol number
Source and/or destination port number
The most essential operational aspects of network device hardening involve
ensuring that your network devices run only necessary protocols, services, and
access control lists.
Hardening Applications
Application Configuration Baselining and Hardening (4:10)
Application hardening includes default application
administration accounts, standard passwords, and
common services installed by default should also
be reviewed and changed or disabled as required.
Applications must be maintained in an updated
state through the regular review of hotfixes,
patches, and service packs.
Hardening Web Servers
Web servers are favorite areas for attackers to exploit. Every service and
capability supported on a website is potentially a target for exploitation.
Make sure they’re kept to the most current software standards.
You must also make certain that you’re allowing users to have only the
minimal permissions necessary to accomplish their tasks.
If users are accessing your server via an anonymous account, then make
certain the anonymous account has only the permissions needed to view
web pages and nothing more.
Filters allow you to limit the traffic that is allowed through. Limiting
traffic to only that which is required for your business can help ward off
attacks.
Executable scripts, such as Common Gateway Interface (CGI) scripts,
often run at elevated permission levels. Under most circumstances this
isn’t a problem, however, if the user can break out of the script while at
the elevated level then you have a problem.
The best course of action is to verify that all scripts on your server have
been thoroughly tested, debugged, and approved for use.
Hardening E-Mail Servers
An e-mail server is a middle man in the
delivery of the message.
The primary firewall to protect you from
e-mail viruses would be e-mail servers
with active virus scanners.
E-mail servers detect the viruses in the
messages received from various sources
and send warnings to the recipient to
warn him/her of the risky mail. This
server has the necessary means to
reject infected mail content.
SMTP is the primary protocol used in email. An SMTP virus filter checks all
incoming and outgoing e-mails for
suspicious code. If a file is potentially
infected, the scanner notifies the
originator and quarantines the file.
E-mail virus scanner on an e-mail server
Hardening FTP Servers
FTP servers provide user access to upload or download files
between client systems and a networked FTP server.
FTP servers include many potential security issues,
including anonymous file access and unencrypted
authentication. Always disable the anonymous user
account.
In most environments, FTP sends User IDs and password
information unencrypted. This makes these accounts
vulnerable to network sniffing.
Most FTP servers allow you to create file areas on any drive
on the system. You should create a separate drive or
subdirectory on the system to allow file transfers. If
possible, use virtual private network (VPN) or Secure Shell
(SSH) connections for FTP-type activities.
Hardening DNS Servers
DNS (2:04)
DNS is one of the most popular directory services in use today.
DNS can identify an individual computer system on the Internet. DNS
maps IP addresses to domain names and to individual systems.
Because DNS servers usually store a vast quantity of information on the
network and its configuration, they are also typically targeted by
network footprinting attacks, which attempts to gather information on
your network.
To protect your DNS servers from network footprinting attacks, ensure
that all information on the network, which gets stored in external DNS
servers, are kept at a minimum.
Limiting the registration of name and IP address to authorized clients
prevents an unauthorized entry from being created on the DNS server’s
zone database file.
Hardening DNS Servers
The Windows 2000 DNS version implements DNS security. This assists in preventing DNS
spoofing, and ensures that client systems access the proper DNS server.
You should set up DNS servers so that they only perform zone transfers to specific
secondary DNS servers.
For the perimeter network, use a separate DNS server. This server should not contain
information which you do not want public users to access.
DNS Poisoning
Query results that are forged and returned to the requesting client or recursive DNS
query can poison the DNS records.
Use a version of DNS that includes the correction for preventing DNS cache poisoning, or
alternatively, obtain the relevant security patch to address this issue.
ARP poisoning
Because ARP does not require any type of validation, as ARP requests are sent, the
requesting devices believe that the incoming ARP replies are from the correct devices.
This can allow a perpetrator to trick a device into thinking any IP address is related to any
MAC address.
Hardening File and Print Servers and Services
Determine whether file and print sharing is really needed. If it isn’t, unbind NetBIOS
from TCP/IP. By doing so, you effectively disable Windows SMB file and print sharing
reducing the risk of intruders being able to access any files on the hard drive.
Unprotected network shares are easy targets and a top security exploit.
Never share the root directory (C:) of a disk. If an attacker penetrates the root directory,
all the subdirectories under the root are vulnerable.
Depending on your operating systems in use, there are two areas to look at:
Server Message Block (SMB) file-sharing protocol
Common Internet File System (CIFS).
User education and mandatory settings can go a long way toward making sure that file
sharing is not enabled unless needed.
Network share
connection
Hardening File and Print Servers and Services
Print servers pose several risks, including possible security breaches in
the event that unauthorized parties access cached print jobs or sensitive
printed material.
DoS attacks may be used to disrupt normal methods of business, and
network-connected printers require authentication of access to prevent
attackers from generating printed memos, invoices, or any other manner
of printed materials.
Securing file and print sharing:
Use an antivirus product that searches for CIFS worms
Run intrusion testing tools
Filter traffic on UDP/TCP ports 137, 138. 139, 445
On Unix systems, make sure port 111, the Remote Procedure Call (RPC)
port, is closed
Install proper firewalls
Hardening DHCP Services
Dynamic Host Configuration Protocol (DHCP) is used in many
networks to automate the assignment of IP addresses to
workstations. DHCP services can be provided by routers,
switches, and servers.
In a given network or segment, only one DHCP server should be
running. An exception would be if you are implementing
redundant DHCP services without overlapping scopes.
DHCP-enabled clients can be serviced by a Network Address
Translation (NAT) server. DHCP usage should be limited to
workstation systems.
If the OS in use does not support DHCP server authentication,
attackers may also configure their own DHCP servers within a
subnet, taking control of the network settings of clients and
obtaining leases from these rogue servers. Microsoft’s Active
Directory requires that DHCP servers be authorized.
Working with Data Repositories
Directory services are tools that help organize and
manage complex networks. They allow data files,
applications, and other information to be quickly
and easily relocated within a network.
In addition to creating and storing data, directory
services must publish appropriate data to users.
Security for directory services is typically
accomplished by using both authentication and
access control.
Working with Data Repositories
Lightweight Directory Access Protocol
LDAP is a standardized directory access protocol that
uses TCP/IP and allows queries to be made of
directories (specifically, a pared down X.500-based
directory). This is the computer equivalent of a
phone book.
LDAP (6:09)
If a directory service supports LDAP, you can query
that directory with an LDAP client.
An LDAP directory is defined as a tree-like structure
with entries, each of which consists of named
attributes with values.
Services, such as repository and distribution of
digital certificates, can be handled by external
servers running the LDAP protocol.
LDAP servers are external repositories. Therefore,
the primary concern is the availability of systems,
and the secondary consideration involves
maintaining the confidentiality and integrity of
information stored on such systems.
LDAP, by default, uses TCP port 389.
Directory structure showing unique identification of a user
Working with Data Repositories
Active Directory
Microsoft implemented a directory service called Active Directory (AD) with
Windows 2000. AD is the backbone for all security, access, and network
implementations.
AD gives administrators full control of resources. It provides services for other
directory services, such as LDAP.
One or more servers manage AD functions; these servers are connected in a
tree structure that allows information to be shared or controlled through the
entire AD structure.
In conjunction with Active Directory, LDAP uses four different name types:
A Distinguished Name (DN) exists for every object in AD. These values can’t be
duplicates and must be unique. This is the full path of the object, including any
containers.
A Relative Distinguished Name (RDN) doesn’t need to be a wholly unique value
as long as there are no duplicates within the organizational unit (OU). As such, an
RDN is the portion of the name that is unique within its container.
A User Principal Name (UPN) is often referred to as a friendly name. It consists of
the user account and the user’s domain name and is used to identify the user (think
of an e-mail address).
The Canonical Name (CN) is the DN given in a top-down notation.
Working with Data Repositories
X.500
The International Telecommunications Union (ITU) implemented the
X.500 standard, which was the basis for directory structures such as
LDAP.
The major problem implementing a full-blown X.500 structure revolved
around it’s complexity.
Novell was one of the first manufacturers to implement X.500 in its
NetWare NDS product.
eDirectory
eDirectory is the backbone for new Novell networks.
It stores information on all system resources and users and any other
relevant information about systems attached to a NetWare server.
eDirectory is an upgrade and replacement for NDS, and has gained wide
acceptance.
Databases and Technologies
The primary tool for data management is the database.
The relational database is the most common approach. It allows data to be
viewed in dynamic ways based on the user’s or administrator’s needs.
The most common language used to speak to databases is called Structured
Query Language (SQL). SQL allows queries to be configured in real time and
passed to database servers. This flexibility causes a major vulnerability when it
isn’t implemented securely.
Database servers suffer from all the vulnerabilities discussed so far.
To improve system performance and the security of databases, companies have
implemented the tiered model of systems:
One-tier model The database and application reside on one system. The one-tier
model is usually used to host a stand-alone database.
Two-tier model In the two-tier and three-tier model, the application being run by
the client PC or system accesses a database hosted on a different server.
Three-tier model A middle-tier server receives and verifies requests from clients,
before passing it to the server on which the database resides. After the request is
processed by the database server, the server passes the information to the middletier server, who then passes the data to the client. The middle-tier server provides
additional security.
The End