LDAP Directory services are used to store and retrieve information about objects, which are managed by the service.. LDAP is a protocol that enables clients to access information within
Trang 1As seen in Figure 9.15, two events are occurring as credentials are pre-sented (password, Smart Card, biomet-rics) to the KDC for authentication This is due to the dual role of the KDC
It acts as both an Authentication Server and as a Ticket Granting Server First, the authentication credential is pre-sented to the KDC where it is authen-ticated using the Authentication Server mechanism Second, the KDC issues a Ticket Granting Ticket (TGT) through the Ticket Granting Server mechanism that is associated with the access token while you are actively logged in and authenticated This TGT expires when you (or the service) disconnect or log off the network, or after it times out The Kerberos administrator can alter the expiry timeout as needed to fit the organizational needs, but the default is one day (86,400 s) This TGT is cached locally for use during the active session Figure 9.16 shows the process for resource access in a Kerberos realm It starts by presenting the previously granted TGT to the authenticating KDC The authenticating KDC returns a session ticket to the entity wishing access
to the resource This session ticket is then presented to the remote resource server The remote resource server, after accepting the session ticket, allows the session to be established to the resource
Kerberos uses a time stamp and we need to understand where and when the time stamp is used The time stamp is used to limit the possibility
FIGurE 9.15
Authentication Path
for Logon Access in a
Kerberos Realm.
FIGurE 9.16 Resource Access in Kerberos Realms.
Trang 2of replay or spoofing of credentials Replay is the capture of information,
modification of the captured information, and retransmission of the
modi-fied information to the entity waiting to receive the communication If
unchecked, this allows for impersonation of credentials when seeking
access Spoofing is the substitution of addressing or authentication
infor-mation to try to attain access to a resource based on inforinfor-mation acceptable
to the receiving host, but not truly owned by the sender The initial time
stamp refers to any communication between the entity requesting
authen-tication and the KDC Normally, this initial time period will not be allowed
to exceed 10 minutes if it is based on the MIT Kerberos software default
Microsoft’s Kerberos implementation has a five-minute time delta If
clocks are not synchronized between the systems, the credentials (tickets)
will not be granted if the time differential exceeds the established limits
Session tickets from the KDC to a resource must be presented within this
time period or they will be discarded The session established between the
resource server and the requesting entity is also time-stamped but generally
lasts as long as the entities logon credential is valid This can be affected by
system policies like logon hour restrictions, which are defined in the
origi-nal access token TGT tickets are not part of the default five-minute period,
rather they are cached locally on the machine and are valid for the duration
of the logged-on session
LDAP
Directory services are used to store and retrieve information about objects,
which are managed by the service On a network, these objects can include
user accounts, computer accounts, mail accounts, and information on
resources available on the network Because these objects are organized in
a directory structure, you can manage them by accessing various properties
associated with them For example, a person’s account to use the network
would be managed through such attributes as their username, password,
times they’re allowed to logon, and other properties of their account By
using a directory service to organize and access this information, the objects
maintained by the service can be effectively managed
The concept of a directory service can be somewhat confusing until you
realize that you’ve been using them for most of your life A type of directory
that has been around longer than computers is a telephone directory, which
organizes the account information of telephone company customers These
account objects are organized to allow people to retrieve properties such as
the customer’s name, phone number, and address
Directory services shouldn’t be confused with the directory itself The
directory is a database that stores data on the objects managed through
Trang 3directory services To use our telephone directory example again, consider that the information on customer accounts can be stored in a phonebook
or electronically in a database Regardless of whether the information is accessed through an operator or viewed online using a 411 service, the directory service is the process of how the data is accessed The directory service is the interface or process of accessing information while the direc-tory itself is the reposidirec-tory for that data
Directory services are used by many different network OSs to organize and manage the users, computers, printers, and other objects making up the network Some of the directory services that are produced by vendors include the following:
Active Directory, which was developed by Microsoft for networks
■
■ running Windows 2000 Server, Windows 2003 Server, or Windows 2008
eDirectory, which was developed by Novell for Novell NetWare
net-■
■ works Previous versions for Novell NetWare 4.x and 5.x were called
Novell Directory Services (NDS).
OpenLDAP, which was developed by Apple for networks running
■
■ Mac OS X Servers
To query and modify the directory on TCP/IP networks, the LDAP can be used LDAP is a protocol that enables clients to access information within
a directory service, allowing the directory to be searched and objects to be added, modified, and deleted LDAP was created after the X.500 directory specification that uses the Directory Access Protocol (DAP) Although DAP
is a directory service standard protocol, it is slow and somewhat complex LDAP was developed as an alternative protocol for TCP/IP networks because
of the high overhead and subsequent slow response of heavy X.500 clients, hence the name lightweight Because of the popularity of TCP/IP and the
speed of LDAP, the LDAP has become a standard protocol used in directory services
LDAP services are used to access a wide variety of information that’s stored in a directory On a network, consider that the directory catalogs the name and information on every user, computer, printer, and other resource
on the network The information on a user alone may include their user-name, password, first user-name, last user-name, department, phone number and extension, e-mail address, and a slew of other attributes that are related
to the person’s identity The sheer volume of this data requires that LDAP directories are effectively organized so that the data can be easily located and identified in the directory structure
Trang 4LDAP Directories
Because LDAP is a lightweight version of DAP, the directories used by LDAP
are based on the same conventions as X.500 LDAP directories follow a
hier-archy, much in the same way that the directories on your hard drive are
organized in a hierarchy Each uses a tree-like structure, branching off a root
with containers (called organizational units in LDAP, analogous to folders on
a hard drive) and objects (also called entries in LDAP’s directory, analogous
to files on a hard drive) Each of the objects has attributes or properties that
provide additional information Just as a directory structure on a hard disk
may be organized in different ways, so can the hierarchy of an LDAP
direc-tory On a network, the hierarchy may be organized in many ways,
follow-ing the organizational structure, geographical location, or any other logical
structure that makes it easy to manage the objects representing users,
com-puters, and other resources
Because LDAP directories are organized as tree structures (sometimes
called the Directory Information Tree [DIT]), the top of the hierarchy is
called the root The root server is used to create the structure of the directory,
with organizational units and objects branching out from the root Because
the directory is a distributed database, parts of the directory structure may
exist on different servers Segmenting the tree based on organization or
division and storing each branch on separate directory servers increase
the security of the LDAP information By following this structure, even if
one directory server is compromised, only a branch of the tree (rather than
the entire tree) is compromised
organizational units
The hierarchy of an LDAP directory is possible because of the various objects
that make up its structure These objects represent elements of the network,
which are organized using containers called organizational units (OUs) Each
OU can be nested in other OUs, similar to having subfolders nested in
fold-ers on your hard disk In the same way, the placement of foldfold-ers on your hard
disk makes a directory structure, the same occurs with OUs and objects in
an LDAP directory
The topmost level of the hierarchy generally uses the DNS to identify
the tree For example, a company named Syngress might use syngress.com
at the topmost level Below this, organizational units are used to identify
different branches of the organization or network For example, you might
have the tree branch off into geographical locations, such as PARIS,
LON-DON, and TORONTO, or use them to mimic the organizational chart of
the company and create OUs with names such as ADMINISTRATION,
Trang 5RESEARCH, TECHNOLOGY, and so forth Many companies will even use
a combination of these methods and use the OUs to branch out by geo-graphical location, and then create OUs for divisions of the company within the OUs representing locations
To identify the OUs, each has a name that must be unique in its place
in the hierarchy For example, you can’t have two OUs named PRINTERS
in a container named SALES As with many elements of the directory, it is analogous to the directory structure of a hard disk where you can’t have two subfolders with the same name in the same folder You can, however, have OUs with the same name in different areas of the hierarchy, such as having
an OU named PRINTERS in the SALES container and another OU named PRINTERS in an OU named SERVICE
The structure of the LDAP directory is not without its own security risks, as it can be a great source of information for intruders Viewing the placement of OUs can provide a great deal of information about the network structure, showing which resources are located in which areas
of the organization If an administrator followed a particular scheme of designing the hierarchy too closely, a hacker could determine its struc-ture by using information about the organization For example, compa-nies often provide their organizational charts on the Internet, allowing people to see how the company is structured If an administrator closely followed this chart in designing a hierarchy, a hacker could speculate how the LDAP directory is laid out If the hacker can gain access to the direc-tory using LDAP queries, he or she could then use this information to access objects contained in different OUs named after departments on the chart Using naming conventions internal to the company (such as calling a London base of operations DISTRICT1) or using some creativity
in naming schemes (such as calling an OU containing computer accounts
WK instead of WORKSTATIONS) will make the hierarchy’s structure less obvious to outsiders Although using the organizational chart of a com-pany and geographical locations can be used as a basis for designing the hierarchy, it should not be an easy-to-guess blueprint of the directory and network infrastructure
objects, Attributes, and the schema
As mentioned, entries in the directory are used to represent user accounts, computers, printers, services, shared resources, and other elements of the network These objects are named, and as we discussed with organiza-tional units, each object must have a name that’s unique to its place in the namespace of the hierarchy Just as you can’t have two files with the same name in a folder on your hard disk, you can’t have two objects with the same name in an OU The name given to each of these objects is
Trang 6referred to as a common name, which identifies the object but doesn’t
show where it resides in the hierarchy
The common name is part of the LDAP naming convention Just as a
file-name identifies a file, and a full pathfile-name identifies its place in a directory
structure, the same can be seen in the LDAP naming scheme The common
name identifies the object, but a distinguished name can be used to identify
the object’s place in the hierarchy An example of a distinguished name is
the following, which identifies a computer named DellDude that resides in
an organizational unit called Marketing in the tacteam.net domain:
DN: CNDellDude,OUMarketing,DCtacteam,DCnet
The distinguished name is a unique identifier for the object and is made
up of several attributes of the object It consists of the relative distinguished
name, which is constructed from some attribute(s) of the object, followed
by the distinguished name of the parent object
Each of the attributes associated with an object is defined in the schema
The schema defines the object classes and attribute types and allows
admin-istrators to create new attributes and object classes specific to the needs of
their network or company For example, a “supervisor” attribute in a user
account might contain the name of the user’s manager while a “mail”
attri-bute would contain the user’s e-mail address Object classes define what the
object represents (that is, user, computer, and so forth) and a list of what
attributes are associated with the object
Because LDAP is binary, to view the attributes of an object, the information
can be represented in LDAP Data Interchange Format (LDIF) LDIF is used
to show directory entries in an easy-to-follow format and used when requests
are made to add, modify, or delete entries in the directory The following is an
LDAP directory entry with several attributes represented in LDIF:
dn: cnJohn Abraham, dcsyngress, dccom
cn: John Abraham
givenName: John
sn: Abraham
telephoneNumber: 905 555 1212
ext: 1234
employeeID: 4321
mail:jabraham@ssyngress.com
manager: Gary Byrne
objectClass: organizationalPerson
Trang 7As you can see by this entry, the attributes provide a wide degree of information related to the person represented by the object By looking at this information, we can see contact information, employee identification numbers, the person’s manager, and other data Other attributes could include the person’s Social Security Number or Social Insurance Number, home address, photo, expense account numbers, credit card numbers issued
to the person, or anything else the company wished to include Although this example reflects a user account, a similar wealth of information can
be found in objects representing computers and printers (which would include IP addresses) and other resources on the network As stated earlier, while useful to authorized users, it is also useful for unauthorized intruders who could use the information for identity theft, hacking specific comput-ers, or any number of other attacks
securing LDAP LDAP is vulnerable to various security threats, including spoofing of direc-tory services, attacks against the databases that provide the direcdirec-tory ser-vices, and many of the other attack types discussed in this book (for example, viruses, OS and protocol exploits, excessive use of resources and DoS, and so forth.) This isn’t to say that LDAP is completely vulnerable LDAP supports
a number of different security mechanisms, beginning from when clients initially connect to an LDAP server
LDAP clients must authenticate to the server before being allowed access to the directory Clients (users, computers, or applications) connect
to the LDAP server using a distinguished name and authentication cre-dentials (usually a password) Authentication information is sent from the client to the server as part of a “bind” operation, and the connection is later closed using an “unbind” operation Unfortunately, it is possible for users
to make the connection with limited or no authentication, by using either anonymous or simple authentication LDAP allows for anonymous clients
to send LDAP requests to the server without first performing the bind oper-ation Although anonymous connections don’t require a password, simple authentication will send a person’s password over the network unencrypted
To secure LDAP, anonymous clients should be limited or not used, ensuring that only those with proper credentials are allowed access to the informa-tion Optionally, the connection can use TLS to secure the connection and protect any data transmitted between the client and server
LDAP can also be used over SSL, which extends security into the Inter-net LDAPS is Secure LDAP, which encrypts LDAP connections by using SSL or TLS Some of these types of services integrate as objects, such as Public Key Infrastructure (PKI) certificates, in the authentication process
Trang 8using Smart Card technologies and in the extended properties of account
objects so that they can support extra security requirements To use SSL
with LDAP, the LDAP server must have an X.509 server certificate In
addi-tion, SSL/TLS must be enabled on the server
Another issue that can impact the security of LDAP is packet sniffing
As we discussed earlier in this chapter, packet sniffers are software that can
capture packets of data from a network and allow a person to view its
con-tents If the information traveling over LDAP is unencrypted, the packets of
data could be captured and analysis of the packets could provide
consider-able information about the network In addition to using encryption, ports
can be blocked to prevent access from the Internet LDAP uses TCP/UDP
port 389 and LDAP over SSL (LDAPS) uses port 636 By blocking these
ports from the Internet, it will prevent those outside of the internal network
from listening or making connections to these ports
The challenge with using a protocol such as LDAP is that the connectivity
must be facilitated through a script or program These types of scripts must
indicate the location of the objects within the directory service to access
them If the administrator wants to write a quick, simple script, this means
that the name of the directory service and the names and locations of the
objects that are being accessed must each be placed in the script and known
prior to the script being written If they need to access a different object, they
usually need to rewrite the script or develop a much more complex program
to integrate the directory services Even so, compare scripting to native access
with queries and interactive responses, and the value of a homogenous
net-work with a single directory service is revealed In a homogenous netnet-work,
there is no need to logically connect two directory services with a script This
greatly reduces the time and effort involved in administering the network
Homogenous networks are unusual at best With multiple types of
net-work OSs, desktop OSs, and infrastructure OSs available today, it is likely
that there will be multiple systems around It follows that they all must be
managed in different ways
LDAP-enabled Web servers can handle authentication centrally, using
the LDAP directory This means users will only need a single login name
and password for accessing all resources that use the directory Users
ben-efit from SSO to allow access to any Web server using the directory, or any
password-protected Web page or site that uses the directory The LDAP
server constitutes a security realm, which is used to authenticate users.
Another advantage of LDAP security for Web-based services is that
access control can be enforced based on rules that are defined in the LDAP
directory instead of the administrator having to individually configure the
OS on each Web server
Trang 9There are security programs available, such as PortalXpert Security, which can be used with LDAP to extend enforcement of the security policies that are defined by the LDAP directory to Web servers that are not LDAP enabled and provide role-based management of access controls
PAP
PAP is the simplest form of authentication for a remote access This method was used earlier to authenticate users using username and passwords User provides username and passwords for authentication, which is received by
the access server, and upon successful validation, the server sends an ack for acknowledgement or a nack for failed authentication This method is also known as a two-way handshake.
PAP transmits the username and password in ASCII without any encryp-tion PAP was replaced with CHAP to provide more security
CHAP
One of the methods that can be used to protect information when using remote access to a resource is the CHAP CHAP is a remote access authenti-cation protocol used in conjunction with PPP to provide security and authen-tication to users of remote resources You will recall that PPP replaced the older Serial Line Internet Protocol (SLIP) PPP not only allows for more secu-rity than SLIP but also does not require static addressing to be defined for communication PPP allows users to use dynamic addressing and multiple protocols during communication with a remote host CHAP is described in RFC 1994, available at www.ietf.org/rfc/rfc1994.txt?number=1994 The RFC describes a process of authentication that works in the following manner: CHAP is used to periodically verify the identity of the peer using a three-way handshake This is done upon initial link establishment and may be repeated anytime after the link has been established
1 After the link establishment phase is complete, the authenticator
sends a “challenge” message to the peer
2 The peer responds with a value calculated based on an ID value, a
random value, and the password using a “one-way hash” function such as MD5
Note
For more detailed information about LDAP security issues, see the white paper titled “Introduction to Security of LDAP Directory Services” by Wenling Bao at the SANS Institute Web site at http://www.giac.org/certified_professionals/practicals/gsec/0824.php.
Trang 103 The authenticator checks the response against its own calculation
of the expected hash value If the values match, the authentication
is acknowledged; otherwise the connection should be terminated
4 At random intervals, the authenticator sends a new challenge to
the peer and repeats steps one to three
CHAP operates in conjunction with PPP to provide protection of the
credentials presented for authentication and to verify connection to a valid
resource It does not operate with encrypted password databases, and
there-fore is not as strong a protection as other levels of authentication The
shared secrets may be stored on both ends as a cleartext item, making the
secret vulnerable to compromise or detection CHAP may also be
config-ured to store a password using one-way reversible encryption, which uses
the one-way hash noted earlier This provides protection to the password
because the hash must match the client wishing to authenticate with the
server that has stored the password with the hash value CHAP is better
than PAP, however, because PAP sends passwords across the network in
cleartext
TACACS/TACACS+
RADIUS is not the only centralized RAS TACACS is also used in
authenti-cating remote users TACACS has gone through three major “generations,”
TACACS, XTACACS, and TACACS+
tACACs
As stated previously, TACACS is the “old man” of centralized remote access
authentication TACACS was first developed during the days of ARPANet,
which was the basis for the Internet TACACS is detailed in RFC 1492, which
can be found at http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc1492.html
Although TACACS offers authentication and authorization, it does not
offer any accounting tools As mentioned earlier, a good RAS must fit all the
criteria of the AAA model Similar to RADIUS, a dial-up user connects to
a RAS that prompts the user for their credentials The credentials are then
passed to the TACACS server, which either permits or denies access to the
network
tACACs+
Cisco has developed a proprietary version of TACACS known as
TACACS+.
The driving factor behind TACACS+ was to offer networking
profession-als the ability to manage all remote access components from a centralized