Secure Strategies

Information Security Magazine - June 2000

A year-long series on the fundamentals of information systems security

Secure Directory Services for E-Business, Part 3

A practical primer for securing enterprise directory servers.

BY DENNIS SZERSZEN

As directories become essential tools for streamlining management and enforcing access control policies, it’s important to know how to keep them secure. As with any data repository, the information maintained in a directory is only as useful as it is accurate and protected.

The threats to a directory are many, and if appropriate safeguards are not maintained, a company may not even know when a directory has been compromised. The primary threats include theft, destruction and alteration of information (including user privileges). The potential result of a data loss or alteration ranges from the merely embarrassing, to the libelous (if competitive information is exposed), to the expensive (if the company is held liable for the exposure). Even less-sensitive breaches can have an enormous impact on consumer confidence in a company if the exposure is public (such as a cracker defacing a corporate Web site).

Security should be considered from the beginning of design and implementation of directory services, not as an afterthought. And, because threats are constantly changing, security needs to be an ongoing concern, with regular auditing of security controls and practices. After identifying the potential threats to your directory servers, you must define and initiate steps to minimize these risks.

Know Your Users

The majority of threats to data in your directory stem from some form of unauthorized access. This may sound like a simple problem to solve ("Great, I just need to authenticate my users. I already do that."). But if your company plans to offer users access to directory servers over the Internet, you’ll eventually need a stronger authentication scheme beyond that provided by standard user ID/password combinations. In particular, as wireless devices proliferate, offering "anytime, anywhere" access to Web resources, more robust authentication will be required to maintain secure directory data, especially given the growing variety of attack tools on the Web that can be used to gain unauthorized access.

Most commercial directories today support several options for authentication, which vary considerably in terms of security strength, cost and administration complexity.

Username and password.

A username and password combination is the most basic form of authentication to implement, and it adds some measure of security. However, user ID/password schemes do nothing to protect the data (including the password information) traveling between clients and the directory. The information travels along the wire in plaintext, and as such can be intercepted and read in transit. So, while this type of authentication might suffice for granting employees access to an online address book, for example, it would not be adequate for providing access to more sensitive information.

Username and password over SSL.

A more secure solution is to secure the user’s ID and password credentials using the Secure Sockets Layer (SSL) protocol. Using SSL ensures that all information is encrypted during transit, making it difficult to eavesdrop on the content of the transmission. While SSL increases security, it also adds overhead, since all information must be encrypted and decrypted, which consumes server processor capacity and bandwidth. If the performance impact is severe enough (say, for thousands of simultaneous SSL sessions), some directories, such as Netscape Directory Server, support the addition of a cryptographic hardware accelerator, which offloads the "heavy math" of SSL from the server processor itself. Another requirement that SSL introduces is that users must access the directory from an SSL-enabled client.

Secret-key authentication with Kerberos.

Kerberos-based secret-key systems, such as the one built into Windows 2000, are an ideal choice for organizations that intend to centrally administer users and servers. These systems employ an online server that contains all user and server secret keys, which can be changed "on the fly." Because all secret keys are stored in a single database, however, this server requires enhanced security to ensure that it’s protected from misuse and attack.

A final consideration with password-based options is that users, if left to their own devices, tend to pick easy-to-remember passwords. Unfortunately, these passwords are also easy to guess or crack. Freeware tools such as L0phtcrack or Crack can determine passwords through brute-force dictionary matching. Some of these programs are relatively sophisticated, and can look for passwords that contain common words, capitalization or variations on the user’s name. While privacy policies may prohibit you from running one of these programs internally in your company, it’s imperative that you know what would happen if someone else were to do so.

Establishing and enforcing password security policies, such as requiring minimum lengths and combinations of letters and numbers, will greatly improve the security of your directory resources. The key is to establish a policy that requires passwords that are not easy to guess, but can be easily remembered by end-users.
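The following is an added example, not code from the article: a password policy check that models the cracker behaviour described above (dictionary words, case and digit-for-letter variations, and variations on the user's name) alongside the length and letters-plus-digits rules. The word list, substitution map and user fields are constructed stand-ins; a deployment would load a full cracking dictionary.

```python
"""Password policy check for directory accounts (added example).

Assumptions: DICTIONARY is a tiny constructed stand-in for a cracking word
list, and LEET_MAP covers one common substitution set (real crackers try
several). MIN_LENGTH is an illustrative policy value.
"""
import re

# Constructed stand-in for a cracker's dictionary (real lists run to 100k+ words).
DICTIONARY = {"password", "welcome", "summer", "secret", "letmein", "dragon", "qwerty"}

# Digit/symbol-for-letter substitutions crackers try in "variation" mode, mapped back.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8


def normalize(candidate: str) -> str:
    """Fold case, drop a trailing digit suffix and undo substitutions, so
    'P4ssw0rd99' and 'Password1' both collapse to 'password'."""
    folded = re.sub(r"\d+$", "", candidate.lower())
    return folded.translate(LEET_MAP)


def name_variants(user_fields):
    """Tokens derived from the account (user ID, first and last name), plus
    their reversals, the way a cracker's name-variation mode builds them."""
    variants = set()
    for field in user_fields:
        for token in re.split(r"[\s._-]+", field.lower()):
            if len(token) >= 3:
                variants.add(token)
                variants.add(token[::-1])
    return variants


def check_password(candidate: str, user_fields) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"\d", candidate):
        problems.append("must mix letters and digits")
    core = normalize(candidate)
    if core in DICTIONARY:
        problems.append("dictionary word (including case/substitution variants)")
    for token in sorted(name_variants(user_fields)):
        if token in core:
            problems.append(f"contains a variation of the user's name ({token!r})")
            break
    return problems


if __name__ == "__main__":
    # Constructed account: user ID plus first and last name.
    account = ["jdoe", "John", "Doe"]
    for pw in ["Password1", "Doe12345", "secret", "Blue7Harbor-Wave"]:
        print(pw, "->", check_password(pw, account) or "OK")
```

Running the block prints one line per sample password; the last one passes every rule while the first three are caught by the dictionary, name-variation and length/composition checks respectively.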

SSL with digital certificates.

For stronger authentication, you can implement SSL with digital certificates. Though this option provides a high degree of security, it also carries a high price tag in terms of traffic performance and management overhead. Digital certificates enable you to strongly authenticate clients and assure the integrity and privacy of transmitted data. A certificate-based system can also enable nonrepudiation, allowing you to prove that a transaction initiated by a certain user actually came from that user, not someone pretending to be him or her.

Keep in mind that there are significant administration and cost issues involved in utilizing a public-key infrastructure (PKI)-based authentication system. A certificate-based system is recommended only for highly sensitive data, which, if compromised, would result in significant financial and/or legal repercussions.

Biometrics and other third-party authenticators.

It’s also possible to integrate other authentication "form factors" with your directory. Biometric technologies, soft and hard tokens, smart cards and USB tokens all offer another layer of authentication. For even greater security, many of these authentication options can be combined, such as digital certificates with smart cards or layered biometric applications.

Access Control

Of course, the reason to authenticate clients is to enable them to access company resources. This is especially true as companies use directories to serve Internet users: known employees and partners, as well as larger populations. However, a solid access control policy is important even if your directory is only being accessed behind the firewall by your own employees. According to several recent surveys, the most damaging security breaches come from known or internal users.

Designing your access control policy is one of the most important steps to securing your directory. Your access control policy defines which clients (users or applications) have access to which directory resources. There are currently no industry standards to define an access control model for LDAP-enabled directories.

The major directory vendors (Netscape, Novell, Microsoft and IBM) all support their own access control model. The Internet Engineering Task Force (IETF) is currently developing standards for access control for LDAP. However, these are still in draft form and will not be finalized for some time. In the meantime, you’ll need to work within the access control model of the directory you’ve selected.

Regardless of the directory you choose, the most important goal in developing an access control policy is to keep it simple. You can take advantage of the hierarchical structure of the directory namespace and inheritance properties to set policy for a large number of resources simultaneously.

To streamline and segment your user population, you can designate user groups and roles. For instance, employees in the HR department ("HR group") can be restricted to only HR-related data in the directory structure. This will greatly simplify administration and reduce the chances for mistakes.
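As an added example (not the article's code and not any vendor's ACL model), the block below shows the two ideas from the last three paragraphs working together: a rule attached to one point in the directory tree is inherited by every entry beneath it, and groups keep the subject side of the policy small. The rule structure, DNs and group names are constructed simplifications; in a product such as Netscape Directory Server the rules would be stored as attributes on the entries themselves.

```python
"""Subtree-inherited access control for an LDAP-style directory (added example).

The Rule structure is a constructed simplification: a rule is attached to a
target DN and applies to the whole subtree under it. All DNs are made up."""
from dataclasses import dataclass


def norm(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(entry_dn: str, target_dn: str) -> bool:
    """True if entry_dn is target_dn itself or lies anywhere beneath it."""
    entry, target = norm(entry_dn), norm(target_dn)
    return entry == target or entry.endswith("," + target)


@dataclass(frozen=True)
class Rule:
    target: str          # DN the rule is attached to; inherited by the whole subtree
    subject: str         # "anyone", "self", "group:<group DN>" or a user DN
    rights: frozenset    # subset of {"read", "search", "write"}
    allow: bool = True   # False turns this into a deny rule


class Directory:
    def __init__(self):
        self.rules = []
        self.groups = {}    # normalized group DN -> set of normalized member DNs

    def add_group(self, group_dn, members):
        self.groups[norm(group_dn)] = {norm(m) for m in members}

    def add_rule(self, rule):
        self.rules.append(rule)

    def _subject_matches(self, rule, client_dn, entry_dn):
        if rule.subject == "anyone":
            return True
        if rule.subject == "self":
            return norm(client_dn) == norm(entry_dn)
        if rule.subject.startswith("group:"):
            return norm(client_dn) in self.groups.get(norm(rule.subject[6:]), set())
        return norm(rule.subject) == norm(client_dn)

    def check(self, client_dn, entry_dn, right):
        """Default deny. Every rule whose target covers the entry is considered,
        so one rule set high in the tree governs many entries at once; an
        explicit deny anywhere on the path wins over any allow."""
        allowed = False
        for rule in self.rules:
            if right not in rule.rights or not is_under(entry_dn, rule.target):
                continue
            if not self._subject_matches(rule, client_dn, entry_dn):
                continue
            if not rule.allow:
                return False
            allowed = True
        return allowed


BASE = "dc=example,dc=com"
HR_GROUP = "cn=HR,ou=Groups," + BASE
STAFF_GROUP = "cn=Employees,ou=Groups," + BASE


def build_sample_directory():
    """Constructed policy: staff read the address book and edit their own
    entry; only the HR group sees HR records; terminated accounts are hidden
    from everyone, overriding the inherited staff read right."""
    d = Directory()
    d.add_group(STAFF_GROUP, ["uid=alice,ou=People," + BASE, "uid=bob,ou=People," + BASE])
    d.add_group(HR_GROUP, ["uid=alice,ou=People," + BASE])
    d.add_rule(Rule("ou=People," + BASE, "group:" + STAFF_GROUP, frozenset({"read", "search"})))
    d.add_rule(Rule("ou=People," + BASE, "self", frozenset({"write"})))
    d.add_rule(Rule("ou=HR Records," + BASE, "group:" + HR_GROUP,
                    frozenset({"read", "search", "write"})))
    d.add_rule(Rule("ou=Terminated,ou=People," + BASE, "anyone",
                    frozenset({"read", "search"}), allow=False))
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    bob = "uid=bob,ou=People," + BASE
    print(d.check(bob, "uid=alice,ou=HR Records," + BASE, "read"))   # False: not in HR
    print(d.check(bob, bob, "write"))                                 # True: self rule
```

Six rules (two of them groups) cover the whole population; adding a new HR employee is a group membership change, not a policy change, which is where the reduction in administrative mistakes comes from.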

Design Considerations

During the design phase, it’s important to examine the topology of your network and where your directory, its replicas and clients will reside. Will they be behind the firewall and connected by private lines only? Most likely not. Will you enable access to the Internet? Where does the information in your directory come from? How secure is that source from tampering? These are a few of the questions to consider when determining which security threats to address.

Eavesdropping and tampering.

If users access the directory over your internal network or the Internet without using encryption, you’re vulnerable to eavesdropping (sniffing) or connection hijacking. Another possible attack is a "man-in-the-middle" attack, in which the attacker positions himself or herself between the directory client and the server, and is able to intercept and/or change both the client’s directory request and the directory response. If this kind of attack is not detected, a company could suffer loss of both data privacy and data integrity without even knowing it.

A connection-level encryption protocol, such as SSL, can help protect against these types of threats by authenticating users and encrypting data while it’s in transit. Consequently, someone who attempts to eavesdrop or hijack data is not able to access any immediately useful information. Using digital signatures provides even stronger protection. It is equally important to look at connections between the master directory and your replicas. If this connection traverses the network, the types of precautions discussed for client connections are equally applicable.
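The "SSL-enabled client" mentioned earlier only defeats a man-in-the-middle if it actually verifies who it is talking to. The block below is an added example, not the article's code and not any vendor's client library: it builds the TLS settings a directory client should insist on before sending a user ID and password, with an optional client certificate for the certificate-based option. The certificate file paths and the port constant are assumptions, and no connection is made in the test.

```python
"""TLS settings an SSL-enabled directory client should insist on (added example).

Assumptions: certificate paths are placeholders supplied by the caller;
LDAPS_PORT is the conventional port for LDAP over SSL/TLS."""
import socket
import ssl

LDAPS_PORT = 636


def make_directory_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Build a client context that authenticates the server (the defence
    against an attacker terminating the session on his own certificate)
    and optionally presents a client certificate as well."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED      # no trusted certificate, no session
    ctx.check_hostname = True                # certificate must name the host we asked for
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        # "SSL with digital certificates": the client proves its identity too.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def safe_to_send_password(ctx):
    """Gate for a simple bind: a plaintext credential may only travel over a
    channel whose peer has been verified. CERT_NONE or hostname checking
    switched off gives encryption without authentication, which is exactly
    the gap a man-in-the-middle exploits."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def ldaps_connect(host, ctx, port=LDAPS_PORT, timeout=10):
    """Open the encrypted transport; the LDAP bind itself would follow."""
    if not safe_to_send_password(ctx):
        raise RuntimeError("refusing to bind over an unverified TLS session")
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)   # handshake and verification


def weakened_context():
    """What a misconfigured client looks like; included only to show the gate
    rejecting it (check_hostname must be cleared before verify_mode)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

The same gate applies to the master-to-replica link: replication traffic that crosses the network should be wrapped with a context built the same way, with the replica verifying the master's certificate and not merely encrypting to whoever answers.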

You also need to consider the security of the information that resides in the directory: Where does the data come from? Is it uploaded over a secure connection? For example, if the information is uploaded from an HR database, that database should be as strongly protected as the directory. A security policy is only as strong as its weakest link, so it’s important to implement security for the entire lifecycle of the information being protected.

Denial-of-service attacks.

Another threat to consider when designing your directory is denial-of-service (DoS) attacks. These don’t have to come from 19-year-old hackers to be of major concern; indeed, DoS can be caused by bugs or misconfigured client software, too. You can reduce this risk by limiting the number of resources a client can access, as well as by maintaining thorough auditing and logging practices (more on this below).

Physical security.

Physical access to a directory server is another threat to its security. A person can gain unauthorized access privileges by logging onto a trusted terminal, or unplugging the drive that contains the data and walking off with it. If the motive is to be destructive, someone can simply take the machine down…literally.

While this may sound obvious, it bears mentioning as organizations sometimes get careless about physical security when there is no perceived immediate threat. And since intruders rarely call to make an appointment and disgruntled employees don’t often announce their intentions, this threat can lead to problems if company policy does not require simple physical security measures, such as keeping critical production servers in locked rooms with limited access.

Auditing and Authorization

Auditing is essential to discovering and correcting security breaches if they occur. Major directories maintain log files that can be analyzed for this purpose, and third-party tools can provide more sophisticated analysis of log files. Additionally, several vendors offer tools that provide real-time monitoring of access attempts with notification capabilities when suspicious activity is detected. Offerings like Kane Secure Enterprise from Intrusion.com (www.intrusion.com), ISS’s RealSecure (www.iss.net), Intruder Alert from Axent (www.axent.com) and CyberSafe’s Centrax Intrusion Detection (www.cybersafe.com) enable you to detect attacks as they occur, increasing your chances of thwarting the attack and/or catching the attacker.
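As an added example serving both the denial-of-service paragraph above (limiting what a client can consume, backed by logging) and this auditing section, the block below runs two simple detections over directory access-log lines: repeated failed binds from one source address inside a time window, and a single connection issuing more searches than the configured limit. It is not code from the article or from any of the products named; the log format and every line in SAMPLE_LOG are constructed for the example, so the regular expression would need adapting to a real product's access log.

```python
"""Access-log review for a directory server (added example).

Assumptions: the log format below is constructed for this example; the
thresholds are illustrative; result code 49 is LDAP's invalidCredentials."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\S+) conn=(?P<conn>\d+) ip=(?P<ip>\S+) op=(?P<op>\w+)'
    r'(?: dn="(?P<dn>[^"]*)")?(?: base="(?P<base>[^"]*)")?'
    r'(?: nentries=(?P<nentries>\d+))? result=(?P<result>\d+)$')

FAILED_BIND_LIMIT = 5            # failed binds from one address inside WINDOW
WINDOW = timedelta(minutes=2)
SEARCH_OPS_LIMIT = 3             # searches one connection may issue before review
INVALID_CREDENTIALS = 49

# Constructed sample: one stale failure, a burst of password failures from
# 10.1.1.5 against several accounts, one legitimate login, and an application
# account on conn=30 pulling the whole People container repeatedly.
SAMPLE_LOG = [
    '2000-06-05T09:00:00 conn=3 ip=10.1.1.5 op=BIND dn="uid=jdoe,ou=People,dc=example,dc=com" result=49',
    '2000-06-05T10:15:01 conn=12 ip=10.1.1.5 op=BIND dn="uid=jdoe,ou=People,dc=example,dc=com" result=49',
    '2000-06-05T10:15:09 conn=13 ip=10.1.1.5 op=BIND dn="uid=jdoe,ou=People,dc=example,dc=com" result=49',
    '2000-06-05T10:15:20 conn=14 ip=10.1.1.5 op=BIND dn="uid=asmith,ou=People,dc=example,dc=com" result=49',
    '2000-06-05T10:15:33 conn=15 ip=10.1.1.9 op=BIND dn="uid=asmith,ou=People,dc=example,dc=com" result=0',
    '2000-06-05T10:15:41 conn=16 ip=10.1.1.5 op=BIND dn="uid=asmith,ou=People,dc=example,dc=com" result=49',
    '2000-06-05T10:16:02 conn=17 ip=10.1.1.5 op=BIND dn="uid=bwong,ou=People,dc=example,dc=com" result=49',
    '2000-06-05T10:20:00 conn=30 ip=10.1.2.7 op=BIND dn="uid=reports,ou=Apps,dc=example,dc=com" result=0',
    '2000-06-05T10:20:01 conn=30 ip=10.1.2.7 op=SEARCH base="ou=People,dc=example,dc=com" nentries=1500 result=0',
    '2000-06-05T10:20:02 conn=30 ip=10.1.2.7 op=SEARCH base="ou=People,dc=example,dc=com" nentries=1500 result=0',
    '2000-06-05T10:20:03 conn=30 ip=10.1.2.7 op=SEARCH base="ou=People,dc=example,dc=com" nentries=1500 result=0',
    '2000-06-05T10:20:04 conn=30 ip=10.1.2.7 op=SEARCH base="ou=People,dc=example,dc=com" nentries=1500 result=0',
]


def parse(line):
    """Turn one log line into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["result"] = int(ev["result"])
    ev["nentries"] = int(ev["nentries"]) if ev["nentries"] else 0
    return ev


def analyze(lines):
    """Return (kind, source_ip, detail) alerts, one per offending source."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failed binds still inside WINDOW
    searches = defaultdict(int)     # conn -> searches issued so far
    flagged_ip, flagged_conn = set(), set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["op"] == "BIND" and ev["result"] == INVALID_CREDENTIALS:
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # sliding window: drop stale failures
                q.popleft()
            if len(q) >= FAILED_BIND_LIMIT and ev["ip"] not in flagged_ip:
                flagged_ip.add(ev["ip"])
                alerts.append(("password-guessing", ev["ip"],
                               f"{len(q)} failed binds within {WINDOW}"))
        elif ev["op"] == "SEARCH":
            searches[ev["conn"]] += 1
            if searches[ev["conn"]] > SEARCH_OPS_LIMIT and ev["conn"] not in flagged_conn:
                flagged_conn.add(ev["conn"])
                alerts.append(("resource-limit", ev["ip"],
                               f"conn {ev['conn']} exceeded {SEARCH_OPS_LIMIT} searches"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:18} {ip:10} {detail}")
```

The stale 09:00 failure is evicted by the window, so the burst is only reported once the fifth failure inside two minutes arrives; the second alert is the kind of client behaviour the article attributes as often to buggy or misconfigured software as to an attacker, which is why it is reported for review rather than acted on automatically.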

Once you have securely deployed your directory, you can leverage this investment to implement security policies for a wide range of network resources. Several products are available to provide user access control management for Web and other network resources. These include the SecureWay Policy Director from Tivoli (www.tivoli.com), SiteMinder from Netegrity (www.netegrity.com), getAccess from enCommerce (www.encommerce.com) and SecureControl from Securant Technologies (www.securant.com).

These products work with a variety of authentication mechanisms right out of the box. Most of the products are also able to leverage access control information to provide personalization services. Because these products vary in architecture as well as directory and resource support, you need to determine platform, resource and user requirements when evaluating them.

While these products provide security and ease of administration, there is an upfront cost in planning and design. Larger installations should seek professional services during the planning and design phases, rather than waiting to bring in help for deployment. For instance, it took a large financial institution of 5,000 internal users nearly a year to deploy one of these administration solutions because they made directory design changes late in the deployment. Meanwhile, a manufacturing organization of roughly the same size was able to deploy in about one-third the time.

Reaching Out

Directory services play an indispensable role in enabling businesses to reach out to new customers, business partners and suppliers by tying all sorts of information together, and by making that data available quickly and securely. While security technologies have kept pace with e-business trends, the use of these technologies has lagged behind the adoption of directory services. Implementing appropriate security measures for e-business projects, including those that use directory services, is best accomplished in the planning and design phases. Waiting until after the project is deployed exposes the enterprise to unnecessary security risk and privacy breaches, and can make security deployment far more costly.

--------------------------------------------------------------------------------

DENNIS SZERSZEN is director of security strategies at Hurwitz Group (www.hurwitz.com), a Framingham, Mass.-based analyst firm specializing in e-business applications.