Practical UNIX Security LDAP - Essay Example

Summary
This essay "Practical UNIX Security LDAP" discusses how support for multiple platforms, access control lists and auditing, along with strong Kerberos security, make an LDAP server the best choice to deploy in a multi-platform network environment. There are fewer threats as compared to the other methods. …
Table of Contents

  • What is LDAP?
  • LDAP Account Management
  • LDAP Synchronization Issues
  • LDAP Directory Services
  • Solutions
  • ACL on LDAP
  • LDAP Auditing Features
  • SMF type-83
  • LDAP Vulnerabilities
  • Conclusions
  • References

What is LDAP?

The Lightweight Directory Access Protocol is a communication standard that provides a communication channel between clients and a directory service. A comprehensive definition of LDAP reads: “Lightweight Directory Access Protocol, a protocol which helps find people, computers and other resources on a network. Designed to work with existing address-book standards and improve compatibility between widely differing systems, the ldap standard was adopted by the ietf in 1997 and now forms the basis of many white-page directories on the web. It has also been incorporated directly into some software programs and operating systems, making it possible to find e-mail addresses without visiting a directory site” (Ldap, 2003). LDAP was established after the X.500 protocol, which was also a directory service standard protocol.
However, X.500 carried high overhead and consequently slow response times because of its heavyweight clients. LDAP was created with those overheads and slow responses in mind. LDAP is implemented for both Microsoft Windows and Linux / Unix clients. In order to make LDAP operational for Linux / Unix, a Windows Active Directory configuration is required. Active Directory is “an implementation of LDAP directory services by Microsoft for use in Windows environments. Active Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates to an entire organization. An Active Directory stores information and settings relating to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects” (Active Directory, 2007). A few checklist items apply, including network connectivity testing and raising the Active Directory domain functional level to Windows 2003. Moreover, for Linux / UNIX, the ‘identity management module’ must be installed on the domain controller, along with configuration of the NIS server.

LDAP Account Management

In order to manage accounts in the UNIX network environment, the UNIX systems are configured with Microsoft Active Directory for centralized management of user accounts. This also strengthens network security by integrating role-based access and Kerberized authentication, and it minimizes the operational cost of managing UNIX accounts. UNIX itself contains various features for authentication and authorization: authentication is concerned with establishing who the user is, and authorization with ensuring that the user has been granted permission to perform a task.
However, there are some issues associated with UNIX account management:

  • Synchronization is not properly conducted
  • Vulnerabilities related to NIS
  • Operating LDAP services without multiple platform support
  • Standardized management of password files, which results in security issues

LDAP Synchronization Issues

As the infrastructure of UNIX is flexible, UNIX systems commonly operate on the most fundamental authorization and authentication method: password files created locally. Every system maintains its user accounts in a local file at ‘/etc/passwd’, and its group information in ‘/etc/group’. In a corporate network environment with more than 200 workstations, this approach is vulnerable. If a new workstation is connected to the network and requires access to all workstations, the 400 password and group files must be amended to configure the new user. In order to eliminate this issue, network administrators can implement scripts or synchronize these password and group files. However, if the network is too large and the synchronization process too complex, users end up maintaining the password files that are accessible to them. In addition, a user with more than one account and access to several systems may write down the entire list of passwords in order to remember them. Because this process is too complex to handle, in some organizations network administrators grant all users access to a service account, namely the root superuser account. Granting access to the superuser account has disadvantages, as every user then knows its password. If, for some reason, the network administrator changes the root password, nobody can access the account, and the administrator cannot track who did what if anything goes wrong, because everyone is using the root user. More often, network administrators implement synchronization procedures with the help of tools.
However, synchronization also has flaws. The process requires a password from a password file that can itself be vulnerable. Moreover, synchronization tools save the password rather than its hash, because different systems use different hashes, which results in a vulnerable password file. Furthermore, any system that is being repaired or upgraded during the synchronization process will be skipped and will remain vulnerable (Unix Account Management). NIS (Network Information Service) is defined as “Network Information Services (NIS), developed by Sun Microsystems with an original name of Yellow Page, is a network naming and administration system to centralize management of UNIX systems. NIS+ is a later version that provides additional security and other facilities. It has now essentially become an industry standard. All major UNIX like systems (Solaris, HP-UX, AIX, Linux, NetBSD, OpenBSD, FreeBSD, etc) support NIS (and NIS+)” (NIS and NIS+: Network Information System). The Network Information Service uses a client / server architecture and communicates through Remote Procedure Call (RPC), which is defined as “a protocol for requesting a service from a program located in a remote computer through a network, without having to understand the underlayer network technologies. RPC presumes the existence of a low-level transport protocol, such as TCP or UDP, for carrying the message data between communicating programs” (Remote Procedure Call, 2007). It is a service for sharing the password files that are otherwise present locally at each UNIX workstation. The significant difference with NIS is that it allows passwords to be configured in a single password file rather than in every file at each workstation. NIS clients take updates by communicating with the NIS server in order to configure their password files. Whenever a workstation requires passwords, the NIS client retrieves the password from the NIS server over the network.
On the other hand, the NIS implementation has flaws, as NIS uses an encryption technique, DES hashes, that is not up to modern standards. If an attacker mounts a brute-force attack from an NIS client and breaks the DES hash encryption, he gains access to the password file stored on the server. NIS+, the updated version of NIS, provides more security and features than the previous version, but it is not implemented to the mark because of its complex implementation and configuration (Unix Account Management).

LDAP Directory Services

LDAP is proficient at accessing directory information because it integrates a purpose-designed database. The architecture integrates security protocols including Kerberos, which is defined as “An access control system that was developed at MIT in the 1980s. Turned over to the IETF for standardization in 2003, it was designed to operate in both small companies and large enterprises with multiple domains and authentication servers. The Kerberos concept uses a "master ticket" obtained at logon, which is used to obtain additional "service tickets" when a particular resource is required” (Kerberos Definition from PC Magazine Encyclopedia). Kerberos provides authentication and authorization. Moreover, LDAP services provide automated replication of information to multiple workstations, giving high performance, redundancy and high availability. To provide flexibility while storing data, extensible schemas are incorporated. Protocols including Kerberos and LDAP are compatible with various system platforms because they are standardized (Unix Account Management). However, LDAP implementations with vendor-defined directories do not work efficiently in Windows environments, which results in having to manage several directories and identity stores.
Integration of UNIX account management with LDAP is conducted through RFC 2307 (an approach to implementing LDAP as a network service (Rose 1992)), which defines object classes and attributes for saving UNIX account information; the available attributes and object classes are used to store the account data of UNIX systems. Organizations with scalable environments implement LDAP with UNIX to perform UNIX account management on more than 120 different platforms.

Solutions

LDAP answers all the needs of UNIX account management through the integration of the UNIX environment with Microsoft Active Directory. It is the most secure and reliable solution, with proven credibility, because of the Kerberos key distribution center, which is effective in the domain of authentication, while LDAP operates effectively for access control and UNIX account management. Moreover, it eliminates local password file management and the security issues that come with it, because users and groups are managed in Microsoft Active Directory in the same way for both platforms. Every user is granted one set of credentials, a single user ID and password, for login to both Windows and UNIX platforms. Furthermore, the Microsoft Active Directory credentials apply to each user. Users are allocated to groups, eliminating the superuser issue. As mentioned earlier regarding the synchronization issues, Microsoft Active Directory has an integrated, enterprise-class synchronization tool. It synchronizes passwords on a regular basis for a secure environment, which is helpful as some computers might suffer hardware, software or network failure. Moreover, the issues related to NIS and NIS+ are also eliminated by the strong Kerberos authentication protocol, because it identifies users' data transmissions on a non-secure network, and it supports over 120 platforms including UNIX / LINUX, MAC OS etc. (Unix Account Management).
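The RFC 2307 mapping mentioned above, as an added example (my code, not from the essay or from any product it names): posixAccount and posixGroup entries are rendered into the /etc/passwd and /etc/group lines the essay says they replace. The LDIF and the dc=example,dc=com suffix are constructed.

```python
# Added example (not from the essay): renders RFC 2307 posixAccount and posixGroup
# entries, as an LDAP directory returns them, into the /etc/passwd and /etc/group
# lines they replace. Constructed sample LDIF; the dc=example,dc=com suffix is assumed.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example
userPassword: {SSHA}constructed-placeholder-hash

dn: cn=developers,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 20000
memberUid: alice
memberUid: bob
"""

def parse_ldif(text):
    """Split minimal LDIF into entries; each attribute maps to a list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries + ([current] if current else [])

def passwd_line(entry):
    """posixAccount -> /etc/passwd. The password field is 'x': the hash stays in the
    directory (or a shadow map), so no secret is copied to every workstation."""
    return ":".join([entry["uid"][0], "x", entry["uidNumber"][0], entry["gidNumber"][0],
                     entry.get("gecos", [""])[0], entry["homeDirectory"][0],
                     entry["loginShell"][0]])

def group_line(entry):
    """posixGroup -> /etc/group, with the memberUid values as the member list."""
    return ":".join([entry["cn"][0], "x", entry["gidNumber"][0],
                     ",".join(entry.get("memberUid", []))])

def render(text):
    """Return (passwd_lines, group_lines) for every entry in the LDIF text."""
    passwd, group = [], []
    for entry in parse_ldif(text):
        if "posixAccount" in entry.get("objectClass", []):
            passwd.append(passwd_line(entry))
        elif "posixGroup" in entry.get("objectClass", []):
            group.append(group_line(entry))
    return passwd, group

if __name__ == "__main__":
    print("\n".join(sum(render(SAMPLE_LDIF), [])))
```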
ACL on LDAP

An access directive grants access to a set of entries or attributes through one or more ‘Who’ clauses. The optional parameter ‘control’ defines an exit condition for each ‘Who’ element; if it is not present, the default value is ‘stop’. A ‘slapd.conf’ file may contain more than one access directive, either in the ‘global’ section or in a DIT section. If an access directive is defined in the ‘global’ section, it applies to any access control evaluation in all the following DITs. The directives are evaluated by first matching the ‘What’ condition. If it matches, evaluation proceeds to the ‘Who’ elements, and if one of these matches, the optional ‘Control’ is executed and the access control list is applied (Chapter 6 LDAP Configuration).

LDAP Auditing Features

SMF type-83

The ‘SMF type-83’ record logs entries for LDAP events. These records are processed by the RACF SMF data unload utility so that auditing tools can analyze them further. The audit levels supported in SMF type-83 are (No Title):

  • ALL: audit logs are generated for the specified operations
  • ERROR: audit logs are generated when the specified operations fail
  • NONE: no audit logs are generated for the specified operations

LDAP Vulnerabilities

According to www.cisco.com, vulnerabilities related to an LDAP authentication server are described as follows: “The Lightweight Directory Access Protocol (LDAP) authentication bypass vulnerabilities are caused by a specific processing path followed when the device is setup to use a Lightweight Directory Access Protocol (LDAP) authentication server. These vulnerabilities may allow unauthenticated users to access either the internal network or the device itself.”

Conclusions

Compared to the other account management options available, none of them is up to the mark of the Lightweight Directory Access Server.
The support for multiple platforms, access control lists and auditing, along with strong Kerberos security, makes an LDAP server the best choice to deploy in a multi-platform network environment. Consequently, due to strong encryption, there are fewer threats than with the other methods.

References

Active Directory. 2007. Network Dictionary, p. 21.
Ldap. 2003. Essential Internet, p. 121.
NIS and NIS+: Network Information System | NetworkDictionary. Available: http://www.networkdictionary.com/software/nis.php [accessed 3/19/2011].
Remote Procedure Call. 2007. Network Dictionary, p. 410.
Kerberos Definition from PC Magazine Encyclopedia. Available: http://www.pcmag.com/encyclopedia_term/0,2542,t=Kerberos&i=45748,00.asp [accessed 3/19/2011].
Rose, M.T., 1992. The Little Black Book: Mail Bonding with OSI Directory Services. Englewood Cliffs, N.J.: Prentice Hall.
Unix Account Management. Available: http://www.likewise.com/products/likewise_enterprise/unix-account-management.php [accessed 3/19/2011].
Chapter 6 LDAP Configuration. Available: http://www.zytrax.com/books/ldap/ch6/ [accessed 3/19/2011].
No Title. Available: http://publib.boulder.ibm.com/infocenter/zvm/v6r1/index.jsp?topic=/com.ibm.zvm.v610.kill0/audit.htm [accessed 3/19/2011].
Cisco Security Advisory: LDAP and VPN Vulnerabilities in PIX and ASA Appliances - Cisco Systems. Available: http://www.cisco.com/en/US/products/products_security_advisory09186a0080833166.shtml [accessed 3/19/2011].
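The slapd.conf access-directive evaluation order described in the ‘ACL on LDAP’ section (match ‘What’, then ‘Who’, then apply ‘Control’), as an added example that is my own code and not from the essay or from OpenLDAP. The rules, DNs and the dc=example,dc=com suffix are constructed; the simulator models stop/continue/break but not slapd's incremental +/- privilege forms. It also shows the check a practitioner wants: the same rules placed behind a catch-all directive silently expose userPassword, because the first directive whose ‘What’ matches decides.

```python
# Added example (not from the essay or from OpenLDAP): simulates the slapd.conf
# access-directive order the essay describes (match 'What', then 'Who', then apply
# 'Control'). Rules and DNs are constructed; slapd's +/- privilege forms are omitted.
import re
import shlex
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
def parse_acl(text):
    """Parse 'access to <what> by <who> <level> [stop|continue|break]' rules."""
    directives = []
    for chunk in re.split(r"(?m)^access to ", text.strip())[1:]:
        what, *bys = re.split(r"\s+by\s+", chunk.strip())
        clauses = []
        for by in bys:
            who, level, *ctl = shlex.split(by)  # shlex drops the quotes around DNs
            clauses.append((who, level, ctl[0] if ctl else "stop"))  # default: stop
        directives.append((shlex.split(what)[0], clauses))
    return directives

def what_matches(what, target_dn, attr):
    if what.startswith("attrs="):
        return attr in what[6:].split(",")
    if what.startswith("dn.subtree="):
        return target_dn == what[11:] or target_dn.endswith("," + what[11:])
    return what == "*"

def who_matches(who, bind_dn, target_dn):
    if who.startswith("dn.exact="):
        return bind_dn == who[9:]
    return {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
            "self": bind_dn is not None and bind_dn == target_dn}.get(who, False)

def evaluate(directives, bind_dn, target_dn, attr=None):
    """Access level bind_dn gets on target_dn (or on one of its attributes)."""
    for what, clauses in directives:
        if not what_matches(what, target_dn, attr):
            continue  # 'What' did not match: try the next directive
        granted = "none"  # the implicit trailing 'by * none'
        for who, level, ctl in clauses:
            if who_matches(who, bind_dn, target_dn):
                granted = level
                if ctl == "stop":
                    return granted
                if ctl == "break":
                    break  # leave this directive and go on to the next one
        else:  # no 'break': the first directive whose 'What' matched decides
            return granted
    return "none"

SAFE_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
"""
# Same rules behind a catch-all: 'to *' matches first, so the password rule is never reached.
UNSAFE_ACL = "access to *\n    by * read\n" + SAFE_ACL
```

Comparing `LEVELS.index(evaluate(...))` against the level an operation needs (auth for a bind, read for a search) turns the simulator into a regression check for an ACL change.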
(“MSc Practical UNIX Security ''LDAP'' Essay Example | Topics and Well Written Essays - 2000 words”, n.d.)
Retrieved from https://studentshare.org/environmental-studies/1410706-msc-practical-unix-security-ldap-