Authenticating iOS Devices to Join the Active Directory Domain - Literature review Example

This paper is about authenticating iOS devices to join the Active Directory domain. The technology offers invaluable tools with which we can establish network systems that deliver services to their users with unparalleled convenience and security…
November 30

Authenticating iOS devices to join the Active Directory Domain

Introduction

Network environments are characterized by heavy traffic of users seeking to accomplish different objectives. These could be requests for access to common or personal files or to a network printer. The requests are often numerous and simultaneous, requiring that the network be fast and robust enough to sustain its functions. However, some users will have intentions of accessing the personal files of other users, corrupting public files or denying other users access to printers, forcing us to think carefully about network integrity. Contemporary society cannot allow us to continue using a centralized service delivery system where people crowd around one terminal to receive services. The rigor of maintaining wired systems, coupled with the obvious challenge of ensuring convenient access to services, renders such networks inefficient and thus undesirable. Fortunately, technology offers invaluable tools with which we can establish network systems that deliver services to their users with unparalleled convenience and security. With wireless connection technologies (Wi-Fi), users are able to access personal files, public folders and printers on their school, hospital or office networks from wherever they are at any time. A system offering the above functionality clearly requires far more than ownership of a device that can wirelessly access network resources. This project seeks to establish a network that provides all the desirable features mentioned above using a server-client model. Given that the client required is any iOS device with networking capabilities, which are readily available on the market, the emphasis remains on creating a server system. Basically, the project suggests the use of Microsoft Active Directory to identify users and resources on the network.
Closely associated with this is the Lightweight Directory Access Protocol (LDAP), which will be employed for its security and access features. With the understanding that the network will require wireless access, this paper gives the means through which such connections can be secured to assure integrity; 802.1x is preferred. The overall objectives of this network are, first, to allow iOS users to securely access resources on the networks of their learning institutions or workplaces from any point within and without the premises and, second, to cut down on the costs of wiring buildings with network cables. As a result, convenience concerns are averted and comfortable access to services in the institution is attained.

Lightweight Directory Access Protocol (LDAP)

Background information

LDAP is an open network protocol standard created to provide access to distributed directories so that information can be retrieved or modified (Thompson). The information stored exists in a directory information tree (DIT) and could be about users, printers, applications, files or other network resources. LDAP itself does not provide APIs to implement access to these resources but rather serves as guidance in building distributed systems. Directories differ from databases in several ways and thus require different means of accessing the information stored in them. Unlike databases, which can handle updates and transactions quite reliably, directories are more inclined to providing read-only access. In distributed environments, directories experience problems with updates coming from several users in different locations on the network. The need to query directories, explains Thompson, came about with X.500 and the Directory Access Protocol (DAP). The X.500 technology allowed directory entries to be defined in a hierarchical namespace that was then contained in a DIT. DAP, built upon the Open Systems Interconnection (OSI) stack, was then used to search the DIT.
To improve on directory access methods, LDAP was designed as a simple yet highly functional protocol for directory access and manipulation. LDAP has been adopted in various APIs. It is a standard developed by the Internet Engineering Task Force (IETF) and has been implemented by various institutions including Microsoft, IBM, Netscape and the University of Michigan. LDAP is described by four models:

- Informational model: describes the structure of information in the directory information tree. It provides standards for creating enterprise-level directories.
- Naming model: provides guidance on how information is organized and referenced in the DIT.
- Functional model: defines the actions that can be performed on the stored information.
- Security model: describes how to protect information stored in the DIT. Mechanisms for secure access to this information can thus be developed.

Understanding the LDIF file format

LDIF refers to the LDAP Data Interchange Format. It is an internet standard that describes a file format so that batch export and import actions can be carried out on directories that conform to LDAP (Thompson). Directory entries in LDIF can be entered via a file in which records are entered one after another, each starting with dn and separated from the next by an empty line (Qadeer et al.). A record could be a new entry for the directory or a set of modifications to an entry already existing in the directory. LDIF has a command line utility, LDIF Directory Exchange (LDIFDE), with which various administrative activities can be performed, such as adding, deleting, renaming and modifying directory objects. In Windows 2000 Server the utility is available when the LDIFDE command is run from the command prompt, while Windows 2000 Professional requires the installation of ldifde.exe before the utility is available on the command line (Thompson).

LDAP Utility (ldp.exe)

ldp.exe is a graphical tool used to carry out LDAP operations on directories that conform to LDAP, such as Active Directory.
Using this utility, actions such as search, connect, bind, delete and modify can be performed on LDAP-compatible directories (Thompson). Windows 2000 Server has ldp.exe prepackaged in its Resource Kit, and on top of the functions mentioned above, Active Directory administrators can use it for troubleshooting by viewing information together with its metadata.

Ldp.exe authentication APIs

Authentication in LDAP occurs any time a client connects to a Directory Server Agent (DSA) so as to access information. A DSA is a computer that hosts a network directory, thus acting as an LDAP server. Three basic functions are studied: ldap_open_s(), ldap_bind_s() and ldap_unbind_s(). ldap_open_s() creates, initializes and opens a connection to an LDAP server. It returns a session handle as a pointer to an LDAP data structure if it executes successfully; otherwise it returns a null pointer. ldap_bind_s() is used to authenticate a client before it is connected to an LDAP server and returns the message ID of the operation initiated in case of success. The function takes various parameters including the session handle, a name to bind to, user credentials and the method to be used in authentication. The ldap_unbind_s() function is used to terminate the connection between client and LDAP server, freeing all resources that had been assigned to the session. Upon successful return from the call it gives a success value, and an error code in case it fails to execute successfully. It takes a single parameter: the session handle of the connection to unbind.

Ldp.exe interrogation APIs

Interrogation APIs are used to query the LDAP directory for information. Under these are the functions ldap_search_s() and ldap_compare_s(). ldap_search_s() searches the LDAP directory and returns a set of attributes matching the searched items. On successful execution, it returns the message ID of the search operation and -1 in case it fails.
ldap_compare_s() is used to determine whether an attribute of a given entry holds a known value.

Ldp.exe update APIs

Update APIs enable a user to modify information stored in the DIT. Using the functions under this category, users can create new entries and modify or delete existing ones. ldap_add_s() is used to add an entry to the DIT. ldap_modify_s() is used to change an existing entry in the DIT, where deleting, adding and modifying attributes of entries can be performed. The ldap_modrdn_s() function changes the relative distinguished name of an entry in the LDAP directory. The ldap_delete_s() function is used to remove a leaf entry from a DIT.

Issues without LDAP

Salim, Akhtar and Qadeer explain that services without LDAP authentication would experience a number of challenges. First, the service will have the added workload of having to authenticate users besides its usual task of delivering services. In cases where there is a lot of traffic (many requests at a go), the performance of the service is adversely affected. Second, given that LDAP authorization techniques are well managed and definitely superior to service-based methods, not using them would mean the services are not adequately secure.

Microsoft Active Directory as an LDAP implementation

Active Directory (AD) fundamentals

Advancements in the Microsoft NT NOS saw the introduction of Active Directory, a directory service that utilizes the LDAP and X.500 standards. Although they share some concepts, they differ greatly in functionality, features and scalability. Active Directory is a better option in LDAP. In fact, some services like Windows NT Domain Controllers and Backup Domain Controllers have been replaced with Active Directory Domain Controllers (Desmond et al. 4).

Object storage and identification in AD

Data in AD is organized hierarchically, just as in normal file systems. Entries, referred to as objects, exist in two types: containers and non-containers (leaf nodes).
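The LDIF record structure and the update operations described above, as an added Python example that is not from the paper or its cited sources: it parses blank-line-separated records that start with dn, applies them to an in-memory directory tree that assigns a GUID on creation, and enforces that a new entry hangs under an existing container and that only a leaf entry can be deleted. The sample LDIF, DNs and attribute values are constructed, and changetype is limited to add, modify (add/replace groups) and delete.

```python
import uuid

# Constructed sample LDIF: each record starts with "dn:", a blank line separates
# records, and a record is either a new entry or changes to an existing one.
SAMPLE_LDIF = """\
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit

dn: cn=Alice Lee,ou=Users,dc=example,dc=com
mail: alice@example.com

dn: cn=Alice Lee,ou=Users,dc=example,dc=com
changetype: modify
replace: mail
mail: a.lee@example.com
-
add: telephoneNumber
telephoneNumber: +1 555 0100
-
"""

def parse_ldif(text):
    # Yield (dn, changetype, body lines) per record; changetype defaults to add.
    record = []
    for line in text.splitlines() + [""]:
        if line:
            record.append(line)
        elif record:
            if not record[0].startswith("dn: "):
                raise ValueError("LDIF record must begin with dn")
            change = len(record) > 1 and record[1].startswith("changetype: ")
            yield record[0][4:], record[1][12:] if change else "add", record[2 if change else 1:]
            record = []

def parent_dn(dn):
    # Assumes DNs without escaped commas, so the parent is everything after the RDN.
    return dn.split(",", 1)[1] if "," in dn else None

class DIT(dict):
    """Directory information tree: dn -> {"guid": ..., "attrs": {name: [values]}}."""

    def add(self, dn, lines):
        # First entry is the naming-context root; later entries need an existing
        # parent container, and each new object gets a GUID as AD does.
        if dn in self or (self and parent_dn(dn) not in self):
            raise ValueError("cannot add " + dn)
        attrs = {}
        for name, value in (line.split(": ", 1) for line in lines):
            attrs.setdefault(name, []).append(value)
        self[dn] = {"guid": str(uuid.uuid4()), "attrs": attrs}

    def modify(self, dn, lines):
        # A change group is "add|replace: attr", its values, then a "-" line.
        attrs, group = self[dn]["attrs"], []
        for line in lines + ["-"]:
            if line != "-":
                group.append(line.split(": ", 1))
            elif group:
                (op, attr), values = group[0], [v for _, v in group[1:]]
                if op not in ("add", "replace"):
                    raise ValueError("unsupported change: " + op)
                attrs[attr] = (attrs.get(attr, []) if op == "add" else []) + values
                group = []

    def delete(self, dn, lines=()):
        # ldap_delete_s semantics: only a leaf (childless) entry may be removed.
        if any(parent_dn(d) == dn for d in self):
            raise ValueError("not a leaf entry: " + dn)
        del self[dn]

def load_ldif(text):
    # Apply each record to a fresh DIT; the changetype selects the operation.
    dit = DIT()
    for dn, changetype, body in parse_ldif(text):
        {"add": dit.add, "modify": dit.modify, "delete": dit.delete}[changetype](dn, body)
    return dit
```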
Containers branch off into other containers or leaf nodes, while non-containers do not branch further. Within the AD there is a need to uniquely identify objects when storing them in large numbers. AD assigns a Globally Unique ID (GUID) to each object upon creation, thus distinguishing it from all others (Desmond et al. 17-18). Though resilient, GUIDs are not easy to remember; consequently an alternative approach is used that utilizes distinguished names (DN). Here the hierarchical path to an object in the AD is used to uniquely identify it. The distinguished names are generated based on the LDAP naming standards.

Domains and Domain Trees

A domain basically consists of four components:

- A hierarchical structure of objects and containers that follows the X.500 standards.
- A domain name that uniquely identifies the object.
- A security service for authenticating access requests.
- Policies that dictate functionality within the domain.

A domain tree comprises a root domain and sub-domains branching from it. A Domain Controller exists that prohibits the creation of more than one domain in it. Trees enhance access to and management of resources in the AD.

Forests

A forest is comprised of one or more domain trees that are connected via 'transitive trust' (Desmond et al. 22). Forests are important when independent business units need to be isolated but still maintain some kind of connection. In Active Directory such isolation is achieved by placing the units in separate forests.

Users and Groups

Security in the AD requires that users of the network resources be well known to the directory before they can be allowed to access any resources. Creating accounts for users therefore becomes a necessity in this implementation. When creating a user in Windows NT or 2000 servers, it is important to note the mandatory attributes, as they are key in defining how that user operates within the Active Directory domain. The Microsoft Active Directory environment allows the creation of simple user accounts as well as full-featured accounts.
Utilities exist, like the Windows 2000 Resource Kit's Addusers utility, that help create users, but one can also create command-line utilities or web-based interfaces to add users to the AD. Upon creation, administrative functions can be carried out such as modifying user accounts and unlocking passwords (Desmond et al. 578). Like user accounts, groups can also be created in the Active Directory domain. Groups are important for allocating resources and permissions. Users with similar characteristics are grouped together and assigned to resources collectively. This way, management actions can be easily performed on them. Active Directory allows the creation of groups, adding and deleting members from such groups and checking memberships through specific methods (Desmond et al. 583).

Active Directory Security (Authentication)

Permissions and Auditing

The definition of permissions in Active Directory employs the methods used in NTFS file systems. Security Descriptors (SDs), Access Control Lists (ACLs) and Access Control Entries (ACEs) are used in this regard. Desmond gives a detailed look at the four main interfaces used in Active Directory to manipulate and iterate over permissions and auditing entries for objects (587-618). The four interfaces are:

- IADsAccessControlEntry
- IADsAccessControlList
- IADsSecurityDescriptor
- IADsSecurityUtility

Advanced authentication

Kadlec, Jaros and Kuchta suggested an authentication method that relies on five factors to fully authenticate a user. The factors are outlined as follows:

- Something you know: password or PIN
- Something you have: token or smart card (two-factor authentication)
- Something you are: biometrics, such as a fingerprint (three-factor authentication)
- Where you are: position information (four-factor authentication)
- When you are: time information (five-factor authentication)

Based on these criteria, an authentication method has been designed to run on Windows Vista's Credential Security Service Provider (CredSSP).
CredSSP allows user login credentials to be sent from the client to the target server in conformity with client policies. In Windows Vista, credential providers present the user with a Logon User Interface where the user supplies their credentials, and the information is then presented for authentication. The credential providers do not enforce any security; rather, they only gather and serialize the user credentials and present them for authentication. Authorization is performed against users created within the Active Directory domain. iOS devices will then connect to the configured LDAP servers. On iOS devices, options for providing the account information of the LDAP server of interest are available, and users can easily connect to the servers and access resources once the servers have been correctly set up and are running ('Gracion Software').

Wireless Security

Understanding 802.1x to secure connections

802.1x is a Microsoft and industry standard Extensible Authentication Protocol (EAP) that provides network port authentication for 802.11 WLANs (Brawn, Koan and Caye). 802.1x alone does not fully satisfy the authentication requirements of 802.11 WLANs; therefore it relies on other methods for authentication, like PEAP, TTLS, TLS, token cards, one-time passwords and certificate-based authentication. The specification does not, however, bind one to a specific authentication method. The components that facilitate the use of 802.1x in securing wireless fidelity networks are the supplicant (the client), the authenticator (the access point) and the authentication server (most often RADIUS). No direct communication occurs between the supplicant and the authentication server; rather, the authenticator is used as a link between the two. The access point has the responsibility of fetching information from the client and presenting it to the RADIUS server, and vice versa.
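The relay between access point and RADIUS server described above, as an added Python example that is not from the paper or its cited sources: it builds the Access-Request that carries the supplicant's EAP message, seals it with the Message-Authenticator attribute of RFC 3579, shows the server-side check that rejects a missing or non-matching seal, and computes the Response Authenticator that lets the access point verify the server's verdict. The shared secret, Request Authenticator and EAP payload used in the checks are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
WIRELESS_80211 = 19                 # NAS-Port-Type value for IEEE 802.11


def attr(kind, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(ident, request_auth, secret, user, eap_payload):
    """Access point side: relay the supplicant's EAP message inside an Access-Request
    sealed with Message-Authenticator = HMAC-MD5(secret, packet), computed while the
    attribute's own 16 bytes are zero (RFC 3579)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))      # placeholder, kept last
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attrs(data):
    """Return [(type, value offset, value)], rejecting lengths that run off the end."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], i + 2, data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def verify_access_request(packet, secret):
    """RADIUS server side: only a well-formed Access-Request carrying exactly one
    Message-Authenticator that verifies under the shared secret is accepted."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return False
    macs = [(off, val) for kind, off, val in attrs if kind == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False
    start = 20 + macs[0][0]
    zeroed = packet[:start] + bytes(16) + packet[start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(macs[0][1], expected)


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server reply: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Access point side: trust the verdict only if it was sealed with the secret and
    bound to the Request Authenticator of the request it answers."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

A real Access-Accept that carries EAP-Success must itself include a Message-Authenticator as well; the response check here covers only the Response Authenticator.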
Authentication servers first ensure that the client is authentic before allowing it to access any available services. This set-up does not require the authenticator to be powerful or intelligent, because all the authorization is done at the RADIUS server. This favours Wi-Fi networks whose access points simply act as pass-throughs between clients and servers. In addition, a RADIUS server is compatible with Active Directory as it carries out authentication based on the LDAP protocol (Brawn, Koan and Caye). Brawn, Koan and Caye provide reliable documentation on how to configure workstations to work with 802.1x. In their paper they outline how Windows XP, Windows 2000 and Windows ME workstations are configured.

802.1x versus 802.11

802.11 is an earlier standard for securing wireless connections that uses two predefined authentication types and an encryption protocol (Craiger). WEP, SSID and MAC address filtering are some of the security mechanisms employed in 802.11. The biggest challenge of this standard was that its security mechanisms were hugely flawed, making connections insecure. 802.1x is an IEEE standard that has been accepted as an improvement on 802.11 and attempts to fix its many problems. Unlike 802.11, which has its own authentication and encryption protocols, 802.1x only provides guidance on how to secure connections while offering the liberty to choose authentication methods. This way, the potential risks posed by the use of flawed 802.11 security methods are eliminated. 802.1x uses centralized authentication of users, a fact that makes the resulting network scalable and easy to control access to (Craiger).

Works Cited

Craiger, Philip. "802.11, 802.1x, and Wireless Security." SANS Institute, 23 Jun. 2002. http://www.sans.org/reading-room/whitepapers/wireless/80211-8021x-wireless-security-171

Desmond, Brian, et al. Active Directory. Safari Books Online. O'Reilly Media, 2009. Print. http://dl.e-book-free.com/2013/07/active_directory_4th_edition.pdf

Kadlec, Jaroslav, David Jaros and Radek Kuchta. "Implementation of an Advanced Authentication Method within Microsoft Active Directory Network Services." 2010 6th International Conference on Wireless and Mobile Communications (ICWMC), 2010, pp. 453-456. Print. https://www.dropbox.com/s/znbycv2xx6qgy10/Implementation%20of%20an%20Advanced%20Authentication.pdf?dl=0

Tarn, J. Michael, Muhammad A. Razi, Noelle Wiley and Jeffrey Hsu. "Staying Secure in an Insecure World: Exploring User Perception of Wireless Campus." International Journal of Mobile Communications, vol. 5, no. 6, June 2007, pp. 710-730. Print. https://www.dropbox.com/s/ahfmpqoivjdpnuk/Staying%20Secure%20in%20an%20Insecure%20World.pdf?dl=0

Salim, Mohammad, M. Sana Akhtar and Mohammed A. Qadeer. "Data Retrieval and Security Using Lightweight Directory Access Protocol." 2009 Second International Workshop on Knowledge Discovery and Data Mining (WKDD), 2009, pp. 685-688. Print. https://www.dropbox.com/s/qkuvj73l6nmoza9/Data%20Retrieval%20and%20Security%20using%20Lightweight%20Directory%20Access%20Protocol.pdf?dl=0

Qadeer, Mohammed, et al. "Profile Management and Authentication using LDAP." 2009 International Conference on Computer Engineering and Technology. Zakir Hussain College of Engineering & Technology. Print. https://www.dropbox.com/s/pdyy552duc89sxf/Profile%20Management%20and%20Authentication%20using%20LDAP.pdf?dl=0

Thompson, Dan. "Understanding LDAP." Microsoft Corporation, 2000. Print. https://www.dropbox.com/s/2qx6uhup7hw34yn/understand%20LDAP.doc?dl=0

"What is LDAP." Gracion. N.p., n.d. Web. 30 Nov. 2014. http://www.gracion.com/server/whatldap.html