LDAP Security
Peter Shipley
Chief Security Architect
pshipley@kpmg.com
+1 650 404 3292
©Copyright 1999 Peter Shipley
Outline
• What is LDAP
• Why do we need LDAP
• What uses does it have
• What are the potential dangers
• Methods of attack

What Is LDAP
X.500 is a model for Directory Services in the OSI model. The DAP (Directory Access Protocol) runs over the OSI network protocol stack. It's fairly "heavyweight". Therefore, the University of Michigan developed the "lightweight" version of DAP and called it LDAP.

What Is LDAP
A directory is essentially a database but tends to contain more descriptive, attribute-based information. The information in an LDAP directory tends to be read more than it is written, so LDAP has been designed to be more read-optimized.

What kind of information can be stored in the directory?
The LDAP directory service model is based on entries. An entry is a collection of attributes that has a name, called a DN (distinguished name).

What kind of information can be stored in the directory?
The DN is used to refer to the entry unambiguously. Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like "cn" for common name, or "mail" for email address. The values depend on what type of attribute it is.

What Operating Systems support it?
Since many of these packages come with source, it's really available under any operating system.

What software is out there
• OpenLDAP
• UMICH's original LDAP server
• Netscape Directory Server
• Sun's LDAP server
and even Microsoft is jumping on the LDAP bandwagon with Win2000 and Active Directory.

What applications are there
Not only are there a lot of servers out there, there are also a lot of applications that are LDAP-enabled. Being LDAP-enabled essentially means that the application is able to retrieve information via LDAP.

What applications are there
Examples of LDAP-enabled applications would be:
• Netscape Messaging Server
• Netscape Calendar
• Sun's SIMS mail server
• sendmail (with ldapx extensions)

What are people using LDAP for?
• Personal directory services
• Mail routing
• Login / password authentication
• PKI
• IP address distribution (linking with the DNS and DHCP protocols)

What are people using LDAP for?
Because of the push for centralization of information, don't be surprised if nearly every new network application that comes to market in the near future supports LDAP.

What are people using LDAP for?
Within companies like Intel and Motorola, which are based around X.500 and DAP, there is a big push for having DAP->LDAP gateways put in place and, ultimately, relying on LDAP for everything. This includes HR records, badging systems, etc.

What are the Dangers?
• Eggs in one basket
• New/untested technology
• Inexperienced administrators / contractors
• History repeating itself (YP/NIS, DNS (v2), "Registry" services, etc.)

What are the Dangers?
• Because DAP is in a lot of places, there are very insecure and poorly coded DAP->LDAP gateways out there.
• Default permissions for LDAP are very insecure (ACLs etc.).
• A single "control all" Directory Manager user whose password, in all of the current APIs, is there in plain text. Very little work on real authentication methods.

What are the Dangers?
• Code exploits are already being discovered and published.
• DoS attacks are coming into use
  • Flooding the server with (simple) queries
  • Flooding the server with expensive operations
• The service is only as secure as the server it runs on.

What are the Dangers?
• Data harvesting
  • Spammers harvesting email addresses
  • System crackers harvesting account names and passwords
• Data modification
  • There are no automated data/content integrity auditing tools (yet)
  • Commercial auditing products do not address LDAP (yet)

How one can locate an LDAP server
Port scan:
nmap -P0 -p 636,389 192.168.0.0/24
Firewalling is the best protection, as is log monitoring.

How one can locate an LDAP server
DNS:
• SRV records (RFC 2052)
• ldap.<domain>.com: companies seem to name servers after their purpose
A large number of sites are beginning to use RFC 2052.

How one can locate an LDAP server
Referrals:
URLs and X.500 server links. By doing a file tree walk, a "bot" can search for and locate external referrals for later data harvesting.

How Bad is it?
A random survey of LDAP-enabled sites on the Internet found a relatively large number had sensitive information available via anonymous authentication.

How Bad is it?
The same survey of LDAP-enabled sites on the Internet found a relatively large number did not utilize SSL-secured connections, and thus used "simple passwords" as the primary authentication method.
Due to the high transaction speed of LDAP servers, one can attempt a dictionary attack at relatively high speed.

How Bad is it?
Data found on such systems included email access passwords (cleartext), full usernames and semi-personal info such as office and home phone numbers, postal addresses, employee status, and encrypted login passwords.
This personal information led to the speedy cracking of most of the encrypted login passwords.

What can be done
• Use strong authentication.
• Dedicate a server (don't bundle services).

What can be done
LDAP generally comes with several authentication methods for securing data:
• Anonymous Authentication
• Simple Passwords
• SSL (with simple passwords)
• SSL (with certificate authentication)
• Kerberos

Anonymous Authentication
This method of authentication refers to non-authenticated connections and is useful for making non-restricted data available (e.g. phone/office numbers, finger information, et al.).

Simple Passwords
This authentication method relies on the use of simple clear-text passwords (similar to telnet).
This is considered the most insecure authentication method; it is also the most used.

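As an added illustration, not part of the original slides, of why a simple bind is "similar to telnet" and of what the survey's finding about non-SSL connections means on the wire: the Python below encodes an LDAPv3 BindRequest in raw BER (RFC 2251 section 4.2) and classifies captured bind messages the way a log-monitoring rule could. The ssl_link flag and the verdict strings are assumptions of this example, not an LDAP library's API.

```python
def _ber_len(n):
    # BER length octets: short form below 128, else 0x80|count then big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def bind_request(msg_id, dn, password, version=3):
    """LDAPMessage carrying a BindRequest with 'simple' authentication (RFC 2251 4.2)."""
    op = (_tlv(0x02, bytes([version]))      # version INTEGER
          + _tlv(0x04, dn.encode())         # name LDAPDN, an OCTET STRING
          + _tlv(0x80, password.encode()))  # simple [0] OCTET STRING: password verbatim
    # outer SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] BindRequest }
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg, ssl_link=False):
    """Verdict for a captured LDAPMessage; ssl_link is assumed supplied by the capture (e.g. port 636)."""
    tag, inner, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(inner, 0)         # skip messageID
    op_tag, op, _ = _read_tlv(inner, pos)
    if op_tag != 0x60:
        return "not a BindRequest"
    _, _, pos = _read_tlv(op, 0)            # version
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    if auth_tag == 0x80 and not cred:       # zero-length password = anonymous
        return "anonymous bind"
    if auth_tag == 0x80:
        return ("simple bind, password encrypted by SSL" if ssl_link else
                "simple bind, password readable on the wire: " + dn.decode())
    if auth_tag == 0xA3:                    # sasl [3] SaslCredentials
        return "SASL bind"
    return "unknown authentication choice"

if __name__ == "__main__":  # constructed sample, not captured traffic
    print(classify_bind(bind_request(1, "cn=Directory Manager", "secret")))
```

Searching the encoded bytes for the password string finds it verbatim, which is exactly what a sniffer on a non-SSL link sees.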
SSL (with simple passwords)
This authentication method relies on the use of simple passwords over a secured/encrypted link.
This is a more secure authentication method, but it is also simple to attack with brute-force methods.

SSL (with certificate authentication)
This is one of the more secure methods since the user cryptographically authenticates themselves with a digital certificate.
The downside of this method is cost and scalability.

Kerberos
Kerberos is also a certificate-based authentication scheme that provides scalability as well as cost effectiveness.
Kerberos can be the most complex to set up.

Other References
• "Understanding and Deploying LDAP Directory Services", Howes, Smith and Good, ISBN 1-57870-070-1
• "LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol", Howes and Smith, ISBN 1-57870-000-0

Other References
• http://www.geek-girl.com/bugtraq
  • Bugtraq searchable archives
• RFC 2052 - "A DNS RR for specifying the location of services" - Paul Vixie
• LDAP related RFCs 1777-1779 and 2251-2256
• RFC 2222 - "Simple Authentication and Security Layer"