X.500 is a series of standards for electronic directory services developed by ITU-T in partnership with ISO. It was developed to meet the requirements of X.400 and to store information about objects such as organizations, persons, distribution lists, groups and certification authorities.
The standard provides a structural model and protocols for inter-directory communication between different systems, which allows the directory information held by each server in the network to be distributed.
X.500 defines a number of protocols, including:
DAP (Directory Access Protocol)
DSP (Directory System Protocol)
DISP (Directory Information Shadowing Protocol)
DOP (Directory Operational Bindings Management Protocol)
These standards were developed with reference to the OSI model. To allow clients on the Internet to access X.500 over TCP/IP, LDAP was created as an alternative to DAP.
The primary concept of X.500 is that there is a single Directory Information Tree (DIT), a hierarchical organization of entries distributed across one or more servers called Directory System Agents (DSAs). An entry consists of a set of attributes, each with one or more values. Each entry has a unique Distinguished Name (DN), formed by combining its Relative Distinguished Name (RDN), built from one or more attributes of the entry itself, with the RDNs of each of the superior entries up to the root of the DIT. As LDAP implements a very similar data model to that of X.500, Security
http://www.x500standard.com/index.php?n=X500.X500
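The DIT and DN construction described above, as an added example that is not part of the X.500 standard or this post: a tiny in-memory tree in which each entry's DN is built from its own RDN plus the RDNs of its superiors, serialised per RFC 4514; all names in it are constructed.

```python
# Added example, not from the X.500 standard or the page: a tiny in-memory Directory Information
# Tree (DIT). Each entry's Distinguished Name is built from its own RDN plus the RDNs of every
# superior entry up to the root, serialised per RFC 4514. All names below are constructed.
SPECIAL_CHARS = set(',+"\\<>;')

def escape_value(value):
    """Escape an attribute value for use inside an RDN string (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in SPECIAL_CHARS or leading_hash or edge_space else ch)
    return "".join(out)

def rdn_string(rdn):
    """Serialise an RDN; a multi-valued RDN joins its attribute=value pairs with '+'."""
    return "+".join(f"{t}={escape_value(v)}" for t, v in rdn.items())

class Entry:
    """A DIT entry: its RDN, its attributes and a link to its superior (None for the root)."""
    def __init__(self, rdn, attrs=None):
        self.rdn, self.attrs, self.parent, self.children = rdn, attrs or {}, None, []

    def add(self, child):
        # RDNs must be unique among siblings; that is what makes every DN in the DIT unique.
        if any(c.rdn == child.rdn for c in self.children):
            raise ValueError(f"duplicate RDN {rdn_string(child.rdn)} under '{distinguished_name(self)}'")
        child.parent = self
        self.children.append(child)
        return child

def distinguished_name(entry):
    """Walk from the entry up to the root collecting RDNs, most specific first."""
    parts = []
    while entry.parent is not None:  # the root itself has the empty DN
        parts.append(rdn_string(entry.rdn))
        entry = entry.parent
    return ",".join(parts)

def build_sample_dit():
    """Constructed DIT: c=SG > o=Example, Inc. > ou=People > two entries named Jane Tan."""
    root = Entry({})
    org = root.add(Entry({"c": "SG"})).add(Entry({"o": "Example, Inc."}))  # comma needs escaping
    people = org.add(Entry({"ou": "People"}))
    people.add(Entry({"cn": "Jane Tan"}, {"mail": "jane@example.invalid"}))
    people.add(Entry({"cn": "Jane Tan", "uid": "jtan2"}))  # multi-valued RDN separates a namesake
    return root
```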
Wednesday 11 January 2012
Microsoft’s Active Directory Security Feature
Active Directory is a directory service created by Microsoft for domain-model networks running the Windows Server operating systems.
Active Directory serves as a central location for network administration and security. It is responsible for authenticating and authorizing all users and computers within a Windows domain network, assigning and enforcing security policies for all computers in the network, and installing or updating software on network computers.
Like the X.500 standard, Active Directory uses LDAP; it also relies on DNS and Kerberos.
In Active Directory, security is enforced using trusts inside the domain structure:
One-way trust
One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust
Two domains allow access to users on both domains.
Trusting domain
The domain that allows access to users from a trusted domain.
Trusted domain
The domain that is trusted; whose users have access to the trusting domain.
Transitive trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust
A one-way trust that does not extend beyond two domains.
Explicit trust
A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust
An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut
Joins two domains in different trees, transitive, one- or two-way
Forest
Applies to the entire forest. Transitive, one- or two-way
Realm
Can be transitive or nontransitive, one- or two-way
External
Connect to other forests or non-AD domains. Nontransitive, one- or two-way
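The trust types listed above, as an added example that is neither Microsoft's code nor part of this post: a small Python model for auditing which domains' users can reach a given domain. It assumes that a two-way trust is two one-way trusts, that a direct trust always applies, and that a path through an intermediate domain applies only when every link on it is transitive; the domain names are constructed.

```python
# Added example, not from Microsoft documentation or the page: a small model of Active Directory
# trust relationships used to audit which domains' users can reach a given domain. Assumptions:
# a two-way trust is two one-way trusts, a direct trust always applies, and a trust path through
# an intermediate domain only applies when every link on it is transitive. Names are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Trust:
    trusting: str     # the domain that grants access to the trusted domain's users
    trusted: str      # the domain whose users gain access
    transitive: bool  # whether the trust can extend beyond these two domains

def two_way(a: str, b: str, transitive: bool = True) -> List[Trust]:
    return [Trust(a, b, transitive), Trust(b, a, transitive)]

def reachable_users(trusts: List[Trust], resource_domain: str) -> Dict[str, int]:
    """Map each domain whose users can access resource_domain to the number of trust hops."""
    found: Dict[str, int] = {}
    seen = {(resource_domain, True)}
    queue = deque([(resource_domain, 0, True)])  # (domain, hops, all links so far transitive)
    while queue:
        domain, hops, chain_ok = queue.popleft()
        for t in trusts:
            if t.trusting != domain or t.trusted == resource_domain:
                continue
            if hops > 0 and not (chain_ok and t.transitive):
                continue  # an intransitive link ends the chain after the first hop
            state = (t.trusted, chain_ok and t.transitive)
            if state in seen:
                continue
            seen.add(state)
            found.setdefault(t.trusted, hops + 1)
            queue.append((t.trusted, hops + 1, state[1]))
    return found

def can_access(trusts: List[Trust], user_domain: str, resource_domain: str) -> bool:
    return user_domain in reachable_users(trusts, resource_domain)

def sample_trusts() -> List[Trust]:
    """Constructed forest: one root with two child domains, plus an external one-way trust."""
    trusts = two_way("corp.example", "sales.corp.example")      # parent-child, transitive
    trusts += two_way("corp.example", "hr.corp.example")        # parent-child, transitive
    trusts.append(Trust("corp.example", "partner.example", transitive=False))  # external
    return trusts
```

Running `reachable_users` over every domain in a forest gives the list of foreign domains each one accepts users from, which is the view a trust review needs.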
LDAP Security Feature
LDAP, the Lightweight Directory Access Protocol, is an application protocol specified by the IETF for accessing and distributing directory service data over the Internet using the TCP/IP model.
With such a concentration of data in the directory, security becomes very important. Anyone who could modify the data could give themselves access to vast numbers of machines at a stroke. Some data needs to be protected from unauthorised viewing: although all passwords are hashed, anyone who can read the hashes can mount a dictionary attack. More subtly, anyone who can hijack a client-server connection can feed bogus data to an individual client, or use the client's privileges to modify server data. All these things can be protected against, and LDAP now has most of the tools needed to do it.
Access control list
Control over who may read what and who may change what is exercised with Access Control Lists (ACLs).
Client authentication
The simplest form of client authentication is to bind to the server using a cleartext password. This is the method normally used by pam_ldap for checking login passwords. For security, this method should only be used with encrypted connections.
A more secure method is to use one of the SASL authentication mechanisms, such as DIGEST-MD5[4]. This is based on a secret known to both the client and the server, allowing for a simple challenge-response scheme. SASL is also capable of negotiating data encryption to protect subsequent operations.
LDAP also supports encryption and authentication using Transport Layer Security[5]. TLS is closely related to the older SSL scheme, and uses the same certificate-based methods. In its simplest form, TLS provides proof of server identity and protection of data in transit so it is useful where plaintext passwords might be passed across the net. The same mechanism can also be used to prove the identity of the client to the server, where the client has been issued with a suitable X.509 certificate.
http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html
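The ACL paragraph above and the warning that readable password hashes invite a dictionary attack, as an added example that is not from the cited paper or this post: a simplified Python model of OpenLDAP-style "access to / by" directives, comparing a weak policy that lets anyone read userPassword with a hardened one that still lets clients authenticate. The evaluation rules (first matching directive wins, first matching "by" clause decides, unmatched requests are denied) and the DNs are assumptions for the model, not a real directory.

```python
# Added example, not from the page or the cited paper: a simplified model of OpenLDAP-style
# "access to <what> by <who> <level>" directives, used to compare a weak policy that lets anyone
# read userPassword hashes with a hardened one that still allows authentication.
# Assumptions: first matching directive wins, first matching "by" clause within it decides,
# and an unmatched request is denied; no real directory is involved.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each level implies the earlier ones

@dataclass
class Directive:
    attrs: Optional[Set[str]]        # None matches every attribute
    clauses: List[Tuple[str, str]]   # ordered (who, level) pairs

def who_matches(who: str, requester: Optional[str], target: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    raise ValueError(f"unsupported who-clause: {who}")

def allowed(policy: List[Directive], requester: Optional[str], target: str, attr: str, wanted: str) -> bool:
    for d in policy:
        if d.attrs is not None and attr not in d.attrs:
            continue
        for who, level in d.clauses:
            if who_matches(who, requester, target):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False  # directive matched the target but no "by" clause matched the requester
    return False

# Weak: everyone, anonymous included, can read every attribute, so password hashes leak.
WEAK = [Directive(None, [("*", "read")])]

# Hardened: users may change their own password, anonymous may only use it to authenticate,
# nobody else may read it; other attributes stay readable by authenticated users only.
HARDENED = [
    Directive({"userPassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    Directive(None, [("self", "write"), ("users", "read"), ("*", "none")]),
]

JANE = "cn=Jane Tan,ou=People,o=Example,c=SG"  # constructed DNs
BOB = "cn=Bob Lim,ou=People,o=Example,c=SG"
```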
Wednesday 4 January 2012
GPRS Security Feature, Threats and Solution
GPRS (General Packet Radio Service) is a mobile data service standard for the GSM cellular network; it was started by ETSI but is now maintained by 3GPP. Using time division multiple access (TDMA), this standard can provide moderate data transfer speeds of up to 114 kbit/second.
A topology map of a cellular system, GPRS resides in the IP packet switched data network.
As seen in the topology map above, GPRS is normally deployed with a voice network in order to provide both voice service and internet services to base stations.
GPRS features
GPRS extends GSM's circuit-switched data capabilities with packet data and makes the following services possible:
- SMS messaging and broadcasting
- "Always on" internet access
- Multimedia messaging service (MMS)
- Push to talk over cellular (PoC)
- Instant messaging and presence—wireless village
- Internet applications for smart devices through wireless application protocol (WAP)
- Point-to-point (P2P) service: inter-networking with the Internet (IP)
- Point-to-Multipoint (P2M) service: point-to-multipoint multicast and point-to-multipoint group calls
GPRS Threats
Security threats in GPRS systems:
- Denial of Service (DoS)
  - A particular victim mobile host gets terminated
  - A malicious party gets to see all traffic directed to a particular mobile host
- Session stealing/spoofing
  - Eavesdropping and flooding the mobile host with bogus traffic
  - Intercepting packets destined for the mobile host
- Incompetent translator
  - An attacker gains physical access via an unattended network socket, issues some ARP requests to DHCP, gets access to an IP host and floods the network
- Simple attack through the intranet to the GGSN's Gi interface
- Attack through the GPRS Tunneling Protocol (GTP)
GSM Security Feature, Threats and Solution
Global System for Mobile communication (GSM), standardized by ETSI, is a widely used digital mobile telephone system, mainly in Europe but also in other parts of the world. GSM uses the Time Division Multiple Access (TDMA) technique to digitize and compress data, and sends it using 2 channels. GSM operates in the 900MHz, 1800MHz or 1900MHz frequency bands, but in Singapore our telcos only use the 900MHz and 1800MHz bands.
The GSM logo is used to identify compatible handsets and equipment
Security threats
Eavesdropping
The capability of an intruder to intercept traffic and signaling information associated with other users. The required equipment is a modified mobile phone.
Impersonation of a user
This is the capability of sending rogue data and/or signaling messages to the network with the intent of making them appear to come from another user. This again only requires a modified mobile phone.
Impersonation of the network
This is the capability of sending rogue data and/or signaling messages to another user with the intent of making them appear to come from a genuine network. This requires a modified BTS.
MITM – Man-In-The-Middle
This is the capability of an attacker to put itself between the network and the legitimate user in order to eavesdrop, modify, delete, re-order, re-play and spoof signaling data between the two parties. This requires a modified BTS in conjunction with a modified mobile phone.
Network Authentication Compromise
The intruder possesses a compromised authentication vector (challenge-response pairs, cipher keys, integrity keys, etc.).
The GSM standard provides a number of security features that address some of these security flaws:
Authentication
The network operator can verify the identity of the subscriber, making it infeasible to clone someone else’s mobile phone.
Confidentiality
Protects voice, data and sensitive signalling information (e.g. dialled digits) against eavesdropping on the radio path.
Anonymity
Protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping on the radio path.