eDirectory Security - PowerPoint PPT Presentation

1 / 54
About This Presentation
Title:

eDirectory Security

Description:

Title: PowerPoint Presentation Last modified by: Pekka Lindqvist Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show Other titles – PowerPoint PPT presentation

Number of Views:392
Avg rating:3.0/5.0
Slides: 55
Provided by: nucfFies
Category:

less

Transcript and Presenter's Notes

Title: eDirectory Security


1
eDirectory Security
  • Alan Mark
  • Chief Security Strategist

2
Agenda
  • How do you protect yourself?
  • Overview of eDir security components
  • What crackers can do
  • Audit trails with real-time alerting
  • Whats next for you?

3
How Do You Protect Yourself?
4
Spending to Secure Assets Rising
Security Software Purchases
( millions)
Source Gartner, Inc.
5
The Problem
Level of Executive concern for disaster recovery
and business continuity
IT budget allocation
6
Why Monitor?
70 of all computer-related theft happens inside
the firewall Source Information Security
Magazine, 2000
A survey five hundred corporations had 75 of
computer-related theft happened inside the
firewall Source CSI/FBI 2001 Study
90 of all security violations were attributed to
insiders Source Exodus Communications, 2000
7
Survey of NetWare Users
  • Do you use auditing to troubleshoot your
    network?
  • Is an auditing tool required in your
    organization?
  • Is auditing used on a full-time basis?

YES 73
YES 18
YES 4
Source Novell, February 2002
8
Where Is Your Protection Weakest?
Biometrics
Perimeter/network sec.
Assessment
Audit
Firewalls
eCommerce security
Smart cards
Hardware lockdown
Forensics
Intrusion detection
Cryptographic tools
Password security
Wireless security
Encryption
E-mail security
Database security
Penetration testing
Log analysis
Web access ctrl
Vulnerability assessment
Authentication
Secure ID/password
OS/app hardening
Physical access ctrl
Non-firewall access ctrl
Software/servers
PKI/cert. handling
VPNs
Access control
Network security appliances
Pre-event
Post-event
9
Concentric Barriers of Security
Physical Security
10
How the crackers do it
Dont give this to your children
11
Knowing where to start
  • Physical access to a component automatically
    lowers a security rating
  • Given enough time, a cracker can break into
    secure systems
  • Determine your most valuable systems
  • Are they physically secured?
  • Who has admin access?
  • Are they redundant?

12
More Info
  • See Novell Connections articles from January
    (Rethinking Security) and April 2002 (Disaster
    Recovery)
  • http//www.nwconnection.com/

13
Open standards and their risks
  • Many Novell products use open standards
  • LDAP, IP, SNMP, Java, SMTP, POP3
  • Many novell products use standard services
  • JVM, Tomcat, Apache
  • Therefore most attacks and vulnerabilities
    affecting them also affect Novell products
  • Future standards need protection
  • SOAP, UDDI, SAML

14
Current Hacks - Some Examples
Unnecessary Information Leakage
/perl/samples/env.pl - via Apache/Novonyx
/nsn/env.bas - via Apache/Novonyx
/servlet/SessionServlet - NW5.1 only
/servlet/SnoopServlet - NW6 only
15
Current Hacks - Some Examples
Denial of Service
Overflow in Netbasic module name
/nsn/AAA...230 totalAAA (Novonyx only)
iManage - enter a DN gt 256 characters
16
Invading Supervisor (NetWare only)
  • Brute Force Attacks
  • KNOCK, NWPCRACK will attack brute force against a
    bindery account.
  • Dictionary Attack
  • Pandoras Intruder will dictionary attack using
    stealth methods.

17
Console Attacks (NetWare only)
  • Monitor Lock Bypass
  • Other Debugger Attacks
  • Rogue NLMs
  • Setpwd
  • Setpass

18
Console Attacks (cont.)
  • Remote Console
  • Password is decrypted in server RAM
  • Trivial to decrypt if NCF file captured
  • Rconsole sessions are in plaintext
  • Bindfix or DSRepair can store backup files that
    are accessible by others
  • NCF files lead to info

19
eDirectory security
  • Partly dependent on OS/NOS
  • NetWare, Unix, NT/W2K, Solaris
  • eDirectory is built to retrieve data
  • But who should be able to retrieve it?
  • Poorly-configured LDAP access is a big hole
  • Knowledge is dangerous
  • Surfing a tree leads to lots of information
  • Default installation can leave holes

20
Pandora v4
  • Offline Password Cracking
  • Online Server Attacks
  • Full GUI - point, click, and attack
  • Open Source Freeware
  • Developed with 100 Freeware
  • GUIs for Win 95/98/NT and X (Linux only)

21
Pandora v4 Online
  • Denial of Service
  • Auto-gathering of Detailed System Information
  • User account discovery
  • Dictionary Password Attacks with Lockout
    Detection
  • Packet Signature Spoofing

22
Pandora v4 Offline
  • Complete Netware 4.x 5.x Password Auditor
  • Dictionary and Brute Force Attacking
  • Will Read BACKUP.DS and DSREPAIR.DIB Files
  • Multi-threaded for Multiple Account Cracking

23
Understanding eDirectory Security
24
IRF
  • Inherited Rights Filters
  • Can prevent Admin from seeing lower containers
    and objects
  • Allows creation of hidden objects

25
Security Objects
  • Security container
  • Login methods
  • KAP
  • W0
  • Certificate Server
  • Importance of first server
  • Certificates

26
Trustee Rights
  • Access to NetWare volumes
  • Beware public and root
  • NFAP
  • CIFS crackers can break hash (brute force)
  • Unix NFS monitor for new vulnerabilities
  • AFP no problems that I know of

27
Nici
  • Uses signed modules
  • Modules loaded from
  • server startup volume
  • System area

28
SecretStore
  • Used in SecureLogin and other products
  • Stores credentials to other services
  • Locked if admin changes users password

29
(No Transcript)
30
Controlling authentication and access
  • The key to eDir security
  • LDAP
  • Cleartext option
  • Rights to objects defines what will be seen
  • Portals
  • Main page hard to protect
  • Old users still exist?

31
Auditing - the forgotten child
32
Auditing
  • Compliance
  • Banking and finance FDIC, OCC Regulations, GLB
  • Government C2 or common criteria
  • Healthcare HIPAA
  • Other issues
  • For legal liability and protection of assets
  • Troubleshooting the network
  • Provides a detailed analysis of activity

33
Auditing your network
  • Blue Lance LT Auditor
  • Visual Click DSMeter
  • NetVision Policy Management Suite
  • NAAS

34
Novell Auditing Architecture
35
eDirectory NetWare Monitors
  • Logins and logouts
  • All intruder login attempts
  • NDS schema updates
  • NDS partition changes
  • RCONSOLE access
  • Trustee assignments
  • Volume mount/dismount
  • Modules being loaded
  • eDirectory changes
  • File deletions and modifications
  • Creation and deletions of users and groups
  • Security equivalences assigned or revoked
  • Password changes

36
Policies
  • Filter policies
  • Login, eDirectory/NDS, file/directory and server
    filters
  • Granular filtering capability
  • Set up real-time alerting for sensitive events
  • Configure as per organizational security policies

37
(No Transcript)
38
(No Transcript)
39
(No Transcript)
40
(No Transcript)
41
Policies (cont.)
  • Security policies
  • Authorized users
  • Levels of access control for authorized users
  • Audit LT Auditor
  • Police the Policeman

42
(No Transcript)
43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
What next?
Are you hating life?
47
Whats Next for You?
Biometrics
Perimeter/network sec.
Assessment
Audit
Firewalls
eCommerce security
Smart cards
Hardware lockdown
Forensics
Intrusion detection
Cryptographic tools
Password security
Wireless security
Encryption
E-mail security
Database security
Penetration testing
Log analysis
Web access ctrl
Vulnerability assessment
Authentication
Secure ID/password
OS/app hardening
Physical access ctrl
Non-firewall access ctrl
Software/servers
PKI/cert. handling
VPNs
Access control
Network security appliances
48
Better Identification
  • Advanced authentication
  • Something you know
  • Something you are
  • Something you have

49
Updates and patches
  • PatchLink Update 3.0
  • Patches automatically
  • Scans the network
  • Notifies via email
  • Multi-platform agent support
  • Software distribution
  • Content replication
  • Scripted Task execution

50
Patchlink Update
  • www.patchlink.com

51
Disaster Recovery
Clustered Servers Offsite Failover
Clustered Servers Offsite Replica
Function
Tape back-up offsite
Tape back-up
Cost / Data Importance
52
eDir backup
eDirectory on NT (secondary)
eDirectory on NetWare (primary)
DirXML
DirXML
eDirectory on Solaris (secondary)
eDirectory 8.6.1 or later. Live, continuous
backup changes replicated in real-time
53
Novells New Security Approach
  • On confirming a security hole, Novell issues a
    notice until a fix/workaround is available
  • This approach carries a risk
  • More hackers/script kiddies will be aware of
    issues.
  • If administrators dont bother patching..

54
What Can We Do to Help?
SPREAD THE WORD!!!!
  • Security issues posted http//support.novell.com/
    security-alerts
  • Self-subscription distribution list
    http//www.novell.com/info/list
  • Moderated news group novell.support.securit
    y-alerts
  • Submissions (alternative to website HTML Form)
    security_at_novell.com

55
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com