InformationTechnology:Security:Access

Contents 1 Navigation 2 Related categories 3 About this page 4 Access control - LDAP, RADIUS, SSGD Terminal Server and SSO 5 LDAPV3 standard RFCs 6 LDAP resources 7 LDAP tools 8 LDAP implementations 9 LDAP vulnerabilities 10 Active Directory resources 11 Remote Authentication Dial In User Service (RADIUS) 12 RADIUS Standard RFC 13 Radius implementations 14 Radius implementations vulnerabilities 15 Sun Secure Global Desktop 16 Single Sign On (SSO) 17 SSO Implementations

Navigation

Related categories

About this page

We apologize for the little information we provide, this page is still under construction. Please stay tuned.

Access control - LDAP, RADIUS, SSGD Terminal Server and SSO

Restricting user access to sensitive information, according to access profiles, is paramount to the security governance. Users attempting to access these resources need to be authenticated, authorized for access and then audited for actions they perform on data. This process is known as AAA (Authentication, Authorization and Accounting). Many technical means exist to achieve this functionality but the most widely used are LDAP for storing users' credentials and access profiles and RADIUS for the AAA functionality. In the Microsoft world the Active Directory technology, derived from LDAP, is being used instead. LDAP itself is a lightweight alternative to the ISO standard X.500. Because of the many AAA layers in modern enterprise IS-IT systems it is often desirable to give users a single point of authentication. This is usually achieved through a technology named Single Sign On (SSO). To further restrict direct access of authenticated users to those systems physically holding the sensitive data, it is desirable to let them indirectly access the applications, through a Terminal Server. Well known terminal server solutions are those from Cytrix or those from Sun (Sun Secure Global Desktop or SSGD).

LDAPV3 standard RFCs

• LDAPv3 Technical Specification (RFC 3377) [1]
• LDAPv3 Protocol (RFC 2251) [2]
• LDAPv3 Attribute Syntax Definitions (RFC 2252) [3]
• Authentication Methods for LDAP (RFC 2829) [4]
• LDAPv3 String Representation of LDAP Search Filters (RFC 2254) [5]
• LDAPv3 URL Format (RFC 2255) [6]
• A Summary of the X.500(96) User Schema for use with LDAPv3 (RFC 2256) [7]
• LDAPv3 UTF-8 String Representation of Distinguished Names (RFC 2253) [8]
• LDAPv3 Extension for Transport Layer Security (RFC 2830) [9]
• IANA Considerations for LDAP (RFC 3383) [10]

LDAP resources

• LDAP Schema Design - case study [11]
• IBM Red-book LDAP Implementation Cookbook [12]
• IBM Red-book Understanding LDAP [13]
• Managing LDAP Directories [14]
• Introduction to LDAP [15]
• LDAP Theory and Management [16]
• LDAP Implementation HOWTO [17]
• Mapping Object Model to LDAP Schema [18]
• Integrating LDAP with Perl and Apache [19]
• Practical LDAP on Linux [20]
• User management using LDAP directories [21]
• Mozilla standards pages [22]
• LDAP Directories overview [23]
• Understanding Solaris™ 9 Operating Environment Directory Services [24]

LDAP tools

• LDAP Explorer Tool: a multi platform LDAP browser and editor [25]
• JXplorer - an open source ldap browser [26]
• LDAP web-based management tools
  • John's LDAP Web Interface, part of HP Open Source initiative
  • phpLDAPadmin (aka PLA) - a PHP web-based LDAP client with multilingual support for LDAP server administration

LDAP implementations

• OpenLDAP [27]
• Apple’s OpenDirectory, based on OpenLDAP
• Novell eDirectory [28] [29]
• IBM’s iSeries LDAP directory [30]
• The Sun ONE (former iPlanet) directory server [31] [32]

LDAP vulnerabilities

LDAP in itself has vulnerabilities that might be exploited by hackers. One of these is the LDAP injection, a technique of exploiting web applications that use client-supplied data in LDAP statements without first cleaning-up the request from illegal character sequences. The so-called Remote EXploit, also enabled by not cleaning-up the portion of the request to be validated against LDAP, relies on the ability to cause a buffer overflow and execute arbitrary code on behalf of the LDAP daemon running on the remote system.

• LDAP Injection explained [33]
• WebApp Security Consortium article on LDAP injection and HP Security Center white-paper on the same topic
• Open-LDAP remote exploit [34]
• Apache mod-rewrite remote exploit [35]

Active Directory resources

• Active Directory LDAP Compliance [36]
• Active Directory Bible [37] [38] local copy

Remote Authentication Dial In User Service (RADIUS)

RADIUS ias an AAA [39] protocol, originally intended to be used by NAS servers for checking the access credentials of the would-be users. Intependently of the Authentication and AUthorization functions, a RADIUS server can be configured for doing accounting, e.g. enabling the auditing of all user accesses.

RADIUS is being used by IP Telephony providers for providing AAA functionality to SIP Registrar servers. In this context RADIUS is sometimes used to collect CDR information. RADIUS can be configured to validate login credentials using a variety of sources including LDAP, PAM, RSA SecurID [40].

The mapping between RADIUS attribute-value pairs and an LDAP directory structure is realized through an LDAP-RADIUS mapping and, for instance, in the case of FreeRadius the LDAP schema corresponding to the RADIUS attributes is RADIUS-LDAPv3.schema [41].

RADIUS is commonly being used in WLAN access control architectures, either embedded in intelligent AP's or provided by dedicated access servers. RADIUS messages are composed of sets of attribute-value pairs. Each RADIUS implementation has its own dictionary of attribute-value pairs. For a rather extensive list of RADIUS dictionaries see [42] the Cisco ACS compatibility addendum. RADIUS is however extensible and each vendor or new version of software can add new dictionary elements.

RADIUS uses UDP ports 1812 or 1645 for Authentication and 1813 or 1646 for Accounting. The defaults are different among different implementations

The planned replacement for RADIUS is the DIAMETER [43] protocol, which uses SCTP[44] or TCP rather than UDP as the transport layer. The RADIUS protocol works according to a shared-secret mechanism which is used for signing and encrypting fields in the RADIUS packets.

RADIUS Standard RFC

• Main RFCs
  • RFC2865 [45] Remote Authentication Dial In User Service (RADIUS)
  • RFC2866 [46] RADIUS Accounting

• Extensions for Tunneling
  • RFC2867 [47] RADIUS Accounting Modifications for Tunnel Protocol Support
  • RFC2868 [48] RADIUS Attributes for Tunnel Protocol Support
  • RFC2809 [49] Implementation of L2TP Compulsory Tunneling via RADIUS

• Other RADIUS RFCs
  • RFC2869 [50] RADIUS Extensions
  • RFC2548 [51] Microsoft Vendor-specific RADIUS Attributes

• Related RFCs
  • RFC2194 [52] Review of Roaming Implementations
  • RFC2486 [53] The Network Access Identifier

• RADIUS and SNMP
  • RFC2618 [54] RADIUS Authentication Client MIB
  • RFC2619 [55] RADIUS Authentication Server MIB
  • RFC2620 [56] RADIUS Accounting Client MIB
  • RFC2621 [57] RADIUS Accounting Server MIB

Radius implementations

• The FreeRADIUS Server Project [58]
• The OpenRADIUS implementation [59]
• GnuRADIUS [60]
• Cistron RADIUS [61]
• Open System Consultants Radiator [62]
• Cisco Secure ACS server [63]

Radius implementations vulnerabilities

Many of the vulnerabilities reported with different Internet-exposed applications are related to programming errors related to insufficient validation of the input parameters. Illegal character sequences or greater-than-allowed-size blocks of data may trigger unpredictable behavior result in in crashes or even execution of malicious, remotely-injected code. As an example, two vulnerabilities enabling DOS attacks, are known to exist in many RADIUS implementations [64]

• Digest calculation buffer overflow, enabling even remote code execution,if the shared secret is compromised to an attacker
• Lack of validation for malformed vendor-specific attribute-value pairs causing again buffer overflows or exceptions

Sun Secure Global Desktop

The Sun Secure Global Desktop (SSGD) [65], Formerly Tarantella, is a terminal server solution allowing secure access to published applications and desktops running on Windows, Unix or mainframe servers. It delivers much more than the Citrix [66] solution, which targets strictly the Windows server market. The SSGD principle is simple. It renders remote applications' screens, either graphical or character-based, on virtual screens hosted by the SSGD server. These virtual screens are then propagated to the user's access workstation screen, either through a thick client or through an thin' Web=based client which is a web-start applet. The user interactions (key-presses and mouse actions) are propagated to the original applications. An optimized, encrypted, image-compression protocol is being used between the SSGD server and the clients. On the backend side, rendering on the virtual screens relies on standard protocols like SSH, X11 or RDP. SSGD allows granular access rights to remote applications, according to user profiles, through its object manager. Detailed access logs are provided for security-auditing purposes.

More information:

• Official Product Documentation for Secure Global Desktop 4.3 [67]
• Sun Desktop Virtualisation Blueprint [68]

Single Sign On (SSO)

Single Signon (SSO) is a technology allowing a single point of authentication for users accessing applications each oane having its own authentication schema. Altough SSO solutions exist for accessing resources through command line or thick clients, most of today's SSO solutions target authentication through web-portals. There are several solutions to the problem:

• Referring all authentication requests to a central, trusted server, through the use of SSO clients built into applications. An example is JA-SIG Central Authentication Service (CAS) [69]
• Storing an authenticated session parameters' in a shared environment accessible by all authenticationg applications. An example is CoSign [70]
• Auto-login, i.e. intercepting authentication prompts and filling them in with already-authenticated credentials. An example is Enterprise single sign-on (E-SSO) [71]
• Interception of requests to web resources, through a special mechanism (e.g. rev-proxy) and retrieving the session cookie. Examples are LemonLDAP [72]
• Ticket-based mechanism, where users sign-in to an external authentication servers and are granted access tickets to all applications registered with the authentication server. An example is the Kerberos protocol [73].
• Web-service based federation [74] across security domains, through delegation of trust, thus enabling inter-domain business interaction. Specific XML-based protocols are developed by the industry to this avail and federations already exist [75]:
  • Security Assertion Markup Language (SAML) [76] [77] [78], implemented by the Shibboleth middleware [79] [80]
  • IBM's Web Services Federation Language [81] [82]
• Light-weight,SSO mechanism, based on a decentralized identity-check schema and using URL-encoded credentials, an example being OpenID [83] [84]
• LDAP-based, platform-neutral frameworks like Java Open Single Sign-On (JOSSO) [85], exposing SSO web-services to non-java applications

SSO Implementations

• Oracle SSO, based on an Apache SSO interceptor (mod_osso) and programmable in web applications, e.g. using PHP [86].
• OpenSSO project ([87]), based on Sun Java System Access Manager and at the core of Sun's Access Manager and Federation Manager products
• LemonLdap, providing SSO to Web based applications running on Apache servers through and Apache Handler [88] [89]
• OpenID [90] [91] is a light-weight, i-broker [92] based decentralized SSO mechanism, supported, among others by Microsoft and AOL
• JOSSO (Project, Wiki Page) is a J2EE-based software SSO framework implementing Java Authentication and Authorization Service (JAAS) [93]
• JA-SIG Central Authentication Service (CAS) [94]
• Shibboleth middleware [95]
• CoSign Central Authentication Service (CAS) [96] developed at University of Michigan and supported by the National Science Foundation (NSF) []
• Oracle's mod_osso, at the base of Oracle Single Sign-on architecture and being used in the Application Server 10g
• OpenID - a free, open and decentralized framework for user-centric digital identity across the Internet. According to NY Times, it already has more than 500 million registered users. OpenID replaces the cumbersome passwords with a lean system of PIN-protected digital identity information-cards.