Tuesday, 10 January 2012

Microsoft’s Active Directory Security Feature


Active Directory is the directory service associated with Microsoft servers and desktops. It originated in 1996 and was first implemented in Windows 2000. In short, Active Directory is a hierarchical directory structure used to store information and data related to networks and domains.


Among the security features supported by Active Directory are atomic permissions, extended right sets that group many attributes, and ACL inheritance. Permissions can be inherited (inherited permissions), a feature of Active Directory's access control: when an Access Control List (ACL) is set on a parent object, it also applies to the child objects. Inherited permissions are very useful, so it is worth understanding exactly how Microsoft implemented this feature in Active Directory. Active Directory's permission inheritance is static rather than dynamic: with static inheritance, the ACL entries are copied onto each and every child object, whereas dynamic inheritance does not copy the changes onto the child objects.
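A simplified model of the two inheritance styles, added here as an illustration; it is not Microsoft's code or an Active Directory API. It models a directory tree with a per-object ACL and a "protected" flag that blocks inheritance. `grant_static` copies inheritable entries onto every descendant the way static inheritance does, while `allowed_dynamic` shows the alternative of walking up to the parent at access-check time instead of storing copies. The object names, the `helpdesk` trustee and the `ResetPassword` right are assumed illustrative values.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ACE:
    """One access control entry: who gets which right, and whether it flows to child objects."""
    trustee: str
    right: str
    inheritable: bool = False   # "apply to child objects"
    inherited: bool = False     # set on the copies that static inheritance stamps onto children


@dataclass
class DirObject:
    """A directory object with its own stored ACL (a toy stand-in for an AD object)."""
    dn: str
    parent: Optional["DirObject"] = None
    protected: bool = False     # inheritance blocked on this object
    acl: List[ACE] = field(default_factory=list)
    children: List["DirObject"] = field(default_factory=list)


def add_child(parent: DirObject, rdn: str, protected: bool = False) -> DirObject:
    """Create a child; static inheritance copies the parent's inheritable ACEs at creation time."""
    child = DirObject(dn=f"{rdn},{parent.dn}", parent=parent, protected=protected)
    parent.children.append(child)
    if not protected:
        for ace in parent.acl:
            if ace.inheritable:
                child.acl.append(ACE(ace.trustee, ace.right, inheritable=True, inherited=True))
    return child


def grant_static(obj: DirObject, ace: ACE) -> None:
    """Static inheritance: store the ACE here, then push copies down to every unprotected descendant."""
    obj.acl.append(ace)
    if ace.inheritable:
        for child in obj.children:
            if not child.protected:
                grant_static(child, ACE(ace.trustee, ace.right, inheritable=True, inherited=True))


def allowed_static(obj: DirObject, trustee: str, right: str) -> bool:
    """Static model: only the object's own ACL is consulted, because the copies are already there."""
    return any(a.trustee == trustee and a.right == right for a in obj.acl)


def allowed_dynamic(obj: DirObject, trustee: str, right: str) -> bool:
    """Dynamic model: nothing is copied; walk up the tree at check time, stopping at a protected object.
    Copies made by the static functions are ignored so the two models can be compared on one tree."""
    node, first = obj, True
    while node is not None:
        for a in node.acl:
            if a.inherited:
                continue
            if a.trustee == trustee and a.right == right and (first or a.inheritable):
                return True
        if node.protected:
            break
        node, first = node.parent, False
    return False


def demo() -> dict:
    """Build a small tree (illustrative names), grant one inheritable right at the root, compare models."""
    root = DirObject("DC=example,DC=local")
    servers = add_child(root, "OU=Servers")
    finance = add_child(root, "OU=Finance", protected=True)   # inheritance blocked
    grant_static(root, ACE("helpdesk", "ResetPassword", inheritable=True))
    srv01 = add_child(servers, "CN=Srv01")                     # created after the grant
    who, what = "helpdesk", "ResetPassword"
    return {
        "servers_has_copy": any(a.inherited for a in servers.acl),
        "finance_has_copy": any(a.inherited for a in finance.acl),
        "srv01_has_copy": any(a.inherited for a in srv01.acl),
        "static": (allowed_static(servers, who, what), allowed_static(finance, who, what),
                   allowed_static(srv01, who, what)),
        "dynamic": (allowed_dynamic(servers, who, what), allowed_dynamic(finance, who, what),
                    allowed_dynamic(srv01, who, what)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The static model stores a copy of the entry on `OU=Servers` and on the child created after the grant, but nothing on the protected `OU=Finance`; the dynamic model stores nothing on the children and reaches the same decisions by consulting the parent on every check. That copying is why changing an inheritable permission high in a large tree touches every descendant.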

Some Active Directory security best practices are to use forwarders instead of secondaries, which helps keep the Domain Controllers tightly restricted, and to have stable password policies, account lockout, regular monitoring, and a configuration that is kept reviewed and up to date.



LDAP Security Feature


Lightweight Directory Access Protocol (LDAP) is an application protocol that lets anyone locate individuals, organizations and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. Since its first version, LDAP has undergone significant changes, many of them concerning security. LDAP is an Internet alternative to the X.500 Directory Access Protocol; it was originally designed as a way to access an X.500 directory through an LDAP gateway. Its functionality was later extended so that LDAP version 3 can serve as both the client and the server access protocol for reading and updating the directory.



Features of LDAP security include the following:
- Basic authentication or Microsoft Windows NT LAN Manager (NTLM) to limit access to authorized users
- Support for the Negotiate authentication method
- Secure Sockets Layer (SSL), so that data cannot be sniffed by outsiders or attackers with physical access to the network
- RootDSE: an LDAP version 3 server maintains a supportedLDAPVersion attribute in the root DSE that identifies the LDAP versions the implementation supports
- RootDSE: the server maintains a supportedExtension attribute in the rootDSE that lists the extended operations it supports
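A worked example of reading the rootDSE attributes listed above and deciding what a client should conclude from them, added here as an illustration and not code from the original post or from any LDAP product. It parses an LDIF-formatted rootDSE entry (as an LDAP search tool would print it; the entry below is constructed, including a folded line and a base64 value to exercise both LDIF features), then reports whether LDAPv3 is advertised, whether the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511) is offered, and whether the Negotiate mechanism (SASL name GSS-SPNEGO) is available. The other OIDs in the table come from the RFCs named beside them.

```python
import base64
from typing import Dict, List

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# Extended-operation OIDs that may appear in supportedExtension, with the RFC that defines each.
KNOWN_EXTENSIONS = {
    STARTTLS_OID: "StartTLS (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify (RFC 3062)",
    "1.3.6.1.4.1.4203.1.11.3": "Who am I? (RFC 4532)",
}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute: [values]}.
    Folded lines (leading space) are joined to the previous line; '::' values are base64-decoded."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous logical line
        else:
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def assess_rootdse(attrs: Dict[str, List[str]]) -> dict:
    """Summarise the security-relevant rootDSE attributes and list what is missing."""
    versions = attrs.get("supportedLDAPVersion", [])
    exts = attrs.get("supportedExtension", [])
    sasl = attrs.get("supportedSASLMechanisms", [])
    result = {
        "ldapv3": "3" in versions,
        "starttls": STARTTLS_OID in exts,
        "negotiate": "GSS-SPNEGO" in sasl,
        "extensions": [KNOWN_EXTENSIONS.get(oid, oid) for oid in exts],
        "findings": [],
    }
    if not result["ldapv3"]:
        result["findings"].append("LDAPv3 not advertised; v3 features such as StartTLS and SASL binds are unavailable")
    if not result["starttls"]:
        result["findings"].append("StartTLS not advertised; without LDAPS a simple bind sends credentials in the clear")
    if not result["negotiate"]:
        result["findings"].append("Negotiate (GSS-SPNEGO) not offered; only the listed mechanisms are available")
    return result


# Constructed sample rootDSE (not captured from a real server); the StartTLS OID is folded
# across two lines and vendorName is base64-encoded to exercise the parser.
SAMPLE_ROOTDSE = """\
dn:
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedExtension: 1.3.6.1.4.1.1466
 .20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
vendorName:: RXhhbXBsZSBEaXJlY3Rvcnk=
"""

if __name__ == "__main__":
    report = assess_rootdse(parse_ldif_entry(SAMPLE_ROOTDSE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the entry text comes from an anonymous base-scope search of the empty DN, which every LDAPv3 server must answer; the checks here are the ones a client should make before sending a password, since a server that offers neither StartTLS nor LDAPS leaves a simple bind unprotected on the wire.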



X.500 Security Feature


X.500 Directory Service is a standard way to build an electronic directory of the people in an organization, which can then be extended into a global directory available to anyone in the world with Internet access. The name is also commonly used for the joint ISO/IEC and ITU-T standards that specify a distributed directory service; these assume an underlying OSI protocol stack.

Some of the core components of X.500 are the Directory System Agent (DSA), the Directory User Agent (DUA), the Directory Access Protocol (DAP) and the Directory System Protocol (DSP). The DSA is the core directory server; a single DSA holds part of the data in the total directory. The DUA is the client process that accesses information in the directory, either as a user interface or embedded in another application. DAP is the protocol a DUA uses to access one or more DSAs, which gives X.500 its client-server model. DSP is the protocol DSAs use to talk to each other; it carries the same operations as DAP along with some DSA control information. X.500 specifies powerful security features: strong authentication using public key cryptosystems, and access control to information at various levels, including Administrative Area, Entry, Attribute and Attribute Value. All aspects of an organization's security policy should be easily configurable on each and every DSA, either through simple plain-text editing of configuration files or with a specialized tool.


Thursday, 5 January 2012

GPRS Security Feature, Threats and Solution

GPRS Security


GPRS Security Threats

Availability
The most common type of attack on availability is a denial of service (DoS) attack. Several types of denial of service attack are possible on the Gp interface:

  • Spoofed GTP PDP Context Delete – An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message that removes the GPRS tunnel between the SGSN and GGSN for a subscriber. Some of the information that must be known can be learned by crafting other types of network traffic. If an attacker does not care whom they deny service to, they can send PDP Context Delete messages for every tunnel ID that might be in use.
  • Bad BGP Routing Information – An attacker who controls a GRX's routers, or who can inject routing information into a GRX operator's route tables, can cause an operator to lose routes for roaming partners, thereby denying roaming access to and from those partners.
  • DNS Cache Poisoning – It may be possible for an attacker to forge DNS queries and/or responses so that a given user's APN resolves to the wrong GGSN, or to none at all. If a long Time To Live (TTL) is given, this can prevent subscribers from passing data at all.
Authentication & Authorization

  • Spoofed Update PDP Context Request – An attacker can use their own SGSN, or a compromised SGSN, to send an Update PDP Context Request to an SGSN that is handling an existing GTP session. The attacker can then insert their own SGSN into the GTP session and hijack the subscriber's data connection.

Integrity & Confidentiality

Should an attacker be in a position to access GTP or DNS traffic they can potentially alter it mid-stream or discover confidential subscriber information.
  • Capturing a subscriber’s data session – Because GTP and the embedded T-PDUs are not encrypted, an attacker who has access to the path between the GGSN and SGSN such as a malicious employee or cracker who has compromised access to the GRX can potentially capture a subscriber’s data session. This is generally true of traffic on public networks and subscribers should be advised to utilize IPSec or similar protection.
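The spoofed Delete and Update PDP Context Request threats above share a detection approach on the Gp interface: GTP-C is unauthenticated, so the monitoring side has to check where tunnel-management messages come from and how many tunnels one source touches. The example below is added here to show that logic; it is not code from the original post or from any operator's tooling. It parses the mandatory 8-byte GTPv1 header (flags, message type, length, TEID, with the message-type values from 3GPP TS 29.060) and flags (a) Update/Delete PDP Context Requests from an address not in the roaming-partner SGSN list and (b) a single source issuing Delete requests across many distinct TEIDs. The addresses, the partner list and the sample capture are constructed for the example.

```python
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# GTPv1-C message types (3GPP TS 29.060), the subset this detector needs to name.
GTP_MSG_TYPES = {
    1: "Echo Request", 2: "Echo Response",
    16: "Create PDP Context Request", 17: "Create PDP Context Response",
    18: "Update PDP Context Request", 19: "Update PDP Context Response",
    20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
}
UPDATE_REQ, DELETE_REQ = 18, 20


def parse_gtpv1_header(data: bytes) -> dict:
    """Parse the mandatory 8-byte GTPv1 header: flags, message type, length, TEID."""
    if len(data) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5                     # top three bits carry the version
    if version != 1:
        raise ValueError(f"unexpected GTP version {version}")
    if len(data) - 8 < length:
        raise ValueError("length field exceeds captured payload")
    return {"type": msg_type, "name": GTP_MSG_TYPES.get(msg_type, f"type {msg_type}"),
            "length": length, "teid": teid}


def analyze_gp_traffic(packets: Iterable[Tuple[str, bytes]], known_sgsns: Set[str],
                       sweep_threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Return (kind, source, detail) findings over (src_ip, gtp_payload) pairs seen on Gp."""
    findings: List[Tuple[str, str, str]] = []
    deletes_by_src: Dict[str, Set[int]] = defaultdict(set)
    for src, payload in packets:
        try:
            hdr = parse_gtpv1_header(payload)
        except ValueError as err:
            findings.append(("malformed", src, str(err)))
            continue
        # Tunnel-management requests must come from an SGSN we have a roaming agreement with.
        if hdr["type"] in (UPDATE_REQ, DELETE_REQ) and src not in known_sgsns:
            findings.append(("unknown-peer", src, f"{hdr['name']} for TEID 0x{hdr['teid']:08x}"))
        if hdr["type"] == DELETE_REQ:
            deletes_by_src[src].add(hdr["teid"])
    # One source deleting many different tunnels matches the "every tunnel ID" DoS pattern.
    for src, teids in deletes_by_src.items():
        if len(teids) >= sweep_threshold:
            findings.append(("delete-sweep", src,
                             f"Delete PDP Context Request for {len(teids)} distinct TEIDs"))
    return findings


def gtp_header(msg_type: int, teid: int) -> bytes:
    """Bare GTPv1 header (flags 0x30: version 1, PT=1, no payload) used to build the sample capture."""
    return struct.pack("!BBHI", 0x30, msg_type, 0, teid)


# Constructed sample: one legitimate roaming-partner SGSN and one unexpected source address.
KNOWN_SGSNS = {"198.51.100.10"}
SAMPLE_PACKETS = [
    ("198.51.100.10", gtp_header(16, 0x00000001)),   # partner creates a tunnel
    ("198.51.100.10", gtp_header(20, 0x00000001)),   # and tears it down: legitimate
    ("203.0.113.7", gtp_header(18, 0x00001234)),     # unknown peer tries to update a session
] + [("203.0.113.7", gtp_header(20, t)) for t in range(1, 7)]   # unknown peer sweeps TEIDs 1..6
SAMPLE_PACKETS.append(("203.0.113.7", b"\x30\x14"))             # truncated header


def run_sample() -> List[Tuple[str, str, str]]:
    return analyze_gp_traffic(SAMPLE_PACKETS, KNOWN_SGSNS)


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind:13} {src:15} {detail}")
```

On a real Gp link the payloads would come from a capture or an IDS tap and the partner list from the operator's roaming agreements; the threshold should be tuned to normal session churn so that an SGSN restart is not mistaken for a sweep.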

GSM Security Feature, Threats and Solution



Global System for Mobile Communications (GSM) security features include authentication, confidentiality and anonymity. Authentication means that the network operator can validate the identity of the subscriber and find out who is using the system, for purposes such as billing; the network authenticates the SIM to guard against duplicate SIMs. Confidentiality prevents eavesdropping and loss of information on the radio path, protecting sensitive data, voice and signalling information such as dialled digits. Anonymity prevents calls made to or from a user from being identified by wiretapping the radio path, and protects users from being tracked.

The GSM threat model reflects two concerns: the system operator wants bills to go to the correct person and services not to be compromised, and the customer wants some privacy, so that traffic is not overheard. Hence the solutions are to secure the radio path, which provides confidentiality and anonymity so that information is not leaked, and to use strong authentication to protect the operator against billing fraud. A man-in-the-middle attack is possible, in which the intruder sits between the target user and a real network and can eavesdrop on, delete, re-order, modify, replay and spoof the signalling and user data messages exchanged between the two parties. The equipment required is a modified BTS used in conjunction with a modified MS.
