
Registry Services Security

This presentation discusses the use of the LDAP-based registry for authentication, attribute information, and the security measures in place. It covers the data items stored in the registry and the access controls implemented. The presentation also explains the governance and selection process for data items in the registry.

emayes




Presentation Transcript


  1. Registry Services Security: LDAP-based Attributes and Authentication

  2. Presentation Goals
  • Describe
    • The Registry
    • Its use for authentication
    • Its use for attribute information
    • Security of Registry information

  3. The Registry
  • A database exposed through LDAP protocols
  • Populated from both authoritative and other sources
  • Failure-tolerant architecture
  • Looks like a directory with more data items
  • But it’s NOT the “white pages”

  4. What Data Items?
  • Names, addresses, phone numbers
  • Affiliations, positions, locations, groups
  • E-mail routing
  • Passwords and certificates
  • Entitlements
  • Optional information
  • Standards-based items

  5. LDAP Cluster
  (Diagram labels: IT Computing Services, SNAP, SES, HRIS; Extraction; Replication; Load balancing; directory.northwestern.edu = White Pages; registry.northwestern.edu = Registry)
  Note: schematic – not an engineering representation

  6. Access to Data Items
  • Access is controlled in four ways:
    • Anonymous bind to registry is reserved to known e-mail hosts
    • User binding restricted by IP address
    • Attribute retrieval protected by application credentialing and Access Control Lists
    • White pages is an extract of registry data

  7. Anonymous Binding
  • Appropriate for white pages lookup
  • Fast – no encryption
  • Program binds, then queries by indexed attribute
  • Return is defined by ACL
  (Diagram labels: Outlook, ??, Relay, Eudora → LDAP Service)

  8. User Binding
  • The only means to check username and password validity
  • Restricted by IP address to avoid brute-force attacks
  • Encrypted via SSL
  • Will eventually be isolated from the application by SSO
  • Return is defined by ACL
  (Diagram labels: SNAP, Hecky, SES → LDAP Service)

  9. Attribute Retrieval Binding
  • Application presents assigned credentials to bind as itself
  • Queries and receives return defined by unique ACL
  • Encrypted via SSL
  • Ex: from NetID get DN
  (Diagram labels: VPN, NUTV, Course Mgmt → LDAP Service)

  10. ACLs and IP Address Restrictions
  • Restriction of LDAP protocols by IP address is performed by ITCS firewall
  • Request-specific ACL limits exposure of data items
  (Diagram labels: Registry Data, LDAP Registry)

  11. Use of Bindings
  • Anonymous binding is used by e-mail clients
  • Access to Registry is strictly controlled
  • Passwords and private attributes are protected via SSL
  (Diagram label: Bindings)

  12. Typical Three-Step Scenario
  • Binding with DN and password is IP-restricted and isolated from application coding
  • Binding as an application presents credentials defining returned attributes
  (Diagram: Web Server → Application Server → Registry, each server with an LDAP Plug-in; transaction data including NetID passed over SSL; Key: NetID, Return: attributes; all LDAP connections over SSL)
  1. Bind as web server, search by NetID for DN, then
  2. Bind by DN to validate password
  3. Bind as application
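The following is an added worked model of the binding and ACL scheme in slides 6 through 12, written for this page; it is not Northwestern's code. It stands in for the LDAP Registry with an in-memory table, and every DN, address range, attribute value and secret in it is constructed. It shows the three binding types (anonymous from known e-mail hosts, DN-and-password bind restricted by IP and SSL, application bind with assigned credentials), a per-binding ACL that limits which attributes a search or read may touch, and the three-step login: bind as the web server to turn a NetID into a DN, bind by that DN to validate the password, then bind as the application to fetch only the attributes its ACL allows. The NetID is escaped before it is placed in the search filter, so request data cannot change the filter's shape.

```python
"""Constructed model of the Registry binding/ACL scheme from the slides.
Not Northwestern's code; all DNs, IP ranges, secrets and values are invented."""
import hashlib
import hmac
import ipaddress
import re

_SALT = b"constructed-salt"


def _hash_pw(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


# Constructed Registry entries keyed by DN.
REGISTRY = {
    "uid=jdoe,ou=people,dc=example,dc=edu": {
        "uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.edu",
        "telephoneNumber": "+1 555 0100", "eduPersonAffiliation": "staff",
        "eduPersonEntitlement": "urn:example:vpn",
        "userPassword": _hash_pw("correct horse"),
    },
}
WEB_DN = "cn=webserver,ou=apps,dc=example,dc=edu"
VPN_DN = "cn=vpn,ou=apps,dc=example,dc=edu"
APP_SECRETS = {WEB_DN: b"ws-secret", VPN_DN: b"vpn-secret"}  # assigned app credentials

# Request-specific ACLs: the attributes each binding identity may search or read.
ACL = {
    "anonymous": {"cn", "mail", "telephoneNumber"},  # white-pages items only
    WEB_DN: {"uid"},                                 # NetID -> DN lookup, nothing more
    VPN_DN: {"uid", "eduPersonEntitlement"},
}
MAIL_HOSTS = [ipaddress.ip_network("192.0.2.0/28")]          # may bind anonymously
USER_BIND_HOSTS = [ipaddress.ip_network("198.51.100.0/29")]  # may bind with DN+password


class BindError(Exception):
    pass


def _from(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)


def escape_filter_value(value):
    """RFC 4515 escaping: a NetID taken from a request cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class Registry:
    def bind_anonymous(self, client_ip):
        if not _from(client_ip, MAIL_HOSTS):
            raise BindError("anonymous bind is reserved to known e-mail hosts")
        return "anonymous"

    def bind_application(self, app_dn, secret, ssl):
        if not ssl:
            raise BindError("application bind requires SSL")
        if app_dn not in APP_SECRETS or not hmac.compare_digest(APP_SECRETS[app_dn], secret):
            raise BindError("bad application credentials")
        return app_dn

    def bind_user(self, dn, password, client_ip, ssl):
        if not ssl:
            raise BindError("user bind requires SSL")
        if not _from(client_ip, USER_BIND_HOSTS):
            raise BindError("user bind not permitted from this address")
        entry = REGISTRY.get(dn)
        if entry is None or not hmac.compare_digest(entry["userPassword"], _hash_pw(password)):
            raise BindError("invalid DN or password")
        return dn

    def search_dn(self, session, ldap_filter):
        """Evaluate one equality filter such as (uid=jdoe); return the matching DN."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m or m.group(1) not in ACL[session]:
            raise BindError("filter not permitted for this binding")
        attr, wanted = m.group(1), _unescape(m.group(2))
        for dn, entry in REGISTRY.items():
            if entry.get(attr) == wanted:
                return dn
        return None

    def read(self, session, dn):
        """Return only the attributes the session's ACL exposes."""
        return {a: v for a, v in REGISTRY[dn].items() if a in ACL[session]}


def three_step_login(reg, netid, password, app_dn, app_secret, client_ip):
    ws = reg.bind_application(WEB_DN, b"ws-secret", ssl=True)        # 1. bind as web server
    dn = reg.search_dn(ws, "(uid=%s)" % escape_filter_value(netid))  #    NetID -> DN
    if dn is None:
        raise BindError("unknown NetID")
    reg.bind_user(dn, password, client_ip, ssl=True)                 # 2. bind by DN to validate password
    app = reg.bind_application(app_dn, app_secret, ssl=True)         # 3. bind as application
    return reg.read(app, dn)
```

The application code never compares a password itself; the only password check is the bind by DN, which the model rejects from any address outside the allowed range or without SSL, matching the restrictions on slide 8. The same NetID sent as `jdoe)(cn=*` is escaped into a literal value and simply fails to match.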

  13. White Pages is a Separate Service
  • White pages (directory.northwestern.edu) is a separate service on separate hardware:
    • To increase performance
    • To separate the Registry for better security
    • To expose only the relevant data items to potential compromise

  14. How is Registry Access Governed?
  • Due to the protections in place, access must be requested through NUIT.
  • Requests must be approved by the custodian(s) of the data.
  • NUIT then assigns the appropriate ACL to restrict access to only the approved data items.

  15. How are Data Items Selected?
  • Registry data items fall into categories:
    • Those entrusted by SES and HRIS
    • Those necessary for e-mail routing and selective access to network services as defined by NUIT
    • Those historically available in the white pages

  16. New Data Items
  • Requests to include new items must be reviewed by NUIT and the source
  • Additional reviews by administrative offices may be required
  • New data items are not automatically exposed to existing ACLs
