eDirectory Security - PowerPoint PPT Presentation

About This Presentation
Title: eDirectory Security
Last modified by: Pekka Lindqvist
Slides: 55

Transcript and Presenter's Notes

1
eDirectory Security
  • Alan Mark
  • Chief Security Strategist

2
Agenda
  • How do you protect yourself?
  • Overview of eDir security components
  • What crackers can do
  • Audit trails with real-time alerting
  • What's next for you?

3
How Do You Protect Yourself?
4
Spending to Secure Assets Rising
(Chart: security software purchases, $ millions. Source: Gartner, Inc.)
5
The Problem
(Chart: level of executive concern for disaster recovery and business continuity compared with IT budget allocation)
6
Why Monitor?
  • 70% of all computer-related theft happens inside the firewall (Source: Information Security Magazine, 2000)
  • A survey of five hundred corporations found that 75% of computer-related theft happened inside the firewall (Source: CSI/FBI 2001 Study)
  • 90% of all security violations were attributed to insiders (Source: Exodus Communications, 2000)
7
Survey of NetWare Users
  • Do you use auditing to troubleshoot your network? YES: 73%
  • Is an auditing tool required in your organization? YES: 18%
  • Is auditing used on a full-time basis? YES: 4%

Source: Novell, February 2002
8
Where Is Your Protection Weakest?
(Chart of security areas with pre-event and post-event axis labels: biometrics, perimeter/network security, assessment, audit, firewalls, eCommerce security, smart cards, hardware lockdown, forensics, intrusion detection, cryptographic tools, password security, wireless security, encryption, e-mail security, database security, penetration testing, log analysis, web access control, vulnerability assessment, authentication, secure ID/password, OS/application hardening, physical access control, non-firewall access control, software/servers, PKI/certificate handling, VPNs, access control, network security appliances)
9
Concentric Barriers of Security
(Diagram of concentric security barriers, including physical security)
10
How the crackers do it
Don't give this to your children
11
Knowing where to start
  • Physical access to a component automatically
    lowers a security rating
  • Given enough time, a cracker can break into
    secure systems
  • Determine your most valuable systems
  • Are they physically secured?
  • Who has admin access?
  • Are they redundant?

12
More Info
  • See Novell Connections articles from January
    (Rethinking Security) and April 2002 (Disaster
    Recovery)
  • http://www.nwconnection.com/

13
Open standards and their risks
  • Many Novell products use open standards
      • LDAP, IP, SNMP, Java, SMTP, POP3
  • Many Novell products use standard services
      • JVM, Tomcat, Apache
  • Therefore most attacks and vulnerabilities affecting them also affect Novell products
  • Future standards need protection
      • SOAP, UDDI, SAML

14
Current Hacks - Some Examples
Unnecessary Information Leakage
/perl/samples/env.pl - via Apache/Novonyx
/nsn/env.bas - via Apache/Novonyx
/servlet/SessionServlet - NW5.1 only
/servlet/SnoopServlet - NW6 only
15
Current Hacks - Some Examples
Denial of Service
Overflow in Netbasic module name
/nsn/AAA...230 totalAAA (Novonyx only)
iManage - enter a DN > 256 characters
16
Invading Supervisor (NetWare only)
  • Brute force attacks
      • KNOCK and NWPCRACK will brute-force a bindery account.
  • Dictionary attacks
      • Pandora's Intruder will dictionary-attack using stealth methods.

17
Console Attacks (NetWare only)
  • Monitor Lock Bypass
  • Other Debugger Attacks
  • Rogue NLMs
  • Setpwd
  • Setpass

18
Console Attacks (cont.)
  • Remote Console
      • Password is decrypted in server RAM
      • Trivial to decrypt if the NCF file is captured
      • Rconsole sessions are in plaintext
  • Bindfix or DSRepair can store backup files that are accessible by others
  • NCF files lead to info

19
eDirectory security
  • Partly dependent on the OS/NOS
      • NetWare, Unix, NT/W2K, Solaris
  • eDirectory is built to retrieve data
      • But who should be able to retrieve it?
  • Poorly configured LDAP access is a big hole
  • Knowledge is dangerous
      • Surfing a tree leads to lots of information
  • A default installation can leave holes

20
Pandora v4
  • Offline Password Cracking
  • Online Server Attacks
  • Full GUI - point, click, and attack
  • Open Source Freeware
  • Developed with 100% freeware
  • GUIs for Win 95/98/NT and X (Linux only)

21
Pandora v4 Online
  • Denial of Service
  • Auto-gathering of Detailed System Information
  • User account discovery
  • Dictionary Password Attacks with Lockout
    Detection
  • Packet Signature Spoofing

22
Pandora v4 Offline
  • Complete NetWare 4.x/5.x password auditor
  • Dictionary and Brute Force Attacking
  • Will Read BACKUP.DS and DSREPAIR.DIB Files
  • Multi-threaded for Multiple Account Cracking

23
Understanding eDirectory Security
24
IRF
  • Inherited Rights Filters
  • Can prevent Admin from seeing lower containers
    and objects
  • Allows creation of hidden objects

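To make the IRF point concrete, here is an added example (not from the presentation or from Novell) that models how an IRF on a container masks the rights Admin would inherit and lists the containers where Admin has lost Supervisor. The rights letters, the override/mask rule, the Supervisor safeguard and the object names are assumptions of this simplified model.

```python
# Simplified model of eDirectory object rights and Inherited Rights Filters (IRFs).
# Assumptions: rights are S(upervisor), B(rowse), C(reate), D(elete), R(ename); an explicit
# trustee assignment on an object replaces what that trustee would inherit; otherwise
# inherited rights are masked by the object's IRF; Supervisor implies every other right.
ALL = frozenset("SBCDR")

class Obj:
    def __init__(self, dn, parent=None):
        self.dn, self.parent, self.children = dn, parent, []
        self.trustees = {}            # trustee DN -> explicitly assigned rights
        self.irf = set(ALL)           # rights allowed to flow down from the parent
        if parent:
            parent.children.append(self)

    def set_irf(self, allowed):
        # Modelled safeguard: S may only be filtered once some trustee holds an
        # explicit S here, so the subtree is never left without any supervisor.
        if "S" not in allowed and not any("S" in r for r in self.trustees.values()):
            raise ValueError(f"{self.dn}: grant an explicit Supervisor before filtering S")
        self.irf = set(allowed)

def effective(obj, trustee):
    """Effective object rights of `trustee` on `obj`, as a frozenset of letters."""
    if trustee in obj.trustees:
        rights = set(obj.trustees[trustee])
    elif obj.parent is None:
        rights = set()
    else:
        rights = effective(obj.parent, trustee) & obj.irf
    return ALL if "S" in rights else frozenset(rights)

def walk(obj):
    yield obj
    for child in obj.children:
        yield from walk(child)

def blind_spots(root, trustee):
    """Objects where `trustee` lost Supervisor, and who holds explicit S there instead."""
    out = []
    for o in walk(root):
        eff = effective(o, trustee)
        if "S" not in eff:
            holders = sorted(t for t, r in o.trustees.items() if "S" in r)
            out.append((o.dn, "".join(sorted(eff)), holders))
    return out

def demo():
    root = Obj("[Root]"); root.trustees["admin.acme"] = ALL
    acme = Obj("acme", root)
    hr = Obj("hr.acme", acme)
    hr.trustees["hradmin.hr.acme"] = ALL   # a local admin is given explicit S first...
    hr.set_irf("CDR")                      # ...then the IRF stops S and B flowing in from above
    Obj("payroll.hr.acme", hr)             # everything below inherits the gap
    return blind_spots(root, "admin.acme")
```

Running `demo()` shows Admin reduced to Create/Delete/Rename on hr.acme and below while hradmin.hr.acme alone holds Supervisor there, which is exactly the kind of gap an audit of IRFs should surface.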
25
Security Objects
  • Security container
      • Login methods
      • KAP
      • W0
  • Certificate Server
      • Importance of the first server
      • Certificates

26
Trustee Rights
  • Access to NetWare volumes
      • Beware [Public] and [Root]
  • NFAP
      • CIFS: crackers can brute-force the password hash
      • Unix NFS: monitor for new vulnerabilities
      • AFP: no problems that I know of

27
NICI
  • Uses signed modules
  • Modules loaded from
      • the server startup volume
      • the system area

28
SecretStore
  • Used in SecureLogin and other products
  • Stores credentials to other services
  • Locked if an admin changes the user's password

29
(No Transcript)
30
Controlling authentication and access
  • The key to eDir security
  • LDAP
      • Cleartext option
      • Rights to objects define what will be seen
  • Portals
      • Main page hard to protect
  • Old users still exist?

31
Auditing - the forgotten child
32
Auditing
  • Compliance
      • Banking and finance: FDIC, OCC regulations, GLB
      • Government: C2 or Common Criteria
      • Healthcare: HIPAA
  • Other issues
      • Legal liability and protection of assets
      • Troubleshooting the network
      • Provides a detailed analysis of activity

33
Auditing your network
  • Blue Lance LT Auditor
  • Visual Click DSMeter
  • NetVision Policy Management Suite
  • NAAS

34
Novell Auditing Architecture
35
eDirectory NetWare Monitors
  • Logins and logouts
  • All intruder login attempts
  • NDS schema updates
  • NDS partition changes
  • RCONSOLE access
  • Trustee assignments
  • Volume mount/dismount
  • Modules being loaded
  • eDirectory changes
  • File deletions and modifications
  • Creation and deletions of users and groups
  • Security equivalences assigned or revoked
  • Password changes

36
Policies
  • Filter policies
      • Login, eDirectory/NDS, file/directory and server filters
      • Granular filtering capability
  • Set up real-time alerting for sensitive events
  • Configure as per organizational security policies

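As an added example of a filter policy with real-time alerting over the monitor events listed above (not the presentation's or LT Auditor's code): it reads a constructed audit log, pages immediately on schema, partition, RCONSOLE and module-load events, on equivalence or trustee grants touching privileged objects and on an admin password reset by someone else, and raises one alert when intruder attempts on an account burst past a threshold. The log format, event names, thresholds and object names are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example (not LT Auditor's real format):
#   <epoch> <EVENT> key=value ...  e.g. "1100 SECEQUIV_ASSIGN user=jdoe.acme target=admin.acme"
LINE = re.compile(r"^(\d+) (\S+)((?: \w+=\S+)*)$")
def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None                    # malformed line: skip it, never crash the monitor
    ts, event, rest = m.groups()
    return {"ts": int(ts), "event": event, **dict(kv.split("=", 1) for kv in rest.split())}

# Filter policy: some events always page someone; others only when they touch a
# privileged object (assumed names) or exceed a rate threshold.
ALWAYS = {"SCHEMA_UPDATE", "PARTITION_CHANGE", "RCONSOLE_ACCESS", "MODULE_LOAD"}
PRIVILEGED = {"admin.acme", "[Root]"}
INTRUDER_LIMIT, INTRUDER_WINDOW = 3, 60   # three intruder attempts within 60 s
def evaluate(lines):
    """Apply the policy to log lines in order; return (ts, alert, actor) tuples."""
    alerts, recent = [], defaultdict(deque)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        e, who = ev["event"], ev.get("user", "?")
        if e in ALWAYS:
            alerts.append((ev["ts"], e, who))
        elif e in ("SECEQUIV_ASSIGN", "TRUSTEE_ASSIGN") and ev.get("target") in PRIVILEGED:
            alerts.append((ev["ts"], e + "_PRIVILEGED", who))
        elif e == "PASSWORD_CHANGE" and who in PRIVILEGED and ev.get("by", who) != who:
            alerts.append((ev["ts"], "ADMIN_PASSWORD_RESET_BY_OTHER", ev["by"]))
        elif e == "INTRUDER_ATTEMPT":
            q = recent[who]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > INTRUDER_WINDOW:   # forget attempts outside the window
                q.popleft()
            if len(q) == INTRUDER_LIMIT:               # fire once, when the threshold is hit
                alerts.append((ev["ts"], "INTRUDER_BURST", who))
    return alerts

# Constructed sample log: a lockout burst, an equivalence grant, an admin reset, RCONSOLE use
SAMPLE = """\
1001 INTRUDER_ATTEMPT user=admin.acme
1010 INTRUDER_ATTEMPT user=admin.acme
1020 INTRUDER_ATTEMPT user=admin.acme
1030 INTRUDER_ATTEMPT user=admin.acme
1100 SECEQUIV_ASSIGN user=jdoe.acme target=admin.acme
1200 PASSWORD_CHANGE user=admin.acme by=jdoe.acme
1300 RCONSOLE_ACCESS user=jdoe.acme
1400 TRUSTEE_ASSIGN user=jdoe.acme target=sales.acme
""".splitlines()
```

`evaluate(SAMPLE)` yields four alerts (the burst fires once at the third attempt, and the trustee grant on a non-privileged container is filtered out), which is the kind of granular filtering the slide calls for.
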
37
(No Transcript)
38
(No Transcript)
39
(No Transcript)
40
(No Transcript)
41
Policies (cont.)
  • Security policies
      • Authorized users
      • Levels of access control for authorized users
  • Audit LT Auditor
      • Police the policeman

42
(No Transcript)
43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
What next?
Are you hating life?
47
What's Next for You?
(The security-area chart from slide 8, repeated)
48
Better Identification
  • Advanced authentication
  • Something you know
  • Something you are
  • Something you have

49
Updates and patches
  • PatchLink Update 3.0
  • Patches automatically
  • Scans the network
  • Notifies via email
  • Multi-platform agent support
  • Software distribution
  • Content replication
  • Scripted Task execution

50
Patchlink Update
  • www.patchlink.com

51
Disaster Recovery
(Chart of backup options plotted by function against cost / data importance: tape back-up, tape back-up offsite, clustered servers with offsite replica, clustered servers with offsite failover)
52
eDir backup
(Diagram: eDirectory on NetWare (primary), replicated through DirXML to eDirectory on NT (secondary) and eDirectory on Solaris (secondary))
eDirectory 8.6.1 or later. Live, continuous backup: changes replicated in real time.
53
Novell's New Security Approach
  • On confirming a security hole, Novell issues a notice until a fix/workaround is available
  • This approach carries a risk
      • More hackers/script kiddies will be aware of issues.
      • If administrators don't bother patching...

54
What Can We Do to Help?
SPREAD THE WORD!!!!
  • Security issues posted at http://support.novell.com/security-alerts
  • Self-subscription distribution list: http://www.novell.com/info/list
  • Moderated newsgroup: novell.support.security-alerts
  • Submissions (alternative to the website HTML form): security@novell.com

55
(No Transcript)