Sunday, 15 January 2012

Microsoft’s Active Directory Security Feature

Security Features

(Figure: Delegation Of Control wizard)

Administrators must be able to protect their directory from attackers and users, while delegating tasks to other administrators where necessary. This is all possible using the Active Directory security model, which associates an access control list (ACL) with each container, object, and object attribute within the directory.


This high level of control allows an administrator to grant individual users and groups varying levels of permissions for objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users. Nonmanagers would not even know that the attribute existed.


A concept new to Windows 2000 Server is delegated administration. This allows administrators to assign administrative tasks to other users without granting those users more power than necessary. Delegated administration can be assigned over specific objects or contiguous subtrees of a directory. This is a much more effective method of giving authority over the network: rather than granting someone the all-powerful Domain Administrator permissions, he or she can be given permissions for just those systems and users within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACL of their container.
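The delegation model described above, as an added illustration written for this page (it is not Microsoft code and simplifies the real security descriptor): containers carry ACEs, child objects inherit the inheritable ACEs of their ancestors, and the access check uses the Windows ordering in which an explicit deny beats an inherited allow. The domain, OU, group and right names are constructed.

```python
"""Simplified model of delegated administration with ACL inheritance (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ACE:
    trustee: str          # group or user the entry applies to (constructed names)
    right: str            # e.g. "ResetPassword", "WriteMembers"
    allow: bool = True    # False = explicit deny entry
    inherit: bool = True  # propagate to objects below this container


@dataclass
class DirObject:
    dn: str
    parent: Optional["DirObject"] = None
    acl: list = field(default_factory=list)  # ACEs set directly on this object


def create_child(parent: DirObject, rdn: str) -> DirObject:
    """A new object is linked to its container and so inherits its ACL."""
    return DirObject(dn=f"{rdn},{parent.dn}", parent=parent)


def effective_acl(obj: DirObject):
    """(ace, inherited) pairs: own ACEs first, then inheritable ACEs of each ancestor."""
    entries = [(a, False) for a in obj.acl]
    node = obj.parent
    while node is not None:
        entries.extend((a, True) for a in node.acl if a.inherit)
        node = node.parent
    return entries


def has_access(obj: DirObject, groups: set, right: str) -> bool:
    """First matching ACE in canonical order decides:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    matching = [(a, inh) for a, inh in effective_acl(obj)
                if a.trustee in groups and a.right == right]
    matching.sort(key=lambda e: (e[1], e[0].allow))
    return matching[0][0].allow if matching else False


def build_demo() -> dict:
    """Constructed directory: helpdesk delegated ResetPassword on OU=Sales only."""
    domain = DirObject("DC=corp,DC=example")
    domain.acl = [ACE("Domain Admins", "ResetPassword"),
                  ACE("Domain Admins", "WriteMembers")]
    sales = create_child(domain, "OU=Sales")
    finance = create_child(domain, "OU=Finance")
    # Delegation of Control: scoped to one subtree, not the whole domain
    sales.acl.append(ACE("Sales Helpdesk", "ResetPassword"))
    alice = create_child(sales, "CN=alice")
    bob = create_child(finance, "CN=bob")
    # A sensitive account under the delegated OU opts out with an explicit deny
    svc = create_child(sales, "CN=svc-payroll")
    svc.acl.append(ACE("Sales Helpdesk", "ResetPassword", allow=False, inherit=False))
    return {"alice": alice, "bob": bob, "svc": svc}


if __name__ == "__main__":
    objs = build_demo()
    for name, obj in objs.items():
        print(name, has_access(obj, {"Sales Helpdesk"}, "ResetPassword"))
```

Adding the delegation ACE to the OU after the user objects exist still takes effect, because the check walks the container chain at evaluation time rather than copying ACEs once at creation.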


There is no distinction between one-way and two-way trusts because all Active Directory trusts are bidirectional. Further, all trusts are transitive. So, if Domain A trusts Domain B, and Domain B trusts Domain C, then there is an automatic implicit trust between Domain A and Domain C.



Windows 2000 Server trusts are bidirectional and transitive.
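The transitivity rule above, worked through as an added example (not Microsoft code): trusts are stored in both directions, and a breadth-first search returns the chain of domains through which an authentication referral would pass. Domain names are constructed. The companion function lists every domain that implicitly trusts a given one, which is the set an administrator has to worry about when that domain is compromised.

```python
"""Reachability over bidirectional, transitive trusts (added example)."""
from collections import deque


def add_trust(trusts: dict, a: str, b: str) -> None:
    """Record a trust; every trust here is two-way, so both directions are stored."""
    trusts.setdefault(a, set()).add(b)
    trusts.setdefault(b, set()).add(a)


def trust_path(trusts: dict, source: str, target: str):
    """Shortest chain of trusts from source to target, or None if none exists."""
    if source == target:
        return [source]
    seen = {source}
    queue = deque([[source]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(trusts.get(path[-1], ())):
            if nxt in seen:
                continue
            if nxt == target:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def implicitly_trusting(trusts: dict, domain: str) -> set:
    """All domains that end up trusting `domain` through transitivity."""
    reached, stack = set(), [domain]
    while stack:
        cur = stack.pop()
        for nxt in trusts.get(cur, ()):
            if nxt != domain and nxt not in reached:
                reached.add(nxt)
                stack.append(nxt)
    return reached


def demo_forest() -> dict:
    """Constructed trust graph: A-B-C chained, D-E separate."""
    trusts = {}
    add_trust(trusts, "a.example", "b.example")
    add_trust(trusts, "b.example", "c.example")
    add_trust(trusts, "d.example", "e.example")
    return trusts


if __name__ == "__main__":
    t = demo_forest()
    print(trust_path(t, "a.example", "c.example"))
    print(sorted(implicitly_trusting(t, "a.example")))
```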



Another Active Directory security feature is auditing. Just as you can audit NTFS partitions, objects and containers within Active Directory can be audited. This is a useful way to determine who is attempting to access objects, and whether or not they succeed.
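The question the paragraph raises, who tried to access which object and whether they succeeded, answered over a handful of constructed audit records as an added example (not from the post or from Microsoft). The record layout below is a simplified one written for this page; it keeps the fields a directory-object audit entry carries (subject, object, access requested, outcome) rather than any product's exact format.

```python
"""Summarise directory-object audit records by subject and outcome (added example)."""
import re
from collections import defaultdict

# Constructed sample records, not real log data.
SAMPLE_LOG = """\
2012-01-15T09:58:01 Subject=CORP\\hd-jane Object=CN=alice,OU=Sales,DC=corp,DC=example Access=ResetPassword Outcome=Success
2012-01-15T09:58:40 Subject=CORP\\hd-jane Object=CN=bob,OU=Finance,DC=corp,DC=example Access=ResetPassword Outcome=Failure
2012-01-15T09:59:02 Subject=CORP\\hd-jane Object=CN=cfo,OU=Finance,DC=corp,DC=example Access=ResetPassword Outcome=Failure
2012-01-15T10:01:15 Subject=CORP\\admin Object=CN=Domain Admins,CN=Users,DC=corp,DC=example Access=WriteMembers Outcome=Success
"""

LINE = re.compile(
    r"^(?P<ts>\S+) Subject=(?P<subject>\S+) Object=(?P<object>.+?) "
    r"Access=(?P<access>\S+) Outcome=(?P<outcome>Success|Failure)$"
)


def parse(log: str) -> list:
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE.match(l) for l in log.splitlines()) if m]


def summarize(records: list) -> dict:
    """Per subject: success/failure counts and the set of objects touched."""
    out = defaultdict(lambda: {"Success": 0, "Failure": 0, "objects": set()})
    for r in records:
        entry = out[r["subject"]]
        entry[r["outcome"]] += 1
        entry["objects"].add(r["object"])
    return dict(out)


def failures_outside_scope(records: list, scope_suffix: str) -> list:
    """Failed attempts on objects outside a delegated subtree: the cases
    an administrator reviews first, because they show a delegated account
    reaching beyond what it was given."""
    return [(r["subject"], r["object"]) for r in records
            if r["outcome"] == "Failure" and not r["object"].endswith(scope_suffix)]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for subject, info in summarize(recs).items():
        print(subject, info["Success"], info["Failure"])
    print(failures_outside_scope(recs, "OU=Sales,DC=corp,DC=example"))
```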



Saturday, 14 January 2012

LDAP Security Feature



Security Perspective


Access Control
Control over who may read what and who may change what is exercised with Access Control Lists (ACLs). This is one of the non-standardised areas of LDAP, and it varies a lot from one server to another.

Client Authentication
The simplest form of client authentication is to bind to the server using a cleartext password. This is the method normally used by pam_ldap for checking login passwords. For security, this method should only be used with encrypted connections.
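What "cleartext password" means on the wire, shown as an added example written for this page (it is not from the post, pam_ldap or any LDAP server). The encoder follows the BindRequest structure from RFC 4511: an LDAPMessage SEQUENCE holding a messageID INTEGER and a BindRequest ([APPLICATION 0]) of version, name and a simple [0] password. The decoder is the check a network monitor can run on sessions that never negotiated TLS: if it returns a credential, that client needs to be moved to an encrypted connection. DN and password are constructed.

```python
"""BER encoding and detection of an LDAP simple bind (added example)."""


def _ber(tag: int, body: bytes) -> bytes:
    """Tag-length-value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _ber_int(value: int) -> bytes:
    """Non-negative INTEGER, with a leading zero byte when the top bit is set."""
    return _ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = _ber_int(3) + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber_int(msg_id) + _ber(0x60, op))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def cleartext_simple_bind(packet: bytes):
    """(dn, password) if the packet is a simple BindRequest, otherwise None.
    Anything this returns from an unencrypted session crossed the network
    readable to any passive observer."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        _, _, pos = _read_tlv(msg, 0)            # messageID
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                           # not a BindRequest
            return None
        _, _, pos = _read_tlv(op, 0)              # version
        _, dn, pos = _read_tlv(op, pos)
        tag, auth, _ = _read_tlv(op, pos)
        if tag != 0x80:                           # SASL binds use [3], not simple [0]
            return None
        return dn.decode(), auth.decode()
    except (IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    pkt = bind_request(1, "cn=admin,dc=example,dc=org", "s3cret")
    print(pkt.hex())
    print(cleartext_simple_bind(pkt))
```

With STARTTLS or ldaps the same bytes are carried inside the TLS record layer, so the decoder sees nothing; that is the whole reason the post restricts simple binds to encrypted connections.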

X.500 Security Feature

What is X.500?
X.500 is an ISO (International Standards Organization) standard distributed directory system that is sometimes seen as a "competitor" to DNS.

Features and functions of X.500

  • X.500 can be used to retrieve address information for a particular host

  • X.500, as a directory service, supports many types of searching

  • X.500 is a full-blown distributed database meant to be used for a wide variety of applications

    You can store the phone book in an X.500 database. You can store location data in an X.500 database. You can store information about all sorts of network devices and their attributes.

  • X.500 has security features involving credentials and the support of multiple encryption types

Thursday, 5 January 2012

GPRS Security Feature, Threats and Solution

What is GPRS?

GPRS stands for General Packet Radio Service. It is a wireless data service that extends GSM data capabilities for Internet access, multimedia messaging services, and early mobile Internet applications via the wireless application protocol (WAP), as well as other wireless data services.


(Figure: GPRS system architecture)

GPRS Security Feature
Security services are protections and assurances that provide mitigation against various threats. They are generally known as:





  • Integrity: Integrity is a security service that assures that data cannot be altered in an unauthorized or malicious manner.


  • Confidentiality: Confidentiality is the protection of data from disclosure to unauthorized third parties.


  • Authentication: Authentication provides assurance that a party in data communication is who or what they claim to be.


  • Authorization: Authorization is a security service that ensures that a party may only perform the actions that they’re allowed to perform.


  • Availability: Availability means that data services are usable by the appropriate parties in the manner intended.



GPRS Threats and Solution




  • Subscriber Identity Confidentiality
    Weak protection of the permanent identity may allow an active attacker to pretend to be a new serving network, to which the user then has to reveal his permanent identity.


  • Subscriber Authentication
    The authentication procedure is one-way, and, thus, it does not assure that a mobile user is connected to an authentic serving network. This fact enables active attacks using a false base station identity.


  • Data and Signalling Protection
    An important weakness of the GPRS security architecture is that the encryption of signalling and user data over the highly exposed radio interface is not mandatory. As a result, signalling and data traffic are conveyed in clear text over the radio path.


Let's look at the solution.




  • Identity Confidentiality
    To limit the exposure of the permanent identities (IMSI) of mobile users over the vulnerable radio interface, the additional use of two complementary temporary identities for each mobile subscriber attached to the network has been proposed.


  • Signalling Protection
    To address the lack of security measures in the signalling plane of the GPRS backbone, we propose incorporating the Network Domain Security (NDS) features into the GPRS security architecture. NDS features, which were designed for later versions of UMTS, ensure that signalling exchanges in the backbone network, as well as in the whole wireline network, are protected.



Reference


netscreen.com

Wednesday, 4 January 2012

GSM Security Feature, Threats and Solution

What is GSM?

GSM stands for Global System for Mobile Communications. It is a standard set developed by the European Telecommunications Standards Institute (ETSI) to describe technologies for second generation (2G) digital cellular networks.



GSM Security Feature

Security in GSM consists of the following aspects: subscriber identity authentication, subscriber identity confidentiality, and user and signaling data confidentiality.


  • Subscriber identity authentication
    It uses a challenge-response protocol by which the fixed network authenticates the identity of mobile subscribers.


  • Subscriber identity confidentiality
    Subscriber identity confidentiality means that the operator tries to protect the user’s telephone number from unauthorized tapping, such that information is disclosed only to those who are authorized to view it.


  • User and signaling data confidentiality
    Signalling and data channels are protected over the radio path. Privacy of user-generated data is provided for both voice and non-voice data transferred over the radio path on traffic channels. Privacy for user data transferred in packet mode over the radio path on dedicated signalling channels is also provided. Encrypted voice and data communication between the MS (Mobile Station) and the network is achieved through the ciphering algorithm A5.
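The three aspects above, and the GPRS threats and solutions in the post above this one (one-way authentication enabling a false base station, and temporary identities to keep the IMSI off the air), worked through in one added simulation written for this page. It is not ETSI code or the post's own: the operator-specific A3 and A8 are stood in for by HMAC-SHA256 truncated to the real output sizes (SRES 32 bits, Kc 64 bits), the network authentication token is an illustration of the mutual-authentication fix rather than any standardised format, and all IMSIs, keys and challenges are constructed.

```python
"""GSM/GPRS challenge-response, false base station, mutual auth, TMSI (added example)."""
import hashlib
import hmac
import secrets


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response from Ki and the 128-bit RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit ciphering key Kc, later consumed by A5."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def network_token(ki: bytes, rand: bytes, sqn: int) -> bytes:
    """Proof that the challenger knows Ki and a fresh sequence number (not in GSM)."""
    return hmac.new(ki, b"AUTN" + rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki
        self.tmsi = None      # temporary identity assigned by the network after auth
        self.last_sqn = 0     # replay window for the mutual-auth variant

    def identity(self):
        """Send the TMSI when one is held; the permanent IMSI only otherwise."""
        return ("TMSI", self.tmsi) if self.tmsi else ("IMSI", self.imsi)

    def answer(self, rand: bytes) -> bytes:
        """GSM one-way scheme: the SIM answers whoever sends a RAND."""
        return a3_sres(self.ki, rand)

    def answer_mutual(self, rand: bytes, sqn: int, autn: bytes):
        """Answer only a challenger that proves knowledge of Ki with a fresh SQN."""
        if sqn <= self.last_sqn or not hmac.compare_digest(network_token(self.ki, rand, sqn), autn):
            return None
        self.last_sqn = sqn
        return a3_sres(self.ki, rand)


class HomeNetwork:
    """HLR/AuC role: holds Ki per IMSI, issues challenges, allocates TMSIs."""
    def __init__(self):
        self.ki_by_imsi, self.imsi_by_tmsi, self.sqn = {}, {}, {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self.ki_by_imsi[imsi] = ki
        self.sqn[imsi] = 0

    def resolve(self, kind: str, value) -> str:
        return value if kind == "IMSI" else self.imsi_by_tmsi[value]

    def challenge(self, imsi: str):
        """GSM triplet (RAND, SRES, Kc)."""
        rand = secrets.token_bytes(16)
        ki = self.ki_by_imsi[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)

    def challenge_mutual(self, imsi: str):
        rand, sres, kc = self.challenge(imsi)
        self.sqn[imsi] += 1
        autn = network_token(self.ki_by_imsi[imsi], rand, self.sqn[imsi])
        return rand, self.sqn[imsi], autn, sres, kc

    def allocate_tmsi(self, imsi: str) -> bytes:
        tmsi = secrets.token_bytes(4)
        self.imsi_by_tmsi[tmsi] = imsi
        return tmsi


def attach(net: HomeNetwork, sim: SIM, mutual: bool = False) -> bool:
    """Identify, authenticate, then receive a fresh TMSI (in a real network the
    TMSI reallocation travels ciphered under Kc, so the IMSI is not exposed again)."""
    imsi = net.resolve(*sim.identity())
    if mutual:
        rand, sqn, autn, sres, kc = net.challenge_mutual(imsi)
        ok = sim.answer_mutual(rand, sqn, autn) == sres
    else:
        rand, sres, kc = net.challenge(imsi)
        ok = sim.answer(rand) == sres
    if ok:
        sim.tmsi = net.allocate_tmsi(imsi)
    return ok


def rogue_network_gets_answer(sim: SIM, mutual: bool = False) -> bool:
    """A false base station holds no Ki. One-way GSM: the SIM still answers, so
    the rogue goes undetected. Mutual variant: it cannot build a valid AUTN."""
    rand = secrets.token_bytes(16)
    if mutual:
        return sim.answer_mutual(rand, sim.last_sqn + 1, secrets.token_bytes(8)) is not None
    return sim.answer(rand) is not None
```

The simulation makes the asymmetry concrete: the network's check on the phone is sound (a SIM with the wrong Ki fails), but nothing in the one-way exchange lets the phone check the network, which is exactly the gap the false base station exploits and the token in the mutual variant closes.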



GSM Threats and Solution



The table above summarizes the threats and their ranks. It is easily observable that the most serious threat is the denial of service attack.

So what are the solutions to these problems?




  • Use secure algorithms for A3/A8 implementations
    This can thwart the dangerous SIM card cloning attack.


  • Use secure ciphering algorithms
    Operators can use newer and more secure algorithms such as A5/3 provided that such improvements are allowed by the GSM consortium.


  • Securing the backbone traffic
    Encrypting the backbone traffic between the network components can prevent an attacker from eavesdropping on or modifying the transmitted data.


  • End-to-end security
    The best, easiest, and most profitable solution is to deploy the end-to-end security or security at the application layer.



Reference

Academia.edu

VTT Research Notes