Keeping Your Guard Up With eDirectory
Novell Cool Solutions: Feature
By Bill Maxey
Posted: 30 Nov 2001
A lot of our reader mail of late has focused on a recurring theme: security. The events of September 11 have forced us all to have a renewed interest in this ever-present (and sometimes spooky) topic.
Regarding security and eDirectory, one of our readers posed these questions: "How is eDirectory protected against malicious attacks including denial of service? What about other attacks such as virus infection? How is eDirectory protected from being used as a tool to attack via e-mail, network or other service?"
While we're not sure of this reader's intentions, we thought we would look to our best and brightest for answers to his questions. Bill Maxey is Novell Consulting's Access & Security Service Line Manager. It's his job to deal with corporate security issues every day. Here's how he responded to our questions.
The common definition of a Denial of Service (DOS) is any action (or series of actions) that prevents any part of a system from functioning in accordance with its intended purpose. In this case eDirectory, as well as any other directory and database service, can be the target of a DOS.
Examples of Direct Attacks:
- Directory Maintenance - Moving and the creation of large replicas over slow WAN links without having a properly maintained directory tree.
- Time - Declaring a new time epoch in the future.
- Partition - Downing or removing a master replica server in an unauthorized fashion.
- Buffer Overflow - A process running on the Dir server (such as the TCPIP NLM) that is expecting a limited amount of data and receives more than its boundaries allow. This type of attack has been used by the "ping of death" to push the limits of an ICMP packet via Ping.
These are just a few examples of what can happen when there are no security policies in place.
The good news is that when teamed with physical and logical controls, the directory is one of the best tools available to prevent, deter, and recover from a DOS.
Prevention: Correctly designed and administered directory services can prevent access to resources that are "mission critical".
Deterrence: Implementing password policies within the directory that require strong or graded authentication. These policies could also limit the number of login attempts.
Recovery: Implementing disaster recovery policies that have addressed the redundancy for master replication and partition denial of service, i.e., if one location is down, how will users be able to access the system?
Is there a known virus that can attack eDirectory?
Not that we're aware of. Most viruses to date are targeted at executables and macros from the Wintel platforms. This doesn't mean to say that there is no threat, just that the threat is minimized.
Are there any anti-virus products in this space?
Your typical packages such as McAfee, Norton, and various others that run on multiple platforms.
Can eDirectory be used as a conduit to attack parts of a network?
Theoretically yes. For instance: If you have a tree where user information is comprised of pictures and other large amounts of data, the user potentially could abuse this feature by loading large pictures or files of information in attributes within the directory.
What can be done to protect the directory against attack?
Controls - such as sizing and boundary information - should be in place as a prevention. Limiting access to authorized personnel for picture entry is another control.
It's never a bad idea to commission a security audit. In general, I recommend a Security Risk Assessment and a Business Continuity Planning service to customers who are concerned with or especially vulnerable to attacks on their network's security. These services identify the threat potential, suggest countermeasures, define controls, monitoring and auditing processes, and assist in defining and implementing policies.
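The sizing control described above can be audited offline against an LDIF export of the tree by flagging any attribute value larger than a policy ceiling. This is an added example, not code from the article or from Novell; the attribute names, byte limits and sample entries are assumptions constructed for illustration.

```python
import base64

# Assumed per-attribute ceilings in bytes (not eDirectory defaults); set them from your own policy.
LIMITS = {"jpegphoto": 100 * 1024, "photo": 100 * 1024}
DEFAULT_LIMIT = 8 * 1024

def unfold(ldif_text):
    """Join RFC 2849 continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def value_bytes(rest):
    """Decode one value (text after the first ':'); '::' marks base64, otherwise plain text."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode("utf-8")  # 'attr:< url' is measured as the URL text, not fetched

def oversized_values(ldif_text, limits=LIMITS, default=DEFAULT_LIMIT):
    """Return [(dn, attribute, size, limit)] for every value larger than its ceiling."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        if line.startswith("#") or ":" not in line:
            continue  # comments and blank record separators
        attr, rest = line.split(":", 1)
        value = value_bytes(rest)
        if attr.lower() == "dn":
            dn = value.decode("utf-8")
            continue
        attr = attr.split(";")[0].lower()  # drop options such as ';binary'
        limit = limits.get(attr, default)
        if len(value) > limit:
            findings.append((dn, attr, len(value), limit))
    return findings

def constructed_sample():
    """Constructed LDIF: one ordinary entry, one with a 150 KiB photo folded at 76 columns."""
    line = "jpegPhoto:: " + base64.b64encode(b"\x00" * 150 * 1024).decode()
    folded = "\n ".join([line[:76]] + [line[i:i + 75] for i in range(76, len(line), 75)])
    return ("dn: cn=alice,o=example\ncn: alice\ntelephoneNumber: 555-0100\n\n"
            "dn: cn=bob,o=example\ncn: bob\n" + folded + "\n")

if __name__ == "__main__":
    for finding in oversized_values(constructed_sample()):
        print("over limit: dn=%s attr=%s size=%d limit=%d" % finding)
```

Running the audit on a schedule shows whether the boundary controls and the restriction on who may enter pictures are holding.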