Thursday, 12 January 2012

Microsoft’s Active Directory

Active Directory (AD) is Microsoft’s implementation of directory services. It is based on various standards, the most important of which are LDAP and X.500 (a schema based on X.500).

In addition to LDAP compliance, AD has a few additional features and compatibilities, such as the close integration of the directory services with Windows domains and the Domain Name Service (DNS). This alliance of directory services with Windows domains is the key to directory scalability. AD security, authentication, and access control are also provided by the combination of domains and the directory. While this approach works well, the integration of AD with Windows domains forces the choice of Active Directory services when selecting the Windows 2000 operating system.

Security Feature

AD security is not a single setting; it is a compilation of settings that has a few phases and can become very complicated.

The default AD security settings provide basic control of objects such as user accounts, group accounts, and computer accounts. In small companies, this default configuration might be enough. Larger companies, however, will quickly outgrow the built-in security and will need additional security settings and design. To ensure a secure and stable IT infrastructure, regardless of the size of the company, a firm grasp of AD security settings is required.

During the design phase of AD, the security of AD objects should be considered and documented. The objects that need to be considered for security include:
  • Domain controllers
  • Servers
  • User accounts
  • Group accounts
  • Client computers
  • GPOs
  • OUs
The security design for AD must be implemented properly in order to be effective. Failure to follow the design documents will leave AD vulnerable to attacks from both within and outside the LAN. In addition, AD security is very difficult to audit and track if it was not set up with care.

Another key aspect of AD security is management. The management phase is important because this is the stage at which ongoing AD security must be properly maintained. Whether it is giving users the ability to add members to groups or locking down computers located in the reception area, the management of AD security must be procedural and consistent.



Lightweight Directory Access Protocol

LDAP has been positioned as an open standard for directory services. It is a standard way for client applications and Internet Web servers to access on-line directory services over a TCP/IP network. Its main purpose is to give users quick and easy access to a directory of people and information such as user names, e-mail addresses, and telephone numbers.

LDAP Security Feature

LDAP and especially OpenLDAP have a number of security features which might seem to be a little daunting.

The diagram below gives a perspective on the problem before going into detail. It shows the different kinds of access interfaces and methods to an LDAP system, describes some security issues, and indicates the methods available to manage the risks involved. The purpose of this exercise is to determine either a set of security policies or implementation priorities.


All numbers in the descriptions below refer to the Figure above:
  1. Remote Communications (1): Remote communication security may or may not be an issue. If you provide unlimited (anonymous) access to non-sensitive LDAP data then the security issue is undecided. 

If all LDAP communications can be guaranteed to happen within a trusted network then people may prefer to administer using a simple clear text password with no additional security.

The growing emphasis on run-time configuration (RTC, a.k.a. cn=config) and monitoring (cn=monitor) is increasingly turning LDAP browsers into remote consoles for administering LDAP servers, which makes these connections highly security-sensitive.

  2. Passwords (2): When hashed passwords are sent in a snoop-able data stream, they become exposed to a dictionary attack, in which the attacker has the hashed form and runs a list of passwords (a dictionary) through the hashing algorithm until a match is found.

Using salt (one or more octets, depending on the implementation, are added to the password before hashing and hence removed before comparison) substantially increases the security of hashed passwords. ACLs should be used to restrict access to passwords to properly authorized users only. For example, for a userPassword attribute the following ACL will only allow the attribute to be sent to the owner of the entry or a specific (admin) group of users:
access to attrs=userpassword
 by self       write
 by anonymous  auth
 by group.exact="cn=admin,ou=groups,dc=example,dc=com" write
 by *          none

  3. Data (3): The only way to keep data coming from an LDAP server snoop-proof is to encrypt the whole data stream using SSL/TLS (with or without SASL) or Kerberos (SASL). There is a disadvantage, however: encryption is a CPU-intensive process, so if resource usage or performance is a major consideration, the choice of bulk encryption method within the SSL/TLS suite becomes vital (configure SSL/TLS and configure SSL/TLS via SASL).

OpenLDAP provides two capabilities for generating audit information: overlay auditlog (for more information use 'man slapo-auditlog') and overlay accesslog. Both can log changes to the underlying DIT. accesslog can also record binds and read/search access, and can save the earlier contents of entries and even attributes.

  4. Local Access (4): Local access refers to any activity that takes place on the LDAP server or server cluster (or through secured remote access such as that provided by ssh), including the config files (5) and locally issued commands (6).
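
Added example (not from the original post): the effect of salting described under Passwords (2), using OpenLDAP's {SHA} and {SSHA} userPassword storage schemes. The DNs and the password are constructed sample data, and `audit` is a hypothetical helper that flags the entries a single dictionary pass would recover together.

```python
import base64
import hashlib
import hmac
import os

def make_sha(password: bytes) -> str:
    """Unsalted {SHA} value: base64(SHA1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def make_ssha(password: bytes, salt: bytes = b"") -> str:
    """Salted {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, candidate: bytes) -> bool:
    """Recover the salt stored after the 20-byte digest, re-hash, compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)

def scheme_of(value: str) -> str:
    """Storage scheme prefix, or {CLEARTEXT} when there is none."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return "{CLEARTEXT}"

def audit(entries: dict):
    """Return (DNs stored without salt, groups of DNs sharing one stored value)."""
    unsalted = sorted(dn for dn, v in entries.items()
                      if scheme_of(v) in {"{SHA}", "{MD5}", "{CLEARTEXT}"})
    by_value = {}
    for dn, value in entries.items():
        by_value.setdefault(value, []).append(dn)
    shared = sorted(sorted(dns) for dns in by_value.values() if len(dns) > 1)
    return unsalted, shared

# Constructed sample: four users who all chose the same password.
BASE = "ou=people,dc=example,dc=com"
SAMPLE = {
    f"uid=alice,{BASE}": make_sha(b"Summer2012"),
    f"uid=bob,{BASE}": make_sha(b"Summer2012"),
    f"uid=carol,{BASE}": make_ssha(b"Summer2012"),
    f"uid=dave,{BASE}": make_ssha(b"Summer2012"),
}

if __name__ == "__main__":
    unsalted, shared = audit(SAMPLE)
    print("unsalted:", unsalted)
    print("identical stored values:", shared)
    print("carol verifies:", check_ssha(SAMPLE[f"uid=carol,{BASE}"], b"Summer2012"))
```

The two unsalted entries store the same value, so one dictionary hit exposes both; the two salted entries differ even though the password is identical.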


X.500 Security Feature

What is X.500?
The X.500 specification is a standard for how information about objects, such as people and applications, is stored, maintained, updated, interrogated and deleted. Entries about objects are organised in a hierarchical structure reflecting the real-life hierarchy.
Information in an X.500 directory may be distributed and/or replicated among different directory servers. A directory server is called a Directory System Agent (DSA). A client accessing an X.500 directory is called a Directory User Agent (DUA). A client may also be a Lightweight Directory Access Protocol (LDAP) client.

Security Features
  • Access control – a standard defines the security mechanisms that protect information in the directory and restrict user access to it, meaning users can be prevented from seeing or modifying the information.

  • Strong authentication – protects against replay and denial-of-service attacks but, most importantly, builds trust between the X.500 directory components and validates the identity of directory users for access control.

  • Digital signature – a message encrypted by the private key can be decrypted by anyone holding a copy of the public key. If decryption is possible, only the holder of the private key could have sent this message. This technique is used to create digital signatures.

When a message is to be digitally signed, a hash of the message is created. The hash is encrypted using the private key and appended to the message as a digital signature. The receiver decrypts the signature using the public key. It then creates its own hash of the message. If the two hashes are identical, the receiver knows that the message has been transmitted unchanged and that the sender’s identity is known with a high level of certainty. This provides end-to-end security, even in a distributed environment.
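
Added example (not from the original post): the sign-and-verify procedure just described, carried out with a toy RSA key. The key (two small Mersenne primes, no padding) and the directory entry are constructed for illustration only; real signatures use a vetted library, large keys and a padding scheme.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example).
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer

def message_hash(message: bytes) -> int:
    """Hash of the message, reduced to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_exponent: int = D) -> int:
    """Sender: 'encrypt' the hash with the private key."""
    return pow(message_hash(message), private_exponent, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: 'decrypt' the signature with the public key, then
    compare it with a hash computed locally over the received message."""
    return pow(signature, E, N) == message_hash(message)

# Constructed directory entry sent from one directory component to another.
ENTRY = b"cn=Alice Example,ou=People,o=Example,c=GB|telephoneNumber=+44 20 7946 0123"
SIGNATURE = sign(ENTRY)

# The entry is altered in transit but the original signature is kept.
TAMPERED = ENTRY.replace(b"0123", b"0999")

# Someone without D signs the altered entry with an exponent of their own.
FORGED = sign(TAMPERED, private_exponent=3)

if __name__ == "__main__":
    print("original entry verifies:      ", verify(ENTRY, SIGNATURE))
    print("altered entry, old signature: ", verify(TAMPERED, SIGNATURE))
    print("altered entry, forged signature:", verify(TAMPERED, FORGED))
```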

Thursday, 5 January 2012

GPRS Security Feature, Threats and Solution

General Packet Radio Services (GPRS), which extends GSM data capabilities for Internet access, is a packet-based wireless communication service that promises data rates from 56 up to 114 Kbps and continuous connection to the Internet for mobile phone and computer users. GPRS is based on Global System for Mobile (GSM) communication. It is a second-generation (2G) and third-generation (3G) wireless data service, sometimes referred to as in between both generations (2.5G), and complements existing services such as circuit-switched cellular phone connections and the multimedia messaging services.

Security Threats and Solution

Attacks on the Mobile Device – Unauthorized access to the GPRS network can be obtained using a stolen mobile device. Assuming no security locking mechanism (such as password protection) is enabled on the stolen device, an unauthorized user can request services on the GPRS network disguised as the original owner.

Countermeasures include safeguarding the mobile device with a password or making use of the E-911 location functionality mandated by the FCC. If a mobile device is stolen, the E-911 mandate requires carriers to implement the capability of location identification through triangulation. However, this functionality is currently being tested and has not been fully implemented.

Attacks on the Radio Path – The radio path makes use of the open air and hence exposes itself to potential attackers from any outside party within a close enough perimeter to detect the signal. The greatest threat along the radio path is eavesdropping by an unauthorized party. Subscribers use GPRS services with the assumption that the information transmitted to and from their mobile is being safeguarded.


GPRS standards provide algorithms to generate session-unique encryption keys for the specific purpose of scrambling the data packets transmitted across the radio path between a mobile station and the SGSN. Each time an authorized GPRS-enabled mobile device registers with the GPRS network, it establishes a session-unique encryption key that is used to encrypt any information transmitted between the mobile station and the SGSN.


Attacks on the Cellular Network – Securing the digital cellular network involves protecting the following GSM network elements: Base Transceiver Subsystem; Base Station Controller; Mobile Switching Center; Home Location Register; Visitors Location Register.

Traditionally, these network elements were used strictly to support wireless voice services, but with the introduction of wireless non-voice services such as public Internet data services, these network components have been altered to make it possible for non-voice services to use the same network. Implementing these new configurations to support non-voice services not only increased the types of services available to subscribers, but also introduced new network threats.

Concentrating on threats directed specifically at the digital cellular network, as opposed to threats coming from the GPRS network, physical security is of utmost importance. Having direct access to one or more of the GSM network elements listed above can result in significant negative business effects.

Unauthorized access can lead to fraudulent activities, such as invalid and fictitious subscribers being loaded into the HLR or VLR, or may lead to network outages (Denial of Service attack). Thus, securing the physical locations of these network elements is vital. It is also important to know exactly who internally has access to these network elements. Access lists and logs should be closely scrutinized and reviewed for suspicious entries. Further improvements include preventive security measures such as 24-hour monitoring of the facilities housing network equipment, enforcing valid access times during the day, and performing background checks on switch engineers and others who are hired as field technicians.

Attacks on the GPRS, Public, and Corporate networks – These can be treated as attacks on the GPRS network because both the public network and private corporate networks are external access points to the GPRS network.

Additional threats to the GPRS network can also come from roaming partner networks (intercarrier services). Attacks originating from the public Internet are becoming more and more common. Every day, public IP networks are constantly being probed and scanned by external parties. In most cases, tracing the originating path of a scan will reveal an innocent source unaware of the scan. This is done through IP spoofing, where an attacker redirects data packets through a third party’s network or changes the addressing information in the data packets. This increases the complexity of securing the GPRS IP backbone and of investigating detected network attacks.

The first security measure all wireless operators must implement is a firewall at every point of entry to the GPRS network from an external network. Firewalls can be configured to allow only legitimate traffic into the GPRS network. However, simply implementing a firewall does not guarantee full protection from all external attacks. Using network routing techniques, intrusion detection systems, and secured tunnelling protocols in addition to firewalls will enhance an operator’s ability to protect its GPRS network from external threats.

The same security risks pertaining to physical access from both internal and external parties, described in the section Attacks on the Cellular Network, exist for GPRS network elements (SGSN, GGSN) as well.







GSM Security Feature, Threats and Solution

Global System for Mobile communication, GSM for short, is a digital mobile telephony system that uses a variation of time division multiple access (TDMA). It is the most widely implemented of the three digital wireless telephony technologies (TDMA, GSM and CDMA). CDMA, also known as Code Division Multiple Access, refers to any of several protocols used in second-generation (2G) and third-generation (3G) wireless communications.

GSM converts the data into digital form, compresses it, and finally sends it down a channel with two other streams of user data, each having its own time slot. It operates in either the 900 MHz or the 1800 MHz frequency band.

GSM Security Objectives
Concerns
  • Operators – Billing the right people, prevention of fraud and protection of services
  • Customers – Privacy and anonymity
  • Making the system at least as secure as the PSTN

Security Goals
  • Preventing operators from compromising each other’s security, whether through carelessness or competitive pressure
  • Confidentiality and anonymity on the radio path
  • Strong client authentication in order to protect the operator against billing fraud

Security Design Requirements
The security mechanism must not
  • Increase the error rate
  • Add significant overhead on call set-up
  • Increase the bandwidth of the channel
  • Add any unnecessary complexity to the system

Instead, it should be a cost-effective scheme and be able to define security procedures such as
  • Confidentiality of algorithms
  • Generation and distribution of keys
  • Exchange of information between operators

GSM Security Mechanisms
Features
  • Key management is independent of the equipment. For example, when subscribers change physical parts of the equipment, they do not have to worry about the settings they set earlier
  • Subscriber identity protection: it should be difficult to identify the user of the system by intercepting user data
  • Detection of compromised equipment, such as determining whether a mobile device has been compromised
  • Subscriber authentication: the operator must know, for billing purposes, who is using the system
  • Signaling and user data channels must be protected over the radio path


GSM Mobile Station
  • Mobile Equipment (ME)
       Physical mobile device and identifiers (IMEI – International Mobile Equipment Identity)

  • Subscriber Identity Module (SIM)
       Smart card which contains keys, identifiers and algorithms
       Examples of identifiers are:

         • Ki – Subscriber Authentication Key
         • IMSI – International Mobile Subscriber Identity
         • TMSI – Temporary Mobile Subscriber Identity
         • MSISDN – Mobile Station International Service Digital Network
         • PIN – Personal Identity Number protecting a SIM
         • LAI – Location Area Identity

Subscriber Identity Protection
TMSI – Temporary Mobile Subscriber Identity
Goals
  • TMSI is used instead of IMSI as a temporary subscriber identifier
  • TMSI prevents an eavesdropper from identifying the subscriber
Usage
  • TMSI is assigned when the IMSI is transmitted to the AuC the first time the phone is switched on
  • Every time a location update (new MSC) occurs, the network assigns a new TMSI
  • TMSI is used by the MS to report to the network or during call initialization
  • The network uses TMSI to communicate with the MS
  • When the MS is switched off, the TMSI is stored on the SIM card to be reused next time
The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI

Authentication
Goals
  • Subscriber (SIM holder) authentication
  • Protection of the network against unauthorized use
  • Creation of a session key

A3 – MS Authentication Algorithm
A8 – Voice Privacy Key Generation Algorithm

Logical Implementation of A3 and A8
  • Both A3 and A8 algorithms are implemented on the SIM
  • The operator can decide which algorithm to use
  • Algorithm implementation is independent of hardware manufacturers and network operators

COMP128 is used for both A3 and A8 in most GSM networks
COMP128 is a keyed hash function
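
Added example (not from the original post): how one keyed hash can serve as both A3 and A8 in a challenge-response exchange between the SIM and the operator. HMAC-SHA256 is a stand-in for COMP128, which is not reproduced here; RAND (128-bit challenge), SRES (32-bit response) and Kc (64-bit session key) are the standard GSM names for values the post does not name, and the IMSI and Ki are constructed.

```python
import hashlib
import hmac
import os

def keyed_hash(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for COMP128 (assumption): HMAC-SHA256 cut to 96 bits."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:12]

def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication: first 32 bits of the output, the signed response SRES."""
    return keyed_hash(ki, rand)[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Key generation: remaining 64 bits, the session key Kc."""
    return keyed_hash(ki, rand)[4:]

class Sim:
    """Holds Ki; only SRES ever leaves the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)      # kept locally for A5 encryption
        return a3(self._ki, rand)

class Network:
    """Operator side: knows the Ki provisioned for each IMSI."""
    def __init__(self, subscribers: dict):
        self._subscribers = subscribers

    def authenticate(self, sim: Sim):
        """Return the session key Kc on success, None on failure."""
        ki = self._subscribers.get(sim.imsi)
        if ki is None:
            return None
        rand = os.urandom(16)             # fresh 128-bit challenge
        sres = sim.respond(rand)          # only RAND and SRES cross the radio path
        if not hmac.compare_digest(sres, a3(ki, rand)):
            return None
        return a8(ki, rand)

# Constructed sample data.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
IMSI = "001010123456789"
network = Network({IMSI: KI})
genuine = Sim(IMSI, KI)
wrong_key = Sim(IMSI, bytes(16))          # same IMSI, different Ki

if __name__ == "__main__":
    kc = network.authenticate(genuine)
    print("genuine SIM accepted:", kc is not None, "keys agree:", kc == genuine.kc)
    print("SIM with wrong Ki accepted:", network.authenticate(wrong_key) is not None)
```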



A5 – Encryption Algorithm
  • A5 is a stream cipher that can be implemented very efficiently in hardware; its design was never made public
  • Variants:
       A5/1 – the strong version
       A5/2 – the weak version
       A5/3 – GSM Association Security Group and 3GPP design, based on the Kasumi algorithm used in 3G mobile systems




