Friday, January 13, 2012

Microsoft’s Active Directory Security Feature


Active Directory is Microsoft's trademarked directory service and an integral part of the Windows 2000 architecture. It is a centralized, standardized system that automates the network management of user data, security and distributed resources. It authenticates and authorizes all users and computers within a Windows domain, assigns and enforces security policies for every computer in the network, and installs or updates software on network computers.

Security

Domain Name System (DNS) is essential to any Internet-connected organization. DNS provides name resolution between human-readable names, such as mspress.microsoft.com, and the raw IP addresses that network-layer components use to communicate. Active Directory makes extensive use of DNS and relies on it to locate objects within the directory. Windows domains and Internet domains are now fully compatible: an Active Directory domain is named by a DNS domain name, and the domain controllers responsible for that domain are published as DNS service (SRV) records beneath it, so any client with DNS access can locate a domain controller. Active Directory clients can use DNS resolution to locate any number of services because domain controllers register their own service records in DNS using dynamic update. Domain controllers provide the LDAP service for object location, and LDAP relies on TCP as its transport-layer protocol.
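The domain-controller locator described above is just an SRV lookup followed by the RFC 2782 ordering rules. The following is an added example, not code from the Microsoft article referenced below: it shows the record names a domain controller registers and how a client orders the answers it gets back. The zone corp.example.com, the host names and the priority/weight values are constructed test data; only the record-name convention (_ldap._tcp.dc._msdcs.<domain> and its companions) is the real one.

```python
"""Order Active Directory SRV answers the way a DC-locator client does.

Added example. The answer set below is constructed; real domain controllers
register these names themselves via DNS dynamic update.
"""
import random
from dataclasses import dataclass
from typing import Optional

# Service names a domain controller publishes (real naming convention).
DC_LOCATOR_NAMES = {
    "ldap":     "_ldap._tcp.dc._msdcs.{domain}",
    "kerberos": "_kerberos._tcp.dc._msdcs.{domain}",
    "gc":       "_gc._tcp.{forest}",
}


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer set for _ldap._tcp.dc._msdcs.corp.example.com
SAMPLE_ANSWERS = [
    SRV(0, 100, 389, "dc1.corp.example.com."),
    SRV(0, 100, 389, "dc2.corp.example.com."),
    SRV(0, 50, 389, "dc3.corp.example.com."),
    SRV(10, 100, 389, "dc-dr.corp.example.com."),  # fallback site, higher priority value
]


def locator_name(service: str, domain: str, forest: Optional[str] = None) -> str:
    """Build the SRV owner name a client queries for the given service."""
    return DC_LOCATOR_NAMES[service].format(domain=domain, forest=forest or domain)


def order_targets(answers, rng=random):
    """Return the answers in the order a client should try them.

    RFC 2782: lower priority values are tried first. Within one priority,
    pick a record at random with probability proportional to its weight,
    remove it from the pool, and repeat until the pool is empty.
    """
    by_priority = {}
    for rr in answers:
        by_priority.setdefault(rr.priority, []).append(rr)

    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(rr.weight for rr in pool)
            pick = rng.randint(0, total)  # inclusive range, as the RFC specifies
            running = 0
            for rr in pool:
                running += rr.weight
                if running >= pick:
                    ordered.append(rr)
                    pool.remove(rr)
                    break
    return ordered


def first_choice_frequencies(answers, trials=10_000, seed=1):
    """Simulate many clients and count which target each contacts first."""
    rng = random.Random(seed)
    counts = {rr.target: 0 for rr in answers}
    for _ in range(trials):
        counts[order_targets(answers, rng)[0].target] += 1
    return counts


if __name__ == "__main__":
    print(locator_name("ldap", "corp.example.com"))
    for rr in order_targets(SAMPLE_ANSWERS):
        print(f"  try {rr.target}:{rr.port} (priority {rr.priority}, weight {rr.weight})")
    print(first_choice_frequencies(SAMPLE_ANSWERS))
```

Run against the constructed answers, dc1 and dc2 are each contacted first by roughly 40% of clients and dc3 by roughly 20%, while the priority-10 record is only reached after every priority-0 controller has been exhausted. Since the locator trusts whatever SRV answers it receives, the integrity of these records is part of the domain's security boundary.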

Reference

http://technet.microsoft.com/en-us/library/bb742424.aspx#XSLTsection125121120120

LDAP Security Feature


Lightweight Directory Access Protocol (LDAP) was developed to lighten the load on clients that would otherwise have to implement the Directory Access Protocol (DAP), and to reduce the complexity of the X.500 protocol suite. LDAP was originally designed as an alternative to the X.500 client-side protocol (DAP): it allowed clients to connect over TCP/IP networks to intermediate servers, which in turn connected to X.500 servers using DSP over OSI networks. The protocol was later extended so that LDAP servers could also replace the server side (DSP) of X.500.

Security

LDAP uses the Simple Authentication and Security Layer (SASL) framework for identification and authentication. SASL is pluggable, so other security mechanisms (such as Kerberos via GSSAPI) can be added without changing the protocol itself. LDAP also offers simple authentication, in which the client sends a distinguished name and a cleartext password, so the connection itself needs protecting: since LDAP runs over TCP/IP it can be carried over Secure Sockets Layer (SSL)/TLS connections.

A typical LDAP session proceeds as follows:
  • Client: connects to the server and requests access; this is the Bind operation.
  • Server: authenticates the client and completes the bind.
  • Client: requests a service from the server, such as a search for a directory entry, and supplies any parameter data.
  • Server: performs the service and returns a response, or a referral to another LDAP server.
  • Client: receives the response and unbinds (terminates the connection); it may then connect to the referred server.

Reference

http://www.collectionscanada.gc.ca/iso/ill/document/ill_directory/X_500andLDAP.pdf

X.500 Security Feature



The X.500 standard was first approved in 1988 and revised in 1993 under the International Telecommunication Union (ITU). Its purpose is to provide an international standard for directory systems. The protocol is client-server, with the two sides communicating over the Open Systems Interconnection (OSI) networking stack. The client is called the Directory User Agent (DUA) and the server the Directory System Agent (DSA).

Some of the protocols used with X.500 are:
  • LDAP - Lightweight Directory Access Protocol (a TCP/IP alternative to DAP)
  • DAP - Directory Access Protocol
  • DSP - Directory System Protocol
  • DISP - Directory Information Shadowing Protocol
Security

X.500 uses the X.509 Public Key Infrastructure (PKI) specification, i.e. digital certificates, for authentication. X.500 also provides for database replication: directory data can be copied to and distributed across multiple servers for load distribution and system contingency.
 
A typical X.500 session proceeds as follows:
  • Client (DUA): connects to the server and requests access; this is the Bind operation.
  • Server (DSA): authenticates the client and completes the bind.
  • Client: requests a service from the server, such as a search for a directory entry, and supplies any parameter data.
  • Server: performs the service, chaining the request to another X.500 server if necessary, and then returns a response.
  • Client: receives the response and unbinds, terminating the connection.

Reference
http://www.collectionscanada.gc.ca/iso/ill/document/ill_directory/X_500andLDAP.pdf

Friday, January 6, 2012

GPRS Security Features, Threats and Solution


GPRS Security Features
• Integrity
  • A security service that ensures data cannot be modified in an unauthorized or malicious manner.
• Confidentiality
  • Protection of a user's confidential data from disclosure to third parties.
• Authentication
  • Assurance, in a data communication, that a party is who or what they claim to be.
• Authorization
  • A security service that ensures a party can only perform the actions they are allowed to perform.
• Availability
  • Data services are usable by the appropriate parties in the manner intended.
GPRS Security Threats

Availability
• DNS Flood
  • DNS servers can be flooded with well-formed or malformed DNS queries, or other traffic, denying subscribers the ability to locate the proper GGSN to use as an external gateway.
Authentication and Authorization
• Spoofed Update PDP Context Request
  • An attacker can use their own SGSN to send an Update PDP Context Request to the GGSN that is handling an existing GTP session. This inserts the attacker's SGSN into the GTP session and hijacks the subscriber's data connection.
Integrity & Confidentiality
• Capturing a subscriber's data session
  • GTP and the T-PDUs embedded in it are not encrypted, so an attacker with access to the path between the SGSN and GGSN can capture a subscriber's data session. This is generally true of traffic on public networks, and subscribers should be advised to use IPsec or similar protection.
GPRS Security Solution

Rate-limit traffic on the network so that attacks from the Internet cannot disrupt mobile intranet services. Also prevent spoofed MS-to-MS data by blocking incoming traffic whose source addresses match those assigned to an MS for public network access.


Reference
1. http://www.it.iitb.ac.in/~kavita/GSM_Security_Papers/GPRS_Security_Threats_and_Solutions.pdf

Thursday, January 5, 2012

GSM Security Features, Threats and Solution

GSM Security Features

GSM offers a moderate level of security for a cellular standard. It authenticates the subscriber with a pre-shared key (Ki, a 128-bit key held only in the SIM and in the operator's authentication centre) and a challenge-response exchange, and it encrypts communications between the subscriber's handset and the base station. Authentication is one-way: the network verifies the subscriber, but the subscriber has no means of verifying the network, which is what makes the false-base-station attacks listed below possible. Calls within the network are meant to be anonymous and private for the customer, so that the correct bill reaches the right customer and subscribers cannot interfere with one another accidentally or intentionally.

GSM Security Threats
• Eavesdropping
  • The intruder intercepts traffic and signalling information belonging to other users. Requires a modified mobile station (MS).
• Impersonation of a user
  • The intruder sends data or signalling messages to the network so that the network believes they originate from the target user. Requires a modified MS.
• Impersonation of the network
  • The intruder sends data or signalling messages to the user so that the user believes they come from the genuine network. Requires a modified BTS.
• Man-in-the-middle
  • The intruder places itself between the target user and a genuine network and can eavesdrop on, modify, delete, re-order, replay and spoof the signalling and user data exchanged between the two parties. Requires a modified BTS in conjunction with a modified MS.
• Network Authentication Compromise
  • The intruder possesses a compromised authentication vector, such as challenge-response pairs, cipher keys or integrity keys.
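The challenge-response described under GSM Security Features and the "network authentication compromise" threat above are two views of the same exchange, so one worked example covers both. This is an added example, not code from the referenced papers: A3 and A8 are operator-chosen algorithms that the papers do not specify, so HMAC-SHA256 truncated to the real output sizes (a 32-bit SRES and a 64-bit Kc) stands in for them here, and the IMSI and Ki values are constructed test data. The shape of the protocol is the real one: the network sends a 128-bit RAND, the SIM returns SRES, and both sides derive Kc.

```python
"""GSM subscriber authentication as a two-party exchange.

Added example. The SIM answers any RAND it receives; nothing in the challenge
lets it check who is asking. That one-way property is what the false-base-
station functions below exploit. A3/A8 are replaced by an HMAC stand-in.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

RAND_LEN = 16   # 128-bit challenge
KI_LEN = 16     # 128-bit subscriber key, held only by the SIM and the AuC


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3/A8: (SRES, Kc) = f(Ki, RAND). Not COMP128."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


@dataclass
class AuthCentre:
    """HLR/AuC side: knows every subscriber's Ki and hands out triplets."""
    keys: Dict[str, bytes]
    rng: Callable[[int], bytes] = os.urandom

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        rand = self.rng(RAND_LEN)
        sres, kc = a3_a8(self.keys[imsi], rand)
        return rand, sres, kc


@dataclass
class SIM:
    """Subscriber side. RUN GSM ALGORITHM computes SRES and Kc for any RAND."""
    imsi: str
    ki: bytes

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self.ki, rand)


def genuine_network_auth(auc: AuthCentre, sim: SIM) -> Tuple[bool, bytes]:
    """Normal flow: MS identifies itself, the network challenges, compares SRES.

    Returns (accepted, Kc); Kc is only handed out when the subscriber passed.
    """
    rand, sres_expected, kc = auc.triplet(sim.imsi)
    sres_ms, _kc_ms = sim.respond(rand)
    ok = hmac.compare_digest(sres_expected, sres_ms)
    return ok, (kc if ok else b"")


def false_bts_with_captured_triplet(triplet, sim: SIM) -> Tuple[bool, bytes]:
    """'Network authentication compromise': the attacker never learns Ki, but a
    single captured (RAND, SRES, Kc) lets a false BTS challenge the handset and
    end up sharing the cipher key Kc with it. Returns (handset accepted us, Kc)."""
    rand, sres, kc = triplet
    sres_ms, kc_ms = sim.respond(rand)
    return (sres_ms == sres and kc_ms == kc), kc_ms


if __name__ == "__main__":
    ki = os.urandom(KI_LEN)
    auc = AuthCentre({"001010123456789": ki})   # constructed IMSI
    sim = SIM("001010123456789", ki)
    accepted, kc = genuine_network_auth(auc, sim)
    print("genuine network accepted subscriber:", accepted, "Kc =", kc.hex())
    stolen = auc.triplet(sim.imsi)               # e.g. sniffed on the A-interface
    hijacked, kc2 = false_bts_with_captured_triplet(stolen, sim)
    print("false BTS completed authentication with replayed triplet:", hijacked)
```

A triplet is bound to one Ki, so replaying it against a different SIM fails; replaying it against the subscriber it was issued for succeeds every time, because the handset has no way to tell that the challenge did not come from its home network.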

GSM Security Solution

Subscriber authentication is required so that unauthorized users cannot enter the network. Using stronger encryption keys is recommended, as they are harder to crack.

References
1. http://ojs.academypublisher.com/index.php/jnw/article/download/010618/655
2. http://uib.academia.edu/toorani/Papers/146481/Solutions_to_the_GSM_Security_Weaknesses
3. http://www.hackcanada.com/blackcrawl/cell/gsm/gsm-secur/gsm-secur.html