Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtual Directories: Attack Models and Prevention June 2 nd, 2009 Bill Claycomb Systems Analyst Sandia National Laboratories Sandia is a multiprogram laboratory.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Virtual Directories: Attack Models and Prevention June 2 nd, 2009 Bill Claycomb Systems Analyst Sandia National Laboratories Sandia is a multiprogram laboratory."— Presentation transcript:

1 Virtual Directories: Attack Models and Prevention June 2 nd, 2009 Bill Claycomb Systems Analyst Sandia National Laboratories Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

2 Agenda Directory services and virtual directories Threats to directory services Attack models for directory services –Preventing attacks on directory services Protecting information in directory services Future directions

3 Directory Services Localized data store containing information about objects –Users –Computers –Contacts, etc. Provide information to applications –Authentication and access control –Contact information –Group membership Use LDAP Communication Protocol –Lightweight Directory Access Protocol

4 Directory Services Data dn: cn=Joe User,dc=somedomain,dc=com cn: Joe User givenName: Joe sn: User telephoneNumber: 1 505 555 1212 postalAddress: 123 Main St. mail: juser@somedomain.com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top

5 Directory Services Popular Directory Services Implementations –Windows Server Active Directory –IBM Tivoli –Apple Open Directory –OpenLDAP –Fedora Directory Server –Sun JAVA System Directory Server

6 Virtual Directories Directory Servers Virtual Directory Server Client

7 Virtual Directories Directory Servers Virtual Directory Server Data Stores Synchronization

8 Threats to Sensitive Directory Information “Insider Threat Study: Illicit Cyber Activity in the Government Sector”, a study conducted by U.S. Secret Service and CERT (2008) found: –Most of the insiders had authorized access at the time of their malicious activities –Access control gaps facilitated most of the insider incidents, including: The ability of an insider to use technical methods to override access controls without detection System vulnerabilities that allowed technical insiders to use their specialized skills to override access controls without detection

9 Attack Models on Virtual Directories Authentication Attacks Cache Attacks Data Transformation Attacks Network Attacks Data Source Attacks

10 Authentication Attacks Destination Servers Virtual Directory Server Stored Credentials Stored Credentials Stored Credentials User Credentials

11 Preventing Authentication Attacks Require pass-through authentication –Use a surrogate pass-through directory if necessary User restricted accounts when stored credentials are required

12 Cache Attacks Directory Servers Virtual Directory Server High Speed Cache Client

13 Preventing Cache Attacks Do not use cache for high-risk information Require frequent consistency checks Require datastore connectivity before returning any data Protect cache on directory server

14 Data Transformation Attacks Directory Servers Virtual Directory Server Client Data Transformation 505-555-1212(505) 555-1212 US Citizen: NUS Citizen: Y

15 Preventing Data Transformation Attacks Protect transformation scripts on virtual directory server Do not allow transformation of sensitive data Double-check sensitive data sent to client machines Establish consistency checking on transformation scripts –Monitor for changes

16 Network Attacks Directory Server Virtual Directory Server Change Detected: Disable Account X Accounts: X Y Z

17 Network Attacks Directory Server Virtual Directory Server Change Detected: Disable Account X Accounts: X Y Z

18 Preventing Network Attacks Detect inconsistencies in data stores Require consistency checking at standard intervals Require consistency checking after network disruption Require transactions to be atomic and durable

19 Data Source Attacks Authoritative Data Store Virtual Directory Server Account Store AccountsEnabled XY YY ZN AccountsEnabled XY YY ZY AccountsEnabled XY YY ZN AccountsEnabled XY YY ZY Synchronization

20 Preventing Data Source Attacks Protect authoritative data sources Monitor sensitive data modifications Protect sensitive data

21 Protecting Sensitive Directory Information Personal Virtual Directory Service

22 Protecting and Delegating Access New Approach S – symmetric data encryption key K rw / K’ rw – public/private key pair for signing data K ux – data user public key K o / K’ o – data owner public/private key pair ID o – data owner identifier

23 Personal Virtual Directory Service Components

24 Advantages of PVDS Uses existing key management infrastructure Little client modification No user-based key protection Directory independent –Can be extended to protect databases as well Performance impact largely confined to clients utilizing PVDS capabilities

25 Future Directions Implement attack models to determine feasibility Explore attacks on various VDS implementations Identify additional attacks on virtual directory servers PVDS –Reduce the impact of working with encrypted attributes –Analyze impact to different types of data sources –Consider how security policies may conflict with using a virtual directory to manage security –Usability studies

26 Questions http://www.sandia.gov wrclayc@sandia.gov

Download ppt "Virtual Directories: Attack Models and Prevention June 2 nd, 2009 Bill Claycomb Systems Analyst Sandia National Laboratories Sandia is a multiprogram laboratory."

Similar presentations

Directory Infrastructure Roadmap Overcoming Fragmented Identities - Roadmap to a Reliable Directory Infrastructure Thorsten Butschke & Dr. Martin Dehn.

Directory Infrastructure Roadmap Overcoming Fragmented Identities - Roadmap to a Reliable Directory Infrastructure Thorsten Butschke & Dr. Martin Dehn.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Desktop Computing Strategic Project Sandia National Labs May 2, 2009 Jeremy Allison Andy Ambabo James Mcdonald Sandia is a multiprogram laboratory operated.

Desktop Computing Strategic Project Sandia National Labs May 2, 2009 Jeremy Allison Andy Ambabo James Mcdonald Sandia is a multiprogram laboratory operated.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 1: Introduction to Active Directory.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 1: Introduction to Active Directory.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Administering Active Directory

Administering Active Directory
What is Program Management?

What is Program Management?
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5 DISTRIBUTED SYSTEMS.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

Similar presentations

Ads by Google