We are using LDAP for our internal environment as an enterprise directory holding a lot of application- and user-specific data. There is a requirement to access LDAP from the external network as well. Bearing that in mind, we plan to place an LDAP server in the DMZ to service external applications. We are using Sun Directory Server 5.2. What security considerations should we make, and what is the best approach to keeping servers in the DMZ? I can think of secure replication etc., but what are the rest of the things to make sure this will not be a security loophole?
ASKED: June 24, 2005 6:44 PM
UPDATED: June 29, 2005 4:02 AM
I would never put the actual LDAP in a DMZ. If you do, I would say you have a 100% chance of having any or all user information compromised within a year.
You should front-end the LDAP with a reverse proxy server or some other product that just has the presentation-layer stuff.
Peace
Remember that LDAP is not a thing, it is several protocols and objects. The rev proxy is a good start. The LDAP RFCs specify available authentication and security extensions. There are several strong authentication methods that you can add on. Use what is most appropriate (e.g., 2-factor tokens or Kerberos are some of the options). Also, the LDAP transport protocols will accept an SSL add-on. The LDAP RFCs are pretty easy to read (unlike most RFCs).
What is supported by the product(s) you use is another question.
If this external ldap is a “must-do”, you should require the authority for yourself to do what you must do – get management behind your activity first. This is not as simple as dumping a copy of the repository in a DMZ. Remember, the ldap is as valuable and critical as the internal dns, if not more.
You might also want to suggest a less-than-public DMZ (or “extranet”) for this. As long as the number of external parties accessing it is known, then you could put requirements like VPN and strong authentication at the external firewall. Your LDAP and other stuff would be on this protected segment, with another firewall between it and your internal network.
Actually, the LDAP will be secured, as it will be placed in a shared DMZ area which will have firewalls on both sides. This shared DMZ will in turn service the individual/isolated other DMZs. Also, it will be a slave LDAP server with no write capabilities. It will be difficult for external users to cross these DMZs and do any hacking on the LDAP server. Also, we shall enable only the SSL port on that server, which will further protect this.
Check out the replication mechanisms for your LDAP implementation to see if they offer “limited replication.” If they do you can replicate only the objects that need to be exposed on the DMZ to the DMZ system(s).
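As an added example (not from this thread, and not a feature of Sun Directory Server): where the product's own replication cannot limit what is copied, the same "limited replication" idea can be applied to the LDIF export that seeds the read-only DMZ replica, keeping only the subtree external applications need and dropping internal attributes such as password hashes. The subtree, attribute list and sample entries below are constructed placeholders.

```python
import base64
# Constructed sample export of the internal directory; all values are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.com
userPassword: {SSHA}placeholder-hash

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
mail: bob@example.com
userPassword: {SSHA}placeholder-hash

dn: cn=admin-role,ou=internal,dc=example,dc=com
cn: admin-role
"""

# Only this subtree, and only these attributes, may be copied to the DMZ replica.
DMZ_SUBTREE = "ou=people,dc=example,dc=com"
DMZ_ATTRS = {"objectclass", "uid", "cn", "mail"}

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (attribute names lowercased)."""
    text = text.replace("\n ", "")           # undo RFC 2849 line folding
    entries, current = [], {}
    for line in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def filter_for_dmz(entries, subtree=DMZ_SUBTREE, allowed=DMZ_ATTRS):
    """Keep only entries under `subtree`, and of those only the `allowed` attributes."""
    suffix, kept = "," + subtree.lower(), []
    for entry in entries:
        if not entry["dn"][0].lower().endswith(suffix):
            continue                          # internal-only object: never leaves
        kept.append({k: v for k, v in entry.items() if k == "dn" or k in allowed})
    return kept
```

Run the filtered result through the same attribute allow-list again after any schema change, since a new attribute added internally is otherwise copied to the DMZ by default.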