Application security
Digital certificates
Identity & Access Management
Instant Messaging
Microsoft Exchange
Secure Coding
Security tokens
Single sign-on
Waveset/Sun Micro
We are using LDAP for Internal environment as an Enterprise directory having lot of application and user specific data. There is requirement to access LDAP from external network also. Bearing that in mind we shall have LDAP Server in DMZ to service external applications. Here we are using Sun Directory Server 5.2. What are the security consideration we shall make and what's the best approach to keep servers in DMZ. I can think of secure replication etc. but what are the rest of the things to make sure this will not be security loop hole.

Answer Wiki

Thanks. We'll let you know when a new response is added.

Secure replication is a good solution. If you the outside access is limited to the “read -only”. There are couple of other things which can help improve the logical access control and will help reduce the risk

1- Use logging to a syslog serverwhich is not in the same DMZ area
2- Use of software like “tripwire” on the DMZ server
3- You can also use port access control using iptables

Dharminder Dargan

Discuss This Question: 4  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • SecGeek
    I would never put the actual LDAP in a DMZ. If you do, I would say you have a 100% chance of having any or all user information compromized within a year. You should fromt end the LDAP with a reverse proxy server or some other product that just has the presentation layer stuff. Peace
    0 pointsBadges:
  • ItDefPat1
    Remember that LDAP is not a thing, it is several protocols and objects. The rev proxy is a good start. The ldap RFCs specify available authentication and security extensions. There are several strong authentication methods that you can add-on. Use what is most appropriate (e.g., 2-factor tokens or kerberos are some of the options). Also, the ldap transport protocols will accept SSL add-on. The ldap RFCs are pretty easy to read (unlike most RFCs). What is supported by the product(s) you use is another question. If this external ldap is a "must-do", you should require the authority for yourself to do what you must do - get management behind your activity first. This is not as simple as dumping a copy of the repository in a DMZ. Remember, the ldap is as valuable and critical as the internal dns, if not more. YOu might also want to suggest a less-than-public DMZ (or "extranet") for this. As long as the number of external parties accessing is known, then you could put requirements like VPN and strong authentication at the external firewall. Your ldap and other stuff would be on this protected segment, with another firewall between it and your internal network.
    15 pointsBadges:
  • PankajAnand
    Actually the LDAP will be secured as this will be placed in shared DMZ area which will have firewalls on bith the sides. This shared DMZ will inturn service the individual/ isolated other DMZs. Also it will be slave LDAP Server with no write capabilities. It will be difficult for external users to cross these DMZs and do any hacking on LDAP Server. Also we shall enable only SSL port on that server which will further protect this.
    0 pointsBadges:
  • Amigus
    Check out the replication mechanisms for your LDAP implementation to see if they offer "limited replication." If they do you can replicate only the objects that need to be exposed on the DMZ to the DMZ system(s).
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: