Tuesday, 10 January 2012

X.500 Security Feature

The X.500 Directory service is a standard way to build an electronic directory of the people in an organization, so that it can form part of a global directory reachable by anyone in the world with Internet access. The main idea is to make it possible to look people up in a user-friendly way by name, department or organization.

Information in an X.500 directory may be distributed or replicated among different directory servers. Fig 1.1 shows a sample X.500 infrastructure. In the diagram, a directory server is called a Directory Server Agent (DSA) and the client accessing an X.500 directory is called a Directory User Agent (DUA). A client may also be a Lightweight Directory Access Protocol (LDAP) client.

Fig 1.1


Security Features of X.500
X.500 offers different levels of authentication in order to handle different security requirements. The X.500 protocol uses the X.509 Public Key Infrastructure for authentication.

1) It treats every computer and user as an object. It has a server, a backup and a system administrator. The database schema for each of them should be consistent: if one company's data requires a schema change to accommodate data that is not already present, it will not be able to make that change.
2) It standardizes the storage of files regarding user attributes and permissions.
3) Access decisions center on the individuals who wish to access the directory rather than on a static list such as passwords.
 
Strong authentication
Strong authentication establishes trust between X.500 directory components, verifies the identity of directory users for access control, and protects against denial of service attacks.




LDAP Security Feature

LDAP provides a generic directory service. It is often used to store information of all sorts: information about entities on the network such as users, printers and computers, the location of file systems, and application configuration information. LDAP servers have mechanisms in place for controlling who can read and update the information in the directory.



LDAP authentication
In order to access the LDAP service, an LDAP client must first authenticate itself to the service. It must tell the LDAP server who is going to access the data so that the server can decide what the client is allowed to see and do. Once the client has authenticated successfully, every subsequent request it sends is checked by the server to determine whether the client is allowed to perform it. This process is known as access control.

Security Features of LDAP
1) Only basic authentication, Microsoft Windows NT LAN Manager (NTLM) and Negotiate are supported
- Use NTLM or Negotiate, because basic authentication sends the password itself.

2) Use Secure Socket Layer (SSL)
- Protects data from sniffing by anyone with physical access to the network
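To make the bind-then-access-control sequence concrete, here is an added Python model. It is not code from the original post and not the implementation of any real LDAP server: a client binds with a DN and password, and every later request is checked against an ordered rule list before the server acts. The directory entries, DNs, passwords and rules are constructed sample data; the rule style loosely follows the OpenLDAP olcAccess idea of "who may do what to which attributes", but the syntax is this example's own.

```python
"""Model of LDAP bind followed by per-request access control.

Added illustration for this post; not code from the original page and not
the implementation of any real LDAP server. All DNs, passwords, attribute
values and access rules below are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed sample directory: DN -> attributes (no passwords stored here).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "cn": "Alice Example",
        "mail": "alice@example.com",
        "telephoneNumber": "555-0101",
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "cn": "Bob Example",
        "mail": "bob@example.com",
        "telephoneNumber": "555-0102",
    },
}


def _hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the server keeps this, never the clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed credentials (the sample passwords are hashed at import time).
_CREDENTIALS = {
    "uid=alice,ou=people,dc=example,dc=com": _hash_password("alice-secret"),
    "uid=bob,ou=people,dc=example,dc=com": _hash_password("bob-secret"),
}

# Access rules, evaluated per request in order; the first rule whose attribute
# set and "who" clause match decides. The idea (not the syntax) follows
# OpenLDAP's olcAccess: who may do what to which attributes.
ACCESS_RULES = [
    # Users may change their own password and phone number.
    {"attrs": {"userPassword", "telephoneNumber"}, "who": "self", "level": "write"},
    # Any authenticated user may read any attribute.
    {"attrs": None, "who": "users", "level": "read"},
    # Anonymous clients get nothing.
    {"attrs": None, "who": "anonymous", "level": "none"},
]
_LEVELS = {"none": 0, "read": 1, "write": 2}


def bind(dn, password):
    """LDAP bind: return the authenticated identity, "anonymous" for an
    empty bind, or None when the credentials are rejected."""
    if dn == "" and password == "":
        return "anonymous"
    stored = _CREDENTIALS.get(dn)
    if stored is None:
        # Unknown DN: still run the hash so timing does not reveal which DNs exist.
        _hash_password(password)
        return None
    salt, digest = stored
    _, candidate = _hash_password(password, salt)
    return dn if hmac.compare_digest(candidate, digest) else None


def authorize(bound_as, target_dn, attr, operation):
    """Access control: may the bound identity perform operation on attr of target_dn?"""
    if bound_as is None:
        return False                      # not bound at all
    needed = _LEVELS[operation]
    for rule in ACCESS_RULES:
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        who = rule["who"]
        if who == "self" and bound_as != target_dn:
            continue
        if who == "users" and bound_as == "anonymous":
            continue
        if who == "anonymous" and bound_as != "anonymous":
            continue
        return _LEVELS[rule["level"]] >= needed
    return False                          # no rule matched: deny by default


def handle_request(bound_as, target_dn, attr, operation, value=None):
    """Server side of one request after bind: check access, then act."""
    if not authorize(bound_as, target_dn, attr, operation):
        return ("insufficientAccessRights", None)
    entry = DIRECTORY.get(target_dn)
    if entry is None:
        return ("noSuchObject", None)
    if operation == "write":
        entry[attr] = value
    return ("success", entry.get(attr))
```

The two halves are deliberately separate: `bind` only answers "who is this client", and `authorize` is consulted again on every request, so a client that authenticated as Alice can still be refused when it tries to change Bob's phone number, and an anonymous bind succeeds but is allowed nothing.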





Microsoft Active Directory Security Feature

Active Directory is a special-purpose database; although many mistake it for a registry replacement, it is not one. It is designed to handle a large number of read and search operations and a small number of changes and updates. Active Directory data is hierarchical, replicated and extensible. Because the data is replicated, users do not need to store any of it themselves or spend their own CPU on it. Examples of data stored in the directory include printer queue data, user contact data, and network and computer configuration data. The Active Directory database consists of objects and attributes, whose definitions are held in the schema.

Active Directory has three partitions: domain, schema and configuration. The domain partition contains users, groups, contacts, organizational units and so on. As Active Directory is extensible, classes or attributes can be added.

The figure below shows the Active Directory domain partition

Some examples of Active Directory features include:
- Object-oriented storage organization allowing easier access to information
- Support for the X.500 standard for global directories
- Specially designed to be both forward and backward compatible
- Capability for network operation and extensions to the web
- Single point access system administration provided by the hierarchical organization to reduce redundancy and errors
- Support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability

Thursday, 5 January 2012

GPRS Security Feature, Threats and Solution



GPRS Security Features

Identity Confidentiality
The objective is to provide privacy to the subscriber, so that it is not easy to identify the person from their signal over the radio and connections. In other words, it is the protection of data from disclosure to unauthorized third parties.
Authentication
Provides assurance that a party in a data communication is who or what it claims to be.
Authorization
A security service which helps to ensure that a party may only perform the actions they are allowed to perform.
Availability
Means that data services are always usable by the appropriate parties in the intended manner.

GPRS threats
Overbilling attacks
Such an attack is started by a mobile station infected with malware: it hijacks the IP address of another mobile station and invokes a download from a malicious server on the Internet. After the download starts, the malicious mobile station exits the session. The mobile station under attack then receives the download traffic and is charged for traffic it did not use. The same malicious party can also execute this attack by sending broadcasts of unsolicited data towards subscribers' cell phones. The outcome is the same: the subscriber pays for data usage that they did not solicit and might not have needed or wanted. Such attacks are not limited to the Gp interface.

GPRS Solutions
Overbilling attack prevention - enables the GTP firewall to notify the Gi firewall of an attack. The Gi firewall is then able to terminate the "hanging" sessions or tunnels, cutting off the unwanted traffic. This helps to prevent the GPRS subscriber from exceeding their limit.
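The following Python model is an added illustration of that GTP/Gi firewall coordination; it is not code from the original post or from any firewall vendor. The GTP firewall tracks which subscriber IP belongs to which live PDP context and, when a context is torn down, tells the Gi firewall, which purges that IP's Internet sessions. A download left "hanging" by one station is therefore dropped and logged instead of being forwarded, and billed, to the next subscriber who is handed the same IP. The TEIDs, addresses, ports, byte counts and subscriber labels are constructed sample values, and the `notify=False` switch models two firewalls that do not talk to each other.

```python
"""Model of the GTP firewall / Gi firewall coordination that stops overbilling.

Added illustration for this post; not code from the original page or from
any firewall vendor. TEIDs, IP addresses, ports, byte counts and subscriber
labels are constructed sample values.
"""
from dataclasses import dataclass, field

SERVER = "198.51.100.7"   # constructed Internet server address


@dataclass
class GiFirewall:
    """Stateful firewall on the Gi side: forwards Internet traffic only for
    sessions the subscriber opened and that still belong to a live context."""
    flows: set = field(default_factory=set)      # (sub_ip, sub_port, remote_ip, remote_port)
    delivered: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def outbound(self, sub_ip, sub_port, remote_ip, remote_port):
        """Subscriber-initiated packet: record the session and forward it."""
        self.flows.add((sub_ip, sub_port, remote_ip, remote_port))
        return "forward"

    def inbound(self, remote_ip, remote_port, sub_ip, sub_port, nbytes):
        """Internet-initiated packet: forward only if it matches a known session."""
        if (sub_ip, sub_port, remote_ip, remote_port) in self.flows:
            self.delivered.append((sub_ip, nbytes))
            return "forward"
        self.dropped.append((sub_ip, nbytes))   # logged as a hanging-session hit
        return "drop"

    def context_deleted(self, sub_ip):
        """Notification from the GTP firewall: terminate every session of this IP."""
        self.flows = {f for f in self.flows if f[0] != sub_ip}


@dataclass
class GtpFirewall:
    """Watches GTP-C signalling on Gn/Gp and keeps the Gi firewall in sync."""
    gi: GiFirewall
    notify: bool = True                           # False models firewalls that do not talk
    contexts: dict = field(default_factory=dict)  # teid -> (sub_ip, subscriber)

    def handle(self, msg):
        if msg["type"] == "CreatePDPContextResponse":
            self.contexts[msg["teid"]] = (msg["ip"], msg["subscriber"])
        elif msg["type"] == "DeletePDPContextRequest":
            ctx = self.contexts.pop(msg["teid"], None)
            if ctx and self.notify:
                self.gi.context_deleted(ctx[0])

    def owner(self, sub_ip):
        """Which subscriber currently holds this IP (used for the billing step)."""
        for ip, subscriber in self.contexts.values():
            if ip == sub_ip:
                return subscriber
        return "unassigned"


def run_scenario(coordinated=True):
    """Replay the overbilling sequence from the text; returns (bills, dropped_count)."""
    gi = GiFirewall()
    gtp = GtpFirewall(gi, notify=coordinated)
    bills = {}

    def from_internet(dst_ip, dst_port, nbytes):
        # The operator bills whoever holds the IP when the bytes are delivered.
        if gi.inbound(SERVER, 80, dst_ip, dst_port, nbytes) == "forward":
            who = gtp.owner(dst_ip)
            bills[who] = bills.get(who, 0) + nbytes

    # 1. A station gets a context and starts a large download.
    gtp.handle({"type": "CreatePDPContextResponse", "teid": 1,
                "ip": "10.0.0.5", "subscriber": "attacker"})
    gi.outbound("10.0.0.5", 40000, SERVER, 80)
    from_internet("10.0.0.5", 40000, 1000)
    from_internet("10.0.0.5", 40000, 1000)
    # 2. It leaves the session hanging by tearing down its context.
    gtp.handle({"type": "DeletePDPContextRequest", "teid": 1})
    # 3. The same IP is reassigned to an innocent subscriber ...
    gtp.handle({"type": "CreatePDPContextResponse", "teid": 2,
                "ip": "10.0.0.5", "subscriber": "victim"})
    # 4. ... while the server keeps streaming the rest of the download.
    for _ in range(3):
        from_internet("10.0.0.5", 40000, 1000)
    return bills, len(gi.dropped)


if __name__ == "__main__":
    print("coordinated  :", run_scenario(True))
    print("uncoordinated:", run_scenario(False))
```

Running it shows the difference the notification makes: with coordination the three late packets are dropped and only the originating station is billed for the 2000 bytes it pulled; without it the Gi firewall still has the old flow in its table and forwards 3000 bytes to the new holder of the address, who is then billed for them. The items in `dropped` are what a detection rule would alert on.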

Reference
http://www.brookson.com/gsm/gprs.pdf

GSM Security Feature, Threats and Solution

GSM Security Features
Confidentiality
Protects voice, data and sensitive signalling information (e.g. dialled digits) against eavesdropping on the radio path
Anonymity
Protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping on the radio path

Authentication
Network operator can verify the identity of the subscriber making it tougher to clone someone else’s mobile phone.




GSM security threats
Unilateral authentication and vulnerability to man-in-the-middle attack
The network authenticates the user, but the user does not authenticate the network. An attacker can therefore use a false BTS with the same mobile network code as the subscriber's network to impersonate that network and perform a man-in-the-middle attack. This allows the attacker to run several scenarios that modify the exchanged data.

Denial of service attack
This happens when a single attacker is capable of disabling the entire GSM cell

Vulnerability to replay attacks
This allows the attacker to misuse the previously exchanged messages between subscriber and network.

GSM security Solutions
Enabling User authentication
The user authentication mechanisms generally available on most devices are PINs and passwords. While such knowledge-based authentication mechanisms are not foolproof, they are the first barrier to deterring unauthorized access to cell phones.


Avoid questionable actions
Malicious programs are spread to mobile phones mainly through communications channels such as multimedia messages or Bluetooth connections. Any messages or contacts received on a mobile phone from an unknown number or device should be treated with suspicion.



