344 Chapter 5 • Communication Security: Web Based Services
ferent security mechanisms, beginning from when clients initially connect to an LDAP server.
LDAP clients must authenticate to the server before being allowed access to the directory. Clients (users, computers, or applications) connect to the LDAP server using a distinguished name and authentication credentials (usually a password). Authentication information is sent from the client to the server as part of a "bind" operation, and the connection is later closed using an "unbind" operation. Unfortunately, it is possible for users to make the connection with limited or no authentication, by using either anonymous or simple authentication. LDAP allows anonymous clients to send LDAP requests to the server without first performing the bind operation. While anonymous connections don't require a password, simple authentication sends a person's password over the network unencrypted. To secure LDAP, anonymous clients should be limited or not used, ensuring that only those with proper credentials are allowed access to the information. Optionally, TLS can be used to secure the connection and protect any data transmitted between the client and server.
LDAP can also be used over SSL, which extends security into the Internet. LDAPS is Secure LDAP, which encrypts LDAP connections by using SSL or TLS. Some of these services integrate objects such as PKI certificates into the authentication process (for example, with Smart Card technologies) and into the extended properties of account objects, so that they can support extra security requirements. To use SSL with LDAP, the LDAP server must have an X.509 server certificate. Additionally, SSL/TLS must be enabled on the server.
Another issue that can impact the security of LDAP is packet sniffing. As we discussed earlier in this chapter, packet sniffers are software that can capture packets of data from a network and allow a person to view their contents. If the information traveling over LDAP is unencrypted, the packets of data could be captured, and analysis of the packets could provide considerable information about the network. In addition to using encryption, ports can be blocked to prevent access from the Internet. LDAP uses TCP/UDP port 389 and LDAPS uses port 636. Blocking these ports at the Internet boundary prevents those outside the internal network from listening on or making connections to them.
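The two points above (a simple bind carries the password in the clear, and a sniffer on port 389 can read it) are easiest to see by looking at the bytes of a bind request. The following Python example is added for this rewrite; it is not code from the book. It encodes LDAP BindRequest messages in the BER layout defined by RFC 4511, then parses such messages the way a passive monitor would and classifies each as an anonymous, unauthenticated, simple (cleartext password) or SASL bind. The DNs, password and mechanism name are constructed sample values, and the sample "traffic" list is built by the script itself rather than taken from a capture.

```python
"""Classify LDAP BindRequest PDUs (RFC 4511) seen on the cleartext port 389.

All sample values below are constructed for illustration; nothing here is
captured from a real directory server.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER tags used by an LDAP BindRequest.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80         # [0] simple  -> OCTET STRING password
AUTH_SASL = 0xA3           # [3] sasl    -> SaslCredentials SEQUENCE


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for buf[pos:]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id: int, dn: str, password: str = "",
                       sasl_mechanism: Optional[str] = None) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest{version 3, name, auth} }.

    msg_id is kept below 128 so the single-byte INTEGER encoding is valid.
    """
    if sasl_mechanism is not None:
        auth = _tlv(AUTH_SASL, _tlv(OCTET_STRING, sasl_mechanism.encode()))
    else:
        auth = _tlv(AUTH_SIMPLE, password.encode())   # password goes in the clear
    bind = _tlv(BIND_REQUEST,
                _tlv(INTEGER, b"\x03") + _tlv(OCTET_STRING, dn.encode()) + auth)
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([msg_id])) + bind)


@dataclass
class BindInfo:
    msg_id: int
    dn: str
    kind: str      # "anonymous", "unauthenticated", "simple" or "sasl"
    secret: str    # cleartext password for simple binds, else ""


def classify_bind(pdu: bytes) -> Optional[BindInfo]:
    """Parse one LDAPMessage; return None if it is not a BindRequest."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        return None
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _, _version, pos = _read_tlv(body, 0)
    _, dn, pos = _read_tlv(body, pos)
    auth_tag, cred, _ = _read_tlv(body, pos)
    dn_s, msg_id = dn.decode(), int.from_bytes(mid, "big")
    if auth_tag == AUTH_SIMPLE:
        if not cred:
            # RFC 4513: empty DN + empty password = anonymous; a DN with an
            # empty password is the "unauthenticated" mechanism servers should reject.
            return BindInfo(msg_id, dn_s, "anonymous" if not dn_s else "unauthenticated", "")
        return BindInfo(msg_id, dn_s, "simple", cred.decode())
    if auth_tag == AUTH_SASL:
        return BindInfo(msg_id, dn_s, "sasl", "")
    return None


def audit(traffic: List[Tuple[int, bytes]]) -> List[str]:
    """Flag weak or cleartext binds on port 389; port 636 traffic is TLS-wrapped
    in reality and is skipped here."""
    findings = []
    for port, pdu in traffic:
        info = classify_bind(pdu) if port == 389 else None
        if info is None:
            continue
        if info.kind == "simple":
            findings.append(f"msg {info.msg_id}: cleartext password for {info.dn} on port 389")
        elif info.kind in ("anonymous", "unauthenticated"):
            findings.append(f"msg {info.msg_id}: {info.kind} bind (dn={info.dn!r})")
    return findings


# Constructed sample traffic: (destination port, PDU bytes).
SAMPLE_TRAFFIC = [
    (389, build_bind_request(1, "cn=admin,dc=example,dc=com", "secret")),
    (389, build_bind_request(2, "")),                                 # anonymous
    (389, build_bind_request(3, "", sasl_mechanism="GSSAPI")),        # SASL, no cleartext secret
    (636, build_bind_request(4, "cn=admin,dc=example,dc=com", "secret")),  # would be inside TLS
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC):
        print(line)
```

Running the script reports two findings: the simple bind on port 389, whose password is readable straight out of the PDU, and the anonymous bind. The SASL bind and the LDAPS connection produce no finding, which is the outcome the chapter recommends: require real credentials and carry them over TLS or port 636.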
The challenge with using a protocol such as LDAP is that the connectivity must be facilitated through a script or program. These types of scripts must indicate the location of the objects within the directory service to access them. If the administrator wants to write a quick, simple script, this means that the name of the directory service and the names and locations of the objects that are being accessed must each be placed in the script and known prior to the script being written. If