
Authentication is the process of verifying the identity, origin, or lack of modification of a subject or object. Authentication of a user is generally based on something the user knows (e.g., a password), is (e.g., eyes or fingerprints), or has (e.g., a key or ticket). Authorization is the process of determining (by evaluating applicable access control information) whether a user is allowed to have specified types of access to a particular resource; authorization is usually performed in the context of a prior authentication. Auditing is the capture of authentication and authorization attempts, which can be successes, failures, or both.

Because authentication is central to your security, it should exhibit the following characteristics:

- Security: an attacker should not discover that authentication is the weak link in your security footprint, nor should network sniffing reveal plaintext passwords on the network.
- Ideally, users should not be aware that authentication is taking place; they should only have to prove their identity once per session or period.
- The system should be designed to refuse authorization in the absence of authentication, so that a failure of the authentication system forces a failure to gain access to the requested resource(s).
- The system should be able to handle 100 percent of expected client requests, and it should not break because of a malformed authentication request.

When considering an identity management system from an open source perspective, you should be aware of how the authentication mechanisms that Linux uses stack up. It is best to use more than one factor for authentication, such as biometrics combined with a password, or a key fob such as SecurID combined with a fingerprint. However, the implementation of these types of systems is typically very expensive, so we limit our discussion to the "over-the-counter" solutions that are available in all distributions.

The /etc/passwd and /etc/shadow system is time tested. It can be fairly secure if used exclusively via a local terminal, or remotely via SSH. However, it quickly becomes an administrative nightmare once more than one server or application comes into play. The Network Information Service (NIS) has built-in scalability: multiple slave servers receive automatic updates from the master host. The main problem is that NIS is not secure, because its password maps are transmitted over the network in plaintext (unencrypted and unauthenticated), so any host that can query the server can harvest them. Sun Microsystems, the inventors of NIS, addressed this security problem with NIS+, but unfortunately it was very complex to implement and never gained much traction. In fact, Sun Microsystems has announced the end of life support for both NIS and NIS+. LDAP is a protocol that was derived from the old X.500 DAP.
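The fail-closed rule and the three definitions above (authentication, authorization, auditing) are easiest to see as code. The following is an added illustrative example, not code from the book: it models an identity service whose authenticate() never raises on a malformed request, returns a distinct error result when its backend is unreachable, hands out a per-session token so the user proves identity once per session, and whose authorize() grants access only on a positive ACL match against an authenticated session, while an audit list captures the successes and failures of both. The user store, ACL and backend_up flag are constructed stand-ins for a real /etc/shadow, NIS or LDAP backend, and request_access() is a hypothetical caller, not a library API.

```python
"""Fail-closed authentication/authorization gate with an audit trail.

Added illustrative example, not code from the book. The user store, ACL and
backend_up flag are constructed stand-ins for a real /etc/shadow, NIS or
LDAP backend.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from enum import Enum


class AuthResult(Enum):
    SUCCESS = "success"
    REJECTED = "rejected"   # bad credentials or a malformed request
    ERROR = "error"         # backend unavailable: treated exactly like a failure


def _hash_password(password, salt):
    # PBKDF2-SHA256 stand-in for the crypt(3) hash a real shadow file would hold
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class IdentityService:
    users: dict = field(default_factory=dict)     # name -> (salt, hash); constructed store
    acl: dict = field(default_factory=dict)       # resource -> set of allowed names; constructed
    backend_up: bool = True                       # simulates the directory being reachable
    sessions: dict = field(default_factory=dict)  # token -> authenticated name
    audit: list = field(default_factory=list)     # successes and failures of authn and authz

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash_password(password, salt))

    def _log(self, event, outcome, **fields):
        self.audit.append({"event": event, "outcome": outcome, **fields})

    def authenticate(self, request):
        """Return (AuthResult, session token or None). Never raises."""
        # A malformed request is a rejected login, not a crash of the service.
        if (not isinstance(request, dict)
                or not isinstance(request.get("user"), str)
                or not isinstance(request.get("password"), str)):
            self._log("authn", "rejected", reason="malformed request")
            return AuthResult.REJECTED, None
        user, password = request["user"], request["password"]
        if not self.backend_up:
            # Distinct from REJECTED so operators can alert on it, but still not a SUCCESS.
            self._log("authn", "error", reason="backend unavailable", user=user)
            return AuthResult.ERROR, None
        record = self.users.get(user)
        if record is None:
            # Hash anyway so response time does not reveal which names exist.
            _hash_password(password, b"\x00" * 16)
            self._log("authn", "rejected", reason="unknown user", user=user)
            return AuthResult.REJECTED, None
        salt, stored = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            self._log("authn", "rejected", reason="bad password", user=user)
            return AuthResult.REJECTED, None
        token = secrets.token_urlsafe(32)   # prove identity once, reuse for the session
        self.sessions[token] = user
        self._log("authn", "success", user=user)
        return AuthResult.SUCCESS, token

    def authorize(self, token, resource):
        """Fail closed: only an authenticated session with a positive ACL entry is granted."""
        user = self.sessions.get(token)
        if user is None:
            self._log("authz", "denied", reason="no authenticated session", resource=resource)
            return False
        allowed = user in self.acl.get(resource, set())
        self._log("authz", "granted" if allowed else "denied", user=user, resource=resource)
        return allowed


def request_access(service, request, resource):
    """One login-then-access round trip (hypothetical caller). The check is
    `is SUCCESS`, never `is not REJECTED`: the latter would let a backend
    ERROR through, which is the fail-open mistake the text warns against."""
    result, token = service.authenticate(request)
    if result is not AuthResult.SUCCESS:
        return False
    return service.authorize(token, resource)


if __name__ == "__main__":
    svc = IdentityService()
    svc.add_user("alice", "correct horse battery staple")
    svc.acl["/payroll"] = {"alice"}
    good = {"user": "alice", "password": "correct horse battery staple"}
    print(request_access(svc, good, "/payroll"))          # True
    print(request_access(svc, "not even a dict", "/payroll"))  # False, and no exception
    svc.backend_up = False
    print(request_access(svc, good, "/payroll"))          # False: backend error fails closed
    for entry in svc.audit:
        print(entry)
```

The point to carry into a real deployment is the shape of the three-way result: a credential check has to distinguish "wrong password" from "could not check", and the authorization side has to treat both as "no", while the audit trail records both so an outage and an attack look different to whoever reads the logs.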

Source: Enterprise Identity Management, in Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools, 2005.
