-----Original Message----- From: r s [mailto:richard.scottat_private] Sent: Tuesday, 28 January, 2003 14:46 To: secprogat_private Subject: Application to Application authentication models.... > What authentication mechanism, model, > architecture best allows applications legitimate access to LDAP schema to > obtain sensitive data such as connection credentials to database systems? The very first thing I would focus on is ensuring that the credentials your applications *do* have are sufficiently locked down so that if the system (and credentials) *are* compromised, the damage can be minimized. In the web world, your web application should not be using an ID that has the same privileges as a content manager. Similarly, access to database tables and the like should be restricted with views where necessary to ensure that the web application can only pull data it needs to display content to the user. The web application generally doesn't need access to workflow states, revision histories, etc. In other words, for a public-facing application, you should be comfortable if that application's back-end or database ID's had no passwords to begin with. If you feel that this approach would compromise the security of your application, then you might want to look into why that is (maybe you have too much business logic in your presentation layer, for instance). With that issue addressed, securing the application's credentials becomes less of a worry. You have to assume that if someone can break into your server and take control of it, the intruder can do everything that the application can do, including pulling credentials off of a separate LDAP database and using those to further their interests. While you can put speed bumps in their way by using SSL-encrypted LDAP sessions, stashing credentials directly in binaries, etc., I don't know that those solutions are going to buy you much more in the way of security. Though continuing on this trend, any sensitive traffic from your DMZ servers to your back-end systems should be SSL encrypted anyway, where "sensitive" includes traffic with usernames and passwords in any form. Sometimes the simplest way of approaching all of this is through the use of SSL certificates, authenticating *both* ends of a session. If you're going to use SSL anyway, why not use an authentication system built into SSL? (This includes access to databases, LDAP, etc.) And always keep in mind that you're just authenticating the system, which could always be under the control of someone else. My two cents, at least. David
This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 14:18:07 PST