RE: Application to Application authentication models....

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Tue Jan 28 2003 - 14:12:25 PST


    -----Original Message-----
    From: r s [mailto:richard.scottat_private]
    Sent: Tuesday, 28 January, 2003 14:46
    To: secprogat_private
    Subject: Application to Application authentication models....
    
    > What authentication mechanism, model, 
    > architecture best allows applications legitimate access to LDAP schema to 
    > obtain sensitive data such as connection credentials to database systems?
    
    The very first thing I would focus on is ensuring that the credentials your
    applications *do* have are sufficiently locked down so that if the system
    (and credentials) *are* compromised, the damage can be minimized.  In the
    web world, your web application should not be using an ID that has the same
    privileges as a content manager.  Similarly, access to database tables and
    the like should be restricted with views where necessary to ensure that the
    web application can only pull data it needs to display content to the user.
    The web application generally doesn't need access to workflow states,
    revision histories, etc.  In other words, for a public-facing application,
    you should be comfortable if that application's back-end or database IDs
    had no passwords to begin with.  If you feel that this approach would
    compromise the security of your application, then you might want to look
    into why that is (maybe you have too much business logic in your
    presentation layer, for instance).
    
    With that issue addressed, securing the application's credentials becomes
    less of a worry.  You have to assume that if someone can break into your
    server and take control of it, the intruder can do everything that the
    application can do, including pulling credentials off of a separate LDAP
    database and using those to further their interests.  While you can put
    speed bumps in their way by using SSL-encrypted LDAP sessions, stashing
    credentials directly in binaries, etc., I don't know that those solutions
    are going to buy you much more in the way of security.
    
    Though continuing on this trend, any sensitive traffic from your DMZ servers
    to your back-end systems should be SSL encrypted anyway, where "sensitive"
    includes traffic with usernames and passwords in any form.  Sometimes the
    simplest way of approaching all of this is through the use of SSL
    certificates, authenticating *both* ends of a session.  If you're going to
    use SSL anyway, why not use an authentication system built into SSL?  (This
    includes access to databases, LDAP, etc.)  And always keep in mind that
    you're just authenticating the system, which could always be under the
    control of someone else.
    
    My two cents, at least.
    
    David
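    The "restrict it with views" advice above, worked through as an added
    example (not code from David's message or anything on the list). It uses
    SQLite's per-connection authorizer as a stand-in for a real database's
    GRANT/role machinery: the content manager's connection can touch every
    table, while the web application's connection is handed a default-deny
    policy that permits SELECT through one view and nothing else. The schema,
    the view name public_content, and the sample rows are constructed for the
    example.

```python
import sqlite3

# Constructed sample schema for a small CMS back end: public articles plus the
# workflow state and revision history that a public-facing web application has
# no reason to read.
SCHEMA = """
CREATE TABLE articles (
    id    INTEGER PRIMARY KEY,
    title TEXT NOT NULL,
    body  TEXT NOT NULL,
    state TEXT NOT NULL      -- workflow state: 'draft' or 'published'
);
CREATE TABLE revisions (
    article_id INTEGER NOT NULL,
    author     TEXT NOT NULL,
    old_body   TEXT NOT NULL
);
-- The only object the web application is meant to touch (hypothetical name).
CREATE VIEW public_content AS
    SELECT id, title, body FROM articles WHERE state = 'published';
INSERT INTO articles VALUES (1, 'Welcome', 'Hello, world', 'published');
INSERT INTO articles VALUES (2, 'Unreleased', 'Embargoed text', 'draft');
INSERT INTO revisions VALUES (1, 'alice', 'Hello, wrld');
"""

PUBLIC_VIEW = "public_content"


def open_cms_db():
    """Unrestricted connection: what the content manager's ID can do."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def web_app_authorizer(action, arg1, arg2, dbname, source):
    """Default-deny policy for the web application's connection.

    SQLite consults this while compiling every statement.  For SQLITE_READ,
    arg1 is the table or view name and `source` is the view on whose behalf
    the read happens, or None when the SQL text names the object directly.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK           # SELECT statements as such are fine
    if action == sqlite3.SQLITE_READ:
        if arg1 == PUBLIC_VIEW and source is None:
            return sqlite3.SQLITE_OK       # the app reads the view directly
        if source == PUBLIC_VIEW:
            return sqlite3.SQLITE_OK       # the view reads its base table
    return sqlite3.SQLITE_DENY             # no writes, no other tables, no DDL


def restrict_to_public_view(conn):
    """Turn an open connection into the least-privilege one the web app gets."""
    conn.set_authorizer(web_app_authorizer)
    return conn


def try_query(conn, sql):
    """Run sql and return its rows, or 'denied' when the policy blocks it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        # SQLite reports a denied column read as "access to ... is prohibited"
        # and any other denied action as "not authorized".
        if "prohibited" in str(exc) or "not authorized" in str(exc):
            return "denied"
        raise


def demo():
    """What the web application's ID can and cannot do under the policy."""
    conn = restrict_to_public_view(open_cms_db())
    return {
        "published": try_query(conn, f"SELECT title FROM {PUBLIC_VIEW} ORDER BY id"),
        "drafts":    try_query(conn, "SELECT title, state FROM articles"),
        "history":   try_query(conn, "SELECT author, old_body FROM revisions"),
        "publish":   try_query(conn, "UPDATE articles SET state = 'published'"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

    The point of the exercise is the last three entries: a compromised web
    server holding this connection still cannot see drafts, cannot read who
    edited what, and cannot publish anything, which is exactly the "be
    comfortable if the ID had no password" test described above.  With a real
    database server the same shape is a dedicated role that is granted SELECT
    on the view only.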
    
    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 14:18:07 PST