January 24, 2011

Bullet Proofing UnboundID DS - part 2: Securing Connections

Rationale
The rationale is straightforward: you want to secure connections from clients to your infrastructure in order to reduce the risk of access being compromised (credentials or data exposed on the wire).
The Meat
  The flow
This helps understand how we will secure the connection without exposing the user credentials: the credentials are only transmitted over the connection AFTER it has been secured with TLS, which is the whole point honestly.


Now comes the trick: this means we cannot completely block unencrypted connections, or the startTLS extended operation could never be transmitted. Since the connection has to start out unsecured, what we can do instead is only allow a BIND and the startTLS extended operation to come in over it. Anything else will bounce until the connection has been secured with startTLS.
It will look like this:
Now the "secure" connection handler will allow any operation for an authenticated user over the secured connection.
  How


Here is how:
  1. create a "secure connection" connection criteria that requires secure-only communication, authentication through simple auth, SASL or internal, and a secure-only authentication security level.
  2. create a "secure policy" client connection policy with a priority (evaluation-order-index) of 1 referring to the "secure connection" connection criteria
  3. update the "default" client connection policy to only allow Bind and Extended operations, with the startTLS extended operation OID 1.3.6.1.4.1.1466.20037 as the only allowed extended operation
Here is how to do it through our 3.0.0 GUI:




Here is how to do it through our dsconfig CLI:







and finally, here are the dsconfig commands achieving the same result (from config-audit.log):

# Undo command: dsconfig delete-connection-criteria --criteria-name "secure connection"
dsconfig create-connection-criteria --criteria-name "secure connection" --type simple --set communication-security-level:secure-only --set user-auth-type:internal --set user-auth-type:sasl --set user-auth-type:simple --set authentication-security-level:secure-only


# Undo command: dsconfig delete-client-connection-policy --policy-name "secure policy"
dsconfig create-client-connection-policy --policy-name "secure policy" --set enabled:true --set evaluation-order-index:1 --set "connection-criteria:secure connection"


# Undo command: dsconfig set-client-connection-policy-prop --policy-name default --add allowed-operation:abandon --add allowed-operation:add --add allowed-operation:compare --add allowed-operation:delete --add allowed-operation:modify --add allowed-operation:modify-dn --add allowed-operation:search --remove allowed-extended-operation:1.3.6.1.4.1.1466.20037
dsconfig set-client-connection-policy-prop --policy-name default --remove allowed-operation:abandon --remove allowed-operation:add --remove allowed-operation:compare --remove allowed-operation:delete --remove allowed-operation:modify --remove allowed-operation:modify-dn --remove allowed-operation:search --add allowed-extended-operation:1.3.6.1.4.1.1466.20037
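To see what these two policies do to a client session, here is a small model of the policy evaluation, added as an example and not UnboundID code. It assumes the behaviour described above: the policy with the lowest evaluation-order-index whose criteria match the connection applies, the "default" policy (no criteria) catches everything else, and the match is re-evaluated on every request so that a client moves onto "secure policy" once it is both TLS-protected and authenticated over TLS.

```python
# Added example, not UnboundID code: models the two policies from this post.
# Assumption: lowest evaluation-order-index with matching criteria wins,
# re-evaluated for every request; "default" has no criteria and always matches.
START_TLS_OID = "1.3.6.1.4.1.1466.20037"

POLICIES = [
    {"name": "secure policy", "index": 1,
     "criteria": {"communication-security-level": "secure-only",
                  "user-auth-type": {"internal", "sasl", "simple"},
                  "authentication-security-level": "secure-only"},
     "allowed-operation": {"abandon", "add", "bind", "compare", "delete",
                           "extended", "modify", "modify-dn", "search"},
     "allowed-extended-operation": None},          # None: any extended op
    {"name": "default", "index": 2, "criteria": None,
     "allowed-operation": {"bind", "extended"},     # after the dsconfig change
     "allowed-extended-operation": {START_TLS_OID}},
]

class Connection:
    """Per-connection state the criteria are evaluated against."""
    def __init__(self):
        self.secure = False        # TLS established (startTLS succeeded)?
        self.auth_type = "none"    # none | simple | sasl | internal
        self.auth_secure = False   # was the bind itself sent over TLS?

def criteria_match(crit, conn):
    if crit is None:
        return True
    if crit["communication-security-level"] == "secure-only" and not conn.secure:
        return False
    if conn.auth_type not in crit["user-auth-type"]:
        return False
    if crit["authentication-security-level"] == "secure-only" and not conn.auth_secure:
        return False
    return True

def policy_for(conn):
    return next(p for p in sorted(POLICIES, key=lambda p: p["index"])
                if criteria_match(p["criteria"], conn))

def request(conn, op, oid=None, auth_type="simple"):
    """Apply one client request to the connection; returns (policy, allowed)."""
    pol = policy_for(conn)
    allowed = op in pol["allowed-operation"]
    if allowed and op == "extended" and pol["allowed-extended-operation"] is not None:
        allowed = oid in pol["allowed-extended-operation"]
    if allowed and op == "extended" and oid == START_TLS_OID:
        conn.secure = True                       # connection is now TLS-protected
    if allowed and op == "bind":
        conn.auth_type, conn.auth_secure = auth_type, conn.secure
    return pol["name"], allowed
```

Note the second scenario in the checks: a bind sent in the clear is still accepted by the "default" policy, but the client never reaches "secure policy", so it stays limited to bind and startTLS.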
