S 5.97 Protection of communications with Novell eDirectory

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator

The exchange of data between eDirectory client and server takes place over network connections. Depending on the eDirectory system and network structure, it may be possible for the communications packets, which can contain authentication information as well as directory contents, to be transmitted unprotected.

Depending on the operating system installed, different network protocols can be used here. Thus, for example, eDirectory can be accessed both with Novell's own NDAP, which is superimposed on the Netware Core Protocol (NCP), and also with the standard LDAP protocol. For NDAP, data is transported over IP or IPX networks and for LDAP it is transported exclusively over IP networks.

User authentication with access over NDAP follows a proprietary procedure that does not transport any authentication data directly over the network. However, where NDAP is used, communications between client and server are not always encrypted, but it is the responsibility of the (NDAP) client used to ensure that communications are encrypted. Hence access to eDirectory with this protocol should only be possible within the intranet.

If an eDirectory server is to be accessed from outside with NDAP, the communications link between client and server must be protected sufficiently to ensure the confidentiality of the data transmitted. This can be achieved, for example, through use of a Virtual Private Network (VPN)

Where eDirectory is accessed with LDAP, encryption is possible (using SSL) but there are also specific risks (configuration of anonymous access). Details of the relevant security aspects are provided in safeguard S 4.158 Configuration of LDAP access to Novell eDirectory.

Furthermore, administrators can access the system remotely. One example of this is the Novell proprietary tool, iMonitor, which permits access to data of the system monitor via a browser (see S 4.160 Monitoring of Novell eDirectory).

As the data available in iMonitor provides significant insight into the organisation and configuration of an eDirectory installation, this indirect means of access to eDirectory must also be protected. Therefore only authorised users should be able to access iMonitor over HTTP. Transmissions should, moreover, be protected by TLS/SSL (see S 5.66 Use of TLS/SSL).

Example: If an eDirectory server for LDAP access from outside is inside the screened subnet of a firewall system, then HTTP access to this server should not be possible.

Review questions:

• Access from outside to an eDirectory directory service with NDAP: Has the communication connection between client and server been secured?
• Are only authorised users able to access iMonitor of eDirectory over HTTP?