Use of firewalls.
Requirement for strong authentication, leading to the need for certification authorities.
Firewalls often have two parts:
Network routers which perform packet filtering and limit connections between the internal and external networks.
Bastion host (or "application gateway"), which is a host machine used to run proxy services. A proxy service is an intermediate gateway that handles, monitors and 'vets' communications between a client (e.g. a Web browser) and a server (e.g. a Web server). Examples of protocols that can be handled by an appropriate proxy are Telnet, FTP and Web.
Introduction of a new service into an environment where a firewall is in use can be difficult, especially when the new service works in a way that the firewall does not currently support, or cannot easily handle without compromising its integrity. As such, it is probably better to set up a service to work within the current restrictions of the firewall than to adapt the firewall to the service. In particular, if no application proxy is available for the service, then other means of protection must be considered.
The important questions for a directory service, as envisaged by EuroView, are:
Will the DSA sit inside or outside of the firewall?
Similarly will LDAP or Web/X.500 gateway positioning be problematic?
The DSA is likely to be placed outside the secured network, as this eliminates the need to filter incoming connections to the DSA: connections initiated externally to the DSA then never need to reach services guarded by the firewall.
This, though, assumes that the data held by the DSA is not regarded as overly sensitive and in need of protection. Where access to sensitive data is an issue, one answer may be to implement two servers: one DSA, holding the sensitive data, positioned within the secure perimeter, and a second DSA, holding the "public" data, outside the secure boundary or, if appropriate, on a bastion host. This is not a perfect solution, as it makes restricted external access to the sensitive data, using access control, difficult to achieve.

Figure 7-1. Example DSA and Firewall Configuration
A configuration that goes some way towards satisfying the needs outlined above is depicted in Figure 7-1.
The issue of LDAP and Web/X.500 gateways is less sensitive, as connections to these can reasonably be limited to internal users. The only connections initiated by these gateways will be directly to the organizational DSA. It should then be reasonable to limit access to the gateways by placing them inside the firewall perimeter. If the DSA is outside the boundary, then connections from the gateway to the DSA will have to be enabled using the appropriate means. The behaviour of Web gateways can be further controlled by use of Web proxy servers.
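The placement just described, as an added worked example that is not part of the report or of any EuroView software: a small model of the router's packet-filter policy for the layout of Figure 7-1, with the DSA holding public data outside the perimeter and the sensitive-data DSA and the LDAP/Web gateway inside. The addresses, the rule names, and the use of TCP port 102 (ISO transport over TCP, RFC 1006, as used for X.500 DAP) and TCP port 389 (LDAP) are assumptions made for the example; the point it shows is that the only hole the perimeter needs is the gateway's outbound connection to the public DSA.

```python
"""Packet-filter policy model for a DSA placed outside the firewall.

Added example (not from the EuroView report). Addresses, zone boundaries and
port numbers are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the layout of Figure 7-1.
INTERNAL_NET = ip_network("10.0.0.0/8")     # secured internal network
GATEWAY = ip_address("10.0.1.10")           # LDAP and Web/X.500 gateway, inside
INTERNAL_DSA = ip_address("10.0.1.20")      # DSA holding sensitive data, inside
PUBLIC_DSA = ip_address("192.0.2.20")       # DSA holding "public" data, outside

DAP_PORT = 102    # ISO transport over TCP (RFC 1006), carrying X.500 DAP
LDAP_PORT = 389   # LDAP


@dataclass(frozen=True)
class Rule:
    name: str
    src: object              # ipaddress network the source must lie in
    dst: object              # ipaddress network the destination must lie in
    dport: Optional[int]     # None matches any destination port
    action: str              # "allow" or "deny"

    def matches(self, src, dst, dport) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def host(addr):
    """Single-host network for use in a rule."""
    return ip_network(str(addr))


ANY = ip_network("0.0.0.0/0")

# Ordered rules applied to connection attempts that cross the perimeter.
# First match wins; anything unmatched is denied. Only the gateway may
# initiate connections to the public DSA, and nothing outside may initiate
# a connection to an internal host, so the internal DSA stays unreachable.
RULES = [
    Rule("gateway-to-public-dsa-dap",  host(GATEWAY), host(PUBLIC_DSA), DAP_PORT,  "allow"),
    Rule("gateway-to-public-dsa-ldap", host(GATEWAY), host(PUBLIC_DSA), LDAP_PORT, "allow"),
    Rule("deny-external-to-internal",  ANY,           INTERNAL_NET,     None,      "deny"),
]


def crosses_perimeter(src, dst) -> bool:
    """True if exactly one end of the connection is on the internal network."""
    return (src in INTERNAL_NET) != (dst in INTERNAL_NET)


def decide(src: str, dst: str, dport: int):
    """Return (action, reason) for a TCP connection attempt src -> dst:dport."""
    s, d = ip_address(src), ip_address(dst)
    if not crosses_perimeter(s, d):
        # External client to the public DSA, or internal user to the internal
        # DSA: the router never sees it, which is the point of the placement.
        return ("unfiltered", "does-not-cross-perimeter")
    for rule in RULES:
        if rule.matches(s, d, dport):
            return (rule.action, rule.name)
    return ("deny", "default-deny")


# Constructed connection attempts for the demonstration.
ATTEMPTS = [
    ("10.0.1.10",   "192.0.2.20", LDAP_PORT),  # gateway -> public DSA (LDAP)
    ("10.0.1.10",   "192.0.2.20", DAP_PORT),   # gateway -> public DSA (DAP)
    ("10.0.5.5",    "192.0.2.20", LDAP_PORT),  # internal host bypassing the gateway
    ("203.0.113.5", "10.0.1.20",  DAP_PORT),   # external client -> internal DSA
    ("203.0.113.5", "192.0.2.20", LDAP_PORT),  # external client -> public DSA
    ("10.0.5.5",    "10.0.1.20",  DAP_PORT),   # internal user -> internal DSA
]


def evaluate_all():
    """Decision for every constructed attempt, keyed by (src, dst, dport)."""
    return {(s, d, p): decide(s, d, p) for s, d, p in ATTEMPTS}


if __name__ == "__main__":
    for (s, d, p), (action, reason) in evaluate_all().items():
        print(f"{s:>13} -> {d}:{p:<4} {action:<10} ({reason})")
```

Connections from an external client to the public DSA do not traverse the router at all, so no inbound rule is needed for them; the "deny-external-to-internal" rule is what keeps the sensitive-data DSA out of reach, and the two gateway rules are the "appropriate means" by which the gateway inside the perimeter reaches the DSA outside it.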
An application proxy for X.500 services, called the Guardian DSA, has been developed by the ICE-TEL project. The Guardian DSA performs filtering operations on all X.500 operations passing through the firewall, and can in this way limit the external view onto an internal DSA, e.g. by preventing or limiting external access to internal data, such as telephone numbers, addresses or pointers to internal documents. The Guardian DSA is a promising development, and will be evaluated by EuroView for possible use in the service.
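The kind of filtering the paragraph attributes to the Guardian DSA, as an added example written for this page; it is not the ICE-TEL implementation. The operation names, the attribute types treated as internal-only, the published and hidden subtrees and the directory entries are all constructed, and the "internal DSA" behind the proxy is a stand-in list of entries rather than a real X.500 server. The example shows the three controls in one place: refusing operations other than interrogation from outside, refusing bases outside the published subtree, and stripping telephone numbers, addresses and document pointers from entries before they leave.

```python
"""Application-proxy filter in the spirit of the Guardian DSA described above.

Added example, not the ICE-TEL code. Operation names, attribute types,
subtree names and directory content are constructed for illustration.
"""
from copy import deepcopy

# Subtree that external clients are allowed to interrogate (assumed).
PUBLIC_BASE = "o=example university, c=gb"

# Subtrees beneath the public one that are never exposed (assumed).
HIDDEN_SUBTREES = ["ou=internal projects, o=example university, c=gb"]

# Attribute types stripped from entries returned to external clients:
# the telephone numbers, addresses and internal document pointers mentioned
# in the text (assumed set, lower-cased for comparison).
INTERNAL_ONLY_ATTRS = {"telephonenumber", "postaladdress", "labeleduri"}

# Only interrogation operations are forwarded from outside (assumed policy).
EXTERNAL_OPERATIONS = {"read", "search"}

# Constructed content standing in for the internal DSA.
DIRECTORY = [
    {"dn": "cn=ann example, o=example university, c=gb",
     "attrs": {"cn": ["Ann Example"],
               "mail": ["ann@example.ac.uk"],
               "telephoneNumber": ["+44 20 7946 0000"],
               "labeledURI": ["http://intranet.example.ac.uk/ann"]}},
    {"dn": "cn=bob sample, ou=internal projects, o=example university, c=gb",
     "attrs": {"cn": ["Bob Sample"],
               "mail": ["bob@example.ac.uk"]}},
]


def _norm(dn: str) -> str:
    """Canonical form of a DN string for comparison (whitespace, case)."""
    return ", ".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere beneath it."""
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith(", " + base)


def screen_operation(op: dict, client_zone: str):
    """Decide whether an operation may be forwarded to the internal DSA."""
    if client_zone == "internal":
        return True, "internal client: passed through"
    if op["op"] not in EXTERNAL_OPERATIONS:
        return False, f"{op['op']} not permitted from outside"
    if not in_subtree(op["base"], PUBLIC_BASE):
        return False, "base outside the published subtree"
    if any(in_subtree(op["base"], h) for h in HIDDEN_SUBTREES):
        return False, "base within a hidden subtree"
    return True, "ok"


def screen_entry(entry: dict, client_zone: str):
    """Entry as the client may see it, or None if it must be dropped."""
    if client_zone == "internal":
        return entry
    if any(in_subtree(entry["dn"], h) for h in HIDDEN_SUBTREES):
        return None
    filtered = deepcopy(entry)
    filtered["attrs"] = {k: v for k, v in entry["attrs"].items()
                         if k.lower() not in INTERNAL_ONLY_ATTRS}
    return filtered


def handle(op: dict, client_zone: str) -> dict:
    """Proxy one operation: screen it, run it on the stand-in DSA, screen results."""
    allowed, reason = screen_operation(op, client_zone)
    if not allowed:
        return {"status": "rejected", "reason": reason, "entries": []}
    if op["op"] == "read":
        results = [e for e in DIRECTORY if _norm(e["dn"]) == _norm(op["base"])]
    else:  # subtree search from the given base
        results = [e for e in DIRECTORY if in_subtree(e["dn"], op["base"])]
    entries = [s for s in (screen_entry(e, client_zone) for e in results)
               if s is not None]
    return {"status": "ok", "reason": reason, "entries": entries}


if __name__ == "__main__":
    search = {"op": "search", "base": "o=Example University, c=GB"}
    print("external:", handle(search, "external"))
    print("internal:", handle(search, "internal"))
    print("modify from outside:", handle({"op": "modify", "base": PUBLIC_BASE}, "external"))
```

An external subtree search of the published base returns Ann's entry without her telephone number or document pointer and omits Bob's entry under the hidden subtree entirely; the same search from inside returns both entries unchanged, and a modify from outside is rejected before it reaches the DSA.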
As yet there is little requirement for strong authentication. However, secure communication will need to be implemented if global and widely accessible directory services are to become a reality. Strong authentication is essential if the security of data depends on access controls in DSAs. Further, the storage and delivery of authentication certificates is likely to be a major requirement in support of other applications.