The most typical threats to directory security include the following:
Eavesdropping. Information remains intact, but its privacy is compromised. For example, someone could learn your credit card number, record a sensitive conversation, or intercept classified information.
Unauthorized access. This threat includes unauthorized access to data through data-fetching operations. Unauthorized users might also gain access to reusable client authentication information by monitoring the access of others. The Directory Server Enterprise Edition authentication methods, password policies, and access control mechanisms provide effective ways of preventing unauthorized access.
Tampering. Information in transit is changed or replaced and then sent on to the recipient. For example, someone could alter an order for goods or change a person’s resume.
This threat includes unauthorized modification of data or configuration information. If your directory cannot detect tampering, an attacker might alter a client’s request to the server. The attacker might also cancel the request or change the server’s response to the client. The Secure Sockets Layer (SSL) protocol and similar technologies can solve this problem by signing information at either end of the connection.
Impersonation. Information passes to a person who poses as the intended recipient.
Impersonation can take two forms, spoofing and misrepresentation.
Spoofing. A person or computer impersonates someone else. For example, a person can pretend to have the mail address jdoe@example.com, or a computer can identify itself as a site called www.example.com when it is not.
Misrepresentation. A person or organization misrepresents itself. For example, suppose the site www.example.com pretends to be a furniture store when it is really just a site that takes credit-card payments but never sends any goods.
Denial of service. An attacker consumes system resources so that legitimate users cannot use them.
In a denial of service attack, the attacker’s goal is to prevent the directory from providing service to its clients. Directory Server Enterprise Edition provides a way of preventing denial of service attacks by setting limits on the resources that are allocated to a particular bind DN.
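The per-bind-DN limits described above can be checked offline against an LDIF export. The following is an added example, not code from the Directory Server documentation. It assumes the limits are stored on each entry in the attributes nsSizeLimit, nsTimeLimit, nsLookThroughLimit and nsIdleTimeout, with -1 meaning no limit (names this page does not give; confirm them for your server version), and it runs on constructed sample entries.

```python
# Added example: flag bind DNs whose resource limits are missing or unlimited.
# Assumption: per-entry limit attributes as named below; -1 means "no limit".
LIMIT_ATTRS = ("nsSizeLimit", "nsTimeLimit", "nsLookThroughLimit", "nsIdleTimeout")

# Constructed sample export (not real data).
SAMPLE_LDIF = """\
dn: uid=app1,ou=services,dc=example,dc=com
nsSizeLimit: 500
nsTimeLimit: 30
nsLookThroughLimit: 5000
nsIdleTimeout: 300

dn: uid=batch,ou=services,dc=example,dc=com
nsSizeLimit: -1
nsTimeLimit: 60
nsLookThroughLimit: 5000
nsIdleTimeout: 300

dn: uid=jdoe,ou=people,dc=example,dc=com
nsSizeLimit: 200
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into {dn: {attr: value}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs[name.lower()] = value.strip()
        if "dn" in attrs:
            entries[attrs.pop("dn")] = attrs
    return entries

def audit_limits(entries):
    """Return {dn: [findings]} for entries with a missing or unlimited limit."""
    report = {}
    for dn, attrs in entries.items():
        findings = []
        for attr in LIMIT_ATTRS:
            value = attrs.get(attr.lower())
            if value is None:
                findings.append(f"{attr} not set (server default applies)")
            elif value == "-1":
                findings.append(f"{attr} is unlimited")
        if findings:
            report[dn] = findings
    return report
```

Calling `audit_limits(parse_ldif(SAMPLE_LDIF))` reports the `batch` entry for its unlimited size limit and the `jdoe` entry for the three limits it leaves to the server default.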