M-Vault provides a number of important security capabilities:

Strong Authentication

Strong authentication based on X.509 PKI, using Isode's strong authentication infrastructure, is provided for all X.500 protocols (DAP, DSP, and DISP) and for LDAP using SASL-EXTERNAL.

Strong authentication is desirable for secure directory deployments, and should be used in preference to password-based authentication. This is discussed in the white paper Why Strong Authentication for Directory?

SASL Authentication

M-Vault supports the SASL (Simple Authentication and Security Layer) Internet standards for LDAP client authentication. The Isode SASL implementation supports a number of authentication mechanisms, giving authentication flexibility. SASL also enables authentication using simple string names (as opposed to directory names), which is convenient for applications using directory-based authentication. A full description of SASL and its use in M-Vault can be found here.

Signed Operations

M-Vault uses digital signatures based on X.509 PKI to support signed operations in the DAP and DSP protocols. This provides additional integrity and audit security for individual operations, and allows chained updates to be authenticated using a digital signature from the originating directory client. M-Vault can be configured to require signed operations for all updates, which is recommended for directory deployments with stringent security requirements. Further information is provided in the Isode white paper Directory Signed Operations.

Signed operations are also used for the X.500 DISP replication protocol, providing the same per-operation security as for DAP and DSP.

Identity Based Access Control

Support is provided for the full range of X.500 Access Control, covering both Basic Access Control (BAC) and Simplified Access Control (SAC). Features include access control applied to a specific directory entry, to all entries within an administrative area, and to a group of entries. In addition, access control can be defined per attribute (e.g., deny access to the password attribute for all entries). This identity-based access control support includes support for roles, sometimes referred to as Role Based Access Control.

Security Label Based Access Control

M-Vault supports access control based on Security Labels and Security Clearances, using mechanisms of the type specified in X.500 as Rule Based Access Control. M-Vault allows Security Labels to be associated with directory entries, which then controls access based on the Security Clearance of the user. Detailed capabilities:

  • All functionality is Security Policy controlled. Isode provides capabilities for Security Policy Management.
  • Replication controlled by Security Policy can be achieved by use of Sodium Sync, and a login account with appropriate Security Clearance.
  • M-Vault can restrict access based on a user's Security Clearance, using a Security Label associated with the M-Vault server.
  • M-Vault can constrain the Security Labels on data held, by use of a Security Clearance associated with the M-Vault server.
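The dominance check behind the four points above, as an added example (not Isode's code or policy format): it assumes a simplified label model of a hierarchical classification level plus a set of compartment categories, where a clearance dominates a label when its level is at least as high and its categories are a superset. The level names, the `LEVEL:CAT,CAT` text form and the directory entries are constructed for the demonstration; Sodium Sync and the real Security Policy format are not modelled.

```python
"""Rule-based (security-label) access decisions with a simplified label model.

Added example, not Isode code. Levels, categories and entries are constructed;
a real Security Policy defines its own.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed classification hierarchy (assumption for the example).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Used both for a Security Label on data and a Security Clearance held by a user or server."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        # Everything is policy controlled: a level the policy does not define is rejected outright.
        if self.level not in LEVELS:
            raise ValueError(f"level not defined by the security policy: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Level at least as high and every category of `other` present."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


def parse_label(text: str) -> Label:
    """Parse the constructed form 'LEVEL' or 'LEVEL:CAT1,CAT2'."""
    level, _, cats = text.partition(":")
    categories = frozenset(c.strip().upper() for c in cats.split(",") if c.strip())
    return Label(level.strip().upper(), categories)


@dataclass(frozen=True)
class Entry:
    dn: str
    label: Label


def visible_entries(clearance: Label, entries: List[Entry]) -> List[str]:
    """Search results filtered by clearance: only entries whose label is dominated are returned."""
    return [e.dn for e in entries if clearance.dominates(e.label)]


def server_accepts_binder(server_label: Label, clearance: Label) -> bool:
    """A Security Label on the server itself restricts which clearances may use it at all."""
    return clearance.dominates(server_label)


def server_may_store(server_clearance: Label, entry: Entry) -> bool:
    """A Security Clearance on the server constrains which labels may be held in it."""
    return server_clearance.dominates(entry.label)


if __name__ == "__main__":
    # Constructed directory content for a quick run.
    directory = [
        Entry("cn=ops,o=example", parse_label("CONFIDENTIAL:ALPHA")),
        Entry("cn=plans,o=example", parse_label("SECRET:ALPHA,BRAVO")),
        Entry("cn=public,o=example", parse_label("UNCLASSIFIED")),
    ]
    for who, text in (("alice", "SECRET:ALPHA"), ("bob", "CONFIDENTIAL:BRAVO")):
        print(who, "sees", visible_entries(parse_label(text), directory))
```

The same `dominates` relation serves all three roles the page lists (user clearance against entry label, user clearance against the server's label, and the server's clearance against labels on stored data), which is why a single `Label` type is used for labels and clearances alike.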

Further information is provided in the following whitepapers:

Audit Logging

M-Vault provides audit logging of directory activity in a structured, parseable format. Details can be found on the Isode product page covering Audit Logging & Event Handling.

Confidentiality

LDAP confidentiality is supported in M-Vault using the TLS/SSL protocols. The server supports both the LDAP Start TLS extended operation and LDAPS. The set of cipher suites available is configurable, as is the effective authentication level granted to a user depending on whether a suitably confidential cipher suite was negotiated.

Password Policy

M-Vault provides comprehensive capabilities for managing password-based authentication. This includes:

  • Control of hashing choice, and auto-migration on authentication
  • Ability to lock accounts
  • Password quality control
  • Password ageing
  • Password history (controlled by age)
  • Force password reset
  • Grace login
  • Require old password
  • DSA generated password
  • Prevention of password guessing attacks
  • Ability to exclude
  • Protocol support for password policy aware clients
  • GUI management of password policy using Sodium (see here for screenshots)
  • Password policy support in Isode Directory Client APIs
  • Password policy aware changing in Isode Web Applications – PIA (Personal Information Administration).

Further details are given in the Isode white paper Password Policy for Directories.
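Several of the listed capabilities (control of hashing choice with auto-migration on authentication, account lockout, password ageing, age-controlled history, forced reset and "require old password") are shown working together in this added example. It is not Isode's code: the storage formats (`{SHA}` for a legacy unsalted scheme, `{PBKDF2}` for the current one), the return strings and all policy numbers are constructed for the demonstration, since the page does not give M-Vault's actual formats or defaults.

```python
"""Password-policy enforcement: hash migration on login, lockout, ageing, history.

Added example, not Isode code. Storage prefixes, policy numbers and the account
data are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LEGACY_PREFIX = "{SHA}"      # unsalted SHA-1: the scheme being migrated away from
CURRENT_PREFIX = "{PBKDF2}"  # salted PBKDF2-HMAC-SHA256
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; tune upward in production


def hash_legacy(password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return LEGACY_PREFIX + base64.b64encode(digest).decode("ascii")


def hash_current(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return CURRENT_PREFIX + base64.b64encode(salt).decode("ascii") + "$" + base64.b64encode(dk).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Verify against whichever scheme the stored value uses, with constant-time comparison."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, hash_legacy(password))
    if stored.startswith(CURRENT_PREFIX):
        salt_b64 = stored[len(CURRENT_PREFIX):].split("$", 1)[0]
        return hmac.compare_digest(stored, hash_current(password, base64.b64decode(salt_b64)))
    return False  # unknown scheme: fail closed


@dataclass
class Policy:
    max_failures: int = 5                    # lock after this many consecutive failures
    lockout_seconds: int = 15 * 60
    max_age_seconds: int = 90 * 86400        # password ageing
    history_age_seconds: int = 365 * 86400   # history controlled by age: older hashes drop out
    min_length: int = 12                     # one quality rule standing in for a fuller check


@dataclass
class Account:
    hashed: str
    changed_at: float
    history: List[Tuple[str, float]] = field(default_factory=list)  # (retired hash, retirement time)
    failures: int = 0
    locked_until: float = 0.0
    must_reset: bool = False                 # "force password reset"


def authenticate(acct: Account, password: str, policy: Policy, now: float) -> str:
    """Returns 'locked', 'bad_password', 'ok_must_change' or 'ok'."""
    if now < acct.locked_until:
        return "locked"                      # no verification while locked: nothing for a guesser to learn
    if not verify(acct.hashed, password):
        acct.failures += 1
        if acct.failures >= policy.max_failures:
            acct.failures = 0
            acct.locked_until = now + policy.lockout_seconds
            return "locked"
        return "bad_password"
    acct.failures = 0
    if acct.hashed.startswith(LEGACY_PREFIX):
        # Auto-migration: the cleartext is only in hand at authentication time,
        # so this is the moment to re-hash under the current scheme.
        acct.hashed = hash_current(password)
    if acct.must_reset or now - acct.changed_at > policy.max_age_seconds:
        return "ok_must_change"
    return "ok"


def change_password(acct: Account, old: str, new: str, policy: Policy, now: float) -> str:
    """Returns 'bad_old_password', 'too_short', 'reused' or 'changed'."""
    if not verify(acct.hashed, old):         # require old password
        return "bad_old_password"
    if len(new) < policy.min_length:         # quality control
        return "too_short"
    # Expire history entries older than the policy allows, then refuse any remaining match.
    acct.history = [(h, t) for (h, t) in acct.history if now - t <= policy.history_age_seconds]
    if any(verify(h, new) for h, _ in [(acct.hashed, now)] + acct.history):
        return "reused"
    acct.history.insert(0, (acct.hashed, now))
    acct.hashed = hash_current(new)
    acct.changed_at = now
    acct.must_reset = False
    return "changed"
```

Note the ordering in `authenticate`: the lockout check runs before any hash verification, so a locked account gives the same answer for right and wrong passwords, and migration happens only after a successful verification because that is the only point at which the server holds the cleartext needed to produce the new hash.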

Copyright © 2010 Isode