Military Directory
Whitepapers with a special relevance to those building
military directory solutions, together with whitepapers
of a more general relevance to military solutions.
Using Security Labels for Directory Access Control and Replication Control
This paper looks at how Security Labels can be used to provide security
and management benefits to directory services. It shows how Security
Labels can be used to control access to data based on the Security Clearance
of the user accessing the directory, and how Security Labels can be
used to control access to directory services and selective directory
replication.
(17th April 2008)
Managing and securely determining Security Clearance
Access controls based on Security Labels are made by matching the Security
Label against the Security Clearance of the user or location for which
the access control check is being made. This paper
looks at how to ensure that the correct Security Clearance is used,
and the role of directory in achieving this.
(18th March 2008)
Access Control using Security Labels & Security Clearance
Security Labels provide an important mechanism for controlling access
to information in many high security environments, and are also useful
in environments with lower security requirements. This paper provides
a reasonably detailed description of how security labels and clearances
work, while attempting to avoid the high level of technical complexity
seen in many papers in this area.
(31st Jan 2008)
Directory Signed Operations
Directory signed operations are often requested
or mandated as a part of Military ACP 133 Directory or other directory
services with high security requirements. This paper explains what
directory signed operations are, the benefits they provide, and situations
where it makes sense to require their use.
(11th July 2007)
ACP133: The Military Directory Standard
ACP 133 is the NATO Standard for Military Directory: "Common
Directory Services and Procedures". The current version is "Edition
B", published in February 2000. "Edition C" is being
developed, and is expected to be published shortly. This white paper
gives a short summary of ACP 133 aimed at readers with some familiarity
with directory services.
(17th Aug 2006)
Operational Monitoring and Control of Systems using Isode Servers
Isode server products are deployed in a wide variety of situations,
and usually there is a high service reliance placed on them. Isode’s
approach to server design and management is that the products are
building blocks, with maximum use of open standard protocols for interconnection.
Management is almost entirely client/server. This combination of building
block + client/server means that the approach to operational management
needs to be considered as part of the overall system design. This
paper explains the approach Isode has taken and the options provided,
that can be used to build an operational system.
(1st March 2006)
Why Strong Authentication for Directory?
LDAP and the X.500 directory protocols can all use strong authentication
based on X.509 PKI (Public Key Infrastructure). This paper looks at
the benefits and issues in using strong authentication for directory.
It considers security threats to directory and looks at how strong
authentication can be used to address these threats. It also looks
at administrative benefits and drawbacks. This paper argues that strong
authentication should be used wherever possible for server to server
communication, and for administrator access.
(22nd Nov 2005)
Why Strong Authentication? – The Security and Administrative Benefits of using X.509 PKI based Strong Authentication
Strong authentication based on X.509 PKI (Public Key Infrastructure)
is available in a number of protocols and provides both security &
administrative benefits and drawbacks. This paper looks at the security
and administrative benefits (and drawbacks) of using strong authentication.
This paper looks at generic issues that apply to many applications
and protocols using strong authentication. Future white papers will
look at specific applications of strong authentication.
(22nd Nov 2005)
Replication for Tactical Directory
Directory is an important component of Tactical Military operations.
This paper looks at requirements for Tactical Directory, explains
why there are special replication requirements, and explains that this
is the only area where requirements differ significantly from other
military directories.
(30th June 2005)
Building a Highly Replicated Directory: The case for X.500 DISP
This whitepaper looks at issues related to replication, when building
a highly distributed and replicated directory. It argues that X.500
DISP (Directory Information Shadowing Protocol) is the best solution
to this problem. This paper looks particularly at military directory,
which has strong requirements for highly replicated directory. The
paper is also applicable to other environments.
(14th Sept 2004)
General
Directory Deployment Planning Checklist
This document has been written to help those planning a directory
deployment, and in particular Isode partners working on directory
deployments for their customers and prospects. As the specifics of
the approach taken will depend on the deployment requirements, this
paper does not attempt to be prescriptive; there are no "right
answers". Instead, a series of questions that (may) need to be
asked are listed. Notes on those questions help define the answers
and explain the implications of choices made. References to other
material are provided where appropriate.
(5th March 2008)
Password Policy for Directories
In this whitepaper we look at password policy for directories, its
major capabilities, benefits, how it is integrated into other applications
and how it is used. The paper looks at password policy features implemented
by Isode’s M-Vault in Release 14.1. A few features are described
that are planned for Release 14.2. M-Vault implements a comprehensive
set of password policy features, and so this paper covers all features
which are likely to be of interest. The paper focuses on showing how
features appear to the end user and can be used and controlled by
an administrator.
(27th Sept 2007)
SNMP and Isode Servers
This white paper looks at the role of SNMP (Simple Network Management
Protocol) in managing systems using Isode messaging and directory
servers. It explains why SNMP support is provided, the sub-agent architecture
used by Isode products, and approaches to deploying SNMP monitoring.
(29th May 2007)
Web Interfaces to the Directory
Isode provides a number of Web UIs that interact with its M-Vault
directory servers, in support of both messaging and directory deployments.
Two new UIs have been added as a part of our R14 release. The first
goal of this paper is to give a description of the Isode UIs, which
have been driven by Isode's Internet messaging product set. The two
new UIs are currently a part of Internet Messaging management, but
will change to become general purpose directory UIs. A second goal
of this paper is to solicit input from Isode directory customers as
to requirements that may be addressed by these new products.
(20th April 2007)
Packaging Military Messaging for HF Radio and other Low Bandwidth Links
The general requirements and protocol architecture for military messaging
over low bandwidth communications were described in the Isode White
Paper Military Messaging Over Low Bandwidth
Networks. This paper looks in more detail at how various server
components are packaged together, looking at both software and hardware
combinations, and showing how users and user agents fit into the system.
The paper looks in detail at single user systems, from both hardware
and software perspective.
(15th Feb 2007)
Using Active Directory as part of a distributed directory
There are many situations that require large distributed directories
using LDAP (Lightweight Directory Access Protocol) and/or X.500, such
as Government, Military and Aviation. Organizations building these
distributed directories will often be making use of Microsoft Active
Directory (AD). AD provides a number of key functions in a Microsoft
server network, which impact its use as part of a distributed directory.
This paper explains these issues, and then looks at three different
approaches to using AD in the context of a distributed directory.
(5th July 2005)
Isode Management Architecture: Client/Server and Directory
Isode's core business is messaging and directory servers. Isode products
are designed for service oriented environments, such as ISPs, military,
government and aviation. These are environments where there are stringent
management requirements. This white paper sets out the approaches
that Isode takes to address management requirements.
(21st Sept 2004)