Isode Military Directory Whitepapers
|M-Vault Failover and Disaster Recovery
This white paper looks at how Isode's M-Vault directory server provides failover capabilities in support of disaster recovery. It looks at requirements for replication, and describes the architecture of Isode's approach and how this addresses disaster recovery requirements.
(20th June 2011)
|SCRAM: A New Protocol for Password Authentication
SCRAM (Salted Challenge Response) is a new protocol and data storage mechanism to support password based authentication. This white paper looks at the security benefits of SCRAM, and how it should be used to complement PKI based strong authentication. It describes Isode’s current support and future plans for SCRAM.
(19th May 2010)
|Isode Support for Kerberos, Active Directory and Single Sign On
This paper looks at how Isode client and server products can make use of Kerberos authentication, in configurations where Isode provides both client and server, and in conjunction with third party clients and servers, including Microsoft Active Directory. It looks at how Single Sign On (SSO) can be achieved for Isode products using Kerberos, and compares this with use of other SSO approaches.
(22nd April 2010)
|Using Isode's Messaging and Directory Applications with a Data Diode
Data Diodes are low level hardware devices, with very high assurance, that allow data to flow in one direction while preventing data from flowing in the opposite direction. This white paper shows how Isode applications can be used in conjunction with a Data Diode to give high assurance one way flow of data.
(28th May 2009)
Replication by Email and over 'Air Gap'
Directory replication is an important feature of most directory services, commonly achieved by use of directory protocols. There are a number of situations where using directory protocols to perform replication does not work well, these include: HF Radio and other constrained links, system boundaries where only email traffic is allowed, directory gateways performing security checks and tactical directories with irregular network access. This paper looks at these scenarios, shows how directory replication over email and 'air gap' can address them and describes the architecture and key features of Isode's solution.
(3rd September 2008)
|Using Security Labels for
Directory Access Control and Replication Control
This paper looks at how Security Labels can be used to provide security and management benefits to directory services. It shows how Security Labels can be used to control access to data based on the Security Clearance of the user accessing the directory, and how Security Labels can be used to control access to directory services and selective directory replication.The paper looks at the functionality that can be achieved, and how this functionality may be useful in handling a number of security problems.
(17th April 2008)
Directory signed operation are often requested or mandated as a part of Military ACP 133 Directory or other directory services with high security requirements. This paper explains what directory signed operations are, the benefits they provide, and situations where it makes sense to require their use.
(11th July 2007)
|ACP133: The Military Directory Standard
ACP 133 is the NATO Standard for Military Directory: "Common Directory Services and Procedures". The current version is "Edition B", published in February 2000. "Edition C" is being developed, and is expected to be published shortly. This white paper gives a short summary of ACP 133 aimed at readers with some familiarity with directory services.
(17th Aug 2006)
|Why Strong Authentication for Directory?
LDAP and the X.500 directory protocols can all use strong authentication based on X.509 PKI (Public Key Infrastructure). This paper looks at the benefits and issues in using strong authentication for directory. It considers security threats to directory and looks at how strong authentication can be used to address these threats. It also looks at administrative benefits and drawbacks. This paper argues that strong authentication should used wherever possible for server to server communication, and for administrator access.
(22nd Nov 2005)
|Why Strong Authentication? – The
Security and Administrative Benefits of using X.509 PKI based Strong
Strong authentication based on X.509 PKI (Public Key Infrastructure) is available in a number of protocols and provides both security & administrative benefits and drawbacks. This paper looks at the security and administrative benefits (and draw backs) of using strong authentication. This paper looks at generic issues that apply to many applications and protocols using strong authentication. Future white papers will look at specific applications of strong authentication.
(22nd Nov 2005)
for Tactical Directory
Directory is an important component of Tactical Military operations. This paper looks at requirements for Tactical Directory, explains why there are special replication requirements, and that this is the only area where requirements differ significantly to other military directories.
(30th June 2005)
|Building a Highly Replicated Directory:
The case for X.500 DISP
This whitepaper looks at issues related to replication, when building a highly distributed and replicated directory. It argues that X.500 DISP (Directory Information Shadowing Protocol) is the best solution to this problem. This paper looks particularly at military directory, which has strong requirements for highly replicated directory. The paper is also applicable to other environments.
(14th Sept 2004)
This document has been written to help those planning a directory deployment, and in particular Isode partners working on directory deployments for their customers and prospects. As the specifics of the approach taken will depend on the deployment requirements this paper does not attempt to be prescriptive, there are no "right answers". Instead, a series of questions that (may) need to be asked are listed. Notes on those questions help define the answers and explain the implications of choices made. References to other material are provided where appropriate.
(5th March 2008)
|Password Policy for Directories
In this whitepaper we look at password policy for directories, its major capabilities, benefits, how it is integrated into other applications and how it is used. The paper looks at password policy features implemented by Isode’s M-Vault in Release 14.1. A few features are described that are planned for Release 14.2. M-Vault implements a comprehensive set of password policy features, and so this paper covers all features which are likely to be of interest. The paper focuses on showing how features appear to the end user and can be used and controlled by an administrator.
(27th Sept 2007)
|Replicating and Synchronizing Data
Between Directory Servers
There are many situations where it is useful in a directory service for directory data to be available in more than one directory server. This paper looks at three techniques for achieving this (replication, direct synchronization and indirect synchronization) and discusses when each is appropriate.
(11th Sept 2007)
|SNMP and Isode Servers
This white paper looks at the role of SNMP (Simple Network Management Protocol) in managing systems using Isode messaging and directory servers. It explains why SNMP support is provided, the sub-agent architecture used by Isode products, and approaches to deploying SNMP monitoring.
(29th May 2007)
|Web Interfaces to the Directory
Isode provides a number of Web UIs that interact with its M-Vault directory servers, in support of both messaging and directory deployments. Two new UIs have been added as a part of our R14 release. The first goal of this paper is to give a description of the Isode UIs, which have been driven by Isode's Internet messaging product set. The two new UIs are currently a part of Internet Messaging management, but will change to become general purpose directory UIs. A second goal of this paper is to solicit input from Isode directory customers as to requirements that may be addressed by these new products.
(20th April 2007)
Monitoring and Control of Systems using Isode Servers
Isode server products are deployed in a wide variety of situations, and usually there is a high service reliance placed on them. Isode’s approach to server design and management is that the products are building blocks, with maximum use of open standard protocols for interconnection. Management is almost entirely client/server. This combination of building block + client/server means that the approach to operational management needs to be considered as part of the overall system design. This paper explains the approach Isode has taken and the options provided, that can be used to build an operational system.
(1st March 2006)
Directory as part of a distributed directory
There are many situations that require large distributed directories using LDAP (Lightweight Directory Access Protocol) and/or X.500, such as Government, Military and Aviation. Organizations building these distributed directories will often be making use of Microsoft Active Directory (AD). AD provides a number of key functions in a Microsoft server network, which impact its use as part of a distributed directory. This paper explains these issues, and then looks at three different approaches to using AD in the context of a distributed directory.
(5th July 2005)
|Isode Management Architecture:
Client/Server and Directory
Isode's core business is messaging and directory servers. Isode products are designed for service oriented environments, such as ISPs, military, government and aviation. These are environments where there are stringent management requirements. This white paper sets out the approaches that Isode takes to address management requirements.
(21st Sept 2004)
|LDAP Version 3
This white paper, by Steve Kille (one of the LDAP authors), looks at LDAP v3 capabilities.
|The LDAP Standard Specification
In June 2006, 10 new LDAP RFCs were published (RFCs 4510-4519) to provide a new LDAPv3 (Lightweight Directory Access Protocol version 3) specification and to replace RFC 2251 and a number of related specifications. The primary goal of this paper is to guide those with some basic knowledge of LDAP quickly through all of these documents.
|LDAP and X.500
This article by Steve Kille, Published in Messaging Magazine, looks at LDAP and X.500 and their relationship.