Manualshelf

User guide

ManualsBrandsRed Hat ManualsComputer equipmentNETSCAPE ENTERPRISE SERVER 6.0 - PROGRAMMER GUIDE TO SERVLETS
51525354555657585960
Interstage Single Sign-on
1-29
Possible Threats
This section explains the possible threats when using Interstage Single Sign-on.
Deleting, Rewriting, and Exposing Server Resources
The repository server, authentication server, and business server contain important files to control the
programs. The files include the authentication infrastructure setup file and business system setup file
required for setting up each server, and the configuration file and service ID file created after setting up
the servers. The possible threats to these resources are as follows:
Deletion of resources, which disables system configuration and operation.
Rewriting of resources, which causes results not intended by the administrator (e.g., disabled
authentication or authorization).
Exposure of resources, which causes user spoofing or system takeover.
Rewriting and Exposure of Communication Contents
Important data items (e.g., user name, password, and authentication or authorization control
information) are exchanged between the servers or between a Web browser (client) and a server. If
these data items are rewritten, authentication or authorization may be controlled incorrectly.
Interception of such data involves the risk of password leakage or spoofing.
Communication contents could be leaked by network interceptors, or by someone tapping into the
information on the proxy server log or business server access log along the communication route.
User Spoofing
Interstage Single Sign-on verifies users with one or both of two authentication methods: certificate
authentication and password authentication using the user name and password.
Certificate authentication requires a security key paired with the certificate. Leakage of this key may
cause spoofing. Similarly, password authentication requires the user name and password, leakage of
which may cause spoofing. It is particularly dangerous to use a simple password because it can be
guessed and tried by others relatively easily. The attacker may use a special program to make a
dictionary or use the brute force attack method to decode.
Authentication Server Spoofing
In password authentication, the authentication server asks the user to provide the user name and
password. In practical terms, the Web browser prompts the user to enter the user name and password
in the dialog box. The authentication request is usually issued when the user accesses the business
server via a Web browser.
However, it is difficult to confirm that the Web browser requesting the user name and password is
representing the proper authentication server. It is possible that an attacker posing as the
authentication server could trick users into entering their names and passwords. Users could
unknowingly give out their user names and passwords to a server prepared by the attacker.
DoS Attack
In a denial of services (DoS) attack, the attacker generates a large amount of accesses to the system to
create heavier loads for the server. This leads to slower response resulting in deterioration of the
service quality, or excludes regular users from using the services.