Thank you for your reply. We were looking to use NIS+ in the DMZ for user/password/group admin consolidation. Root is not going to be under NIS+.

I was also looking into definitive information about the way RPC services grab a port and the implications for a firewall.

>From: Paul Robertson <[EMAIL PROTECTED]>
>To: Carol Smith <[EMAIL PROTECTED]>
>CC: <[EMAIL PROTECTED]>
>Subject: Re: NIS+ across a firewall (Unix servers)
>Date: Mon, 17 Dec 2001 22:25:23 -0500 (EST)
>
>On Mon, 17 Dec 2001, Carol Smith wrote:
>
>> Does anyone use NIS+ to go across a firewall to the DMZ? If yes (or no)
>> what issues should I be concerned with?
>
>I vote no:
>
>As a general rule of thumb, I recommend against sharing authentication
>credentials over a trust boundary. If a server gets compromised (and
>generally systems in a DMZ are at higher risk to compromise) and
>you're using the same credentials for internal services, VPN access, etc.
>then your authentication realm is compromised. Secondly, if a compromise
>in the DMZ works, it's possible to go from outside in if the NIS server
>has a bug-- generally I like my firewall->DMZ traffic to be outbound.
>
>A config oops on NIS+ to enable NIS compat mode will make your
>encrypted password file obtainable externally- that can't be a good thing.
>
>Password guessing and rpcbind worms aside, it just feels wrong.
>
>[I have only played with NIS once, and it was a while ago, so I'm going to
>make some assumptions- feel free to level-set them.]
>
>Portmapper is probably the #1 vector into Solaris boxen, are you sure you
>want to let traffic from your DMZ into that port in to your auth. server?
>Letting the higher ports in seems to add to the potential damage.
>
>I suppose /bin/login issues are also a factor.
>
>Is there a particular reason you want the DMZ machines to be part of the
>domain?
>
>IMO NIS+ is too complex a beast to let inside from outside, and the trust
>boundary issues are potentially bad.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson      "My statements in this message are personal opinions
>[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
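The open question in this thread is how RPC services end up on their ports and what that means for a firewall. The mechanism is that a service registers its program number with the portmapper (port 111) and is handed whatever port it bound to, so the port is fixed only for the portmapper itself and can change every time a service restarts. The following is an added example, not code from the thread or from any of the people posting in it: it parses the output format of `rpcinfo -p` (the sample text below is constructed; the program numbers for rpcbind, ypserv and nisd are the well-known assignments, the non-111 port numbers are made up) and shows which services sit on the fixed port and which sit on ports a static firewall rule could not pin down.

```python
"""Inventory which RPC services hold which ports, from `rpcinfo -p` output.

Added example for the NIS+/firewall discussion; not code from the thread.
The point it makes: only the portmapper has a stable port (111); every
other registered service is on a port assigned at registration time, so
a firewall rule written for today's ports is stale after the next restart.
"""
from collections import defaultdict
import re

PORTMAPPER_PORT = 111

# Constructed sample in the shape of `rpcinfo -p` output. Program numbers
# 100000 (rpcbind/portmapper), 100004 (ypserv) and 100300 (nisd) are the
# well-known assignments; the ports other than 111 are invented.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100004    2   tcp  32771  ypserv
    100004    2   udp  32772  ypserv
    100300    3   tcp  32773  nisd
    100300    3   udp  32774  nisd
"""

# One registration line: program, version, proto, port, optional service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, service) tuples.

    Header and blank lines do not match the regex and are skipped. A
    registration with no service name is reported under its program number.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, svc = m.groups()
        entries.append((int(prog), int(vers), proto, int(port), svc or prog))
    return entries


def ephemeral_ports(entries):
    """Map each service to the set of (proto, port) pairs it holds off port 111.

    These are the ports a firewall would have to open in addition to the
    portmapper, and the ones that move when the service restarts.
    """
    out = defaultdict(set)
    for _prog, _vers, proto, port, svc in entries:
        if port != PORTMAPPER_PORT:
            out[svc].add((proto, port))
    return dict(out)


def firewall_rule_plan(entries):
    """Sorted (proto, port) pairs a static filter would need open right now
    to reach every registered service. Re-run after a restart and compare:
    any difference is a port the old rule set no longer covers."""
    return sorted({(proto, port) for _p, _v, proto, port, _s in entries})


if __name__ == "__main__":
    ents = parse_rpcinfo(SAMPLE_RPCINFO)
    for svc, ports in sorted(ephemeral_ports(ents).items()):
        print(f"{svc}: {sorted(ports)}")
    print("ports a static rule would need today:", firewall_rule_plan(ents))
```

Run against real `rpcinfo -p <host>` output on the NIS+ server itself, this gives the list of high ports that would have to be allowed inbound from the DMZ in addition to 111, which is the "letting the higher ports in" exposure raised in the reply above.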
