On 08/17/2012 07:02 AM, Michael Mercier wrote:

Let us assume just the two systems directly connected to the internet. I
am specifically interested in what the security implications would be,
not ways to get around them (e.g. a point-to-point tunnel). I have read
that Kerberos was designed for untrusted networks; just how untrusted
can they be?


On 16-Aug-12, at 9:43 PM, Steven Jones wrote:


I would assume you could do a point-to-point tunnel between each and
do the authentication via that.


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com] on behalf of Michael Mercier
Sent: Friday, 17 August 2012 1:14 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA over the Internet - Security Implications


I was wondering what the security implications would be of setting up a
server to be a freeipa client at one site and having it join a freeipa
system over the internet at another site.

ipaclient (siteA) <-- internet --> ipaserver (siteB)

Is there an IPA document that describes this situation?


Don't overlook DoS/DDoS-type attacks against these servers. While they may not penetrate the encryption, they could limit your options for fixing the problem remotely, or even locally. I'm not aware of whether, or how well, these services are validated against DoS-type attacks. However, even if they are somewhat hardened, simple things like massive ping floods could easily overload the networking stack.

Further, all of these services are heavily dependent on DNS. I'd worry about this just as much as about the KDC/LDAP, for simple availability problems (whatever the attack vector). This could easily bottle up all other traffic, and the short client-side timeouts (6 seconds) aren't helping.

Again, thinking beyond just the encrypted traffic, the server processes are also exposed with whatever unknown flaws they have. While they're certainly tighter than the average app, I'd pay particular attention to keeping them updated, 0-day if possible. This again can impact availability, for example in the case of unknown and unrelated regressions in the updates themselves.

Quality Assurance Engineer
e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214
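As an added illustration (not code from the thread or from FreeIPA), a stdlib-only Python probe an admin at siteA could run to see whether the server's ports at siteB still answer inside the 6-second client-side timeout quoted above; the port list is the assumed IPA defaults, and the loopback listener is a constructed stand-in so the probe can be exercised offline.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Client-side timeout quoted in the thread: a probe slower than this means
# real clients would already be failing, not merely slow.
CLIENT_TIMEOUT_S = 6.0

# Assumed default TCP ports an IPA client depends on (not taken from the thread).
IPA_TCP_PORTS = {"kerberos": 88, "kpasswd": 464, "ldap": 389,
                 "ldaps": 636, "https": 443, "dns": 53}


@dataclass
class ProbeResult:
    name: str
    reachable: bool
    latency_s: float
    error: str = ""

    def within_budget(self, budget_s: float = CLIENT_TIMEOUT_S) -> bool:
        return self.reachable and self.latency_s < budget_s


def probe_tcp(name, host, port, timeout_s=CLIENT_TIMEOUT_S):
    """Time one TCP connect; never raises, so a flood or outage shows up as data."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return ProbeResult(name, True, time.monotonic() - start)
    except OSError as exc:
        return ProbeResult(name, False, time.monotonic() - start, str(exc))


def probe_ipa_services(host, timeout_s=CLIENT_TIMEOUT_S):
    """Probe every assumed IPA port; returns {name: ProbeResult}."""
    return {n: probe_tcp(n, host, p, timeout_s) for n, p in IPA_TCP_PORTS.items()}


def over_budget(results, budget_s=CLIENT_TIMEOUT_S):
    """Names of services that would already be timing out for clients."""
    return sorted(n for n, r in results.items() if not r.within_budget(budget_s))


def start_local_listener():
    """Constructed stand-in for a reachable service: loopback TCP listener."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                srv.accept()[0].close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_port():
    """A loopback port that is not listening, to simulate an unreachable KDC."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run `over_budget(probe_ipa_services("ipa.example.test"))` from a cron job at siteA and alert on a non-empty list; an empty list means every dependency answered inside the client budget.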

Freeipa-users mailing list