Hello,

while wondering about design for 'external DNS integration' feature I have
realized that I did not see any explicit threat model for FreeIPA.

Do we have any? IMHO it would be handy to have it somewhere on wiki so it
could be used as 'checklist' while developing design documents for security
reviews.


Threat model
============
IMHO our assumed attacker should have these powers:
1) Do an active man-in-the-middle attack on the network:
- All network communication can be monitored and altered by the attacker.
- This includes client<->FreeIPA server communication,
- and also server<->server communication.

2) Compromise a normal user account:
I think that in large networks the probability of a successful attack against
at least one user account is almost 1.
So, we should assume that at least one user account was compromised. I.e. our
attacker knows the user's password or has the equivalent of a keytab.

3) Compromise a client machine:
Again, I think that in large networks the probability of a successful attack
against at least one machine is almost 1.
So, we should assume that at least one machine account was compromised. I.e.
our attacker has the equivalent of the machine keytab and the keytabs for
services running on it.

What did I miss? Maybe we should explicitly say how replica files and other
'secrets' (DM password ...) should be handled. It would help with the
discussion about automated FreeIPA deployment too.


Also, we should explicitly say that the FreeIPA server itself and its LDAP
database are the key to everything. If the FreeIPA server and its LDAP
database are compromised, then the game is over: the attacker has access to
everything.


Abuse cases
===========
IMHO security-sensitive design documents (e.g. automated FreeIPA deployment,
sub-CAs, Vault, external DNS integration) should explicitly walk through the
threat model and state what is going to happen if the FreeIPA infrastructure
is under the attack we assume.

E.g. for external DNS integration with symmetric TSIG keys:

Proposal in design document:
- TSIG keys are distributed to all FreeIPA clients using LDAP & GSSAPI and
thus are accessible using any host/client.example.com credentials.

Design assessment with the threat model in mind:
-> A MitM attack will not reveal anything because we trust GSSAPI.
-> A user account compromise will not reveal anything because the user doesn't
have access to the TSIG keys.
-> A single compromised client will reveal the TSIG keys to the attacker, so
authentication to the external DNS will be completely compromised. This will
allow the attacker to modify any records in the external DNS.

This could have very serious consequences if DNSSEC is in place, so clients
can fully trust the records and use them for e.g. TLS validation.
--> This could be a reason to re-think the design and remove this weak point.


What do you think?

-- 
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
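The TSIG abuse case discussed in the message above, as an added worked example. This is not code from the original post or from the FreeIPA project; it is a standard-library-only toy implementation of TSIG (RFC 2845, HMAC-SHA256 per RFC 4635) over a minimal RFC 2136 UPDATE message. The key name "external-dns-key.", the zone example.com, the 192.0.2.0/24 addresses and the 32-byte secret are all constructed for the example, and the parser assumes uncompressed DNS names. The point it demonstrates is the one raised in the thread: TSIG is symmetric, so once one client's copy of the key is stolen, the external DNS server verifies the attacker's forged update exactly as it verifies the legitimate one.

```python
"""Toy TSIG signer/verifier for DNS UPDATE messages (added example, standard library only).
Assumptions: hmac-sha256 (RFC 4635), uncompressed names, one shared key for all clients."""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY = 250, 255
TSIG_ALG = "hmac-sha256."      # RFC 4635 algorithm identifier, written as a DNS name


def encode_name(name):
    """Uncompressed wire-format DNS name: length-prefixed labels plus root terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the name that starts at `off`."""
    while buf[off] != 0:
        if buf[off] >= 0xC0:        # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + buf[off]
    return off + 1


def build_update(msg_id, zone, owner, ipv4, ttl=300):
    """Minimal RFC 2136 UPDATE adding one A record to `zone` (no prerequisites)."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # opcode 5 = UPDATE
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)         # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_sec = encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_sec + update_sec


def tsig_variables(keyname_wire, ts, fudge, error=0, other=b""):
    """'TSIG variables' appended to the message before MAC computation (RFC 2845 3.4.2)."""
    return (keyname_wire + struct.pack("!HI", CLASS_ANY, 0) + encode_name(TSIG_ALG)
            + struct.pack("!HIHHH", ts >> 32, ts & 0xFFFFFFFF, fudge, error, len(other)) + other)


def tsig_sign(message, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR to `message`, authenticating it under the symmetric `secret`."""
    kw = encode_name(keyname)
    mac = hmac.new(secret, message + tsig_variables(kw, time_signed, fudge), hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + message[0:2] + struct.pack("!HH", 0, 0))
    tsig_rr = kw + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, secret, now):
    """Server side: find the trailing TSIG RR, rebuild the unsigned message, recompute the MAC."""
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    off, start = 12, None
    for _ in range(zo):                       # zone section entries: name, type, class
        off = skip_name(signed, off) + 4
    for _ in range(pr + up + ad):             # RRs: name, type, class, ttl, rdlen, rdata
        start = off
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    if start is None or off != len(signed):   # TSIG must be the last RR of the message
        return False
    name_end = skip_name(signed, start)
    rtype = struct.unpack("!H", signed[name_end:name_end + 2])[0]
    rd = name_end + 10
    alg_end = skip_name(signed, rd)
    if rtype != TSIG_TYPE or signed[rd:alg_end] != encode_name(TSIG_ALG):
        return False
    ts_hi, ts_lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_len]
    p = alg_end + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    ts = (ts_hi << 32) | ts_lo
    if abs(now - ts) > fudge:                 # replay window: reject stale signatures
        return False
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ad - 1) + signed[12:start]
    expected = hmac.new(secret, unsigned + tsig_variables(signed[start:name_end], ts, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    """One key shared by every client: the server accepts the attacker's update too. Constructed data."""
    shared_key = b"\x01" * 32                 # constructed secret, as distributed to all clients
    t = 1_700_000_000
    legit = tsig_sign(build_update(0x1234, "example.com.", "host1.example.com.", "192.0.2.10"),
                      "external-dns-key.", shared_key, t)
    # attacker holds the same key, taken from one compromised client, and forges a new record
    forged = tsig_sign(build_update(0x4242, "example.com.", "www.example.com.", "192.0.2.66"),
                       "external-dns-key.", shared_key, t)
    return {"legit": tsig_verify(legit, shared_key, t + 10),
            "forged": tsig_verify(forged, shared_key, t + 10),      # indistinguishable from legit
            "wrong_key": tsig_verify(forged, b"\x02" * 32, t + 10),
            "stale": tsig_verify(forged, shared_key, t + 3600)}


if __name__ == "__main__":
    print(demo())
```

The verifier does exactly what a real DNS server does with a TSIG-signed UPDATE: it needs only the shared secret, so it has no way to learn which holder of the key produced the message. The consequence for the design is the one stated in the thread: the secret must not be reachable from a single client's credentials, or each client needs its own key so that one compromise can be revoked without re-keying everyone.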