Re: [Freeipa-users] IPA over the Internet - Security Implications
On 08/17/2012 07:02 AM, Michael Mercier wrote: Hi, Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that kerberos was designed for untrusted networks, just how untrusted can they be? Thanks, Mike On 16-Aug-12, at 9:43 PM, Steven Jones wrote: Hi, I would assume you could do a point to point tunnel between each and do the authentication via that. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Michael Mercier [mmerc...@gmail.com] Sent: Friday, 17 August 2012 1:14 p.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] IPA over the Internet - Security Implications Hello, I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site. ipaclient (siteA) <-- internet --> ipaserver (siteB) Is there an IPA document that describes this situation? Thanks, Mike Don't overlook DOS/DDOS type attacks against these servers. While it may not penetrate the encryption, they could limit your options for fixing the problem remotely, or even locally. I'm not aware of/if/how well these services are validated against DOS-type attacks. However, even if they are somewhat hardened, simple things like massive ping-floods could easily overload the networking stack. Further, all of these services are heavily dependent on DNS. I'd worry about this just as much as KDC/LDAP, for simple availability problems (whatever the attack vector). This could easily bottle up all other traffic, and the short client-side timeouts (6-seconds) aren't helping. Again thinking beyond just the encrypted traffic, the server processes are also exposed with whatever unknown flaws they have. While they're certainly tighter than the average app., I'd pay particular attention to keeping them updated, 0-day if possible. This again can impact availability, for example in the case of unknown and unrelated regressions in the updates themselves. -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA over the Internet - Security Implications
On 08/16/2012 09:14 PM, Michael Mercier wrote: Hello, I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site. ipaclient (siteA) <-- internet --> ipaserver (siteB) Is there an IPA document that describes this situation? I'm not aware of any such document but IPA was designed to be secure in multiple ways including traffic on open networks. All network traffic that is sensitive is tunneled in some fashion, usually either by the kerberos protocol or the SSL/TLS protocols. IPA also makes sure strong encryption is utilized for those tunnels. Strong authentication is also required at the endpoints of those tunnels. It really wouldn't make much sense to design an authentication and security manager that itself wasn't secure :-) -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA over the Internet - Security Implications
- Original Message - > Hi, > > Let us assume just the two systems directly connected to the > internet. I am specifically interested in what the security > implications would be, not ways to get around them (e.g. point-to- > point tunnel). I have read that kerberos was designed for untrusted > networks, just how untrusted can they be? I would say that it reallyt depends on your threat model. With recent versions of FreeIPa we disable by default using DES keys which were certainly not really secure anymore, given you can easily break DES encryption in a short enough period and without the need for expensive hardware these days. AES and RC4 which are the common ones used and even 3DES should be robust enough to allow to operate in safety, even if traffic is captured and rute force attacked, for the ticket validity period. We also always enabled by default required preauthentication for all principals, which avoid attacks against TGT packets. What you may want to do however is harden the LDAP server configuration a bit. You probably want to prevent anonymous connections and also make sure all connections always are encrypted by setting the right minssf limits. You need also to decide if you want to expose admin interfaces (kadmin, http) over the internet or only krb5/ldap. Simo. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA over the Internet - Security Implications
Hi, Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to- point tunnel). I have read that kerberos was designed for untrusted networks, just how untrusted can they be? Thanks, Mike On 16-Aug-12, at 9:43 PM, Steven Jones wrote: Hi, I would assume you could do a point to point tunnel between each and do the authentication via that. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com ] on behalf of Michael Mercier [mmerc...@gmail.com] Sent: Friday, 17 August 2012 1:14 p.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] IPA over the Internet - Security Implications Hello, I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site. ipaclient (siteA) <-- internet --> ipaserver (siteB) Is there an IPA document that describes this situation? Thanks, Mike ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA over the Internet - Security Implications
Hi, I would assume you could do a point to point tunnel between each and do the authentication via that. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Michael Mercier [mmerc...@gmail.com] Sent: Friday, 17 August 2012 1:14 p.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] IPA over the Internet - Security Implications Hello, I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site. ipaclient (siteA) <-- internet --> ipaserver (siteB) Is there an IPA document that describes this situation? Thanks, Mike ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] IPA over the Internet - Security Implications
Hello, I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site. ipaclient (siteA) <-- internet --> ipaserver (siteB) Is there an IPA document that describes this situation? Thanks, Mike ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users