Bugtraq mailing list archives

Re: Replacement for NIS? (was Re: Obtaining NIS domainname from Gatorbox)


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Fri, 14 Apr 1995 14:58:38 -0400


I keep hearing people say this ["it's insecure"] about NIS.

> Have a firewall block the ports NIS is using

The trouble is, this changes from each boot to the next, and changes
from host to host.  When the daemon starts up, it picks a port randomly
(well, actually, the kernel picks it at the daemon's request) and
registers it with the portmapper.

The router thus would have to constantly do GETPORT queries to be sure
of blocking the correct port.  I don't know of any commercial router
box that can do this, and doubt one exists; if you're rolling your own
firewall on an OS you have source to, anything is possible.
Alternatively, you could have it do something like keep an open TCP
connection to every host (say, to the discard port) with keepalives on.
When a machine reboots, the keepalives will kill this connection and
the firewall will notice and realize it needs to redo the GETPORT query
for that machine.  Of course, it may not notice quite soon enough;
perhaps you should connect to the echo port, and write a byte and wait
for it to come back before forwarding a packet.

> and make sure the router is programmed not to allow NIS packets
> through an outside line.

The problem here is telling which packets are NIS packets.

> Then the questions come, what ports do I block?  On one setup, I
> already block the ports for sunrpc.  Is that enough?

Not if you mean just port 111, as was discussed here quite recently.
It's far too easy for the attacker to just fire queries at a couple of
thousand ports to find the one NIS is listening on.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
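The mechanics der Mouse describes, as an added Python example that is not code from this post or the thread: an RPC service sits on a kernel-chosen port and is registered with the portmapper, a GETPORT query recovers that port, an attacker who is denied port 111 simply sweeps a port range with a ypserv NULL call until something answers, and a filter that wants to recognise NIS traffic has to look at the program number in the RPC header rather than at the port. The message layout follows ONC RPC v2 (RFC 1057) with AUTH_NULL credentials. The "host" is a constructed stand-in (a dict mapping port to registered program number), and the port numbers and transaction IDs are made up; nothing here touches the network.

```python
import struct

# ONC RPC v2 constants (RFC 1057 / RFC 1831)
CALL, REPLY = 0, 1
RPC_VERSION = 2
MSG_ACCEPTED = 0
SUCCESS, PROG_UNAVAIL = 0, 1
AUTH_NULL = 0
IPPROTO_UDP = 17
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3

# Well-known NIS program numbers: a packet is "NIS" by this field, not by its port.
NIS_PROGRAMS = {100004: "ypserv", 100007: "ypbind", 100009: "yppasswdd"}


def rpc_call(xid, prog, vers, proc, params=b""):
    """Encode an RPC CALL with empty (AUTH_NULL) credentials and verifier."""
    header = struct.pack(">IIIIII", xid, CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack(">II", AUTH_NULL, 0)
    verf = struct.pack(">II", AUTH_NULL, 0)
    return header + cred + verf + params


def rpc_reply(xid, accept_stat, results=b""):
    """Encode an accepted REPLY carrying an AUTH_NULL verifier."""
    return struct.pack(">IIIIII", xid, REPLY, MSG_ACCEPTED, AUTH_NULL, 0, accept_stat) + results


def parse_call(data):
    """Return (xid, prog, vers, proc) for a well-formed RPC v2 CALL, else None."""
    if len(data) < 40:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", data[:24])
    if mtype != CALL or rpcvers != RPC_VERSION:
        return None
    return xid, prog, vers, proc


def parse_reply(data, xid):
    """Return (accept_stat, results) for an accepted reply matching xid, else None."""
    if len(data) < 24:
        return None
    rxid, mtype, stat, _vflavor, vlen = struct.unpack(">IIIII", data[:20])
    if rxid != xid or mtype != REPLY or stat != MSG_ACCEPTED:
        return None
    off = 20 + ((vlen + 3) & ~3)        # skip verifier body, XDR-padded to 4 bytes
    if len(data) < off + 4:
        return None
    return struct.unpack(">I", data[off:off + 4])[0], data[off + 4:]


def getport_query(xid, prog, vers, proto=IPPROTO_UDP):
    """Portmapper GETPORT: ask which port prog/vers is registered on."""
    args = struct.pack(">IIII", prog, vers, proto, 0)
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, args)


def classify_nis(payload):
    """What a program-number-aware filter does: name the NIS program in a CALL, or None."""
    parsed = parse_call(payload)
    return None if parsed is None else NIS_PROGRAMS.get(parsed[1])


# Constructed stand-in for one host: port -> registered RPC program (not a real capture).
FAKE_HOST = {111: PMAP_PROG, 812: 100004, 2049: 100003}


def fake_respond(port, packet):
    """Closed port: no answer.  Wrong program for that port: PROG_UNAVAIL.  Else SUCCESS."""
    parsed = parse_call(packet)
    if parsed is None or port not in FAKE_HOST:
        return None
    xid, prog, _vers, proc = parsed
    if prog != FAKE_HOST[port]:
        return rpc_reply(xid, PROG_UNAVAIL)
    if prog == PMAP_PROG and proc == PMAPPROC_GETPORT:
        want_prog = struct.unpack(">I", packet[40:44])[0]
        hits = [p for p, registered in FAKE_HOST.items() if registered == want_prog]
        return rpc_reply(xid, SUCCESS, struct.pack(">I", hits[0] if hits else 0))
    return rpc_reply(xid, SUCCESS)      # NULL procedure: empty result


def lookup_port(respond, prog, vers, xid=7):
    """The GETPORT exchange a firewall would have to keep redoing; 0 means unregistered."""
    parsed = parse_reply(respond(111, getport_query(xid, prog, vers)), xid)
    if parsed is None or parsed[0] != SUCCESS or len(parsed[1]) < 4:
        return None
    return struct.unpack(">I", parsed[1][:4])[0]


def find_nis_port(respond, ports, prog=100004, vers=2):
    """The attacker's route when 111 is blocked: sweep ports with a ypserv NULL call."""
    for i, port in enumerate(ports):
        xid = 0x1000 + i
        reply = respond(port, rpc_call(xid, prog, vers, 0))
        parsed = None if reply is None else parse_reply(reply, xid)
        if parsed is not None and parsed[0] == SUCCESS:
            return port
    return None


if __name__ == "__main__":
    print("portmapper says ypserv is on", lookup_port(fake_respond, 100004, 2))
    print("sweep without portmapper finds", find_nis_port(fake_respond, range(512, 1024)))
    print("NFS call classified as", classify_nis(rpc_call(1, 100003, 2, 0)))
    print("ypbind call classified as", classify_nis(rpc_call(2, 100007, 2, 0)))
```

Two things worth noticing: the sweep answers the "is blocking 111 enough?" question by construction, since the only port that matters is found by trying a few hundred of them; and the classifier shows the one thing a router would need to recognise NIS on an arbitrary port, namely reading the program number out of the RPC header of every UDP datagram, which is the part the post says commercial boxes of the day could not do.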


