Penetration Testing mailing list archives

Re: [PEN-TEST] NIS. An Alternative.


From: Max Vision <vision () WHITEHATS COM>
Date: Mon, 21 Aug 2000 19:19:00 -0700

You probably shouldn't make your infrastructure decisions based on
security problems in particular implementations.  Security holes are found
in most software - so unless there are fundamental design flaws you might
consider newer versions, versus ruling out the entire protocol.  Sun may
have NIS/NIS+ working perfectly now, I haven't looked.  IMHO,
configuration plays the largest role in proper directory services
security.

Another good option is LDAP, which seems to be gaining popularity
recently.  Solaris 8 also supports Native LDAP (nsswitch.ldap template).

http://www.openldap.org/

Several LDAP implementations have had serious security flaws as well,
although I don't think this should be a factor in choosing a protocol for
your directory services needs:
 Microsoft Exchange 5.5 (LDAP buffer overflow, found by ISS)
 Checkpoint Firewall-1 4.0 sp4 (LDAP ACLs didn't work, found by Olaf)
 Netscape Professional Services (LDAP ACLs again, found by lcamtuf)
 and numerous localhost holes...

I suppose my point is that even another good directory service (LDAP) has
a history of problems, and that although security is critical, perhaps
protocol infrastructure/design should be a more important consideration
in your selection.  Once you pick the right tool for the job, you can go
about securing it. :)

Max Vision
http://whitehats.com

On Mon, 21 Aug 2000, Jason Spencer wrote:
Due to the security implications created through using NIS (Network
Information Services) could anyone recommend any alternatives?

Thanks


