Penetration Testing mailing list archives

Re: [PEN-TEST] NIS. An Alternative.


From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Tue, 22 Aug 2000 21:44:22 -0300

Max Vision wrote:

You probably shouldn't make your infrastructure decisions based on
security problems in particular implementations.  Security holes are found
in most software - so unless there are fundamental design flaws you might
consider newer versions, versus ruling out the entire protocol.  Sun may
have NIS/NIS+ working perfectly now, I haven't looked.  IMHO,
configuration plays the largest role in proper directory services
security.

Well, there might be fundamental design decisions that impact on the
security. Namely that the whole thing is based on RPC which in itself
has several design and implementation problems.
It can be argued that NIS/NIS+ can make use of SecureRPC but then other
issues arise (key distribution and the mutual authentication DH scheme,
etc.)
Anyway, NIS+ is a HUGE amount of code and as a general rule I would
go for simpler things.
OpenLDAP sounds like a good alternative but I'm not sure it provides
all the functionality that NIS+ does.



Another good option is LDAP, which seems to be gaining popularity
recently.  Solaris 8 also supports Native LDAP (nsswitch.ldap template).

http://www.openldap.org/

Several LDAP implementations have had serious security flaws as well,
although I don't think this should be a factor in choosing a protocol for
your directory services needs:
 Microsoft Exchange 5.5 (LDAP buffer overflow, found by ISS)
 Checkpoint Firewall-1 4.0 sp4 (LDAP ACLs didn't work, found by Olaf)
 Netscape Professional Services (LDAP ACLs again, found by lcamtuf)
 and numerous localhost holes...

I suppose my point is that even another good directory service (LDAP) has
a history of problems, and that although security is critical, perhaps
protocol infrastructure/design should be a more important consideration
in your selection.  Once you pick the right tool for the job, you can go
about securing it. :)

Max Vision
http://whitehats.com

On Mon, 21 Aug 2000, Jason Spencer wrote:
Due to the security implications created through using NIS (Network
Information Services) could anyone recommend any alternatives ?

Thanks


--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com

