Penetration Testing mailing list archives
Re: [PEN-TEST] NIS. An Alternative.
From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Tue, 22 Aug 2000 21:44:22 -0300
Max Vision wrote:
You probably shouldn't make your infrastructure decisions based on security problems in particular implementations. Security holes are found in most software - so unless there are fundamental design flaws you might consider newer versions, versus ruling out the entire protocol. Sun may have NIS/NIS+ working perfectly now, I haven't looked. IMHO, configuration plays the largest role in proper directory services security.
Well, there might be fundamental design decisions that impact the security, namely that the whole thing is based on RPC, which in itself has several design and implementation problems. It can be argued that NIS/NIS+ can make use of SecureRPC, but then other issues arise (key distribution and the mutual authentication DH scheme, etc.). Anyway, NIS+ is a HUGE amount of code, and as a general rule I would go for simpler things. OpenLDAP sounds like a good alternative, but I'm not sure it provides all the functionality that NIS+ does.
Another good option is LDAP, which seems to be gaining popularity recently. Solaris 8 also supports Native LDAP (nsswitch.ldap template).

http://www.openldap.org/

Several LDAP implementations have had serious security flaws as well, although I don't think this should be a factor in choosing a protocol for your directory services needs:

Microsoft Exchange 5.5 (LDAP buffer overflow, found by ISS)
Checkpoint Firewall-1 4.0 sp4 (LDAP ACLs didn't work, found by Olaf)
Netscape Professional Services (LDAP ACLs again, found by lcamtuf)
and numerous localhost holes...

I suppose my point is that even another good directory service (LDAP) has a history of problems, and that although security is critical, perhaps protocol infrastructure/design should be a more important consideration in your selection. Once you pick the right tool for the job, you can go about securing it. :)

Max Vision
http://whitehats.com

On Mon, 21 Aug 2000, Jason Spencer wrote:
Due to the security implications created through using NIS (Network Information Services) could anyone recommend any alternatives?

Thanks
--
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse."
- Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com