This is a discussion on How to secure LAN visiting with NIS within the Linux Security forums, part of the System Security and Security Related category.
Hello everyone,

I've set up one LAN with NIS account verification, and limit visit to switch ports with MAC address binding, but I think it is not so safe. If one person uses his laptop and sets the same MAC address as a working machine and then connects into the LAN and sets the domain and NIS server, he'll get all the visiting to the server and have a way to get data to his laptop, which is awful. Is there any way to avoid it? I don't know how to make NIS more secure; is there any way to set up a verification server to check the legality of the machine itself? Thanks for your help! Have a good day!

B.R. Joffre
On 12.06.2006, tech11 <tech11@sohu.com> wrote:
> I've set up one LAN with NIS account verification, and limit visit to
> switch ports with MAC address binding, but I think it is not so safe. If one
> person uses his laptop and sets the same MAC address as a working machine and
> then connects into the LAN and sets the domain and NIS server, he'll get all the
> visiting to the server and have a way to get data to his laptop, which is
> awful. Is there any way to avoid it? I don't know how to make NIS more
> secure; is there any way to set up a verification server to check the legality
> of the machine itself? Thanks for your help!

I did something similar some time ago. You can't authenticate machines with NIS only; you need some kind of tunneling which does that. But not all tunneling protocols fit here, since NIS uses the UDP protocol. You can use IPsec with X.509 certificates. Create a tunnel to the NIS server on each client and a road-warrior setup on the server, and accept only certificates from clients and the server (you may use a PKI infrastructure and create your own CA to issue certificates; this simplifies the task a bit).

--
Feel free to correct my English
Stanislaw Klekot
tech11 <tech11@sohu.com> wrote:
> I've set up one LAN with NIS account verification, and limit visit to
> switch ports with MAC address binding, but I think it is not so safe.

Doesn't sound too bad to me. Presumably NIS+ rather than NIS?

> If one person uses his laptop and sets the same MAC address as a working
> machine and then connects into the LAN and sets the domain and NIS server,
> he'll get all the visiting to the server and have a way to get data
> to his laptop, which is awful.

Don't trust MAC addresses implicitly. Instead, use them as part of your security blanket.

> Is there any way to avoid it?

Ssh with public/private certificates for encrypting simple traffic from client to server. Kerberos V5 for authenticating users, hosts, and services.

Chris
On 12.06.2006, Chris Davies <chris-usenet@roaima.co.uk> wrote:
> tech11 <tech11@sohu.com> wrote:
>> I've set up one LAN with NIS account verification, and limit visit to
>> switch ports with MAC address binding, but I think it is not so safe.
>
> Doesn't sound too bad to me. Presumably NIS+ rather than NIS?

Do you know _any_ NIS+ _server_ implementation working under Linux?

>> If one person uses his laptop and sets the same MAC address as a working
>> machine and then connects into the LAN and sets the domain and NIS server,
>> he'll get all the visiting to the server and have a way to get data
>> to his laptop, which is awful.
>
> Don't trust MAC addresses implicitly. Instead, use them as part of your
> security blanket.

Didn't tech11 say that he doesn't want to trust MAC addresses?

>> Is there any way to avoid it?
>
> Ssh with public/private certificates for encrypting simple traffic from
> client to server. Kerberos V5 for authenticating users, hosts, and
> services.

How would you forward UDP traffic over SSH? Except by setting up a VPN (recent versions of OpenSSH).

--
Feel free to correct my English
Stanislaw Klekot
tech11 <tech11@sohu.com> wrote:
T> I've set up one LAN with NIS account verification, and limit visit to
T> switch ports with MAC address binding, but I think it is not so safe.

On 12.06.2006, Chris Davies <chris-usenet@roaima.co.uk> wrote:
C> Doesn't sound too bad to me. Presumably NIS+ rather than NIS?

Stachu 'Dozzie' K. <dozzie@dynamit.im.pwr.wroc.pl.nospam> wrote:
S> Do you know _any_ NIS+ _server_ implementation working under Linux?

My domain knowledge of NIS is woefully limited (and I've never managed to get NIS+ working. At all.) Just because I don't know something exists doesn't mean it doesn't actually exist. Sometimes a pointer is all that's required.

C> Don't trust MAC addresses implicitly. Instead, use them as part of your
C> security blanket.

S> Didn't tech11 say that he doesn't want to trust MAC addresses?

Yes. I'm agreeing with the philosophy.

T> Is there any way to avoid it?

C> Ssh with public/private certificates for encrypting simple traffic from
C> client to server. Kerberos V5 for authenticating users, hosts, and
C> services.

> How would you forward UDP traffic over SSH? Except by setting up a VPN
> (recent versions of OpenSSH).

Sometimes people just want a "simple" solution. If you're wanting to handle not just TCP traffic but other stuff as well, then I would suggest OpenVPN as the "next most simple" solution.

Too often I see people trying to provide a complete answer to a question that was phrased badly, only to discover that the answer doesn't fit the actual (un-asked) question. I'm happy to be proven wrong with my assumptions, and I will happily amend those to refine my answer to fit the problem domain as it unfolds.

Regards,
Chris
"Stachu 'Dozzie' K." <dozzie@dynamit.im.pwr.wroc.pl.nospam> wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
> On 12.06.2006, tech11 <tech11@sohu.com> wrote:
>> I've set up one LAN with NIS account verification, and limit visit to
>> switch ports with MAC address binding, but I think it is not so safe. If one
>> person uses his laptop and sets the same MAC address as a working machine and
>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>> visiting to the server and have a way to get data to his laptop, which is
>> awful. Is there any way to avoid it? I don't know how to make NIS more
>> secure; is there any way to set up a verification server to check the legality
>> of the machine itself? Thanks for your help!
>
> I did something similar some time ago. You can't authenticate machines
> with NIS only; you need some kind of tunneling which does that. But not
> all tunneling protocols fit here, since NIS uses the UDP protocol. You can
> use IPsec with X.509 certificates. Create a tunnel to the NIS server on each
> client and a road-warrior setup on the server, and accept only certificates from
> clients and the server (you may use a PKI infrastructure and create your own
> CA to issue certificates; this simplifies the task a bit).
>
> --
> Feel free to correct my English
> Stanislaw Klekot

Thanks for your answers. May you give me more info? I'm one freshman and it seems hard to do for me. If I copy the certificate files to one new PC, will it visit my NIS server rightly?

Since my data server shares its directory with clients, I have no proper way to validate the right client machine to mount. If one person uses his laptop and mounts the shared data on the server, it's another failing. Do you have any good way to fill it? Thanks for your help! Have a good day!

B.R. Joffre
On 14.06.2006, tech11 <tech11@sohu.com> wrote:
> "Stachu 'Dozzie' K." <dozzie@dynamit.im.pwr.wroc.pl.nospam> wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
>> On 12.06.2006, tech11 <tech11@sohu.com> wrote:
>>> I've set up one LAN with NIS account verification, and limit visit to
>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>> person uses his laptop and sets the same MAC address as a working machine and
>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>> visiting to the server and have a way to get data to his laptop, which is
>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>> secure; is there any way to set up a verification server to check the legality
>>> of the machine itself? Thanks for your help!
>>
>> I did something similar some time ago. You can't authenticate machines
>> with NIS only; you need some kind of tunneling which does that. But not
>> all tunneling protocols fit here, since NIS uses the UDP protocol. You can
>> use IPsec with X.509 certificates. Create a tunnel to the NIS server on each
>> client and a road-warrior setup on the server, and accept only certificates from
>> clients and the server (you may use a PKI infrastructure and create your own
>> CA to issue certificates; this simplifies the task a bit).
>>
>> --
>> Feel free to correct my English
>> Stanislaw Klekot
>
> Thanks for your answers. May you give me more info? I'm one freshman and it
> seems hard to do for me. If I copy the certificate files to one new PC,
> will it visit my NIS server rightly?

You will need to _copy_ only the CA certificate (if you use PKI). For the new PC, you will need to _generate_ a new private key and issue a new certificate. Never copy a private key to a new machine!

> Since my data server shares its directory with clients, I have no proper way
> to validate the right client machine to mount. If one person uses his laptop
> and mounts the shared data on the server, it's another failing. Do you have
> any good way to fill it? Thanks for your help!

Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained NFS as well.

You will probably want to bind the portmapper and the NIS and NFS daemons to particular ports and filter out traffic coming from outside of the IPsec tunnel.

--
Feel free to correct my English
Stanislaw Klekot
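The two points Stanislaw makes in this reply and in his first one (accept an IPsec peer only when its X.509 certificate was issued by your own CA, and give each machine a freshly generated private key and certificate rather than copying files) can be tried out with a small private CA. The script below is an added example, not code from the thread or from any of the posters; it uses OpenSSL in a scratch directory, and the CA name, host names and CN values are made up. The last two functions show why a cloned MAC address or a self-signed certificate carrying a legitimate host's name gets a laptop nowhere: the peer is checked against the CA, not against the name it claims.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA for IPsec host
# certificates. Works in a scratch directory; all names are made up.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# The CA: one key pair and a self-signed certificate. Only ca.crt travels to
# the clients and the NIS/NFS server; ca.key never leaves the signing box.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=lan-ca" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Per host: a NEW private key (in real use generated on that host, never
# copied) and a CSR, which the CA signs. The CN carries the host name.
make_host_cert() {
    host=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$PKI_DIR/$host.key" -out "$PKI_DIR/$host.csr" 2>/dev/null
    openssl x509 -req -in "$PKI_DIR/$host.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -days 365 -out "$PKI_DIR/$host.crt" 2>/dev/null
}

# What a machine outside the PKI can produce on its own: a self-signed
# certificate that copies a legitimate host's CN, with no CA involvement.
make_selfsigned_cert() {
    host=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
        -keyout "$PKI_DIR/selfsigned-$host.key" \
        -out "$PKI_DIR/selfsigned-$host.crt" 2>/dev/null
}

# The check an IPsec peer performs on every negotiation: does the presented
# certificate chain to our CA? Exit status 0 = accepted, non-zero = rejected.
verify_host_cert() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# Subject CN of a certificate, the value an IPsec peer id would be matched on.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Walk-through when run directly: the CA-issued cert passes, the look-alike fails.
if [ "${1:-}" = "demo" ]; then
    make_ca
    make_host_cert ws01
    make_selfsigned_cert ws01
    verify_host_cert "$PKI_DIR/ws01.crt" && echo "ws01.crt: accepted, CN=$(cert_cn "$PKI_DIR/ws01.crt")"
    verify_host_cert "$PKI_DIR/selfsigned-ws01.crt" || echo "selfsigned-ws01.crt: rejected"
    echo "files in $PKI_DIR"
fi
```

Run it as `sh pki.sh demo`. In a real deployment each host would run the `openssl req -new` step itself and send only the CSR to the CA machine, so that no private key ever crosses the network; ca.crt is then the one file that is copied everywhere, exactly as the reply says.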
"Stachu 'Dozzie' K." <dozzie@dynamit.im.pwr.wroc.pl.nospam> wrote in message news:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl...
> On 14.06.2006, tech11 <tech11@sohu.com> wrote:
>> "Stachu 'Dozzie' K." <dozzie@dynamit.im.pwr.wroc.pl.nospam> wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
>>> On 12.06.2006, tech11 <tech11@sohu.com> wrote:
>>>> I've set up one LAN with NIS account verification, and limit visit to
>>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>>> person uses his laptop and sets the same MAC address as a working machine and
>>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>>> visiting to the server and have a way to get data to his laptop, which is
>>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>>> secure; is there any way to set up a verification server to check the legality
>>>> of the machine itself? Thanks for your help!
>>>
>>> I did something similar some time ago. You can't authenticate machines
>>> with NIS only; you need some kind of tunneling which does that. But not
>>> all tunneling protocols fit here, since NIS uses the UDP protocol. You can
>>> use IPsec with X.509 certificates. Create a tunnel to the NIS server on each
>>> client and a road-warrior setup on the server, and accept only certificates from
>>> clients and the server (you may use a PKI infrastructure and create your own
>>> CA to issue certificates; this simplifies the task a bit).
>>>
>>> --
>>> Feel free to correct my English
>>> Stanislaw Klekot
>>
>> Thanks for your answers. May you give me more info? I'm one freshman and it
>> seems hard to do for me. If I copy the certificate files to one new PC,
>> will it visit my NIS server rightly?
>
> You will need to _copy_ only the CA certificate (if you use PKI). For the
> new PC, you will need to _generate_ a new private key and issue a new
> certificate. Never copy a private key to a new machine!
>
>> Since my data server shares its directory with clients, I have no proper way
>> to validate the right client machine to mount. If one person uses his laptop
>> and mounts the shared data on the server, it's another failing. Do you have
>> any good way to fill it? Thanks for your help!
>
> Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
> NFS as well.

I don't think so. If one machine isn't authenticated and one man gets root permission, he'll round off the NIS server and mount the NFS filesystem, since there's no need to get a tunnel connecting between the NFS server and client machines.

> You will probably want to bind the portmapper and the NIS and NFS daemons to
> particular ports and filter out traffic coming from outside of the IPsec
> tunnel.
>
> --
> Feel free to correct my English
> Stanislaw Klekot

Well, it's one good solution but I don't think I'm able to finish it by myself just now, so I'll try to find one easier way to do it. Will one RADIUS server with 802.1x authentication do the same way?
On 14.06.2006, tech11 <tech11@sohu.com> wrote:
> "Stachu 'Dozzie' K." <dozzie@dynamit.im.pwr.wroc.pl.nospam> wrote in message news:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl...
>> On 14.06.2006, tech11 <tech11@sohu.com> wrote:
>>> "Stachu 'Dozzie' K." <dozzie@dynamit.im.pwr.wroc.pl.nospam> wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
>>>> On 12.06.2006, tech11 <tech11@sohu.com> wrote:
>>>>> I've set up one LAN with NIS account verification, and limit visit to
>>>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>>>> person uses his laptop and sets the same MAC address as a working machine and
>>>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>>>> visiting to the server and have a way to get data to his laptop, which is
>>>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>>>> secure; is there any way to set up a verification server to check the legality
>>>>> of the machine itself? Thanks for your help!
>>>>
>>>> I did something similar some time ago. You can't authenticate machines
>>>> with NIS only; you need some kind of tunneling which does that. But not
>>>> all tunneling protocols fit here, since NIS uses the UDP protocol. You can
>>>> use IPsec with X.509 certificates. Create a tunnel to the NIS server on each
>>>> client and a road-warrior setup on the server, and accept only certificates from
>>>> clients and the server (you may use a PKI infrastructure and create your own
>>>> CA to issue certificates; this simplifies the task a bit).
>>>>
>>>> --
>>>> Feel free to correct my English
>>>> Stanislaw Klekot
>>>
>>> Thanks for your answers. May you give me more info? I'm one freshman and it
>>> seems hard to do for me. If I copy the certificate files to one new PC,
>>> will it visit my NIS server rightly?
>>
>> You will need to _copy_ only the CA certificate (if you use PKI). For the
>> new PC, you will need to _generate_ a new private key and issue a new
>> certificate. Never copy a private key to a new machine!
>>
>>> Since my data server shares its directory with clients, I have no proper way
>>> to validate the right client machine to mount. If one person uses his laptop
>>> and mounts the shared data on the server, it's another failing. Do you have
>>> any good way to fill it? Thanks for your help!
>>
>> Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
>> NFS as well.
>
> I don't think so. If one machine isn't authenticated and one man gets
> root permission, he'll round off the NIS server and mount the NFS filesystem,
> since there's no need to get a tunnel connecting between the NFS server and
> client machines.

Eh? Are you saying that the setup that I _did_ and _tested_ for such anomalies contains such a hole, while you _didn't_ see this setup? Am I correct?

There _is_ a need to get a tunnel between the NFS server and client. The server setup doesn't allow clear-text connections (because of the firewall, but that's a different matter). If you don't set up the tunnel (and thus don't authenticate to the server), then you can't mount _anything_. If someone gets root on such a client, then he can do anything that this client can do, and the server can't distinguish traffic from a compromised and a clean client.

>> You will probably want to bind the portmapper and the NIS and NFS daemons to
>> particular ports and filter out traffic coming from outside of the IPsec
>> tunnel.
>>
>> --
>> Feel free to correct my English
>> Stanislaw Klekot
>
> Well, it's one good solution but I don't think I'm able to finish it by
> myself just now, so I'll try to find one easier way to do it. Will one RADIUS
> server with 802.1x authentication do the same way?

Nope, I think. You need to protect NIS and NFS traffic, both by authenticating the origin and encrypting the payload. RADIUS AFAIK doesn't provide these two.

--
Feel free to correct my English
Stanislaw Klekot
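The port-pinning and filtering step that Stanislaw recommends twice in this thread (bind the portmapper, ypserv and the NFS daemons to fixed ports, then accept those ports only from inside the IPsec tunnel) is what turns the tunnel into a machine-authentication check for NIS and NFS, and it is also the concrete reason behind his last answer: 802.1X with RADIUS decides whether a port joins the LAN, but it neither authenticates nor encrypts the NIS/NFS packets that follow. The script below is an added example, not from the thread or any poster. It only prints an iptables rule set using the `policy` match (it does not load anything); the port numbers are assumptions, and the daemons have to be started with matching fixed-port options (check the ypserv, rpc.mountd and rpc.statd man pages for your distribution). A small evaluator walks the generated rules so the policy can be sanity-checked before it touches a live box.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules that accept the
# RPC ports only for packets that arrived through an IPsec SA (the "policy"
# match) and includes a tiny rule walker for checking the result offline.
# Port numbers are assumptions for illustration.
set -eu

PORTMAP_PORT=111      # rpcbind/portmap
YPSERV_PORT=834       # ypserv started on a fixed port (ypserv -p, assumed)
MOUNTD_PORT=892       # rpc.mountd -p (assumed)
STATD_PORT=662        # rpc.statd -p (assumed)
NFS_PORT=2049         # nfsd, fixed by default

RPC_PORTS="$PORTMAP_PORT $YPSERV_PORT $MOUNTD_PORT $STATD_PORT $NFS_PORT"

# Rules for the INPUT chain. IKE (UDP 500/4500) and ESP itself must be
# reachable in the clear so the tunnel can be negotiated; each RPC port gets
# an ACCEPT that applies only to decapsulated IPsec traffic, followed by an
# explicit DROP so a clear-text copy of the same request never reaches the
# daemon even if someone later appends a broad ACCEPT.
gen_rules() {
    echo "-P INPUT DROP"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -p udp --dport 500 -j ACCEPT"
    echo "-A INPUT -p udp --dport 4500 -j ACCEPT"
    echo "-A INPUT -p esp -j ACCEPT"
    for port in $RPC_PORTS; do
        for proto in tcp udp; do
            echo "-A INPUT -p $proto --dport $port -m policy --dir in --pol ipsec -j ACCEPT"
            echo "-A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Walk the emitted rules for a packet described as PROTO PORT ipsec|clear and
# print the verdict. Mirrors first-match semantics with the chain policy as
# the fallback.
decide() {
    proto=$1; port=$2; via=$3
    verdict=$(gen_rules | while read -r rule; do
        case "$rule" in
            *"-p $proto --dport $port -m policy "*)
                if [ "$via" = ipsec ]; then echo ACCEPT; break; fi ;;
            *"-p $proto --dport $port -j DROP"*)
                echo DROP; break ;;
        esac
    done)
    echo "${verdict:-DROP}"
}

# "sh rules.sh show" prints the rules; load them on the server (as root) with
#   sh rules.sh show | sed 's/^/iptables /' | sh
if [ "${1:-}" = "show" ]; then
    gen_rules
fi
```

With this in place a laptop that clones a workstation's MAC address and points `ypbind` at the server gets nothing back: its ypserv and mountd requests arrive outside any IPsec SA and hit the DROP rules, while the same requests from a host holding a CA-issued certificate are decapsulated first and pass the `policy` match. The same chain also makes the "root on a client" case in the reply above precise: the server sees only traffic from authenticated tunnels, so a compromised but enrolled client can do exactly what that client is allowed to do, and nothing more.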