On Mon, 17 Dec 2001, Carol Smith wrote:

> Does anyone use NIS+ to go across a firewall to the dmz? If yes (or no)
> what issues should I be concerned with?

I vote no: As a general rule of thumb, I recommend against sharing authentication credentials over a trust boundary. If a server gets compromised (and generally systems in a DMZ are at higher risk to compromise) and you're using the same credentials for internal services, VPN access, etc., then your authentication realm is compromised.

Secondly, if a compromise in the DMZ works, it's possible to go from outside in if the NIS server has a bug -- generally I like my firewall->DMZ traffic to be outbound. A config oops on NIS+ to enable NIS compat mode will make your encrypted password file obtainable externally -- that can't be a good thing. Password guessing and rpcbind worms aside, it just feels wrong.

[I have only played with NIS once, and it was a while ago, so I'm going to make some assumptions -- feel free to level-set them.]

Portmapper is probably the #1 vector into Solaris boxen; are you sure you want to let traffic from your DMZ into that port on your auth. server? Letting the higher ports in seems to add to the potential damage. I suppose /bin/login issues are also a factor.

Is there a particular reason you want the DMZ machines to be part of the domain? IMO NIS+ is too complex a beast to let inside from outside, and the trust boundary issues are potentially bad.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
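The rule of thumb in the reply above (DMZ traffic should not initiate into the internal zone, and least of all to portmapper or to the NIS+ server) can be checked mechanically against a firewall policy. The following is an added example, not code from the mailing-list post; the rule format, zone ranges, and the NIS+ server address are all constructed for illustration.

```python
"""Audit a simple firewall policy for DMZ -> internal allows, the pattern the
post argues against. The zones, addresses and rule format are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network, ip_address
from typing import List, Optional

# Constructed zones (assumption: RFC 1918 ranges chosen only for illustration).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.168.100.0/24"),
}
SUNRPC_PORT = 111                          # portmapper / rpcbind, the vector the post names
NISPLUS_SERVER = ip_address("10.0.0.5")    # constructed address of the auth server

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # None means any destination port

def zone_of(cidr: str) -> Optional[str]:
    """Map a CIDR to the zone that contains it, or None if it is in neither."""
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None

def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that lets the DMZ initiate into the internal zone."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or zone_of(r.src) != "dmz" or zone_of(r.dst) != "internal":
            continue                               # outbound-only and deny rules are fine
        why = "inbound DMZ->internal allow"
        if r.dport == SUNRPC_PORT:
            why = "exposes portmapper (sunrpc/111) to the DMZ"
        elif r.dport is None:
            why = "exposes all ports (incl. high RPC ports) to the DMZ"
        if NISPLUS_SERVER in ip_network(r.dst):
            why += "; destination includes the NIS+ server"
        findings.append(f"rule {i}: {why}")
    return findings

# Constructed sample policy: one sane outbound rule, two the post warns about, one deny.
SAMPLE = [
    Rule("allow", "10.0.0.0/8", "192.168.100.0/24", "tcp", 443),
    Rule("allow", "192.168.100.0/24", "10.0.0.5/32", "udp", 111),
    Rule("allow", "192.168.100.0/24", "10.0.0.5/32", "any", None),
    Rule("deny", "192.168.100.0/24", "10.0.0.0/8", "any", None),
]
```

Running `audit(SAMPLE)` flags only the two DMZ-to-internal allows, naming the portmapper exposure and the all-ports exposure of the NIS+ server.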
