On Tue, 18 Dec 2001, Carol Smith wrote:

> Thank you for your reply. We were looking to use NIS+ in the dmz for
> user/password/group admin consolidation. Root is not going to be under NIS+.

If you really have to go there, I'd recommend either ssh with pre-shared keys, or RADIUS.

> I was also looking into definitive information about the way rpc services
> grab a port and the implications for a firewall.

Most firewalls don't understand RPC services, so you're left with opening up a range of ports (for Solaris in the 32nnn range) as well as rpcbind. The rpc program will grab an ephemeral port (which on Solaris will be predictable if the machine config doesn't change and Sun never changes the algorithm), then registers its name and port with rpcbind/portmapper. Anything client-wise queries rpcbind, gets the port information and then opens the connection.

If your firewall understood RPC, then it could dynamically open the ephemeral port associated with the service and let that traffic happen; if it really understood it, it could make sure that only one service was allowed. Possibly someone could do that with INSPECT on FW-1, and Sidewinder used to advertise an RPC proxy service, but even then the risk is bad. You'd still need to leave rpcbind open to the DMZ, and that's a huge hole. If you leave high ports open, then you're allowing DMZ servers to access basically *any* RPC service on the NIS master.

The only two ways to expose your NIS server to more risk are (a) to pipe anything to it via the firewall, or (b) to move it to the DMZ. A firewall's protection mechanism is based on what it blocks; allowing historically compromised services from the outside in negates the value of the firewall.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
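The rpcbind lookup Paul describes (client asks the portmapper on port 111 which ephemeral port a program registered, then connects there) is concrete enough to show on the wire. The following is an added example, not code from the original post or from any Sun tool: it encodes an ONC RPC v2 PMAPPROC_GETPORT call with AUTH_NONE, and decodes the reply. The program number 100004 for ypserv comes from the standard rpc program assignments; the sample reply bytes are constructed here to mimic an rpcbind answering "ypserv/2 over TCP is on port 32771", and are not captured traffic.

```python
import os
import socket
import struct

# ONC RPC v2 / portmapper constants (RFC 5531, RFC 1833).
PMAP_PROG = 100000          # rpcbind / portmapper program number
PMAP_VERS = 2
PMAPPROC_GETPORT = 3
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NONE = 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17
YPSERV_PROG = 100004        # NIS ypserv, per the standard rpc assignments


def build_getport_call(xid, prog, vers, prot):
    """Encode a PMAPPROC_GETPORT CALL message (all fields big-endian XDR)."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG,
                         PMAP_VERS, PMAPPROC_GETPORT)
    cred = struct.pack(">II", AUTH_NONE, 0)   # credential: flavor, body length
    verf = struct.pack(">II", AUTH_NONE, 0)   # verifier:   flavor, body length
    # mapping { prog, vers, prot, port }; port is ignored for GETPORT.
    args = struct.pack(">IIII", prog, vers, prot, 0)
    return header + cred + verf + args


def parse_getport_reply(data, expected_xid):
    """Decode a GETPORT REPLY; returns the registered port (0 = not registered)."""
    if len(data) < 28:
        raise ValueError("reply too short")
    xid, mtype, rstat, vflavor, vlen = struct.unpack(">IIIII", data[:20])
    if xid != expected_xid:
        raise ValueError("xid mismatch: not the answer to our call")
    if mtype != MSG_REPLY:
        raise ValueError("message is not a REPLY")
    if rstat != MSG_ACCEPTED:
        raise ValueError("MSG_DENIED by rpcbind")
    # Skip the verifier body, which is padded to a 4-byte boundary.
    off = 20 + ((vlen + 3) & ~3)
    accept_stat, port = struct.unpack(">II", data[off:off + 8])
    if accept_stat != SUCCESS:
        raise ValueError("accept_stat %d" % accept_stat)
    return port


def getport(host, prog, vers, prot=IPPROTO_TCP, timeout=2.0):
    """Ask rpcbind on host:111 (UDP) where prog/vers listens; 0 if unregistered."""
    xid = struct.unpack(">I", os.urandom(4))[0]
    req = build_getport_call(xid, prog, vers, prot)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 111))
        data, _ = s.recvfrom(4096)
    return parse_getport_reply(data, xid)


# Constructed sample reply (not captured): rpcbind accepting our xid and
# answering that ypserv v2/TCP is registered on ephemeral port 32771.
SAMPLE_XID = 0x1A2B3C4D
SAMPLE_REPLY = struct.pack(">IIIIIII", SAMPLE_XID, MSG_REPLY, MSG_ACCEPTED,
                           AUTH_NONE, 0, SUCCESS, 32771)
# Same shape, but the program is not registered: rpcbind returns port 0.
SAMPLE_REPLY_UNREGISTERED = struct.pack(">IIIIIII", SAMPLE_XID, MSG_REPLY,
                                        MSG_ACCEPTED, AUTH_NONE, 0, SUCCESS, 0)


def demo():
    """Decode the constructed replies; returns (registered_port, unregistered_port)."""
    return (parse_getport_reply(SAMPLE_REPLY, SAMPLE_XID),
            parse_getport_reply(SAMPLE_REPLY_UNREGISTERED, SAMPLE_XID))


if __name__ == "__main__":
    print("ypserv port from sample reply:", demo())
```

The firewall consequence follows directly from the message format: the port rpcbind hands back is just a number in the 32nnn range, carries no program identity a packet filter can see, and a filter that passes 111 plus that range has no way to restrict the DMZ host to ypserv rather than every other program that registered. Calling `getport("nis-master", YPSERV_PROG, 2)` from a DMZ host is a quick way to confirm what the firewall actually exposes.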
