Thanks, new question

2001-04-11 Thread Tom Rauschenbach




OK, upgrading pppd made my 2.4 kernel work.  But my logs are reporting a
boatload of attacks on port 111 from an unknown host.  I know that others
have seen this.  Does anyone remember the fix?

-- 
Tom Rauschenbach  [EMAIL PROTECTED]
All your base are belong to us

**
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**
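Tom's report is of port 111 (the sunrpc portmapper) hits showing up in the firewall log. The following is an added example, not something from this thread, showing how to pull those hits out of a 2.4-era Linux log and summarize them per source before deciding what to filter. It assumes the netfilter LOG target line format (`SRC=... DST=... PROTO=... SPT=... DPT=...`) as logged by syslog; the sample lines and the addresses in them are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of netfilter LOG-target lines as syslog records them.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 11 20:01:03 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=1234 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 20:01:05 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=1235 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 20:01:07 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=1236 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 20:01:09 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=4 PROTO=UDP SPT=33012 DPT=111 LEN=64
Apr 11 20:02:00 gw kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=4000 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 20:02:30 gw kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10 DF PROTO=TCP SPT=4001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 20:03:00 gw pppd[512]: local  IP address 198.51.100.2
"""

# Only the fields we need; the rest of the LOG line is ignored.
FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the key fields of one netfilter LOG line as a dict, or None
    when the line is not a packet log entry (e.g. a pppd message)."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def hits_by_source(log_text, port=111):
    """Count logged packets aimed at `port`, keyed by (source address, protocol)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["DPT"] == port:
            counts[(rec["SRC"], rec.get("PROTO", "?"))] += 1
    return counts


def suspicious_sources(log_text, port=111, threshold=3):
    """Sources whose combined TCP+UDP hits on `port` reach `threshold`,
    sorted so the output is stable."""
    per_src = defaultdict(int)
    for (src, _proto), n in hits_by_source(log_text, port).items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    for (src, proto), n in sorted(hits_by_source(SAMPLE_LOG).items()):
        print(f"{src:15} {proto:4} {n} packets to port 111")
    print("sources at or above threshold:", suspicious_sources(SAMPLE_LOG))
```

Feed it the real log with `hits_by_source(open("/var/log/messages").read())`; a single source repeatedly probing 111 over both TCP and UDP is the usual portmapper scan signature, and the per-source summary tells you whether one host or many are behind the "boatload".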




Re: Thanks, new question

2001-04-11 Thread Derek Martin

On Wed, Apr 11, 2001 at 08:27:32PM -0400, Kenneth E. Lussier wrote:

> You can't. There is no way to harden the RPC services without completely
> rewriting them from the ground up. That would be like trying to protect
> an open door without closing it.

My favorite analogy for this came from Bob Hillery at the SANS
conference: It's like trying to protect a gate with no fence.

Somebody asked me (more or less) why Kenny's statement is true, and
since I said you shouldn't do this without really explaining what the
problem is, I s'pose I should address it.

Ignoring bugs (meaning programming errors; code that does not do what
it was intended to do), RPC suffers from at least one inherent design
flaw from a security perspective.  That is, it depends solely on
host-based authentication for granting access to services.  If you
haven't heard by now, it's very easy to spoof an IP address, and it's
even possible to forge a name lookup, so these things really can't be
trusted for providing authentication to sensitive services.  The
result of which is that it's fairly easy to trick RPC services into
doing things they shouldn't do, if you know what you're doing.

Add to that all the programming errors that are found on a regular
basis, and the fact that these services invariably run as root on most
systems/distros/OSes, and you've got one big security nightmare.  It's
pretty much impossible to secure.

FWIW, IIRC, Debian is one of the only places I've seen an RPC daemon
NOT running as root.  But I may be mistaken.


-- 
  I have written this book partly to correct a mistake... A colleague of
mine once told me that the world was full of bad security systems
designed by people who read Applied Cryptography.
  Since writing the book, I have made a living as a cryptography
consultant: designing and analyzing security systems. To my initial
surprise, I found that the weak points had nothing to do with the
mathematics.  They were in the hardware, the software, the networks,
and the people.  Beautiful pieces of mathematics were made irrelevant
through bad programming, a lousy operating system, or someone's bad
password choice.  I learned to look beyond the cryptography, at the
entire system, to find weaknesses.  I started repeating a couple of
sentiments you'll find throughout this book: 'Security is a chain;
it's only as secure as the weakest link.' 'Security is a process, not
a product.'

--Bruce Schneier, from Secrets & Lies
---
Derek Martin  |   Unix/Linux geek
[EMAIL PROTECTED]|   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu






Re: Thanks, new question

2001-04-11 Thread Karl J. Runge

On Wed, 11 Apr 2001, Derek Martin [EMAIL PROTECTED] wrote:
...
> Ignoring bugs (meaning programming errors; code that does not do what
> it was intended to do), RPC suffers from at least one inherent design
> flaw from a security perspective.  That is, it depends solely on
> host-based authentication for granting access to services.  If you
> haven't heard by now, it's very easy to spoof an IP address, and it's
> even possible to forge a name lookup, so these things really can't be
> trusted for providing authentication to sensitive services.  The
> result of which is that it's fairly easy to trick RPC services into
> doing things they shouldn't do, if you know what you're doing.

BTW, has anyone on the list used Secure-RPC / NIS+ in a production
environment?  Any pros/cons to report?  I recall hearing the key size
was considered too small (but it seems like it could be jacked up, no?).
I recall seeing mention of a Linux Secure-RPC implementation a few
years back, but haven't followed it.

Thanks,

Karl

