[Freeipa-users] IPA over the Internet - Security Implications
Chris Evich
cevich at redhat.com
Fri Aug 17 13:57:07 UTC 2012
On 08/17/2012 07:02 AM, Michael Mercier wrote:
> Hi,
>
> Let us assume just the two systems directly connected to the internet. I
> am specifically interested in what the security implications would be,
> not ways to get around them (e.g. point-to-point tunnel). I have read
> that kerberos was designed for untrusted networks, just how untrusted
> can they be?
>
> Thanks,
> Mike
>
> On 16-Aug-12, at 9:43 PM, Steven Jones wrote:
>
>> Hi,
>>
>> I would assume you could do a point to point tunnel between each and
>> do the authentication via that.
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com
>> [freeipa-users-bounces at redhat.com] on behalf of Michael Mercier
>> [mmercier at gmail.com]
>> Sent: Friday, 17 August 2012 1:14 p.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] IPA over the Internet - Security Implications
>>
>> Hello,
>>
>> I was wondering what the security implications would be setting up a
>> server to be a freeipa client at one site, and have it join a freeipa
>> system over the internet at another site.
>>
>> ipaclient (siteA) <-- internet --> ipaserver (siteB)
>>
>> Is there an IPA document that describes this situation?
>>
>> Thanks,
>> Mike
Don't overlook DOS/DDOS type attacks against these servers. While it
may not penetrate the encryption, they could limit your options for
fixing the problem remotely, or even locally. I'm not aware of/if/how
well these services are validated against DOS-type attacks. However,
even if they are somewhat hardened, simple things like massive
ping-floods could easily overload the networking stack.
Further, all of these services are heavily dependent on DNS. I'd worry
about this just as much as KDC/LDAP, for simple availability problems
(whatever the attack vector). This could easily bottle up all other
traffic, and the short client-side timeouts (6-seconds) aren't helping.
Again thinking beyond just the encrypted traffic, the server processes
are also exposed with whatever unknown flaws they have. While they're
certainly tighter than the average app., I'd pay particular attention to
keeping them updated, 0-day if possible. This again can impact
availability, for example in the case of unknown and unrelated
regressions in the updates themselves.
--
Chris Evich, RHCA, RHCE, RHCDS, RHCSS
Quality Assurance Engineer
e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214
More information about the Freeipa-users
mailing list