[Freeipa-users] freeipa unsecured ports & MITM

Simo Sorce simo at redhat.com
Tue Mar 29 15:31:25 UTC 2016


On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote:
> Hello,
> 
> I am using FreeIPA on the cloud and am worried about MITM attacks.  I'm
> assuming all network traffic can be easily read and possibly manipulated by
> an attacker.
> 
> When following
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html,
> some of the listed ports for FreeIPA (80 and 389) are unencrypted ports.

The only thing port 80 does is redirect to 443.
Port 389 is the only LDAP port in use and clients will use the STARTTLS
command to transition to a TLS encrypted connection or use GSSAPI and
confidentiality to encrypt the traffic.

> Should this be a concern or does FreeIPA only use those ports to send
> non-sensitive information.  If I disable just the unencrypted ports on my
> clients will everything still work?
> 
> I don't understand Kerberos much so the same question applies to its ports
> as well (88 and 464).

The kerberos protocol was conceived and built to be able to run on a non
trusted network, all communication is secured.

> I am also using FreeIPA for DNS but it looks like DNSSEC is not enabled by
> default, does this mean an attacker hijacking the DNS connections can get
> into my system?

You should define what "get into" means. A DNS server w/o DNSSEC is
pretty much what you have in the wild, almost no client yet uses DNSSEC
validation, for any of the internet activity you see people doing every
day.
DNSSEC can give you extra protection but lack of it is not necessarily a
concern unless you have evidence you need it for specific DNS records.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
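The STARTTLS transition Simo describes for port 389 is an LDAP extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037): the client sends the request in the clear, and only a success response may be followed by a TLS handshake on the same TCP connection. The example below is added here and is not code from the thread or from FreeIPA; it hand-encodes both sides of that exchange in BER so it runs offline, and the server responses are constructed sample messages. The security-relevant part is `starttls_accepted`: a client must treat anything other than a matching success response as a hard error rather than continue the bind in cleartext, which is exactly where an on-path attacker would otherwise sit.

```python
"""Minimal BER encoder/decoder for the LDAP StartTLS exchange (RFC 4511 section 4.14).
Added example; the response messages are constructed, not captured from a real server."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


# ---- BER helpers ---------------------------------------------------------
def ber_len(n: int) -> bytes:
    """Encode a definite BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + ber_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# ---- client side: the request that crosses port 389 in the clear ---------
def starttls_request(msg_id: int = 1) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER,
    #   ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)


# ---- server side: ExtendedResponse (constructed here for the demo) -------
def extended_response(msg_id: int, result_code: int, diag: bytes = b"") -> bytes:
    # ExtendedResponse [APPLICATION 24] { resultCode ENUMERATED,
    #   matchedDN OCTET STRING, diagnosticMessage OCTET STRING,
    #   responseName [10] LDAPOID OPTIONAL }   (result codes here are < 128)
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag)
    body += tlv(0x8A, STARTTLS_OID)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, body))


def parse_extended_response(data: bytes) -> dict:
    """Decode an ExtendedResponse into its message ID, result code and diagnostic."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = read_tlv(resp, 0)
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, pos = read_tlv(resp, pos)
    name = None
    while pos < len(resp):  # optional trailing fields
        tag, val, pos = read_tlv(resp, pos)
        if tag == 0x8A:
            name = val
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": name}


def starttls_accepted(response: bytes, expected_msg_id: int = 1) -> bool:
    """True only for a matching success response; anything else is a hard error.
    A client that continued in cleartext instead would expose its bind to an on-path attacker."""
    r = parse_extended_response(response)
    if r["message_id"] != expected_msg_id:
        raise RuntimeError("messageID mismatch, response does not belong to our request")
    if r["result_code"] != 0:
        raise RuntimeError(f"StartTLS refused (code {r['result_code']}): {r['diagnostic']}")
    return True


def upgrade_socket(sock: socket.socket, server_hostname: str) -> ssl.SSLSocket:
    """Only after starttls_accepted(): wrap the same TCP socket in TLS with the
    default context, which verifies the chain and hostname. Not exercised offline."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    print("request:", starttls_request(1).hex())
    print("server accepts:", starttls_accepted(extended_response(1, 0)))
    try:
        starttls_accepted(extended_response(1, 52, b"TLS unavailable"))  # 52 = unavailable
    except RuntimeError as err:
        print("abort connection:", err)
```

The same rule applies to whatever real client you deploy: configure it so that a refused or stripped STARTTLS is fatal (and that the certificate is verified) instead of silently downgrading, and verify on the wire that the bind never leaves the host before the TLS handshake.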
