Re: [K12OSN] LDAP vs NIS

cwagnon redbugmail k12 ar us wrote:

> 1.) My users are _extremely_ unsophisticated :-)

Then you should be OK.

> 2.) I wasn't thinking about the portmapper security nightmares. Riddle me
> this, Batman: What if I run the server with a static NAT number behind a
> firewall... no real IP. On top of that... set my local iptables firewall
> on that particular server to only allow MY IP range access to those ports?
> Would that work? Or is there another security issue altogether that I'm
> missing? Thanks for the info.

Having the server on an RFC1918 private IP address is a good move, as it
means that external attackers can't route datagrams to it. Of course, if
someone compromised your firewall... As for filtering to allow only local
addresses (via either iptables or tcpwrappers), the problem with that is
that it's fairly easy to spoof source IP addresses for connectionless
protocols like UDP (and RPC/NFS/NIS on top of that). Of course, when I say
"fairly easy", the attacker has to know how to do it, and how to then
exploit a higher-level vulnerability. I can't see the typical
elementary-school kid being able to do that, but on a university campus,
I'd be thinking differently.

Given your comment above about the unsophistication of your users, I'd say
the risk is acceptable. ;)

I still wouldn't use NIS, though. But that's just me...


Les Bell, RHCE, CISSP
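To make the point about source-address filtering concrete, here is an added example (my own, not code from either poster or from the K12OSN list): a small POSIX shell script that prints the source-only iptables rule described above next to a hardened rule set that also matches on the ingress interface, enables the kernel's reverse-path filter, and drops packets that claim a LAN source on a non-LAN interface. The interface name eth0, the 10.0.0.0/8 range, and the NIS port 834 (assumed to be pinned with `ypserv -p 834` so that it can be filtered at all) are assumptions; the portmapper's port 111 is the well-known one. The script only prints the commands, so it runs without root; pipe its output to sh to apply them.

```shell
#!/bin/sh
# Added example for the K12OSN NIS/portmapper discussion; not from the thread.
# Prints iptables/sysctl commands instead of applying them, so it runs unprivileged.

LAN_IF="eth0"          # assumed: interface facing the school LAN
LAN_NET="10.0.0.0/8"   # assumed: the poster's "MY IP range" (RFC1918 space)
PORTMAP_PORT=111       # portmapper / rpcbind well-known port
NIS_PORT=834           # assumed: ypserv started with "-p 834" so its port is fixed

# The rule proposed in the thread: accept RPC/NIS traffic only when the packet's
# source address is inside the LAN range. Weak on its own, because a UDP datagram's
# source address is simply whatever the sender wrote into the header; a tcpwrappers
# entry in /etc/hosts.allow performs the same source-address check and shares the gap.
weak_rules() {
    for port in "$PORTMAP_PORT" "$NIS_PORT"; do
        printf 'iptables -A INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$LAN_NET" "$port"
    done
    printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$PORTMAP_PORT"
}

# Hardened variant: the source-address match is kept, but it is no longer the only
# thing standing between a forged datagram and the portmapper.
hardened_rules() {
    # 1. Reverse-path filtering: the kernel drops a packet if a reply to its source
    #    address would not leave through the interface the packet arrived on.
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=1\n'
    # 2. Anti-spoof: a LAN source address arriving on anything but the LAN
    #    interface is forged by definition and is dropped before any ACCEPT rule.
    printf 'iptables -A INPUT ! -i %s -s %s -j DROP\n' "$LAN_IF" "$LAN_NET"
    # 3. Allow RPC/NIS only from LAN addresses AND only on the LAN interface,
    #    for both UDP and TCP (portmapper and ypserv listen on both).
    for port in "$PORTMAP_PORT" "$NIS_PORT"; do
        for proto in udp tcp; do
            printf 'iptables -A INPUT -i %s -p %s -s %s --dport %s -j ACCEPT\n' \
                "$LAN_IF" "$proto" "$LAN_NET" "$port"
        done
    done
    # 4. Everything else aimed at those ports is dropped, whatever it claims as source.
    for port in "$PORTMAP_PORT" "$NIS_PORT"; do
        printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$port"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Review helper: how many ACCEPT rules in a rule set do not match on an ingress
# interface? Anything above zero means a spoofed source alone can satisfy a rule.
unbound_accepts() {
    "$1" | grep 'ACCEPT' | grep -vc -- '-i '
}

# Usage when run directly: show both sets side by side for review.
if [ "${1:-}" = "show" ]; then
    echo "# source-only rules (weak):"; weak_rules
    echo "# interface-bound rules (hardened):"; hardened_rules
fi
```

Running `sh nis-rules.sh show` prints both sets; `unbound_accepts weak_rules` reports 2 and `unbound_accepts hardened_rules` reports 0, which is the whole difference the reply is pointing at. None of this makes NIS safe against a peer on the same LAN segment, which is why the reply still prefers LDAP.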

