RE: KDC Hardware - Kerberos
-
RE: KDC Hardware
Thanks a lot for your reply.
Actually, I was thinking of two separate machines, one for the KDC and the other for the OpenLDAP. I read an article that suggests the separation to avoid to secure the KDC. A machine dedicated to the KDC will guarantee the absence of all services except the KDC services, and I think this reduces the hacking chances.
Please tell me if this is not true.
Thanks
Amir Saad
Software Engineer
________________________________
From: kerberos-bounces@mit.edu on behalf of Turbo Fredriksson
Sent: Sat 1/7/2006 12:38 PM
To: kerberos@mit.edu
Subject: Re: KDC Hardware
Quoting Jeffrey Hutzelman :
> On Friday, January 06, 2006 12:37:51 PM +0100 Turbo Fredriksson
> wrote:
>
>> Quoting Jeffrey Hutzelman :
>>
>>> On Thursday, January 05, 2006 10:03:44 AM +0200 Amir Saad
>>> wrote:
>>>
>>>> i use Fedora 4, OpenLDAP and Kerberos instead of NIS
>>>> what is the suitable hardware configuration for the KDC to support a
>>>> network with 200 machines? thanks
>>>
>>> Whatever random piece of crap you have lying around will do just fine.
>
>> Note though the 'random piece of crap' note is true when it comes
>> to KERBEROS (that doesn't need ANYTHING regarding power/storage/speed)
>> but not LDAP... That is a lot more demanding...
>
> True. The original question was about a KDC, not an LDAP server.
Doh, right. Sorry. He just mentioned OpenLDAP so I _assumed_ he would
be running both the LDAP _and_ the KDC on the same host. No point really
to separate them. Or?!?
Security? Nah, both need _extraordinary security_ so it's easier to
safeguard ONE machine than two (* nr of slaves of course).
Price? Keeping the KDC at the very cheapest and the LDAP a lot more expensive
IS of course a reason, but then you have to take into account how much extra
'resources' (time mostly) to keep an extra machine safe.
But then again, buying one cheap and one more expensive IS more expensive
than buying an 'expensive + some extra for the KDC'...
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: KDC Hardware
Quoting "Amir Saad" :
> actually, i was thinking of two separate machines one for the KDC
> and the other for the OpenLDAP, i read an article that suggests the
> separation to avoid to secure the KDC.
To avoid securing the KDC!?!? Sorry, but whoever wrote that must be
drunk (or knows something I don't).
The KDC is the single most important part of your whole network! If that
is cracked (i.e. someone gains root access on it), then you're screwed!
It has access to EVERYTHING basically.
In my opinion, the KDC is the one you should 'guard with your life'.
Everything else can be fixed if it gets cracked, but if the KDC is
cracked, EVERY SINGLE USER must change password/passphrase and the machine
MUST (for safety) be totally reinstalled.
The LDAP server is nowhere NEAR as important. If they crack that,
all they'll get is ... what, nothing basically?
If _I_ had my LDAP server on a totally separate machine, and that
was cracked, all the cracker would get is information on what
email addresses the user(s) have, what shell, uid/gid and home/mail
directory they have. True, there's somewhat sensitive information
there - their telephone number and address (not all users have that
info though).
-
Re: KDC Hardware
On Sun, Jan 08, 2006 at 01:04:08PM +0100, Turbo Fredriksson wrote:
> The LDAP server is nowhere NEAR as important. If they crack that,
> all they'll get is ... what, nothing basically?
Depends on who's relying on the LDAP server and for what.
If important systems are using LDAP for user information like, say, UID,
group memberships, and so on, well, then your LDAP server is practically
as important as your KDC (losing a KDC would still be worse, primarily
because re-keying an entire realm is painful).
Nico
-
Re: KDC Hardware
Quoting Nicolas Williams :
> On Sun, Jan 08, 2006 at 01:04:08PM +0100, Turbo Fredriksson wrote:
>> The LDAP server is nowhere NEAR as important. If they crack that,
>> all they'll get is ... what, nothing basically?
>
> Depends on who's relying on the LDAP server and for what.
>
> If important systems are using LDAP for user information like, say, UID,
> group memberships, and so on, well, then your LDAP server is practically
> as important as your KDC (losing a KDC would still be worse, primarily
> because re-keying an entire realm is painful).
Exactly, that was what I was assuming. _I_ use it with my mail system
_as well_, but not everyone/that many (?) use it that way. So _my_ LDAP server is
'almost' more important than the KDC. I don't have that many users (<50), and
I know them in person, so recreating a KDC wouldn't be THAT much of a job for me.
But recreating the LDAP database with all information would be 'almost impossible'.
But if the LDAP server is 'only' used for authorization (uid/gid/home etc.),
which most users use it as when using Kerberos (?), then it's _just slightly_
less important than the KDC.
In such a case, recreating the LDAP server can be scripted but recreating
a KDC would be a SERIOUS pain.
So as I see it, LDAP and Kerberos (should) have the same weight regarding
security...
-
Re: KDC Hardware
Turbo Fredriksson wrote:
> So as I see it, LDAP and Kerberos (should) have the same weight regarding
> security...
Here is how I see it.
* losing the LDAP contents to an attacker is a royal pain. if the loss
  is read-only, then you have privacy issues to deal with but the rest
  of your network infrastructure is still intact.
  if the loss is read-write, then the attacker is capable of modifying
  the authorization associated with any authenticated ID. However,
  once you close the hole and restore the LDAP contents to a previous
  state much of those authorization escalations are removed. You still
  have the problem of figuring out what was done with the authorization
  enhancements.
* losing the KDC on the other hand is worse. whether read-only or
  read-write the attacker now has all of the key material for your
  realm. The attacker is now capable of accessing your LDAP service
  and making whatever authorization changes s/he wishes. However,
  now you need to contact all users and re-key everything in the
  realm.
While losing LDAP is bad, the KDC is much much worse. The purpose of
running the KDC on a machine that has no services on it other than the
KDC is to reduce the attack footprint. You want the only reason for a
KDC machine to be compromised to be due to a coding failure in the KDC
programming.
The LDAP directory has similar security concerns as the KDC. Hence, it
can be treated the same way. The machine running LDAP should only be
running LDAP. You do not want a root hack against LDAP to allow the
KDC to be compromised. However, you also do not want a root hack
against any other daemon with open network ports to result in LDAP
being compromised.
Jeffrey Altman
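One way to verify the "nothing but the KDC on the KDC box" property argued for above, as an added example that is not part of this thread: a small Python audit that parses `ss -ltnup`-style listening-socket output (a constructed sample is embedded here) and flags every listener that is not one of the KDC's own ports. The port allowlist assumes a primary MIT-style KDC that also runs kadmind; a replica would pass `{88}` instead.

```python
import re

# IANA-registered Kerberos service ports: kerberos/88, kpasswd/464, kerberos-adm/749.
# Assumption: this host is a primary KDC running kadmind; a read-only replica
# should expose port 88 only.
KDC_ALLOWED_PORTS = frozenset({88, 464, 749})

# Constructed sample in the shape of `ss -Hltnup` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0 0   0.0.0.0:88    0.0.0.0:* users:(("krb5kdc",pid=812,fd=5))
tcp   LISTEN 0 128 0.0.0.0:88    0.0.0.0:* users:(("krb5kdc",pid=812,fd=6))
tcp   LISTEN 0 128 0.0.0.0:464   0.0.0.0:* users:(("kadmind",pid=830,fd=9))
tcp   LISTEN 0 128 0.0.0.0:749   0.0.0.0:* users:(("kadmind",pid=830,fd=10))
tcp   LISTEN 0 128 0.0.0.0:389   0.0.0.0:* users:(("slapd",pid=901,fd=7))
tcp   LISTEN 0 128 127.0.0.1:25  0.0.0.0:* users:(("master",pid=950,fd=13))
tcp   LISTEN 0 128 [::1]:631     [::]:*    users:(("cupsd",pid=977,fd=8))
"""

# One socket line: netid, state, recv-q, send-q, local addr:port, peer, optional process.
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def find_unexpected_listeners(ss_output, allowed_ports=KDC_ALLOWED_PORTS,
                              ignore_loopback=False):
    """Return (proto, addr, port, process) for each socket the KDC itself does not
    account for. With ignore_loopback=True, sockets bound only to the loopback
    address are skipped, since they are not reachable from the network."""
    findings = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue  # header or unparseable line
        addr, port = m.group("addr"), int(m.group("port"))
        if port in allowed_ports:
            continue
        if ignore_loopback and addr in ("127.0.0.1", "[::1]"):
            continue
        findings.append((m.group("proto"), addr, port, m.group("proc") or "?"))
    return findings


if __name__ == "__main__":
    for proto, addr, port, proc in find_unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected {proto} listener {addr}:{port} ({proc})")
```

On the sample, slapd on 389 is the network-exposed finding; the loopback-only mail and print daemons are still extra code running as root on the KDC and show up unless `ignore_loopback=True` is passed.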