How to secure LAN visiting with NIS - Security
-
How to secure LAN visiting with NIS
Hello everyone,
I've set up one LAN with NIS account verification, and limited access to
switch ports with MAC address binding, but I think it is not so safe. If one
person uses his laptop and sets the same MAC address as a working machine and
then connects into the LAN and sets the domain and NIS server, he'll get all the
access to the server and have a way to get data onto his laptop, which is
awful. Is there any way to avoid it? I don't know how to make NIS more
secure; is there any way to set up a verification server to check the
legitimacy of the machine itself? Thanks for your help!
Have a good day!
B.R.
Joffre
-
Re: How to secure LAN visiting with NIS
On 12.06.2006, tech11 wrote:
> I've set up one LAN with NIS account verification, and limited access to
> switch ports with MAC address binding, but I think it is not so safe. If one
> person uses his laptop and sets the same MAC address as a working machine and
> then connects into the LAN and sets the domain and NIS server, he'll get all the
> access to the server and have a way to get data onto his laptop, which is
> awful. Is there any way to avoid it? I don't know how to make NIS more
> secure; is there any way to set up a verification server to check the
> legitimacy of the machine itself? Thanks for your help!
I did something similar some time ago. You can't authenticate machines
with NIS only, you need some kind of tunneling which does that. But not
all tunneling protocols fit here, since NIS uses UDP protocol. You can
use IPsec with X.509 certificates. Create tunnel to NIS server on each
client and road warrior on server and accept only certificates from
clients and server (you may use PKI infrastructure and create your own
CA to issue certificates; this simplifies this task a bit).
--
Feel free to correct my English
Stanislaw Klekot
-
Re: How to secure LAN visiting with NIS
tech11 wrote:
> I've set up one LAN with NIS account verification, and limited access to
> switch ports with MAC address binding, but I think it is not so safe.
Doesn't sound too bad to me. Presumably NIS+ rather than NIS?
> If one person uses his laptop and sets the same MAC address as a working
> machine and then connects into the LAN and sets the domain and NIS server,
> he'll get all the access to the server and have a way to get data
> onto his laptop, which is awful.
Don't trust MAC addresses implicitly. Instead, use them as part of your
security blanket.
> Is there any way to avoid it?
Ssh with public/private certificates for encrypting simple traffic from
client to server. Kerberos V5 for authenticating users, hosts, and
services.
Chris
-
Re: How to secure LAN visiting with NIS
On 12.06.2006, Chris Davies wrote:
> tech11 wrote:
>> I've set up one LAN with NIS account verification, and limited access to
>> switch ports with MAC address binding, but I think it is not so safe.
>
> Doesn't sound too bad to me. Presumably NIS+ rather than NIS?
Do you know _any_ NIS+ _server_ implementation working under Linux?
>> If one person uses his laptop and sets the same MAC address as a working
>> machine and then connects into the LAN and sets the domain and NIS server,
>> he'll get all the access to the server and have a way to get data
>> onto his laptop, which is awful.
>
> Don't trust MAC addresses implicitly. Instead, use them as part of your
> security blanket.
Didn't tech11 say that he doesn't want to trust MAC addresses?
>> Is there any way to avoid it?
>
> Ssh with public/private certificates for encrypting simple traffic from
> client to server. Kerberos V5 for authenticating users, hosts, and
> services.
How would you forward UDP traffic over SSH? Except by setting up a VPN
(recent versions of OpenSSH).
--
Feel free to correct my English
Stanislaw Klekot
-
Re: How to secure LAN visiting with NIS
Have you considered LDAP?
It may be easier than all the hacks to secure NIS.
-
Re: How to secure LAN visiting with NIS
tech11 wrote:
T> I've set up one LAN with NIS account verification, and limited access to
T> switch ports with MAC address binding, but I think it is not so safe.
On 12.06.2006, Chris Davies wrote:
C> Doesn't sound too bad to me. Presumably NIS+ rather than NIS?
Stachu 'Dozzie' K. wrote:
S> Do you know _any_ NIS+ _server_ implementation working under Linux?
My domain knowledge of NIS is woefully limited (and I've never managed to
get NIS+ working. At all.) Just because I don't know something exists
doesn't mean it doesn't actually exist. Sometimes a pointer is all
that's required.
C> Don't trust MAC addresses implicitly. Instead, use them as part of your
C> security blanket.
S> Didn't tech11 say that he doesn't want to trust MAC addresses?
Yes. I'm agreeing with the philosophy.
T> Is there any way to avoid it?
C> Ssh with public/private certificates for encrypting simple traffic from
C> client to server. Kerberos V5 for authenticating users, hosts, and
C> services.
> How would you forward UDP traffic over SSH? Except by setting up a VPN
> (recent versions of OpenSSH).
Sometimes people just want a "simple" solution. If you're wanting to
handle not just TCP traffic but other stuff as well then I would suggest
OpenVPN as the "next most simple" solution.
Too often I see people trying to provide a complete answer to a question
that was phrased badly, only to discover that the answer doesn't fit
the actual (un-asked) question. I'm happy to be proven wrong with my
assumptions, and I will happily amend those to refine my answer to fit
the problem domain as it unfolds.
Regards,
Chris
-
Re: How to secure LAN visiting with NIS
"Stachu 'Dozzie' K." wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
> On 12.06.2006, tech11 wrote:
>> I've set up one LAN with NIS account verification, and limited access to
>> switch ports with MAC address binding, but I think it is not so safe. If one
>> person uses his laptop and sets the same MAC address as a working machine and
>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>> access to the server and have a way to get data onto his laptop, which is
>> awful. Is there any way to avoid it? I don't know how to make NIS more
>> secure; is there any way to set up a verification server to check the
>> legitimacy of the machine itself? Thanks for your help!
>
> I did something similar some time ago. You can't authenticate machines
> with NIS only, you need some kind of tunneling which does that. But not
> all tunneling protocols fit here, since NIS uses UDP protocol. You can
> use IPsec with X.509 certificates. Create tunnel to NIS server on each
> client and road warrior on server and accept only certificates from
> clients and server (you may use PKI infrastructure and create your own
> CA to issue certificates; this simplifies this task a bit).
>
> --
> Feel free to correct my English
> Stanislaw Klekot
Thanks for your answers. Could you give me more info? I'm a freshman and it
seems hard for me to do. If I copy the certificate files to a new PC,
will it access my NIS server correctly?
My data server shares its directory to clients and I have no proper way
to validate that the right client machine mounts it. If one person uses his
laptop and mounts the shared data on the server, it's another failure. Do you
have any good way to fill this gap? Thanks for your help!
Have a good day!
B.R.
Joffre
-
Re: How to secure LAN visiting with NIS
On 14.06.2006, tech11 wrote:
>
> "Stachu 'Dozzie' K." wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
>> On 12.06.2006, tech11 wrote:
>>> I've set up one LAN with NIS account verification, and limited access to
>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>> person uses his laptop and sets the same MAC address as a working machine and
>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>> access to the server and have a way to get data onto his laptop, which is
>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>> secure; is there any way to set up a verification server to check the
>>> legitimacy of the machine itself? Thanks for your help!
>>
>> I did something similar some time ago. You can't authenticate machines
>> with NIS only, you need some kind of tunneling which does that. But not
>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
>> client and road warrior on server and accept only certificates from
>> clients and server (you may use PKI infrastructure and create your own
>> CA to issue certificates; this simplifies this task a bit).
>>
>> --
>> Feel free to correct my English
>> Stanislaw Klekot
>
> Thanks for your answers. Could you give me more info? I'm a freshman and it
> seems hard for me to do. If I copy the certificate files to a new PC,
> will it access my NIS server correctly?
You will need to _copy_ only the CA certificate (if you use PKI). For a
new PC, you will need to _generate_ a new private key and issue a new
certificate. Never copy a private key to a new machine!
> My data server shares its directory to clients and I have no proper way
> to validate that the right client machine mounts it. If one person uses his
> laptop and mounts the shared data on the server, it's another failure. Do you
> have any good way to fill this gap? Thanks for your help!
Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
NFS as well.
You will probably want to bind portmapper and NIS and NFS daemons to
particular ports and filter out traffic coming from outside of IPsec
tunnel.
--
Feel free to correct my English
Stanislaw Klekot
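Stanislaw's point above about copying only the CA certificate and generating a fresh private key on every machine, shown as an added example rather than code from anyone in this thread: a minimal private CA built with the openssl command line, a per-host key and CSR generated on the host itself, and the check an IPsec peer performs with its copy of ca.crt. The CA name and the host names (nisserver, client01, laptop) are constructed for the example. A self-signed certificate stands in for a laptop that merely copied ca.crt from a workstation; it is rejected because it does not chain to the lab CA.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal private CA for IPsec
# machine certificates. Only ca.crt is copied to clients; each machine
# generates its own private key. CA and host names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca: CA key + self-signed CA certificate; the key never leaves the CA host
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=lab-nis-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_host_cert <host>: key and CSR are generated on the host itself; only
# the CSR travels to the CA and only the signed certificate comes back.
issue_host_cert() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$host.csr" -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# rogue_cert: a self-signed certificate, i.e. all that a laptop which copied
# ca.crt from a workstation could produce on its own
rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=laptop" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# verify_against_ca <cert>: the check an IPsec peer makes with its ca.crt copy;
# exit status 0 only if the certificate chains to the lab CA
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
issue_host_cert nisserver
issue_host_cert client01
rogue_cert
verify_against_ca "$WORK/client01.crt" && echo "client01: accepted"
verify_against_ca "$WORK/rogue.crt" || echo "rogue laptop: rejected"
```

The private key in `$host.key` is what the peer proves possession of during IKE; because it was generated on the host and signed only through a CSR, the CA certificate alone, which every client legitimately holds, gives a visitor nothing the server will accept.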
-
Re: How to secure LAN visiting with NIS
"Stachu 'Dozzie' K." wrote in message news:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl...
> On 14.06.2006, tech11 wrote:
>>
>> "Stachu 'Dozzie' K." wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
>>> On 12.06.2006, tech11 wrote:
>>>> I've set up one LAN with NIS account verification, and limited access to
>>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>>> person uses his laptop and sets the same MAC address as a working machine and
>>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>>> access to the server and have a way to get data onto his laptop, which is
>>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>>> secure; is there any way to set up a verification server to check the
>>>> legitimacy of the machine itself? Thanks for your help!
>>>
>>> I did something similar some time ago. You can't authenticate machines
>>> with NIS only, you need some kind of tunneling which does that. But not
>>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
>>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
>>> client and road warrior on server and accept only certificates from
>>> clients and server (you may use PKI infrastructure and create your own
>>> CA to issue certificates; this simplifies this task a bit).
>>>
>>> --
>>> Feel free to correct my English
>>> Stanislaw Klekot
>>
>> Thanks for your answers. Could you give me more info? I'm a freshman and it
>> seems hard for me to do. If I copy the certificate files to a new PC,
>> will it access my NIS server correctly?
>
> You will need to _copy_ only the CA certificate (if you use PKI). For a
> new PC, you will need to _generate_ a new private key and issue a new
> certificate. Never copy a private key to a new machine!
>
>> My data server shares its directory to clients and I have no proper way
>> to validate that the right client machine mounts it. If one person uses his
>> laptop and mounts the shared data on the server, it's another failure. Do you
>> have any good way to fill this gap? Thanks for your help!
>
> Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
> NFS as well.
I don't think so. If one machine is not authenticated and one man gets root
permission, he'll get around the NIS server and mount the NFS filesystem,
since there's no need for a tunnel connecting the NFS server and client machines.
>
> You will probably want to bind portmapper and NIS and NFS daemons to
> particular ports and filter out traffic coming from outside of IPsec
> tunnel.
>
> --
> Feel free to correct my English
> Stanislaw Klekot
Well, it's a good solution, but I don't think I'm able to finish it by
myself just now, so I'm trying to find an easier way to do it. Will a RADIUS
server with 802.1X authentication do the same thing?
-
Re: How to secure LAN visiting with NIS
On 14.06.2006, tech11 wrote:
>
> "Stachu 'Dozzie' K." wrote in message news:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl...
>> On 14.06.2006, tech11 wrote:
>>>
>>> "Stachu 'Dozzie' K." wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
>>>> On 12.06.2006, tech11 wrote:
>>>>> I've set up one LAN with NIS account verification, and limited access to
>>>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>>>> person uses his laptop and sets the same MAC address as a working machine and
>>>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>>>> access to the server and have a way to get data onto his laptop, which is
>>>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>>>> secure; is there any way to set up a verification server to check the
>>>>> legitimacy of the machine itself? Thanks for your help!
>>>>
>>>> I did something similar some time ago. You can't authenticate machines
>>>> with NIS only, you need some kind of tunneling which does that. But not
>>>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
>>>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
>>>> client and road warrior on server and accept only certificates from
>>>> clients and server (you may use PKI infrastructure and create your own
>>>> CA to issue certificates; this simplifies this task a bit).
>>>>
>>>> --
>>>> Feel free to correct my English
>>>> Stanislaw Klekot
>>>
>>> Thanks for your answers. Could you give me more info? I'm a freshman and it
>>> seems hard for me to do. If I copy the certificate files to a new PC,
>>> will it access my NIS server correctly?
>>
>> You will need to _copy_ only the CA certificate (if you use PKI). For a
>> new PC, you will need to _generate_ a new private key and issue a new
>> certificate. Never copy a private key to a new machine!
>>
>>> My data server shares its directory to clients and I have no proper way
>>> to validate that the right client machine mounts it. If one person uses his
>>> laptop and mounts the shared data on the server, it's another failure. Do you
>>> have any good way to fill this gap? Thanks for your help!
>>
>> Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
>> NFS as well.
>
> I don't think so. If one machine is not authenticated and one man gets root
> permission, he'll get around the NIS server and mount the NFS filesystem,
> since there's no need for a tunnel connecting the NFS server and client machines.
Eh? Are you saying that the setup that I _did_ and _tested_ for such
anomalies contains such a hole, while you _didn't_ see this setup?
Am I correct?
There _is_ a need for a tunnel between NFS server and client. The server
setup doesn't allow clear text connections (because of the firewall, but
that's a different matter). If you don't set up a tunnel (and thus
don't authenticate to the server), then you can't mount _anything_.
If someone gets root on such a client, then he can do anything that this
client can do, and the server can't distinguish traffic from a compromised
and a clean client.
>> You will probably want to bind portmapper and NIS and NFS daemons to
>> particular ports and filter out traffic coming from outside of IPsec
>> tunnel.
>>
>> --
>> Feel free to correct my English
>> Stanislaw Klekot
>
> Well, it's a good solution, but I don't think I'm able to finish it by
> myself just now, so I'm trying to find an easier way to do it. Will a RADIUS
> server with 802.1X authentication do the same thing?
Nope, I think. You need to protect NIS and NFS traffic, both by
authenticating the origin and encrypting the payload. RADIUS AFAIK doesn't
provide these two.
--
Feel free to correct my English
Stanislaw Klekot
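The two server-side measures Stanislaw describes, pinning portmapper, NIS and NFS daemons to fixed ports and filtering out traffic that did not arrive through the IPsec tunnel (the firewall that makes a clear-text mount impossible), as an added example and not configuration from this thread. It assumes a Linux NIS/NFS server with iptables and the xt_policy match; the ypserv, mountd and statd port numbers are constructed for the example, while 111 (rpcbind) and 2049 (NFS) are the standard ones. The ruleset is emitted in iptables-restore format so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not configuration from the thread. Pins the RPC daemons on
# the NIS/NFS server to fixed ports and admits them only on packets that
# arrived inside an IPsec SA (iptables xt_policy match). Linux assumed.
set -eu

RPCBIND_PORT=111    # standard portmapper port
NFS_PORT=2049       # standard NFS port
YPSERV_PORT=834     # constructed for the example: any free fixed port
MOUNTD_PORT=835     # constructed
STATD_PORT=836      # constructed

# daemon_flags: how each daemon is started so that its port is predictable.
# (lockd runs in the kernel; its port comes from the lockd module's
# nlm_tcpport/nlm_udpport parameters and needs the same rule, not shown.)
daemon_flags() {
  printf '%s\n' \
    "ypserv -p $YPSERV_PORT" \
    "rpc.mountd -p $MOUNTD_PORT" \
    "rpc.statd -p $STATD_PORT"
}

# ipsec_only_rules: emit an iptables-restore ruleset for the server.
# The weak variant would be ':INPUT ACCEPT', or a per-port ACCEPT without
# the policy match: any laptop on the switch could then reach ypserv/nfsd.
ipsec_only_rules() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # IKE and ESP build the tunnel, so they are the only clear-text input allowed
  printf '%s\n' '-A INPUT -p udp --dport 500 -j ACCEPT' \
                '-A INPUT -p udp --dport 4500 -j ACCEPT' \
                '-A INPUT -p esp -j ACCEPT'
  # RPC ports: accepted only when the packet was ESP-protected on arrival.
  # Deliberately no ESTABLISHED shortcut, so every inbound RPC packet is
  # checked against the policy match, not just the first one of a flow.
  for port in $RPCBIND_PORT $NFS_PORT $YPSERV_PORT $MOUNTD_PORT $STATD_PORT; do
    for proto in tcp udp; do
      printf '%s\n' "-A INPUT -p $proto --dport $port -m policy --dir in --pol ipsec -j ACCEPT"
    done
  done
  printf '%s\n' 'COMMIT'
}

# count_ipsec_rules: number of rules that carry the IPsec policy match
count_ipsec_rules() {
  ipsec_only_rules | grep -c -- '--pol ipsec'
}

daemon_flags
echo
ipsec_only_rules   # load with: ipsec_only_rules | iptables-restore
```

Because the chain policy is DROP and the RPC rules require `--pol ipsec`, a laptop with no IPsec SA gets no answer from rpcbind, ypserv or nfsd at all, which is the behaviour described above: without the tunnel, and therefore without a certificate the CA issued, nothing can be mounted.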
-
Re: How to secure LAN visiting with NIS
"Stachu 'Dozzie' K." wrote in message news:slrne901mt.4k3.dozzie@hans.zsh.bash.org.pl...
> On 14.06.2006, tech11 wrote:
>>
>> "Stachu 'Dozzie' K." wrote in message news:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl...
>>> On 14.06.2006, tech11 wrote:
>>>>
>>>> "Stachu 'Dozzie' K." wrote in message news:slrne8qu6v.j56.dozzie@hans.zsh.bash.org.pl...
>>>>> On 12.06.2006, tech11 wrote:
>>>>>> I've set up one LAN with NIS account verification, and limited access to
>>>>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>>>>> person uses his laptop and sets the same MAC address as a working machine and
>>>>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>>>>> access to the server and have a way to get data onto his laptop, which is
>>>>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>>>>> secure; is there any way to set up a verification server to check the
>>>>>> legitimacy of the machine itself? Thanks for your help!
>>>>>
>>>>> I did something similar some time ago. You can't authenticate machines
>>>>> with NIS only, you need some kind of tunneling which does that. But not
>>>>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
>>>>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
>>>>> client and road warrior on server and accept only certificates from
>>>>> clients and server (you may use PKI infrastructure and create your own
>>>>> CA to issue certificates; this simplifies this task a bit).
>>>>>
>>>>> --
>>>>> Feel free to correct my English
>>>>> Stanislaw Klekot
>>>>
>>>> Thanks for your answers. Could you give me more info? I'm a freshman and it
>>>> seems hard for me to do. If I copy the certificate files to a new PC,
>>>> will it access my NIS server correctly?
>>>
>>> You will need to _copy_ only the CA certificate (if you use PKI). For a
>>> new PC, you will need to _generate_ a new private key and issue a new
>>> certificate. Never copy a private key to a new machine!
>>>
>>>> My data server shares its directory to clients and I have no proper way
>>>> to validate that the right client machine mounts it. If one person uses his
>>>> laptop and mounts the shared data on the server, it's another failure. Do you
>>>> have any good way to fill this gap? Thanks for your help!
>>>
>>> Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
>>> NFS as well.
>>
>> I don't think so. If one machine is not authenticated and one man gets root
>> permission, he'll get around the NIS server and mount the NFS filesystem,
>> since there's no need for a tunnel connecting the NFS server and client machines.
>
> Eh? Are you saying that the setup that I _did_ and _tested_ for such
> anomalies contains such a hole, while you _didn't_ see this setup?
> Am I correct?
> There _is_ a need for a tunnel between NFS server and client. The server
> setup doesn't allow clear text connections (because of the firewall, but
> that's a different matter). If you don't set up a tunnel (and thus
> don't authenticate to the server), then you can't mount _anything_.
Do you mean dividing the servers and clients into two LANs and setting up
a VPN between them?
>
> If someone gets root on such a client, then he can do anything that this
> client can do, and the server can't distinguish traffic from a compromised
> and a clean client.
I don't worry about the right client machines but about personal laptops,
so a connecting tunnel is a must before a machine comes into my LAN.
>
>>> You will probably want to bind portmapper and NIS and NFS daemons to
>>> particular ports and filter out traffic coming from outside of IPsec
>>> tunnel.
>>>
>>> --
>>> Feel free to correct my English
>>> Stanislaw Klekot
>>
>> Well, it's a good solution, but I don't think I'm able to finish it by
>> myself just now, so I'm trying to find an easier way to do it. Will a RADIUS
>> server with 802.1X authentication do the same thing?
>
> Nope, I think. You need to protect NIS and NFS traffic, both by
> authenticating the origin and encrypting the payload. RADIUS AFAIK doesn't
> provide these two.
>
Since our LAN doesn't connect to the internet, data traffic security is not
considered so much. Can a RADIUS server ensure the safety of the origin?
> --
> Feel free to correct my English
> Stanislaw Klekot
-
Re: How to secure LAN visiting with NIS
On 15.06.2006, tech11 wrote:
>>>>>>> I've set up one LAN with NIS account verification, and limited access to
>>>>>>> switch ports with MAC address binding, but I think it is not so safe. If one
>>>>>>> person uses his laptop and sets the same MAC address as a working machine and
>>>>>>> then connects into the LAN and sets the domain and NIS server, he'll get all the
>>>>>>> access to the server and have a way to get data onto his laptop, which is
>>>>>>> awful. Is there any way to avoid it? I don't know how to make NIS more
>>>>>>> secure; is there any way to set up a verification server to check the
>>>>>>> legitimacy of the machine itself? Thanks for your help!
>>>>>>
>>>>>> I did something similar some time ago. You can't authenticate machines
>>>>>> with NIS only, you need some kind of tunneling which does that. But not
>>>>>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
>>>>>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> client and road warrior on server and accept only certificates from
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>> clients and server (you may use PKI infrastructure and create your own
^^^^^^^^^^^^^^^^^^
>>>>>> CA to issue certificates; this simplifies this task a bit).
[...]
>> Eh? Are you saying that the setup that I _did_ and _tested_ for such
>> anomalies contains such a hole, while you _didn't_ see this setup?
>> Am I correct?
>> There _is_ a need for a tunnel between NFS server and client. The server
>> setup doesn't allow clear text connections (because of the firewall, but
>> that's a different matter). If you don't set up a tunnel (and thus
>> don't authenticate to the server), then you can't mount _anything_.
> Do you mean dividing the servers and clients into two LANs and setting up
> a VPN between them?
Read underscored part again.
>>>> You will probably want to bind portmapper and NIS and NFS daemons to
>>>> particular ports and filter out traffic coming from outside of IPsec
>>>> tunnel.
>>> Well, it's a good solution, but I don't think I'm able to finish it by
>>> myself just now, so I'm trying to find an easier way to do it. Will a RADIUS
>>> server with 802.1X authentication do the same thing?
>>
>> Nope, I think. You need to protect NIS and NFS traffic, both by
>> authenticating the origin and encrypting the payload. RADIUS AFAIK doesn't
>> provide these two.
>>
> Since our LAN doesn't connect to the internet, data traffic security is not
> considered so much.
It is. You have (possibly hostile) laptops _inside_ your network. Some
laptop could sniff traffic.
> Can a RADIUS server ensure the safety of the origin?
I think you don't understand the basic idea. RADIUS is _not_ designed to
protect _traffic_. It only allows secure login. You need to protect
traffic, so you need a tunneling protocol, such as OpenVPN or IPsec.
--
Feel free to correct my English
Stanislaw Klekot