How to secure LAN visiting with NIS - Security

This is a discussion on How to secure LAN visiting with NIS - Security ; Hello everyone, I've set up one LAN with NIS account verification, and limit visit to switcher ports with MAC address binding, but I think it not so safe. If one person use his laptop and make the same MAC address ...

+ Reply to Thread
Results 1 to 12 of 12

Thread: How to secure LAN visiting with NIS

  1. How to secure LAN visiting with NIS

    Hello everyone,

    I've set up one LAN with NIS account verification, and limit visit to
    switcher ports with MAC address binding, but I think it not so safe. If one
    person use his laptop and make the same MAC address with working machine and
    then connect into the LAN and set domain and NIS server, he'll get all the
    visiting to the server and have the way to get data to his laptop, which is
    awful. Is there any way to avoid it? I don't know how to make NIS more
    secure, is there any way to set up verification server to check the legality
    of machine itself? Thanks for your help!

    Have a good day!

    B.R.

    Joffre



  2. Re: How to secure LAN visiting with NIS

    On 12.06.2006, tech11 wrote:
    > I've set up one LAN with NIS account verification, and limit visit to
    > switcher ports with MAC address binding, but I think it not so safe. If one
    > person use his laptop and make the same MAC address with working machine and
    > then connect into the LAN and set domain and NIS server, he'll get all the
    > visiting to the server and have the way to get data to his laptop, which is
    > awful. Is there any way to avoid it? I don't know how to make NIS more
    > secure, is there any way to set up verification server to check the legality
    > of machine itself? Thanks for your help!


    I did something similar some time ago. You can't authenticate machines
    with NIS only, you need some kind of tunneling which does that. But not
    all tunneling protocols fit here, since NIS uses UDP protocol. You can
    use IPsec with X.509 certificates. Create tunnel to NIS server on each
    client and road warrior on server and accept only certificates from
    clients and server (you may use PKI infrastructure and create your own
    CA to issue certificates; this simplifies this task a bit).

    --
    Feel free to correct my English
    Stanislaw Klekot

  3. Re: How to secure LAN visiting with NIS

    tech11 wrote:
    > I've set up one LAN with NIS account verification, and limit visit to
    > switcher ports with MAC address binding, but I think it not so safe.


    Doesn't sound too bad to me. Presumably NIS+ rather than NIS?


    > If one person use his laptop and make the same MAC address with working
    > machine and then connect into the LAN and set domain and NIS server,
    > he'll get all the visiting to the server and have the way to get data
    > to his laptop, which is awful.


    Don't trust MAC addresses implicitly. Instead, use them as part of your
    security blanket.


    > Is there any way to avoid it?


    Ssh with public/private certificates for encrypting simple traffic from
    client to server. Kerberos V5 for authenticating users, hosts, and
    services.

    Chris

  4. Re: How to secure LAN visiting with NIS

    On 12.06.2006, Chris Davies wrote:
    > tech11 wrote:
    >> I've set up one LAN with NIS account verification, and limit visit to
    >> switcher ports with MAC address binding, but I think it not so safe.

    >
    > Doesn't sound too bad to me. Presumably NIS+ rather than NIS?


    Do you know _any_ NIS+ _server_ implementation working under Linux?

    >> If one person use his laptop and make the same MAC address with working
    >> machine and then connect into the LAN and set domain and NIS server,
    >> he'll get all the visiting to the server and have the way to get data
    >> to his laptop, which is awful.

    >
    > Don't trust MAC addresses implicitly. Instead, use them as part of your
    > security blanket.


    Didn't tech11 said that he don't want to trust MAC addresses?

    >> Is there any way to avoid it?

    >
    > Ssh with public/private certificates for encrypting simple traffic from
    > client to server. Kerberos V5 for authenticating users, hosts, and
    > services.


    How would you forward UDP traffic over SSH? Except setting up VPN
    (recent versions of OpenSSH).

    --
    Feel free to correct my English
    Stanislaw Klekot

  5. Re: How to secure LAN visiting with NIS


    Have you considered LDAP?

    It maybe easier than all the hacks to secure NIS.


  6. Re: How to secure LAN visiting with NIS

    tech11 wrote:
    T> I've set up one LAN with NIS account verification, and limit visit to
    T> switcher ports with MAC address binding, but I think it not so safe.

    On 12.06.2006, Chris Davies wrote:
    C> Doesn't sound too bad to me. Presumably NIS+ rather than NIS?

    Stachu 'Dozzie' K. wrote:
    S> Do you know _any_ NIS+ _server_ implementation working under Linux?

    My domain knowledge of NIS is woefully limited (and I've never managed to
    get NIS+ working. At all.) Just because I don't know something exists
    doesn't mean it doesn't actually exist. Sometimes a pointer is all
    that's required.


    C> Don't trust MAC addresses implicitly. Instead, use them as part of your
    C> security blanket.

    S> Didn't tech11 said that he don't want to trust MAC addresses?

    Yes. I'm agreeing with the philosophy.


    T> Is there any way to avoid it?

    C> Ssh with public/private certificates for encrypting simple traffic from
    C> client to server. Kerberos V5 for authenticating users, hosts, and
    C> services.

    > How would you forward UDP traffic over SSH? Except setting up VPN
    > (recent versions of OpenSSH).


    Sometimes people just want a "simple" solution. If you're wanting to
    handle not just TCP traffic but other stuff as well then I would suggest
    OpenVPN as the "next most simple" solution.

    Too often I see people trying to provide a complete answer to a question
    that was phrased badly, only to discover that the answer doesn't fit
    the actual (un-asked) question. I'm happy to be proven wrong with my
    assumptions, and I will happily amend those to refine my answer to fit
    the problem domain as it unfolds.

    Regards,
    Chris

  7. Re: How to secure LAN visiting with NIS


    "Stachu 'Dozzie' K." 写入消息新闻:slrne8qu6v.j56.dozzie@hans.zsh.bash.o rg.pl...
    > On 12.06.2006, tech11 wrote:
    >> I've set up one LAN with NIS account verification, and limit visit to
    >> switcher ports with MAC address binding, but I think it not so safe. If
    >> one
    >> person use his laptop and make the same MAC address with working machine
    >> and
    >> then connect into the LAN and set domain and NIS server, he'll get all
    >> the
    >> visiting to the server and have the way to get data to his laptop, which
    >> is
    >> awful. Is there any way to avoid it? I don't know how to make NIS more
    >> secure, is there any way to set up verification server to check the
    >> legality
    >> of machine itself? Thanks for your help!

    >
    > I did something similar some time ago. You can't authenticate machines
    > with NIS only, you need some kind of tunneling which does that. But not
    > all tunneling protocols fit here, since NIS uses UDP protocol. You can
    > use IPsec with X.509 certificates. Create tunnel to NIS server on each
    > client and road warrior on server and accept only certificates from
    > clients and server (you may use PKI infrastructure and create your own
    > CA to issue certificates; this simplifies this task a bit).
    >
    > --
    > Feel free to correct my English
    > Stanislaw Klekot


    Thanks for your answers. May you give me more info? I'm one freshman and it
    seems hard to do for me. If I copy the certificatate files to one new pc,
    will it visit my NIS server rightly?

    Since my data server share its directory to clients and I have no proper way
    to validate the right client machine to mount. If one person use his laptop
    and mount on the shared data on server, it's another failing. Do you have
    any good way to fill it? Thanks for your help!

    Have a good day!

    B.R.
    Joffre



  8. Re: How to secure LAN visiting with NIS

    On 14.06.2006, tech11 wrote:
    >
    > "Stachu 'Dozzie' K." 写入消息新闻:slrne8qu6v.j56.dozzie@hans.zsh.bash.o rg.pl...
    >> On 12.06.2006, tech11 wrote:
    >>> I've set up one LAN with NIS account verification, and limit visit to
    >>> switcher ports with MAC address binding, but I think it not so safe. If
    >>> one
    >>> person use his laptop and make the same MAC address with working machine
    >>> and
    >>> then connect into the LAN and set domain and NIS server, he'll get all
    >>> the
    >>> visiting to the server and have the way to get data to his laptop, which
    >>> is
    >>> awful. Is there any way to avoid it? I don't know how to make NIS more
    >>> secure, is there any way to set up verification server to check the
    >>> legality
    >>> of machine itself? Thanks for your help!

    >>
    >> I did something similar some time ago. You can't authenticate machines
    >> with NIS only, you need some kind of tunneling which does that. But not
    >> all tunneling protocols fit here, since NIS uses UDP protocol. You can
    >> use IPsec with X.509 certificates. Create tunnel to NIS server on each
    >> client and road warrior on server and accept only certificates from
    >> clients and server (you may use PKI infrastructure and create your own
    >> CA to issue certificates; this simplifies this task a bit).
    >>
    >> --
    >> Feel free to correct my English
    >> Stanislaw Klekot

    >
    > Thanks for your answers. May you give me more info? I'm one freshman and it
    > seems hard to do for me. If I copy the certificatate files to one new pc,
    > will it visit my NIS server rightly?


    You will need to _copy_ only the CA certificate (if you use PKI). For
    new PC, you will need to _generate_ a new private key and issue a new
    certificate. Never copy a private key to a new machine!

    > Since my data server share its directory to clients and I have no proper way
    > to validate the right client machine to mount. If one person use his laptop
    > and mount on the shared data on server, it's another failing. Do you have
    > any good way to fill it? Thanks for your help!


    Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
    NFS as well.

    You will probably want to bind portmapper and NIS and NFS daemons to
    particular ports and filter out traffic coming from outside of IPsec
    tunnel.

    --
    Feel free to correct my English
    Stanislaw Klekot

  9. Re: How to secure LAN visiting with NIS


    "Stachu 'Dozzie' K."
    ??????:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl. ..
    > On 14.06.2006, tech11 wrote:
    >>
    >> "Stachu 'Dozzie' K."
    >> 写入消息新闻:slrne8qu6v.j56.dozzie@hans.zsh.bash.o rg.pl...
    >>> On 12.06.2006, tech11 wrote:
    >>>> I've set up one LAN with NIS account verification, and limit visit to
    >>>> switcher ports with MAC address binding, but I think it not so safe. If
    >>>> one
    >>>> person use his laptop and make the same MAC address with working
    >>>> machine
    >>>> and
    >>>> then connect into the LAN and set domain and NIS server, he'll get all
    >>>> the
    >>>> visiting to the server and have the way to get data to his laptop,
    >>>> which
    >>>> is
    >>>> awful. Is there any way to avoid it? I don't know how to make NIS more
    >>>> secure, is there any way to set up verification server to check the
    >>>> legality
    >>>> of machine itself? Thanks for your help!
    >>>
    >>> I did something similar some time ago. You can't authenticate machines
    >>> with NIS only, you need some kind of tunneling which does that. But not
    >>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
    >>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
    >>> client and road warrior on server and accept only certificates from
    >>> clients and server (you may use PKI infrastructure and create your own
    >>> CA to issue certificates; this simplifies this task a bit).
    >>>
    >>> --
    >>> Feel free to correct my English
    >>> Stanislaw Klekot

    >>
    >> Thanks for your answers. May you give me more info? I'm one freshman and
    >> it
    >> seems hard to do for me. If I copy the certificatate files to one new pc,
    >> will it visit my NIS server rightly?

    >
    > You will need to _copy_ only the CA certificate (if you use PKI). For
    > new PC, you will need to _generate_ a new private key and issue a new
    > certificate. Never copy a private key to a new machine!
    >
    >> Since my data server share its directory to clients and I have no proper
    >> way
    >> to validate the right client machine to mount. If one person use his
    >> laptop
    >> and mount on the shared data on server, it's another failing. Do you have
    >> any good way to fill it? Thanks for your help!

    >
    > Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
    > NFS as well.


    I don't think so. If one machine don't be authenticated and if one man get
    the root
    permission, he'll round off the NIS server and mount the nfs filesystem
    since there's
    no need to get tunnel connecting between NFS server and client machines.
    >
    > You will probably want to bind portmapper and NIS and NFS daemons to
    > particular ports and filter out traffic coming from outside of IPsec
    > tunnel.
    >
    > --
    > Feel free to correct my English
    > Stanislaw Klekot


    Well, it's one good solution but I don't think I'm able to finish it by
    myself just now, so
    I try to find one easier way to do it. Will one radius server with 802.1x
    authentication
    do the same way?



  10. Re: How to secure LAN visiting with NIS

    On 14.06.2006, tech11 wrote:
    >
    > "Stachu 'Dozzie' K."
    > ??????:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl. ..
    >> On 14.06.2006, tech11 wrote:
    >>>
    >>> "Stachu 'Dozzie' K."
    >>> 写入消息新闻:slrne8qu6v.j56.dozzie@hans.zsh.bash.o rg.pl...
    >>>> On 12.06.2006, tech11 wrote:
    >>>>> I've set up one LAN with NIS account verification, and limit visit to
    >>>>> switcher ports with MAC address binding, but I think it not so safe. If
    >>>>> one
    >>>>> person use his laptop and make the same MAC address with working
    >>>>> machine
    >>>>> and
    >>>>> then connect into the LAN and set domain and NIS server, he'll get all
    >>>>> the
    >>>>> visiting to the server and have the way to get data to his laptop,
    >>>>> which
    >>>>> is
    >>>>> awful. Is there any way to avoid it? I don't know how to make NIS more
    >>>>> secure, is there any way to set up verification server to check the
    >>>>> legality
    >>>>> of machine itself? Thanks for your help!
    >>>>
    >>>> I did something similar some time ago. You can't authenticate machines
    >>>> with NIS only, you need some kind of tunneling which does that. But not
    >>>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
    >>>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
    >>>> client and road warrior on server and accept only certificates from
    >>>> clients and server (you may use PKI infrastructure and create your own
    >>>> CA to issue certificates; this simplifies this task a bit).
    >>>>
    >>>> --
    >>>> Feel free to correct my English
    >>>> Stanislaw Klekot
    >>>
    >>> Thanks for your answers. May you give me more info? I'm one freshman and
    >>> it
    >>> seems hard to do for me. If I copy the certificatate files to one new pc,
    >>> will it visit my NIS server rightly?

    >>
    >> You will need to _copy_ only the CA certificate (if you use PKI). For
    >> new PC, you will need to _generate_ a new private key and issue a new
    >> certificate. Never copy a private key to a new machine!
    >>
    >>> Since my data server share its directory to clients and I have no proper
    >>> way
    >>> to validate the right client machine to mount. If one person use his
    >>> laptop
    >>> and mount on the shared data on server, it's another failing. Do you have
    >>> any good way to fill it? Thanks for your help!

    >>
    >> Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
    >> NFS as well.

    >
    > I don't think so. If one machine don't be authenticated and if one man get
    > the root
    > permission, he'll round off the NIS server and mount the nfs filesystem
    > since there's
    > no need to get tunnel connecting between NFS server and client machines.


    Eh? Are you saying that setup that I _did_ and _tested_ for such
    anomalies contain such a hole, while you _didn't_ see this setup?
    Am I correct?
    There _is_ need to get tunnel between NFS server and client. Server
    setup doesn't allow clear text connections (because of firewall, but
    that's a different matter). If you don't setup tunnel (and thus
    don't authenticate to server), then you can't mount _anything_.

    If someone gets root on such client, then he can do anything that can do
    this client and server can't distinguish traffic from compromised and
    clean client.

    >> You will probably want to bind portmapper and NIS and NFS daemons to
    >> particular ports and filter out traffic coming from outside of IPsec
    >> tunnel.
    >>
    >> --
    >> Feel free to correct my English
    >> Stanislaw Klekot

    >
    > Well, it's one good solution but I don't think I'm able to finish it by
    > myself just now, so
    > I try to find one easier way to do it. Will one radius server with 802.1x
    > authentication
    > do the same way?


    Nope, I think. You need to protect NIS and NFS traffic, both by
    authenticating origin and encrypting payload. Radius AFAIK doesn't
    provide these two.

    --
    Feel free to correct my English
    Stanislaw Klekot

  11. Re: How to secure LAN visiting with NIS


    "Stachu 'Dozzie' K."
    ??????:slrne901mt.4k3.dozzie@hans.zsh.bash.org.pl. ..
    > On 14.06.2006, tech11 wrote:
    >>
    >> "Stachu 'Dozzie' K."
    >> ??????:slrne8vhdb.3ai.dozzie@hans.zsh.bash.org.pl. ..
    >>> On 14.06.2006, tech11 wrote:
    >>>>
    >>>> "Stachu 'Dozzie' K."
    >>>> 写入消息新闻:slrne8qu6v.j56.dozzie@hans.zsh.bash.o rg.pl...
    >>>>> On 12.06.2006, tech11 wrote:
    >>>>>> I've set up one LAN with NIS account verification, and limit visit to
    >>>>>> switcher ports with MAC address binding, but I think it not so safe.
    >>>>>> If
    >>>>>> one
    >>>>>> person use his laptop and make the same MAC address with working
    >>>>>> machine
    >>>>>> and
    >>>>>> then connect into the LAN and set domain and NIS server, he'll get
    >>>>>> all
    >>>>>> the
    >>>>>> visiting to the server and have the way to get data to his laptop,
    >>>>>> which
    >>>>>> is
    >>>>>> awful. Is there any way to avoid it? I don't know how to make NIS
    >>>>>> more
    >>>>>> secure, is there any way to set up verification server to check the
    >>>>>> legality
    >>>>>> of machine itself? Thanks for your help!
    >>>>>
    >>>>> I did something similar some time ago. You can't authenticate machines
    >>>>> with NIS only, you need some kind of tunneling which does that. But
    >>>>> not
    >>>>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
    >>>>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
    >>>>> client and road warrior on server and accept only certificates from
    >>>>> clients and server (you may use PKI infrastructure and create your own
    >>>>> CA to issue certificates; this simplifies this task a bit).
    >>>>>
    >>>>> --
    >>>>> Feel free to correct my English
    >>>>> Stanislaw Klekot
    >>>>
    >>>> Thanks for your answers. May you give me more info? I'm one freshman
    >>>> and
    >>>> it
    >>>> seems hard to do for me. If I copy the certificatate files to one new
    >>>> pc,
    >>>> will it visit my NIS server rightly?
    >>>
    >>> You will need to _copy_ only the CA certificate (if you use PKI). For
    >>> new PC, you will need to _generate_ a new private key and issue a new
    >>> certificate. Never copy a private key to a new machine!
    >>>
    >>>> Since my data server share its directory to clients and I have no
    >>>> proper
    >>>> way
    >>>> to validate the right client machine to mount. If one person use his
    >>>> laptop
    >>>> and mount on the shared data on server, it's another failing. Do you
    >>>> have
    >>>> any good way to fill it? Thanks for your help!
    >>>
    >>> Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
    >>> NFS as well.

    >>
    >> I don't think so. If one machine don't be authenticated and if one man
    >> get
    >> the root
    >> permission, he'll round off the NIS server and mount the nfs filesystem
    >> since there's
    >> no need to get tunnel connecting between NFS server and client machines.

    >
    > Eh? Are you saying that setup that I _did_ and _tested_ for such
    > anomalies contain such a hole, while you _didn't_ see this setup?
    > Am I correct?
    > There _is_ need to get tunnel between NFS server and client. Server
    > setup doesn't allow clear text connections (because of firewall, but
    > that's a different matter). If you don't setup tunnel (and thus
    > don't authenticate to server), then you can't mount _anything_.

    Do you mean divide the servers and clients into two LAN and set up VPN
    between
    them?
    >
    > If someone gets root on such client, then he can do anything that can do
    > this client and server can't distinguish traffic from compromised and
    > clean client.

    I don't worry about the right client machine but the personal laptop, so the
    connecting
    tunnel is a must before one machine comming into my LAN.
    >
    >>> You will probably want to bind portmapper and NIS and NFS daemons to
    >>> particular ports and filter out traffic coming from outside of IPsec
    >>> tunnel.
    >>>
    >>> --
    >>> Feel free to correct my English
    >>> Stanislaw Klekot

    >>
    >> Well, it's one good solution but I don't think I'm able to finish it by
    >> myself just now, so
    >> I try to find one easier way to do it. Will one radius server with 802.1x
    >> authentication
    >> do the same way?

    >
    > Nope, I think. You need to protect NIS and NFS traffic, both by
    > authenticating origin and encrypting payload. Radius AFAIK doesn't
    > provide these two.
    >

    Since our LAN don't connect to internet and the data traffic security is not
    considered
    so much. May radius server ensure the safe of origin?
    > --
    > Feel free to correct my English
    > Stanislaw Klekot




  12. Re: How to secure LAN visiting with NIS

    On 15.06.2006, tech11 wrote:
    >>>>>>> I've set up one LAN with NIS account verification, and limit visit to
    >>>>>>> switcher ports with MAC address binding, but I think it not so safe.
    >>>>>>> If
    >>>>>>> one
    >>>>>>> person use his laptop and make the same MAC address with working
    >>>>>>> machine
    >>>>>>> and
    >>>>>>> then connect into the LAN and set domain and NIS server, he'll get
    >>>>>>> all
    >>>>>>> the
    >>>>>>> visiting to the server and have the way to get data to his laptop,
    >>>>>>> which
    >>>>>>> is
    >>>>>>> awful. Is there any way to avoid it? I don't know how to make NIS
    >>>>>>> more
    >>>>>>> secure, is there any way to set up verification server to check the
    >>>>>>> legality
    >>>>>>> of machine itself? Thanks for your help!
    >>>>>>
    >>>>>> I did something similar some time ago. You can't authenticate machines
    >>>>>> with NIS only, you need some kind of tunneling which does that. But
    >>>>>> not
    >>>>>> all tunneling protocols fit here, since NIS uses UDP protocol. You can
    >>>>>> use IPsec with X.509 certificates. Create tunnel to NIS server on each

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    >>>>>> client and road warrior on server and accept only certificates from

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
    >>>>>> clients and server (you may use PKI infrastructure and create your own

    ^^^^^^^^^^^^^^^^^^
    >>>>>> CA to issue certificates; this simplifies this task a bit).

    [...]
    >> Eh? Are you saying that setup that I _did_ and _tested_ for such
    >> anomalies contain such a hole, while you _didn't_ see this setup?
    >> Am I correct?
    >> There _is_ need to get tunnel between NFS server and client. Server
    >> setup doesn't allow clear text connections (because of firewall, but
    >> that's a different matter). If you don't setup tunnel (and thus
    >> don't authenticate to server), then you can't mount _anything_.

    > Do you mean divide the servers and clients into two LAN and set up VPN
    > between
    > them?


    Read underscored part again.

    >>>> You will probably want to bind portmapper and NIS and NFS daemons to
    >>>> particular ports and filter out traffic coming from outside of IPsec
    >>>> tunnel.


    >>> Well, it's one good solution but I don't think I'm able to finish it by
    >>> myself just now, so
    >>> I try to find one easier way to do it. Will one radius server with 802.1x
    >>> authentication
    >>> do the same way?

    >>
    >> Nope, I think. You need to protect NIS and NFS traffic, both by
    >> authenticating origin and encrypting payload. Radius AFAIK doesn't
    >> provide these two.
    >>

    > Since our LAN don't connect to internet and the data traffic security is not
    > considered
    > so much.


    It is. You have (possibly hostile) laptops _inside_ your network. Some
    laptop could sniff traffic.

    > May radius server ensure the safe of origin?


    I think you don't understand basic idea. Radius is _not_ designed for
    protect _traffic_. It allows only secure login. You need to protect
    traffic, so you need a tunneling protocol, such as OpenVPN or IPsec.

    --
    Feel free to correct my English
    Stanislaw Klekot

+ Reply to Thread