
Re: networking

	Second the Kerberos (which I use) but you can also do
it very effectively using a master host and ssh/rsync/whatever
to securely push/pull the user information to/from places on
a semi-regular basis. No NIS and everything works. Of course
you have to deal with the issue of differing password encryption
schemes and the like if you're heterogeneous which usually
means you fall back to using DES instead of something better.

Note there may be no way to *ensure* that "Your OpenBSD box won't fall
if your Solaris box gets hacked" if your OpenBSD box trusts the
Solaris box in any way - i.e. if I nail the Solaris box I can watch
people logging in to the OpenBSD box -- then you have a problem (tty
sniff, replace ssh/telnet, etc.) Even Kerberos, IPsec and other stuff
doesn't help you then. Basically, if you have a user coming in to you
from a compromised machine where the bad guy has root and a clue,
you're dead. If that's your concern, start thinking firewalls in front
of the lot to reduce the risk of one of your cluster getting nailed
due to running insecure software, and don't let people in from the
outside. My solution to safe Solaris is usually either:

- Put it on a massive diet and turn everything off/replace anything
I don't trust. (AKA our SunSITE machines)
- Put OpenBSD in front of it and let nothing into it. (AKA our
admin database machines).

	IPsec and/or properly set up switches can help (but not cure
everything) in these cases depending on your exact scenario and
what ability to secure and compartmentalize the network you have,
and what sort of risks you realistically expect to mitigate. Start
looking at where you can draw lines in the sand.


>-----Original Message-----
>From: alex [mailto:alex@crawfish.suba.com]
>Sent: Thursday, September 16, 1999 2:07 AM
>To: misc@openbsd.com
>Subject: Re: networking
>> Does anyone know of a site that teaches different network setups in
>> OpenBSD environments?
>This isn't exactly the same question, but I'd be interested in knowing
>how OpenBSD security gurus build networks that need NIS-like and
>NFS-like services.  If you assume your network is being sniffed, is
>there any way to implement that kind of functionality securely?  Are
>there secure tools that will tie different *nix OSes together
>(Solaris, Linux, etc.)?  Is there any way to do it so your OpenBSD
>boxes won't fall if your Solaris box gets hacked?
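The reply above suggests replacing NIS with a master host that pushes or pulls the user database over ssh/rsync, and warns that a heterogeneous network tends to fall back to DES crypt hashes. The script below is an added example, not code from either poster: it is the sanity check a receiving host would run on a pulled passwd(5)-style file before installing it (field count, numeric uid/gid, duplicate names, unexpected uid-0 accounts) and it reports how many entries still carry a 13-character DES hash. The rsync invocation in the comment, the file paths, the account names and the hash strings are all constructed for the demo; the 7-field layout matches /etc/passwd, so adjust the field count for a 10-field BSD master.passwd.

```sh
#!/bin/sh
# Added example (not from the original thread): check a passwd-style file
# pulled from a master host before installing it, and report which crypt(3)
# hash schemes are in use. All names, paths and sample entries are constructed.
#
# Assumed pull step this check sits behind (not run here):
#   rsync -e ssh -a master.example.invalid:/var/userdb/passwd /var/userdb/passwd.new

# Classify a crypt(3) hash by its prefix or length.
# Prints one of: des | md5 | blowfish | locked | empty | unknown
classify_hash() {
    h="$1"
    case "$h" in
        "")        echo empty ;;
        '*'*|'!'*) echo locked ;;
        '$1$'*)    echo md5 ;;
        '$2'*)     echo blowfish ;;
        *)
            # Traditional DES crypt is exactly 13 characters from [A-Za-z0-9./]
            if [ "${#h}" -eq 13 ] && printf '%s' "$h" | grep -Eq '^[A-Za-z0-9./]{13}$'; then
                echo des
            else
                echo unknown
            fi
            ;;
    esac
}

# Validate a 7-field passwd(5) file. Prints each problem found and returns
# 0 when the file is acceptable, 1 otherwise.
validate_passwd() {
    f="$1"
    awk -F: '
        NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad = 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { printf "line %d: non-numeric uid/gid\n", NR; bad = 1 }
        seen[$1]++ { printf "line %d: duplicate user %s\n", NR, $1; bad = 1 }
        $3 == 0 && $1 != "root" && $1 != "toor" { printf "line %d: unexpected uid-0 account %s\n", NR, $1; bad = 1 }
        $3 == 0 { roots++ }
        END {
            if (roots == 0) { print "no uid-0 account found"; bad = 1 }
            exit bad
        }
    ' "$f"
}

# Count entries whose hash is traditional DES, the weak lowest common
# denominator a mixed Solaris/Linux/OpenBSD network often ends up with.
count_des_hashes() {
    f="$1"
    n=0
    while IFS=: read -r user hash rest; do
        if [ "$(classify_hash "$hash")" = des ]; then
            n=$((n + 1))
        fi
    done < "$f"
    echo "$n"
}

# Constructed sample data (not real accounts or real hashes) for the demo.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/passwd.good" <<'EOF'
root:$2a$08$CONSTRUCTEDSAMPLEHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0:Charlie Root:/root:/bin/ksh
alice:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1000:1000:Alice:/home/alice:/bin/ksh
bob:abJnggxhB/yWI:1001:1001:Bob:/home/bob:/bin/sh
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
EOF
cat > "$DEMO_DIR/passwd.bad" <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/ksh
opr:*:0:0:Operator:/root:/bin/sh
alice:abJnggxhB/yWI:1000:1000:Alice:/home/alice:/bin/ksh
alice:abJnggxhB/yWI:1002:1002:Alice again:/home/alice2
EOF

# Demo run: hash mix of the good file, then accept/reject decisions.
printf 'DES hashes in passwd.good: %s\n' "$(count_des_hashes "$DEMO_DIR/passwd.good")"
if validate_passwd "$DEMO_DIR/passwd.good"; then echo "passwd.good: OK"; else echo "passwd.good: REJECTED"; fi
if validate_passwd "$DEMO_DIR/passwd.bad"; then echo "passwd.bad: OK"; else echo "passwd.bad: REJECTED"; fi
```

In practice the pulled file is written to a staging path, run through `validate_passwd`, and only then moved into place atomically; the DES count is the figure to watch when migrating hosts off the weakest scheme the reply mentions.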