[Full-disclosure] AFS - The Ultimate Solution?

Hi list,

recently I found myself in an argument which I found interesting. This
is why I want to pass it on to the list, since neither my friend nor I
were able to agree on this. Maybe the broader knowledge of this list
will lighten up the matter a bit. Apart from this, I think it might
interest many of you.

The core of the discussion is a corporate system with several workstations
all attached to a single network. This network runs an AFS server which
supplies the corporation's AFS cell.
Every workstation boots into a minimal environment which asks for
username and password. Afterwards it uses these to connect to the
AFS cell and boots one of several available system images which reside
on the AFS server. (Both Linux (FC1) and Windows (2000) images are
available.) After booting the OS, several important folders and files are
replaced with the user's own data (which only he can access due to
Kerberos authentication). For instance, the Linux image gets /etc/passwd,
/etc/shadow, /home/$USER and some others replaced. The custom
/etc/passwd and /etc/shadow will only contain the user himself and the
root account, in order to prevent bruteforcing the passwords.

It seems like this system is quite secure. Even if an attacker should
gain root access locally, he would not be able to access anything he
didn't own in the first place (that is, other users' files residing in
their private AFS folders). Also, he could cause no destruction to the
system because the system is booted from the same image every time. Even
if he did something like rm -rf / he would only delete his private files
in the home folder.

This is kind of a combination of RemoteBoot and AFS.

The well-known weakness of RemoteBoot is that, assuming the
communication with the image server is not encrypted, it is possible
to supply forged images to the workstation (e.g. by ARP-spoofing the
image server).
AFS, however, uses Kerberos to authenticate and is thus considered secure.

Now my friend claims that this system could go unmanaged for ages, since
the user's data would remain secure even if security holes were
published and exploits released. This seems true.
However, I kind of refuse to believe that something this simple can truly
be secure.

The only hole I could come up with is a remote vulnerability that an
attacker would use to access the running workstation of somebody else.
However, this seems unlikely and quite lame.

Anyone up for anything more sophisticated?

Thanks in advance and happy arguing.

Paul

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
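As an added example (not part of Paul's post or of the system he describes): a sanity check for the per-user /etc/passwd and /etc/shadow overlays the design relies on, assuming the overlay files are available as text before they are swapped into the booted Linux image. All account data below is constructed; the `check_overlay` function and its findings format are this example's own.

```python
# Added example: verify that a per-user passwd/shadow overlay really contains
# only root and the owning user, as the design described above requires.

def parse_colon_file(text):
    """Return {name: fields} for a passwd(5)/shadow(5)-style file, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries

def check_overlay(passwd_text, shadow_text, user):
    """Return a list of findings; an empty list means the overlay matches the design."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    allowed = {"root", user}
    # 1. Only root and the owning user may appear (the stated anti-bruteforce property).
    for name in sorted(set(passwd) | set(shadow)):
        if name not in allowed:
            findings.append(f"unexpected account in overlay: {name}")
    # 2. Both files must describe the same set of accounts.
    if set(passwd) != set(shadow):
        findings.append("passwd/shadow account sets differ")
    # 3. shadow must hold a hash (or a lock marker such as '!'), never an empty field,
    #    and passwd must defer to shadow with 'x' so no hash sits in a world-readable file.
    for name, fields in shadow.items():
        if len(fields) < 2 or fields[1] in ("", "x"):
            findings.append(f"{name}: no password hash in shadow")
    for name, fields in passwd.items():
        if len(fields) < 7:
            findings.append(f"{name}: malformed passwd entry")
        elif fields[1] != "x":
            findings.append(f"{name}: passwd field is not 'x'")
    # 4. Only root may carry uid 0.
    for name, fields in passwd.items():
        if len(fields) >= 3 and fields[2] == "0" and name != "root":
            findings.append(f"{name}: uid 0 but not root")
    return findings

# Constructed sample overlays for user 'paul'; the hashes are placeholders, not real.
GOOD_PASSWD = "root:x:0:0:root:/root:/bin/bash\npaul:x:1000:1000:Paul:/home/paul:/bin/bash\n"
GOOD_SHADOW = "root:$1$placeholder$hash:12345:0:99999:7:::\npaul:$1$placeholder$hash:12345:0:99999:7:::\n"
BAD_PASSWD = GOOD_PASSWD + "guest:x:1001:1001::/home/guest:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n"
BAD_SHADOW = GOOD_SHADOW + "guest::12345:0:99999:7:::\n"
```

Running `check_overlay(BAD_PASSWD, BAD_SHADOW, "paul")` reports the extra accounts, the mismatched account sets, the passwordless guest entry and the second uid 0 account; the good overlay yields no findings.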