Re: tcpwrapped rpcbind/portmap?

From: Trevor Fiatal (trevor@seven.com)
Date: 08/21/01


Message-ID: <3B819796.64D4DFBA@seven.com>
Date: Mon, 20 Aug 2001 16:04:54 -0700
From: Trevor Fiatal <trevor@seven.com>
Subject: Re: tcpwrapped rpcbind/portmap?

Hal Flynn wrote:
>
> > Absolutely. The lack of ACL enforcement within the stock Solaris
> > rpcbind makes its use problematic in a security-sensitive environment.
>
> How so? Is it not possible to access any service that uses rpc directly
> anyways? :>

Good point.

[deletia]
>
> Perhaps I'm just a draconian BOFH type, but for systems that are
> production and in a DMZ, the only good rpc is no rpc.

I'm 100% with you on that one. None of our externally visible systems
run rpc, period. However, on our interior networks, it is frequently
desirable or necessary to run rpcbind in order to satisfy the needs
of our users.

In that particular case, having an additional policy enforcement
point on internal systems via tcpwrappered rpcbind would certainly
reduce certain types of risk from internal threats. There's only
so far I can go with implementing firewalls and ACLs on the
interior networks, so anywhere I can increase enforcement without
buying hardware or software is a Good Thing(tm).
> In short, or at least in my opinion, if you're betting the farm on a more
> secure rpcbind...well let me just say the cows and chickens are going to
> gang up on you one night while you're sleeping.

Nope, not me. Managed risk via defense in depth, not blind trust
in the New Improved version of anything. :)

-Trevor

-- 
Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/
Co-Founder
Seven
510.967.4556 (work/mobile)  
510.401.8054 (vmail/fax)
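
The "additional policy enforcement point" Trevor describes is the tcp_wrappers access table consulted by a wrapped rpcbind. The following is an added example, not code from the thread or from tcp_wrappers itself: a small Python model of the hosts_access(5) decision order (hosts.allow first, then hosts.deny, default permit) over constructed rules that restrict rpcbind to two internal networks. It implements a subset of the pattern language (ALL, dotted address prefixes, net/mask, and EXCEPT), so it is for reasoning about a policy, not a replacement for the real library.

```python
import ipaddress

# Constructed sample tables (not from the original thread): permit rpcbind only
# from two internal networks, deny it to everyone else, leave other daemons alone.
HOSTS_ALLOW = """
rpcbind : 10.10.0.0/255.255.0.0 EXCEPT 10.10.99.
rpcbind : 192.168.5.
"""
HOSTS_DENY = """
rpcbind : ALL
"""

def _match_pattern(pattern, value):
    """Match one hosts_access(5) pattern (subset: ALL, 'a.b.' prefix, net/mask, literal)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # dotted address prefix, e.g. 192.168.5.
        return value.startswith(pattern)
    if "/" in pattern:                         # net/mask, e.g. 10.10.0.0/255.255.0.0
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value                    # literal daemon name or address

def _match_list(patterns, value):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c), as in hosts_access(5)."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _match_list(patterns[:i], value) and not _match_list(patterns[i + 1:], value)
    return any(_match_pattern(p, value) for p in patterns)

def _table_matches(table, daemon, client):
    """True if any 'daemon_list : client_list' line in the table matches both fields."""
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()   # daemon = wrapped process name
        clients = fields[1].replace(",", " ").split()
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return True
    return False

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match refuses,
    and a client matching neither table is permitted (the fail-open default)."""
    if _table_matches(allow, daemon, client):
        return True
    if _table_matches(deny, daemon, client):
        return False
    return True
```

The last branch is the point worth remembering when wrapping rpcbind on an interior host: without an explicit `rpcbind : ALL` in hosts.deny, every client the allow table does not name is still let through.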


