Re: How to secure LAN visiting with NIS



On 14.06.2006, tech11 <tech11@xxxxxxxx> wrote:

"Stachu 'Dozzie' K." <dozzie@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:slrne8qu6v.j56.dozzie@xxxxxxxxxxxxxxxxxxxxxxx
On 12.06.2006, tech11 <tech11@xxxxxxxx> wrote:
I've set up one LAN with NIS account verification, and limit visit to
switcher ports with MAC address binding, but I think it's not so safe. If
one person uses his laptop and makes the same MAC address as a working
machine and then connects into the LAN and sets the domain and NIS server,
he'll get all the visiting to the server and have the way to get data to
his laptop, which is awful. Is there any way to avoid it? I don't know how
to make NIS more secure. Is there any way to set up a verification server
to check the legality of the machine itself? Thanks for your help!

I did something similar some time ago. You can't authenticate machines
with NIS only; you need some kind of tunneling which does that. But not
all tunneling protocols fit here, since NIS uses the UDP protocol. You can
use IPsec with X.509 certificates. Create a tunnel to the NIS server on
each client and a road warrior on the server, and accept only certificates
from clients and server (you may use PKI infrastructure and create your own
CA to issue certificates; this simplifies this task a bit).

--
Feel free to correct my English
Stanislaw Klekot

Thanks for your answers. Could you give me more info? I'm a freshman and it
seems hard for me to do. If I copy the certificate files to one new PC,
will it visit my NIS server rightly?

You will need to _copy_ only the CA certificate (if you use PKI). For
a new PC, you will need to _generate_ a new private key and issue a new
certificate. Never copy a private key to a new machine!

My data server shares its directory to clients and I have no proper way
to validate the right client machine to mount. If one person uses his laptop
and mounts the shared data on the server, it's another failing. Do you have
any good way to fill it? Thanks for your help!

Is it NFS? The same solution as for NIS. My NIS+IPsec setup contained
NFS as well.

You will probably want to bind the portmapper and the NIS and NFS daemons
to particular ports and filter out traffic coming from outside of the IPsec
tunnel.

--
Feel free to correct my English
Stanislaw Klekot
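
The port-pinning and filtering step from the last reply, as an added example that is not part of the original thread: a generator for iptables rules that accept the RPC ports only for packets that arrived through IPsec. The function name `nis_nfs_ipsec_rules` is hypothetical, and ports 834 and 835 are assumed values for a ypserv and rpc.mountd started with a fixed `-p` port.

```shell
#!/bin/sh
# Added example. Prints iptables commands (it does not run them) that admit
# portmapper/NIS/NFS traffic only when it arrived through IPsec.
# Arguments: the fixed ports the RPC daemons were bound to.
# Assumed for the sample call below: ypserv started with "-p 834" and
# rpc.mountd with "-p 835"; 111 (portmapper) and 2049 (nfsd) are standard.
nis_nfs_ipsec_rules() {
    # Validate every port before printing anything, so a typo never
    # produces a half-written rule set.
    [ "$#" -gt 0 ] || { echo "no ports given" >&2; return 1; }
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2; return 1
        fi
    done

    # IKE and ESP must get in, or no tunnel can be set up at all.
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -p esp -j ACCEPT"

    for port in "$@"; do
        for proto in udp tcp; do
            # Accept only packets that were decapsulated from an IPsec SA.
            echo "iptables -A INPUT -p $proto --dport $port -m policy --dir in --pol ipsec -j ACCEPT"
            # The same port reached in clear text is dropped.
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Review the output, then apply it as root on the server:
#   nis_nfs_ipsec_rules 111 2049 834 835 | sh
```

Any other RPC service the clients need (for example the NFS lock and status daemons) has to be pinned to a port and passed to the function as well, or it stays reachable outside the tunnel.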