Re: How to secure LAN visiting with NIS
- From: "Stachu 'Dozzie' K." <dozzie@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 15 Jun 2006 11:41:10 +0000 (UTC)
On 15.06.2006, tech11 <tech11@xxxxxxxx> wrote:
>>> I've set up one LAN with NIS account verification, and limit visiting to
>>> switch ports with MAC address binding, but I think it is not so safe. If
>>> one person uses his laptop and makes the same MAC address as a working
>>> machine and then connects into the LAN and sets domain and NIS server,
>>> he'll get all the visiting to the server and have the way to get data to
>>> his laptop, which is awful. Is there any way to avoid it? I don't know
>>> how to make NIS more secure; is there any way to set up a verification
>>> server to check the legality of the machine itself? Thanks for your help!
>>
>> I did something similar some time ago. You can't authenticate machines
>> with NIS only, you need some kind of tunneling which does that. But not
>> all tunneling protocols fit here, since NIS uses the UDP protocol. You can
>> use IPsec with X.509 certificates. Create tunnel to NIS server on each
>>                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> client and road warrior on server and accept only certificates from
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> clients and server (you may use PKI infrastructure and create your own
>> ^^^^^^^^^^^^^^^^^^
>> CA to issue certificates; this simplifies this task a bit).
>> [...]
>
> Do you mean divide the servers and clients into two LANs and set up VPN
> between them?

Eh? Are you saying that the setup that I _did_ and _tested_ for such
anomalies contains such a hole, while you _didn't_ see this setup?
Am I correct?

There _is_ a need to get a tunnel between NFS server and client. Server
setup doesn't allow clear text connections (because of firewall, but
that's a different matter). If you don't set up a tunnel (and thus
don't authenticate to server), then you can't mount _anything_.

Read underscored part again.

>> You will probably want to bind portmapper and NIS and NFS daemons to
>> particular ports and filter out traffic coming from outside of IPsec
>> tunnel.
>
> Well, it's one good solution but I don't think I'm able to finish it by
> myself just now, so I try to find one easier way to do it. Will one
> radius server with 802.1x authentication do the same way?

Nope, I think. You need to protect NIS and NFS traffic, both by
authenticating origin and encrypting payload. Radius AFAIK doesn't
provide these two.

> Since our LAN doesn't connect to the internet and the data traffic
> security is not considered so much.

It is. You have (possibly hostile) laptops _inside_ your network. Some
laptop could sniff traffic.

> May a radius server ensure the safety of origin?

I think you don't understand the basic idea. Radius is _not_ designed to
protect _traffic_. It allows only secure login. You need to protect
traffic, so you need a tunneling protocol, such as OpenVPN or IPsec.
--
Feel free to correct my English
Stanislaw Klekot
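The port-pinning and filtering step recommended in the reply (bind portmapper, NIS and NFS daemons to fixed ports and drop anything that did not arrive through the IPsec tunnel), as an added example that is not part of the thread: a POSIX shell script that generates the iptables rules using the xt_policy match. The ypserv/mountd/statd port numbers and the daemons' -p options are assumptions to be checked against the local ypserv and nfs-utils versions.

```sh
#!/bin/sh
# Added example, not from the thread: emit iptables rules that let the
# portmapper, NIS and NFS ports be reached only through an IPsec SA and
# drop the same ports when they arrive in clear text.
# The ypserv/mountd/statd ports are assumptions: pin them on the server
# with the daemons' -p options (ypserv -p, rpc.mountd -p, rpc.statd -p,
# rpc.nfsd -p) so that the rules below and the daemons agree.
PORTMAP_PORT=111     # rpcbind/portmap, fixed
NFS_PORT=2049        # nfsd, fixed by default
YPSERV_PORT=834      # assumed: ypserv -p 834
MOUNTD_PORT=892      # assumed: rpc.mountd -p 892
STATD_PORT=662       # assumed: rpc.statd -p 662

# Print the rules instead of applying them, so they can be reviewed first;
# apply with: rpc_ipsec_rules | sh
rpc_ipsec_rules() {
    # IKE (UDP 500/4500) and ESP must be reachable in the clear, or no
    # client can bring the tunnel up in the first place.
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -p esp -j ACCEPT"
    for port in $PORTMAP_PORT $NFS_PORT $YPSERV_PORT $MOUNTD_PORT $STATD_PORT; do
        for proto in tcp udp; do
            # xt_policy match: accept only packets decapsulated from an
            # inbound ESP SA ...
            echo "iptables -A INPUT -p $proto --dport $port" \
                 "-m policy --dir in --pol ipsec --proto esp -j ACCEPT"
            # ... and drop the same port when it did not come through IPsec.
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Helper for checking the generated set: number of rules naming a port.
rules_for_port() {
    rpc_ipsec_rules | grep -c -- "--dport $1 "
}
```

The rules only say which packets must have come through IPsec; which X.509 certificates (from the local CA) are accepted is decided in the IKE daemon's configuration, so both halves are needed.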