12.2. How secure are NIS and NFS?
NFS and NIS have bad reputations
for security. NFS earned its reputation because of its default RPC
security flavor AUTH_SYS (see
Section 12.4.1, "RPC security"
later in this chapter) is very weak. There are
better security flavors available for
NFS on Solaris and other systems. However, the better security
flavors are not available for all, or even most NFS implementations,
resulting in a practical dilemma for you. The stronger the NFS
security you insist on, the more homogenous your computing
environment will become. Assuming that secure file access across the
network is a requirement, another option to consider is to not run
NFS and switch to another file access system. Today there are but two
practical choices:
- SMB (also known as CIFS)
-
This limits your desktop environment
to Windows. However, as discussed in
Section 10.2.1, "NFS versus SMB (CIFS)", if you want strong security,
you'll have to have systems capable of it, which means running
Windows clients and servers throughout.
- DCE/DFS
-
At the time this book was written, DCE/DFS was
available
as an add-on product developed by IBM's Pittsburgh Laboratory
(also known as Transarc) unit for Solaris, IBM's AIX, and
Windows. Other vendors offer DCE/DFS for their own operating systems
(for example, HP offers DCE/DFS). So DCE/DFS offers the file access
solution that is both heterogeneous and very secure.
NIS has earned its reputation because it
has
no authentication at all. The risk of this is that a successful
attacker could provide a bogus NIS map to your users by having a host
he controls masquerade as an NIS server. So the attacker could use a
bogus host map to redirect the user to a host he controls (of course
DNS has the same issue).
[19] Even more insidious, the attacker could gain root access
when logging into a system, simply by providing a bogus passwd map.
Another risk is that the encrypted password field from the
passwd map in NIS is available to everyone, thus
permitting attackers to perform faster password guessing than if they
manually tried passwords via login attempts.
These issues are corrected by NIS+. If you are uncomfortable with NIS
security then you ought to consider NIS+. In addition to Solaris,
NIS+ is supported by AIX and HP/UX, and a client implementation is
available for Linux. By default NIS+ uses the RPC/dh security
discussed in
Section 12.5.4, "AUTH_DH: Diffie-Hellman authentication". As discussed in
Section 12.5.4.10, "How secure is RPC/DH?", RPC/dh security is not state of
the art. Solaris offers an enhanced Diffie-Hellman security for NIS+,
but so far, other systems have not added it to their NIS+
implementations.
Ultimately, the future of directory services is LDAP, but at
the
time this book was written, the common
security story for LDAP on Solaris, AIX, HP/UX, and Linux was not as
strong as that of NIS+. You can get very secure LDAP out of Windows
2000, but then your clients and servers will be limited to running
Windows
2000.
| | |
12. Network Security | | 12.3. Password and NIS security |