Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: RE: Stanford break in

RE: Stanford break in

From: Ames, Neil <NAmes_at_anteon.com>
Date: Thu, 22 Apr 2004 16:46:52 -0400

Ron,
        Your gripe with HP is that they should have given you shadow
passwords by default instead of only when you switched to Trusted
mode--never allowing you to store your crypt-ed passwords in
/etc/passwd--right? (That's Solaris behavior out of the box, isn't it?)
I have *only* worked in the TCB environment, and don't see it as that
big a hassle (any worse that DEC's or IBM's)--though they're all a bit
of pain.

--Fritz

-----Original Message-----
From: R. DuFresne [mailto:dufresne_at_sysinfo.com]
Sent: Thursday, April 22, 2004 1:11 PM
To: Carric Dooley
Cc: Chuck Vose; firewall-wizards_at_honor.icsalabs.com
Subject: Re: [fw-wiz] Stanford break in

>
> Network synced passwords are the only way to manage a large number of
> users. If you have 10 workstations and 1 server, it might be fine to
have
> no network directory, but with 300,000 users, I would say it's
impossible.
> I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS. (notice the

> conspicuous absence of NIS, and I wanted to leave out AD, but it seems
to
> be unavoidable these days.
>

HP made this usless, unless they have finally enabled a shadow setup in
new versions of the OS. We played the single sing-on game at nortel,
and
played with password cracking and all that, but, since 80% of the
servers
were hp's and they lacked any seperation of passwords from the required
/etc/passwd file, users wanting to up their privs on a system just took
copies of the /etc/passwd file home and cracked to the point they felt
they needed. And our CISSP's spent alot of time putting together all
these metrics on strong passwords and how effective they were making
security of the network, without facing the reality of the 80% exposure
faced. HP folks a few years ago hinted that HP was going to change
theit
OS to include shadow password implimentations, but, I've long since
moved
on and these days don;t have to play on much but SUN's and AIX systems,
so
I do not know if they have something beside the horrid TCB that would
break most interal apps for companies and require alot of retrofitting.

Thanks,

Ron DuFresne 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 22 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos