Penetration Testing
mailing list archives
Re: [PEN-TEST] NIS. An Alternative.
From: Max Vision <vision () WHITEHATS COM>
Date: Mon, 21 Aug 2000 19:19:00 -0700
You probably shouldn't make your infrastructure decisions based on
security problems in particular implementations. Security holes are found
in most software - so unless there are fundamental design flaws you might
consider newer versions, versus ruling out the entire protocol. Sun may
have NIS/NIS+ working perfectly now, I haven't looked. IMHO,
configuration plays the largest role in proper directory services
security.
Another good option is LDAP, which seems to be gaining popularity
recently. Solaris 8 also supports Native LDAP (nsswitch.ldap template).
http://www.openldap.org/
Several LDAP implementations have had serious security flaws as well,
although I don't think this should be a factor in choosing a protocol for
your directory services needs:
Microsoft Exchange 5.5 (LDAP buffer overflow, found by ISS)
Checkpoint Firewall-1 4.0 sp4 (LDAP ACLs didn't work, found by Olaf)
Netscape Professional Services (LDAP ACLs again, found by lcamtuf)
and numerous localhost holes...
I suppose my point is that even another good directory service (LDAP) has
a history of problems, and that although security is critical, perhaps
protocol infrastructure/design should be a more important consideration
in your selection. Once you pick the right tool for the job, you can go
about securing it. :)
Max Vision
http://whitehats.com
On Mon, 21 Aug 2000, Jason Spencer wrote:
Due to the security implications created through using NIS (Network
Information Services) could anyone recommend any alternatives?
Thanks