Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Security of NIS (YP) Gary Lam

Published byPrudence Warren Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Security of NIS (YP) Gary Lam"— Presentation transcript:

1 1 Security of NIS (YP) Gary Lam Lamg@vwl.medc.umn.edu

2 2 Security of N I S NIS Overview NIS benefits and Goals Possible attacks Possible solutions Conclusion

3 3 NIS overview What is NIS ? A software package originated from SUN It operates in a distributed environment It has its own domain(s) It has master servers and client hosts It has unique maps as its database files Assume the connected systems are trusted

4 4 A typical scenario User logs in to a machine(Client) on the network Username: Password: bob ServerClient CClient BClient A Network providing NIS services

5 5 NIS Domain(s) Machines share the same NIS maps are logically grouped together Each domain needs a master server Can have slave servers that act as backup Client hosts must be in the domain to use NIS services

6 6 NIS main components Mater server, slave servers ypserv, rpc.passwdd, ypbind Client hosts ypbind NIS maps NIS database is comprised of a group of files known as maps

7 7 NIS maps Maps are in the dbm format( database management ) Maps are composed of keys and values Key: a field in the map client must specify whenever it queries the map Values: attributes of the key returned from the query For example: /etc/hosts Key Value moose 123.123.123.100 Generates the “hosts.byname” & “hosts.byaddr” map Hosts map KEY name address

8 8 NIS netgroup Netgroups are used to name sets of users and machines for easy reference Format of a netgroup entry is: Groupname list-of-members Bobcat (hostname, username, domainname) For example: /etc/netgroup file contains: Bobcats (gopher,,)

9 9 How does it work? A client – Server model A NIS client requires “ypbind” to request data from an NIS server database. ypbind remembers which server and its port for binding A NIS server “ypserv” provides data from the NIS database to the requesting client.

10 10 The big picture M s ypbind ypserv rpc.passwdd ypbind c c c ypserv Master Server Slave Server ypbind

11 11 NIS Operation Application C Library ypserv ypbind portmap NIS Maps

12 12 NIS benefits & Goals Users One password goes any where!! Use the global UID and GID System administrators Ease of network administration Never bother with individual file on machines Save time !!!

13 13 Why is NIS not secure? Its connection is wide open No protection between the client/server connection Mounting an attack is easy The domain concept is flawed Could mount a dictionary attack It is based on trust in a distributed environment Allow intrusion unintentionally None or insufficient authentication Leads to Spoofing the server

14 14 Trusting relationship…? Host level equivalence /etc/hosts.equiv file Contains a list of hostnames Can log in to any hosts in the domain without password Part 1: Trusted Hosts Gopher Badger Raven Falcon Gopher No password checking

15 15 Account level equivalence $HOME/.rhosts file File contains a list of hostname and usernames Format: hostname [username, username,..] Part 2: Trusted account Trusting Relationship…?.rhosts file Gopher Tom Badger Drew Raven Brad Falcon Gopher No password checking

16 16 Implication of trust Trust relationships are transitive If B trusts A and C trusts B then A trusts C If A is compromised, then B and C is also compromised! ABC A B

17 17 Using the Domain Hosts are authenticated by the Domain Attack can be done by guessing the NIS domain name Scenario: An user can obtain the password map file. e.g. use the “ypcat” command

18 18 Dictionary Attack Given a thousand people each to choose their own password, the odds are excellent that at least one person will choose a password in the attacker’s dictionary. Attacker can crack your password offline. Password of six characters or less could be cracked in 2 days or less

19 19 Spoofing attack 3 little steps !! Scenario: Moose(server), gopher(hosts), and Hacky(intruder). 1. Take Moose out of the network 2. Guess gopher’s IP sequence number 3. Pretend to be Moose HackyMoose Gopher

20 20 Spoofing (cont.) Attacker(hacky) can forge a series of connection requests to moose using an improper protocol A connection request packet with non- existent return address Server is busy handling those bogus connection requests from hacky Server’s queue filled up and no longer can handle requests from other hosts Take moose out

21 21 Spoofing (cont.) Attacker can then guess IP sequence number Sounds difficult in reality but it is NOT Because many implementations use a well defined algorithm to generate initial sequence number Can make an educated guess!! Guess gopher’s IP sequence number

22 22 Spoofing (cont.) Hacky Moose Gopher Attack packet Fake packet Internal network Respond

23 23 Denial of Service Attack Bring down the NIS network service Use the finger service e.g. finger bob@gopher.com client send its NIS request to find “bob” Over load NIS server with NIS requests The NIS server searches the map to find bob. NIS “finger” traffic eventually congests the network Other NIS services are disrupted.(e.g. password lookup)

24 24 Possible Solutions Against login equivalence Do not use the login equivalence If you have to use it, then: Use full qualified host name(no “moose”) Use: moose.cs.umn.edu Ask for password no matter who is requesting the connection Limited to specific, trusted hosts Never be granted to hosts outside of Sys.Admin control Restrict equivalence to host-based which can be placed directly under the administrator’s control

25 25 Possible Solution (cont.) Against Dictionary attack Do not choose password from a dictionary! Disable or block ypcat command Have good password selection strategies Perform password checking Proactive checker Reactive checker

26 26 Possible Solution (cont.) Against spoofing Use encrypted IP Sequence number Packet filtering firewall that checks “from” field Session encryption

27 27 Possible Solution (cont.) Against Denial-of-Service attack Disable finger service on any NIS based system Restrict service to the minimum number of hosts or to host that do not participate in NIS.

28 28 Conclusion NIS is great but at the cost of security Try a different approach for distributing files Do not use it if possible!!

29 29 Thank you!

30 30 yppasswd data structure Struct yppasswd{ Char* oldpass; /* unencrypted passwd */ struct passwd newpasswd; };

31 31 NIS vs. NIS+ NISNIS+ Machine name and user’s name can be the same Machine name and user’s name must be unique Domains are flat—no hierarchy Domains are hierarchical Names and commands are case sensitive Names and commands are not case sensitive Data is stored in 2-columns maps Data is stored in multi- columns tables Uses no authenticationUses DES authentication Updates of maps are delayed for batch propagation Updates are propagated immediately

Download ppt "1 Security of NIS (YP) Gary Lam"

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
NIS Consistent configuration across the network. Why NIS? Primary reason is to provide same user configuration across the network Users go any machine.

NIS Consistent configuration across the network. Why NIS? Primary reason is to provide same user configuration across the network Users go any machine.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google