
Re: Security issues and LDM



Jeff Wolfe wrote:
> 
> Hi folks,
> 
> I'm sure everyone is aware of the ever increasing number of worms and other
> security compromises that are happening on the 'net these days. The local
> security folks here want to put a blanket filter on our internet
> connection for inbound port 111. The idea is that by filtering port 111, they
> make it just a bit harder for the various miscreants to find vulnerable RPC
> services.
> 
> I'm trying to understand what effects that will have on our LDM servers. I
> vaguely remember running ldm for a while without having the /etc/rpc file
> edited properly, but that was a long time ago. I'm thinking we'll be able to
> connect to other servers, but nobody will be able to connect to us.
> 
> Longer term, has anyone considered what will happen with LDM as firewalls,
> proxy servers and other security measures become more prevalent? RPC isn't the
> most firewall friendly protocol ever invented.
> 
> -Jeff


Hi Jeff,

The LDM does not require that port 111 be available as long as port 388
is available, like others have said.  If port 388 was not available,
then a remote LDM would try to contact the portmapper on port 111.  If
neither is available it will give up.

Regarding the longer term, sure we're considering security issues.  But,
the current design has served us well.  Lots of our sites have firewalls
and run with no problem as long as port 388 is open.

Regarding being "firewall friendly", technically, the LDM is not an RPC
service because it doesn't require the portmapper.  Instead, it is a
"TCP service that uses RPC protocol encoding."  That is, it establishes
the service on a fixed TCP port that clients try directly.  

Anne
-- 
***************************************************
Anne Wilson                     UCAR Unidata Program            
address@hidden                 P.O. Box 3000
                                  Boulder, CO  80307
----------------------------------------------------
Unidata WWW server       http://www.unidata.ucar.edu/
****************************************************
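The reply above describes the order in which an upstream LDM reaches a site: the fixed TCP port 388 is tried first, the portmapper on port 111 is only a fallback, and the connection is abandoned if both fail. The script below is an added example written for this archive page, not code from Unidata or the LDM distribution. It lets a site administrator check, from outside the proposed port-111 filter, what a remote LDM would actually experience: it probes the two ports in the same order and reports which path would be taken. The hostname, the `tcp_reachable` helper and the stub probe used for offline testing are all assumptions of this example; the LDM behaviour itself is taken from the message.

```python
import socket
from typing import Callable, Iterable

# Port facts from the message above: LDM listens on a fixed TCP port, 388,
# and only falls back to the RPC portmapper (111) if 388 cannot be reached.
LDM_PORT = 388
PORTMAPPER_PORT = 111

# Type of a probe: (host, port) -> True if a TCP connection succeeds.
Probe = Callable[[str, int], bool]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    A refused or filtered port raises OSError (ConnectionRefusedError or a
    timeout), which is what a remote LDM sees behind a filter.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldm_connect_path(host: str, probe: Probe = tcp_reachable) -> str:
    """Mirror the upstream LDM's strategy as described in the reply.

    Returns 'direct' if port 388 answers, 'portmapper' if only port 111
    answers, and 'unreachable' if neither does (the LDM would give up).
    """
    if probe(host, LDM_PORT):
        return "direct"
    if probe(host, PORTMAPPER_PORT):
        return "portmapper"
    return "unreachable"


def assess_filter(host: str, probe: Probe = tcp_reachable) -> str:
    """Plain-language verdict for the filtering question in the thread:
    does blocking inbound 111 affect remote LDMs connecting to this site?"""
    path = ldm_connect_path(host, probe)
    if path == "direct":
        return ("port 388 reachable: remote LDMs connect directly; "
                "filtering port 111 does not affect them")
    if path == "portmapper":
        return ("port 388 blocked, port 111 open: remote LDMs depend on the "
                "portmapper fallback; open 388 before filtering 111")
    return "neither 388 nor 111 reachable: remote LDMs cannot connect"


def stub_probe(open_ports: Iterable[int]) -> Probe:
    """Constructed offline stand-in for tcp_reachable: a port is 'open'
    if it is in open_ports.  Used to exercise the logic without a network."""
    allowed = set(open_ports)
    return lambda host, port: port in allowed


if __name__ == "__main__":
    # Replace with the LDM host you administer; run from outside the filter.
    target = "ldm.example.invalid"   # placeholder hostname, not a real server
    print(assess_filter(target))
```

Run it from a machine outside the filtered network boundary so the probes traverse the same filter a remote LDM would; a run from inside the site only tells you about the host's local packet filter.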