hi,
On Mon, May 20, 2019 at 8:11 PM Stepan Vardanyan via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Hello,
> I've proposed to migrate from OpenLDAP to FreeIPA solution in my
> organization because the former did not meet our requirements as we are moving
> to Single Sign On. We migrated to FreeIPA but set it up with internal DNS
> name. This was a dumb decision as we have a lot of external hosts in AWS and
> other datacenters which we want to join to our FreeIPA for authentication
> with one credential and utilize policies (HBAC, sudoers) easily and
> centrally.
> We found that there are two solutions:
> - setup tunnels between AWS and datacenters for making our DNS zone and
> FreeIPA servers available;
> - redeploy whole FreeIPA with external DNS name and expose FreeIPA servers
> to Internet.
> We ended up with the second option because the first one is very complex, but the second
> option makes us think about security.
A vpn between data centers is a best practice. It does not have to be very
complex or expensive, openvpn comes to mind, but if you have no experience
with vpns I can understand that they can look very hard.
> What came to mind is:
> - disable anonymous bind;
> - prohibit unencrypted traffic and improve communications security by
> using options: nsslapd-minssf=128, nsslapd-require-secure-binds=on,
> sslVersionMin=TLS1.1.
This is ok, I would probably bump tls to 1.2 but you may have applications
that do not work properly with that so you know better ;-)
> So, there are several questions:
> 1) Is there anything else from security perspective that we should
> care about, configure properly (Kerberos DC for example)?
Take a look at the 'Security hardening' section of the documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> 2) We want to share with users only one Web service from specific replica
> so users will not cause replication conflicts by modifying entries in
> other replicas. Is it ok if we close web ports (80, 443) only to localhost on
> other replicas and leave all other ports on all replicas opened to internet
> (389,636,88,464)?
This is a bit unclear. All objects in the ldap servers are replicated (all
ldap servers are masters).
You do not need to open the whole internet to your environment, you can
firewall everything but the hosts that need authenticating/authorizing.
I would block internet wide connections to unencrypted protocols, so no
389, just ldaps/636. I know you can use starttls, but why bother. You need
http for crl and ocsp, but the rest is https.
> 3) How secure and strong is default SASL/GSSAPI replication mechanism? I've
> noticed that traffic is encrypted but can be decrypted by using servers'
> kerberos keytab
If you have the keytab, you have the password. This is normal. Secure the
keytab. The replication is as secure as you have configured your directory
server component, I guess. If you set sslVersionMin: TLS1.2, then it's
pretty secure. Remember, security is layered, so restrict ldap traffic to
the ldap servers only to trusted networks (most firewalls can be scripted
nowadays).
> 4) Overall, even with all previous concerns taken into account, is it
> proper to open FreeIPA to internet? This is kinda rhetorical question
> as we see that this is only choice for us but just want to hear some advice,
> expert vision.
With proper care it should be safe. I would use 2FA (otp and/or pkinit),
both work really well with freeipa for any internet facing service, have
the environment properly pentested and enable a central logging mechanism
that gets audited regularly.
HTH.
--
regards,
Natxo
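As an added example (not from the thread and not FreeIPA or 389-ds project code), a small Python audit helper that checks an LDIF export of cn=config and cn=encryption,cn=config against the settings discussed above: minssf, secure binds, anonymous access and sslVersionMin. The attribute names are the real 389-ds ones; the sample LDIF values and the helper itself are constructed.

```python
"""Audit a 389-ds (FreeIPA) config export for the hardening settings
discussed in the thread. Hypothetical helper; run it on the output of
`ldapsearch -LLL -b cn=config ...` or on the constructed samples below."""

# Constructed sample: a replica that has NOT been hardened yet.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-minssf: 0
nsslapd-require-secure-binds: off
nsslapd-allow-anonymous-access: on

dn: cn=encryption,cn=config
sslVersionMin: TLS1.0
"""

# Constructed sample: the same replica after applying the advice.
HARDENED_LDIF = SAMPLE_LDIF.replace("minssf: 0", "minssf: 128") \
    .replace("secure-binds: off", "secure-binds: on") \
    .replace("anonymous-access: on", "anonymous-access: off") \
    .replace("TLS1.0", "TLS1.2")

TLS_ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


def parse_ldif(text):
    """Return {dn: {attr_lowercase: value}} for a one-value-per-attribute LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current][attr.lower()] = value
    return entries


def audit(text, min_ssf=128, min_tls="TLS1.2"):
    """Return a list of findings; an empty list means every check passed."""
    e = parse_ldif(text)
    cfg = e.get("cn=config", {})
    enc = e.get("cn=encryption,cn=config", {})
    findings = []
    if int(cfg.get("nsslapd-minssf", "0")) < min_ssf:
        findings.append(f"nsslapd-minssf below {min_ssf}: cleartext operations allowed")
    if cfg.get("nsslapd-require-secure-binds", "off") != "on":
        findings.append("nsslapd-require-secure-binds is off: simple binds may go in clear")
    if cfg.get("nsslapd-allow-anonymous-access", "on") not in ("off", "rootdse"):
        findings.append("anonymous access is still allowed")
    cur = enc.get("sslversionmin", "TLS1.0")
    if cur not in TLS_ORDER or TLS_ORDER.index(cur) < TLS_ORDER.index(min_tls):
        findings.append(f"sslVersionMin is {cur}, want at least {min_tls}")
    return findings
```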