hi,

On Mon, May 20, 2019 at 8:11 PM Stepan Vardanyan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
> 
> I've proposed to migrate from OpenLDAP to a FreeIPA solution in my organization because the former did not meet our requirements as we are moving to Single Sign On. We migrated to FreeIPA but set it up with an internal DNS name. This was a dumb decision as we have a lot of external hosts in AWS and other datacenters which we want to join to our FreeIPA for authentication with one credential and to utilize policies (HBAC, sudoers) easily and centrally.
> 
> We found that there are two solutions:
> - setup tunnels between AWS and datacenters for making our DNS zone and FreeIPA servers available;
> - redeploy the whole FreeIPA with an external DNS name and expose FreeIPA servers to the Internet.
> We ended up with the second option because the first one is very complex, but the second option makes us think about security.

A VPN between data centers is a best practice. It does not have to be very complex or expensive (OpenVPN comes to mind), but if you have no experience with VPNs I can understand that they can look very hard.

> What came to mind is:
> - disable anonymous bind;
> - prohibit unencrypted traffic and improve communications security by using options: nsslapd-minssf=128, nsslapd-require-secure-binds=on, sslVersionMin=TLS1.1.

This is ok, I would probably bump TLS to 1.2, but you may have applications that do not work properly with that, so you know better ;-)

> So, there are several questions:
> 1) Is there anything else from a security perspective that we should care about and configure properly (Kerberos KDC for example)?

Take a look at the 'Security hardening' section of the documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/p.security-hardening

> 2) We want to share with users only one Web service from a specific replica so users will not cause replication conflicts by modifying entries in other replicas. Is it ok if we close the web ports (80, 443) to all but localhost on the other replicas and leave all other ports on all replicas open to the internet (389, 636, 88, 464)?

This is a bit unclear. All objects in the ldap servers are replicated (all ldap servers are masters).

You do not need to open the whole internet to your environment; you can firewall everything but the hosts that need authenticating/authorizing.

I would block internet wide connections to unencrypted protocols, so no 389, just ldaps/636. I know you can use starttls, but why bother. You need http for crl and ocsp, but the rest is https.


> 3) How secure and strong is the default SASL/GSSAPI replication mechanism? I've noticed that traffic is encrypted but can be decrypted by using the server's Kerberos keytab.

If you have the keytab, you have the password. This is normal. Secure the keytab. The replication is as secure as you have configured your directory server component, I guess. If you set sslVersionMin: TLS1.2, then it's pretty secure. Remember, security is layered, so restrict ldap traffic to the ldap servers only to trusted networks (most firewalls can be scripted nowadays).


> 4) Overall, even with all previous concerns taken into account and cared for, is it proper to open FreeIPA to the internet? This is kind of a rhetorical question as we see that this is the only choice for us, but we just want to hear some advice, expert vision.

With proper care it should be safe. I would use 2FA (OTP and/or PKINIT), both work really well with FreeIPA for any internet facing service, have the environment properly pentested, and enable a central logging mechanism that gets audited regularly.

HTH.

--
regards,
Natxo
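The hardening points raised in this thread (minimum SSF of 128, secure binds required, TLS minimum bumped to 1.2, anonymous bind disabled, and only LDAPS/Kerberos/HTTPS plus HTTP for CRL/OCSP reachable from the internet) can be checked mechanically. The script below is an added example, not code from the thread or from the FreeIPA project: it parses a constructed dse.ldif fragment with a minimal LDIF reader and reports every point that is not met, and it checks an internet-facing port list against the allow-list the reply describes. It assumes the 389-ds attribute `nsslapd-allow-anonymous-access` (values `on`, `off`, `rootdse`) is the switch behind "disable anonymous bind", and the sample entries and port set are constructed for illustration.

```python
"""Audit a 389-ds / FreeIPA config fragment and an exposed-port list
against the hardening points discussed in the thread (added example)."""
from __future__ import annotations
from typing import Optional

# Constructed sample of the cn=config and cn=encryption entries as they
# appear in dse.ldif. It mirrors the settings proposed in the original
# mail (minssf 128, secure binds required, TLS 1.1 minimum); anonymous
# access is left at its default so the audit has something to flag.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-minssf: 128
nsslapd-require-secure-binds: on
nsslapd-allow-anonymous-access: on

dn: cn=encryption,cn=config
cn: encryption
sslVersionMin: TLS1.1
"""

TLS_ORDER = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}
TLS_MIN_WANTED = "TLS1.2"     # the reply suggests bumping from 1.1 to 1.2
MINSSF_WANTED = 128

# Ports the reply is willing to leave reachable from the internet:
# LDAPS, Kerberos, kpasswd, HTTPS, and plain HTTP only for CRL/OCSP.
INTERNET_FACING_ALLOWED = {636, 88, 464, 443, 80}


def parse_ldif(text: str) -> dict[str, dict[str, str]]:
    """Minimal LDIF reader: one value per attribute, no base64 ('::')
    values and no line continuations, which is enough for these config
    entries. DNs and attribute names are lower-cased because LDAP treats
    them case-insensitively."""
    entries: dict[str, dict[str, str]] = {}
    current: Optional[dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current[attr] = value
    return entries


def audit_config(entries: dict[str, dict[str, str]]) -> list[str]:
    """Return one finding per hardening point that is not met."""
    cfg = entries.get("cn=config", {})
    enc = entries.get("cn=encryption,cn=config", {})
    findings: list[str] = []

    try:
        minssf = int(cfg.get("nsslapd-minssf", "0"))
    except ValueError:
        minssf = 0
    if minssf < MINSSF_WANTED:
        findings.append(f"nsslapd-minssf={minssf}: sessions weaker than "
                        f"{MINSSF_WANTED}-bit (including cleartext) are accepted")

    if cfg.get("nsslapd-require-secure-binds", "off").lower() != "on":
        findings.append("nsslapd-require-secure-binds=off: simple binds "
                        "over cleartext are accepted")

    # 'off' disables anonymous access entirely; 'rootdse' still lets
    # unauthenticated clients read the root DSE, which most clients need
    # for discovery, so it is treated as acceptable here (assumption).
    anon = cfg.get("nsslapd-allow-anonymous-access", "on").lower()
    if anon not in ("off", "rootdse"):
        findings.append(f"nsslapd-allow-anonymous-access={anon}: "
                        "anonymous bind is allowed")

    tls_min = enc.get("sslversionmin", "TLS1.0").upper()
    if TLS_ORDER.get(tls_min, -1) < TLS_ORDER[TLS_MIN_WANTED]:
        findings.append(f"sslVersionMin={tls_min}: protocol versions below "
                        f"{TLS_MIN_WANTED} are accepted")
    return findings


def audit_exposed_ports(open_ports: set[int]) -> list[str]:
    """Flag internet-facing ports outside the allow-list; 389 gets its own
    message because it is the cleartext LDAP port the reply says to block
    in favour of LDAPS on 636."""
    findings: list[str] = []
    for port in sorted(open_ports - INTERNET_FACING_ALLOWED):
        if port == 389:
            findings.append("389/tcp exposed: block it and use ldaps/636 instead")
        else:
            findings.append(f"{port}/tcp exposed: not needed by internet clients")
    return findings


if __name__ == "__main__":
    for f in audit_config(parse_ldif(SAMPLE_DSE_LDIF)):
        print("config:", f)
    # Constructed port list for a replica that still has 389 and 749 open.
    for f in audit_exposed_ports({389, 636, 88, 464, 443, 80, 749}):
        print("ports:", f)
```

Run against the sample it reports two findings (anonymous access still on, TLS minimum below 1.2) and two exposed ports; on a real server you would feed it the `cn=config` and `cn=encryption,cn=config` entries read over LDAPS as Directory Manager and the port list from your firewall rules, and re-run it after every change since these settings live in dse.ldif and are easy to regress.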