[omniORB] Securing a Name Service

John D. Heintz
Fri, 29 Jun 2001 09:23:29 -0500


Hello all:

How are people exposing a NameService (or something like it) that doesn't
suffer from trivial DoS attacks?

All we are looking for is to be able to provide read access (the corbaname:
part of INS) to the general TCP connection and _some_ controlled write
access.  Any way of doing that write access is acceptable really.

Any suggestions?

John


On Friday 29 June 2001 09:10, Duncan Grisby wrote:
> On Tuesday 26 June, "W. Eliot Kimber" wrote:
> > We started thinking today about security issues surrounding the use of
> > CORBA naming services. A look at the naming service spec makes it clear
> > that there is no built-in security facility (if I was looking at the
> > latest version of the spec--I find the OMG site difficult to navigate
> > and I'm never sure if I've got the latest version of a spec).
>
> There is indeed nothing about security in the Naming service
> specification.
>
> [...]
>
> > Am I correct in my surmise that the solution to this problem would be to
> > implement our own naming service that provides some form of
> > authentication function? The OmniNames docs didn't suggest any feature
> > like this. Has anyone else addressed this problem of naming service
> > access control?
>
> I'm not aware of anyone who has made an authentication-based
> equivalent to the Naming service. It wouldn't be too hard to create
> one, based on omniNames. You would have to create a new set of IDL
> definitions rather than changing the CosNaming interfaces, though.
>
> > Are there other things that could be, say at the network level, to
> > control name service access? I can't think of any off hand, but then I'm
> > not a network security expert either.
>
> There is a CORBA security specification which attempts to cover this
> sort of issue. It's huge and complex, and there are few
> implementations of it. omniORB doesn't support it.
>
> Cheers,
>
> Duncan.

--
. . . . . . . . . . . . . . . . . . . . . . . .

John D. Heintz | Senior Engineer

1016 La Posada Dr. | Suite 240 | Austin TX 78752
T 512.633.1198 | jheintz@isogen.com

w w w . d a t a c h a n n e l . c o m