RE: NFS Over Private Network

From: Randy Williams (randyw_at_techsource.com)
Date: 03/25/04

  • Next message: John Rowan Littell: "RE: NFS Over Private Network"
    To: <focus-sun@securityfocus.com>
    Date: Thu, 25 Mar 2004 11:31:20 -0500
    
    

    Greetings,

    I may be off the mark here, but if your NFS configuration isolates the NFS
    shares to a significant degree (hosts, users, etc) then only the NFS daemon
    would be the weak spot (within the scope of NFS of course, if the host NFS
    server is compromised via a security weakness, then this goes out the
    window).

    Or, thinking out loud, would the "mount" command betray you, as it would
    publish all directories/mount points being published on the target machine.

    Is there any way to prevent mount, iostat, netstat or any other I/O
    measurement from giving the mount away?

    Am I chasing rabbits?

    RandyW

    -----Original Message-----
    From: Thomas Lindsay [mailto:lindsayt@socsci.umn.edu]
    Sent: Wednesday, March 24, 2004 11:53 PM
    To: Leeds, Daniel
    Cc: 'Michael Wright'; focus-sun@securityfocus.com
    Subject: RE: NFS Over Private Network

    To what degree does this solution *protect* the share itself? Is there a
    way to tie the server share to a given interface, or better yet, bind nfsd
    itself to a specific interface? Call me paranoid, but I don't trust the
    builtin security mechanisms of nfs too far, especially considering the
    vulnerability rates of some Solaris rpc services in recent years.

    If nfsd cannot be specifically bound to a given interface (and hence not
    bound to others), then a private network between two machines will serve
    only to prevent man-in-the-middle types of attacks but still leaves the
    data vulnerable to any attack on the nfs server itself through the public
    interfaces.

    Ideas?

    Thomas Lindsay
    UNIX systems administrator
    Social Science Research Facility
    University of Minnesota

    On Wed, 24 Mar 2004, Leeds, Daniel wrote:

    > should be simple. you can either cross connect the two machines secondary
    > interfaces or plug each interface into a seperate VLAN/switch/hub.
    >
    > setup the ip's on each machine and hosts/dns entries as needed. verify
    > connectivity via ping etc between the hosts.
    >
    > setup NFS as normal but mount via the private VLAN. so if hosta and hostb
    > are primary and hosta-priv and hostb-priv are the new private network
    links
    > your mount scenario would be:
    >
    > on host a: mount hostb-priv:/export /export
    > on host b: mount hosta-priv:/export /export
    >
    > etc etc etc.
    >
    > --daniel
    >
    >
    > > -----Original Message-----
    > > From: Michael Wright [mailto:cshelp@plu.edu]
    > > Sent: Wednesday, March 24, 2004 1:45 PM
    > > To: focus-sun@securityfocus.com
    > > Subject: NFS Over Private Network
    > >
    > >
    > > Hi, I have two Sun Servers (one running Solaris 8 the other
    > > Solaris 9).
    > > I would like to try and setup the machines so that I can use
    > > NFS over a
    > > private network between the two machines using their second
    > > NIC cards.
    > > Is this possible? Any information and suggestions would be greatly
    > > appreciated. Also, do I have to set anything special for the NICs as
    > > far as routing is concerned?
    > >
    > > Thanks,
    > >
    > > Michael
    > >
    > > PS: I know something like this was on the list previously, but I
    > > couldn't find any response to the question, so I'm asking again.
    > > --
    > > Michael Wright
    > > Technical Support Specialist
    > > Computer Science and Engineering
    > > email:wrightmj@plu.edu
    > > Pacific Lutheran University
    > > phone: 253-535-7408
    > > Tacoma, WA 98447-0003 fax: 253-535-8700
    > >
    >


  • Next message: John Rowan Littell: "RE: NFS Over Private Network"