RE: NFS Over Private Network
From: John Rowan Littell (littejo_at_earlham.edu)
Date: 03/25/04
- Previous message: Randy Williams: "RE: NFS Over Private Network"
- In reply to: Thomas Lindsay: "RE: NFS Over Private Network"
- Next in thread: dreamwvr_at_dreamwvr.com: "Re: NFS Over Private Network"
- Reply: dreamwvr_at_dreamwvr.com: "Re: NFS Over Private Network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Mar 2004 09:08:04 -0500 (EST)
To: focus-sun@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Lo, Thomas Lindsay and the teakettle whistled in unison:
>
> To what degree does this solution *protect* the share itself? Is there a
> way to tie the server share to a given interface, or better yet, bind nfsd
> itself to a specific interface? Call me paranoid, but I don't trust the
> builtin security mechanisms of nfs too far, especially considering the
> vulnerability rates of some Solaris rpc services in recent years.
>
> If nfsd cannot be specifically bound to a given interface (and hence not
> bound to others), then a private network between two machines will serve
> only to prevent man-in-the-middle types of attacks but still leaves the
> data vulnerable to any attack on the nfs server itself through the public
> interfaces.
>
> Ideas?
I'd suggest SunScreen or ipfilter to block portmap and NFS traffic on the
public interface. Yes, I realize that this is RPC we're talking about
here, and as such can't be guaranteed to run on a particular port, but
blocking port 111 and 2049 is usually a pretty good first pass at
blocking NFS (or better yet, block everything on the public interface
and only allow approved services). I've had good success with this
approach and occasionally a private network myself.
--rowan
- --
John "Rowan" Littell
Systems Administrator
Earlham College Computing Services
http://www.earlham.edu/~littejo/
2004-03-25 09:00
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
Comment: Made with pgp4pine 1.76
iQCVAwUBQGLnypdUNSJ2nf/5AQF8MgQAi0mPnv1qb5Ko0eQmN053lRLFEWxvZeYU
r0s7PgtGar3Rju42rgWGn5uTE/GjQ5aMnatql8dao4/kJKBBcX9fz7lNZqxKXbAo
ox0yDYFzqvGqYb5QiobTShlQOjM+8LylTnAg+0DuUFRwzjOCW8yoyhzcIOjRPkqy
/1f5e1zMDX4=
=WEWr
-----END PGP SIGNATURE-----
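As an added illustration of the two approaches this reply mentions (a first-pass block of portmap and NFS on the public interface, and the better default-deny rule set), here is an IPFilter `ipf.conf` fragment. It is example configuration written for this page, not something from the original post or from the Solaris/IPFilter projects. The interface names (`hme0` public, `hme1` private), the private addresses (`10.0.0.1` local, `10.0.0.2` the NFS peer) and the choice of SSH as the only approved public service are assumptions for the example.

```conf
# Added example: IPFilter rules for an NFS server with a public interface (hme0)
# and a private, NFS-only interface (hme1). Interface names and addresses are
# assumed values for this illustration.

# Loopback is always allowed.
pass in  quick on lo0 all
pass out quick on lo0 all

# --- First pass (the "block 111 and 2049" approach) ---
# Stops portmap/rpcbind and the fixed NFS port on the public side, but leaves
# the dynamically-assigned RPC ports (mountd, lockd, statd, ...) reachable.
block in log quick on hme0 proto tcp/udp from any to any port = 111
block in log quick on hme0 proto tcp/udp from any to any port = 2049

# --- Better: default deny on the public interface, allow approved services ---
# Stateful outbound traffic from this host.
pass out quick on hme0 proto tcp  from any to any flags S keep state
pass out quick on hme0 proto udp  from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state
# Approved inbound service(s) only; SSH is the assumed example.
pass in  quick on hme0 proto tcp from any to any port = 22 flags S keep state
# Everything else inbound on the public interface is dropped and logged,
# which also covers RPC services that land on unpredictable ports.
block in log quick on hme0 all

# --- Private interface: NFS only, and only from the single known peer ---
pass in  quick on hme1 proto tcp/udp from 10.0.0.2 to 10.0.0.1 port = 111
pass in  quick on hme1 proto tcp/udp from 10.0.0.2 to 10.0.0.1 port = 2049
pass in  quick on hme1 proto tcp/udp from 10.0.0.2 to 10.0.0.1 port > 1023
pass out quick on hme1 from 10.0.0.1 to 10.0.0.2 keep state
block in log quick on hme1 all
```

Load the rules with `ipf -Fa -f /etc/ipf/ipf.conf` (path as on Solaris 10; older IPFilter installs use `/etc/opt/ipf/ipf.conf`) and confirm the result from an outside host with `rpcinfo -p <server>` against the public address, which should time out, and from the peer against the private address, which should list the registered services. The `port > 1023` line on the private side is what makes mountd, lockd and statd work without opening anything on the public interface; the default-deny block on `hme0` is what removes the dependency on guessing which ports RPC picked.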