RE: NFS Over Private Network
From: Small, Jim (jim.small_at_eds.com)
Date: 03/25/04
- Previous message: John Rowan Littell: "RE: NFS Over Private Network"
- Maybe in reply to: Michael Wright: "NFS Over Private Network"
- Next in thread: Simon Thornton: "RE: NFS Over Private Network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-sun@securityfocus.com Date: Thu, 25 Mar 2004 15:36:08 -0500
You can use Kerberos for authentication and even encryption of the NFS
shares. NFSv4 which is in Solaris 10 will vastly improve NFS security and
standardization (also in Linux Kernel 2.6).
<> Jim
> -----Original Message-----
> From: Thomas Lindsay [mailto:lindsayt@socsci.umn.edu]
> Sent: Wednesday, March 24, 2004 11:53 PM
> To: Leeds, Daniel
> Cc: 'Michael Wright'; focus-sun@securityfocus.com
> Subject: RE: NFS Over Private Network
>
>
> To what degree does this solution *protect* the share itself? Is there a
> way to tie the server share to a given interface, or better yet, bind nfsd
> itself to a specific interface? Call me paranoid, but I don't trust the
> builtin security mechanisms of nfs too far, especially considering the
> vulnerability rates of some Solaris rpc services in recent years.
>
> If nfsd cannot be specifically bound to a given interface (and hence not
> bound to others), then a private network between two machines will serve
> only to prevent man-in-the-middle types of attacks but still leaves the
> data vulnerable to any attack on the nfs server itself through the public
> interfaces.
>
> Ideas?
>
> Thomas Lindsay
> UNIX systems administrator
> Social Science Research Facility
> University of Minnesota
>
> On Wed, 24 Mar 2004, Leeds, Daniel wrote:
>
> > should be simple. you can either cross connect the two machines
> secondary
> > interfaces or plug each interface into a seperate VLAN/switch/hub.
> >
> > setup the ip's on each machine and hosts/dns entries as needed. verify
> > connectivity via ping etc between the hosts.
> >
> > setup NFS as normal but mount via the private VLAN. so if hosta and
> hostb
> > are primary and hosta-priv and hostb-priv are the new private network
> links
> > your mount scenario would be:
> >
> > on host a: mount hostb-priv:/export /export
> > on host b: mount hosta-priv:/export /export
> >
> > etc etc etc.
> >
> > --daniel
> >
> >
> > > -----Original Message-----
> > > From: Michael Wright [mailto:cshelp@plu.edu]
> > > Sent: Wednesday, March 24, 2004 1:45 PM
> > > To: focus-sun@securityfocus.com
> > > Subject: NFS Over Private Network
> > >
> > >
> > > Hi, I have two Sun Servers (one running Solaris 8 the other
> > > Solaris 9).
> > > I would like to try and setup the machines so that I can use
> > > NFS over a
> > > private network between the two machines using their second
> > > NIC cards.
> > > Is this possible? Any information and suggestions would be greatly
> > > appreciated. Also, do I have to set anything special for the NICs as
> > > far as routing is concerned?
> > >
> > > Thanks,
> > >
> > > Michael
> > >
> > > PS: I know something like this was on the list previously, but I
> > > couldn't find any response to the question, so I'm asking again.
> > > --
> > > Michael Wright
> > > Technical Support Specialist
> > > Computer Science and Engineering
> > > email:wrightmj@plu.edu
> > > Pacific Lutheran University
> > > phone: 253-535-7408
> > > Tacoma, WA 98447-0003 fax: 253-535-8700
> > >
> >
- Previous message: John Rowan Littell: "RE: NFS Over Private Network"
- Maybe in reply to: Michael Wright: "NFS Over Private Network"
- Next in thread: Simon Thornton: "RE: NFS Over Private Network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
