Re: NFS Over Private Network
Date: Thu, 25 Mar 2004 08:58:00 -0700
To: firstname.lastname@example.org
On Wed, Mar 24, 2004 at 10:52:46PM -0600, Thomas Lindsay wrote:
> To what degree does this solution *protect* the share itself? Is there a
> way to tie the server share to a given interface, or better yet, bind nfsd
> itself to a specific interface? Call me paranoid, but I don't trust the
> builtin security mechanisms of nfs too far, especially considering the
> vulnerability rates of some Solaris rpc services in recent years.
> If nfsd cannot be specifically bound to a given interface (and hence not
> bound to others), then a private network between two machines will serve
> only to prevent man-in-the-middle types of attacks but still leaves the
> data vulnerable to any attack on the nfs server itself through the public
Well, nfs was never designed to be secure. So my suggestion would be to
tunnel it via ssh from point to point.
-- 
/* Security is a work in progress - dreamwvr */
# 48 69 65 72 6F 70 68 61 6E 74 32
# Note: To begin Journey type man afterboot,man help,man hier[.]
# 66 6F 72 20 48 69 72 65 0000 0001
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \? ;-]
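
A check that bears on both the question and the reply above, added here as an example that is not part of the original thread: whether NFS is reached over a private link or an ssh tunnel, the server's RPC listeners can be audited to see which addresses they are bound to. The function names, the sample rows and the assumption of BSD or Linux style `netstat -an` columns (local address in the fourth column) are constructed for illustration.

```python
import re

# 111 = portmapper/rpcbind, 2049 = nfsd; add mountd/lockd ports if pinned.
NFS_PORTS = {111: "rpcbind", 2049: "nfsd"}
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK = re.compile(r"^(127(\.\d+){3}|::1|\[::1\]|localhost)$")

# Constructed sample (not from the thread): mixed BSD and Linux style rows.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address   (state)
tcp        0      0 *.2049            *.*               LISTEN
tcp        0      0 127.0.0.1.111     *.*               LISTEN
udp        0      0 10.0.0.1.2049     *.*
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.1.2049     10.0.0.2.1021     ESTABLISHED
"""

def split_endpoint(field):
    """Split 'addr:port' (Linux) or 'addr.port' (BSD) at the last separator."""
    m = re.match(r"^(.*)[.:](\d+)$", field)
    return (m.group(1), int(m.group(2))) if m else None

def audit_listeners(netstat_text, ports=NFS_PORTS):
    """Return sorted (service, proto, address, exposure) for NFS listeners."""
    findings = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].lower().startswith(("tcp", "udp")):
            continue
        proto = cols[0].lower()
        # TCP rows count only in LISTEN state; UDP rows carry no state.
        if proto.startswith("tcp") and "LISTEN" not in cols[5:]:
            continue
        endpoint = split_endpoint(cols[3])
        if endpoint is None or endpoint[1] not in ports:
            continue
        addr, port = endpoint
        exposure = ("all-interfaces" if addr in WILDCARDS
                    else "loopback" if LOOPBACK.match(addr) else "specific")
        findings.add((ports[port], proto, addr, exposure))
    return sorted(findings)

def reachable_off_host(findings):
    """Listeners bound to anything other than loopback."""
    return [f for f in findings if f[3] != "loopback"]

if __name__ == "__main__":
    for finding in reachable_off_host(audit_listeners(SAMPLE)):
        print(finding)
```

The bind address is only part of the picture: packet filter rules do not appear in netstat output and have to be reviewed separately.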