Re: Port 135 Probes Continue
From: Casper H.S. Dik (Casper.Dik_at_Sun.COM)
Date: 01/12/04
- Previous message: Security Alert: "SSRT2439 Rev.10 xdrmem_getbytes()"
- In reply to: Nico Kadel-Garcia: "Re: Port 135 Probes Continue"
- Next in thread: Nico Kadel-Garcia: "Re: Port 135 Probes Continue"
- Reply: Nico Kadel-Garcia: "Re: Port 135 Probes Continue"
Date: 12 Jan 2004 15:23:00 GMT
"Nico Kadel-Garcia" <nkadel@comcast.net> writes:
>Various folks keep having to prove to Sun that NFS is not securable, that an
>exposed server can have its disk scribbled (though not necessarily read)
>with a modicum of cracker effort.
This is simply false; of course, if you use Linux and you're relegated
to using an NFS implementation which does not implement any of the
proper RPC security methods, then you can't secure your server.
But if you use an NFS server with a complete implementation
then you can't scribble to disks. (Your description of being able to
write but not write leads me to believe that you're talking about using
guessed or leaked filehandles with faked IP addresses; neither will buy
you anything on a server with proper NFS security.)
[ Description of why Kerberos is hard to set up elided ]
>This is why I heartily recommend starting with AFS instead: it allows more
>usable group management and permissions, and is easily integrated into a
>standard Linux distribution's file-sharing setup.
Uhm, I must be missing something but isn't Kerberos the foundation
of DCE/AFS security? In that case it really doesn't matter whether you use
secure NFS with GSS_API (Kerberos based) or AFS as both would seem to
require similar security set-up.
There's no security problem with NFS other than that some implementations
are incomplete and that "no security" is possible and much easier to
use than "true security".
NFSv2 and NFSv3 are not less secure than NFSv4; it's just that NFSv4
makes the security mandatory for implementations.
NFSv2/v3 depend for security completely on the RPC layer so you will
find little or no discussion about security in the NFSv2/v3 protocol
specifications.
Casper
-- Expressed in this posting are my opinions. They are in no way related to opinions held by my employer, Sun Microsystems. Statements on Sun products included here are not gospel and may be fiction rather than truth.
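
The point that NFSv2/v3 security lives entirely in the RPC layer can be checked on the wire. As an added illustration (not part of the original post), this Python sketch parses an ONC RPC call header per RFC 5531 and reports whether the credential is a trust-based flavor such as AUTH_SYS or a cryptographic one such as RPCSEC_GSS. The helper names and sample messages are constructed for the example, and the input is assumed to be a UDP payload or a TCP record with its record mark already removed.

```python
import struct

# Auth flavor numbers from RFC 5531 (ONC RPC v2).
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH", 6: "RPCSEC_GSS"}
NFS_PROGRAM = 100003


def pad4(n):
    """XDR pads opaque data to a multiple of four bytes."""
    return (n + 3) & ~3


def parse_authsys(body):
    """Decode authsys_parms: stamp, machinename, uid, gid, gids<16>."""
    try:
        _stamp, nlen = struct.unpack_from(">2I", body, 0)
        if nlen > 255:
            raise ValueError("machine name exceeds protocol limit")
        off = 8 + pad4(nlen)
        uid, gid, ngids = struct.unpack_from(">3I", body, off)
        if ngids > 16:
            raise ValueError("too many supplementary gids")
        gids = struct.unpack_from(">%dI" % ngids, body, off + 12)
    except struct.error:
        raise ValueError("malformed AUTH_SYS body")
    return {"machine": body[8:8 + nlen].decode("ascii", "replace"),
            "uid": uid, "gid": gid, "gids": gids}


def classify_call(msg):
    """Parse an RPC CALL header and describe the credential it carries."""
    if len(msg) < 32:
        raise ValueError("truncated RPC header")
    _xid, mtype, rpcvers, prog, vers, proc, flavor, clen = struct.unpack_from(">8I", msg, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 CALL")
    if clen > 400 or 32 + pad4(clen) > len(msg):  # RFC 5531 caps credentials at 400 bytes
        raise ValueError("bad credential length")
    info = {"nfs": prog == NFS_PROGRAM, "vers": vers, "proc": proc,
            "flavor": FLAVORS.get(flavor, "unknown(%d)" % flavor),
            # AUTH_DH and RPCSEC_GSS carry cryptographic proof; the rest are taken on trust.
            "cryptographic": flavor in (3, 6)}
    if flavor == 1:  # AUTH_SYS: uid/gid are whatever the client claims
        info.update(parse_authsys(msg[32:32 + clen]))
    return info


def sample_call(flavor, cred):
    """Constructed NFSv3 call (procedure 7, WRITE) with an empty AUTH_NONE verifier."""
    hdr = struct.pack(">8I", 0x1234, 0, 2, NFS_PROGRAM, 3, 7, flavor, len(cred))
    return hdr + cred.ljust(pad4(len(cred)), b"\0") + struct.pack(">2I", 0, 0)

# Constructed AUTH_SYS credential: host "ws01", uid 1000, gid 100, gids [100, 14].
SYS_BODY = struct.pack(">2I", 0, 4) + b"ws01" + struct.pack(">5I", 1000, 100, 2, 100, 14)
```

A server that accepts calls for which `cryptographic` is false is relying on source address and client honesty for the identity in the request.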