Re: The dreaded "Alternatives to NFS" question
Date: Sat, 21 Aug 2004 18:24:18 +0000 (UTC)
mikester <firstname.lastname@example.org> wrote:
> Atro Tossavainen <Atro.Tossavainenemail@example.com> wrote in message news:<pgzpt5ntpy4.fsf@kruuna.Helsinki.FI>...
>> firstname.lastname@example.org (mikester) writes:
>> > internal employees via the internet. Application servers will be used
>> > to serve secure data that is stored on servers based in a DMZ. This
>> > contractor is recommending that we use NFS as shared storage for
>> > program files on the application servers.
>> Dear employee of Los Angeles Unified School District,
> Lots of assumptions there...
>> Correct me if I'm wrong, but I'm reading this in a way that says the
>> contractor is not recommending the sharing of any confidential data
>> over NFS (unless you consider the software itself so confidential that
>> not just anybody with access to that network should be allowed to see
>> the binaries) and they are not recommending that multiple hosts be
>> allowed to write to a file system over the network either.
> You are correct, the contractor does not want us to use NFS to send
> confidential data between hosts, but you're still wrong. My problem
> isn't with transferring files via NFS; my problem isn't with the
> ability for people to snoop clear-text NFS packets. My problem is that
> NFS is a notoriously vulnerable protocol, and when the daemons that
> make it up are running on a server they can be used to root the server
> (even with the use of firewalling, as no firewall is perfect). That
> fact alone means that if we can find a safer way to do something, we
> certainly try to at the very least discuss it. If these app servers
> were compromised and they had access to hosts with confidential data,
> then those hosts with the confidential data are much more likely to be
> compromised as well.
Maybe you should read securityfocus a little better. Yes, some RPC services
on some platforms are vulnerable. But there exist a number of NFS servers
that have no (known) vulnerabilities. Why don't you either patch up your system
or install an OpenBSD box as NFS server?
--
Peter Håkanson, IPSec Sverige (at Gothenburg Riverside)
Sorry about my e-mail address, but I'm trying to keep spam out; remove "icke-reklam" if you feel like mailing me. Thanx.