Re: The dreaded "Alternatives to NFS" question
phn_at_icke-reklam.ipsec.nu
Date: 08/21/04
Date: Sat, 21 Aug 2004 18:24:18 +0000 (UTC)
mikester <submikester@yahoo.com> wrote:
> X-No-Archive: Yes
> Atro Tossavainen <Atro.Tossavainen+news@helsinki.finland.invalid> wrote in message news:<pgzpt5ntpy4.fsf@kruuna.Helsinki.FI>...
>> submikester@yahoo.com (mikester) writes:
>>
>> > internal employees via the internet. Application servers will be used
>> > to serve secure data that is stored on servers based in a DMZ. This
>> > contractor is recommending that we use NFS as shared storage for
>> > program files on the application servers.
>>
>> Dear employee of Los Angeles Unified School District,
> Lots of assumption there...
>>
>> Correct me if I'm wrong, but I'm reading this in a way that says the
>> contractor is not recommending the sharing of any confidential data
>> over NFS (unless you consider the software itself so confidential that
>> not just anybody with access to that network should be allowed to see
>> the binaries) and they are not recommending that multiple hosts be
>> allowed to write to a file system over the network either.
> You are correct the contractor does not want us to use NFS to send
> confidential data between hosts but you're still wrong. My problem
> isn't with transferring files via NFS; my problem isn't with the
> ability for people to snoop clear text NFS packets. My problem is that
> NFS is a notoriously vulnerable protocol and when those daemons that
> make it up are running on a server they can be used to root the server
> (even with the use of firewalling as no firewall is perfect). That
> fact alone means that if we can find a safer way to do something - we
> certainly try to at the very least discuss it. If these app servers
> were compromised and they had access to hosts with confidential data -
> then those hosts with the confidential data are much more likely to be
> compromised as well.
Maybe you should read securityfocus a little better. Yes, some rpc-services
for some platforms are vulnerable. But there exist a number of nfs-servers
that have no (known) vulnerabilities. Why don't you either patch up your system
or install an OpenBSD box as nfs-server?
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.