Re: The dreaded "Alternatives to NFS" question

phn_at_icke-reklam.ipsec.nu
Date: 08/21/04


Date: Sat, 21 Aug 2004 18:24:18 +0000 (UTC)

mikester <submikester@yahoo.com> wrote:
> X-No-Archive: Yes
> Atro Tossavainen <Atro.Tossavainen+news@helsinki.finland.invalid> wrote in message news:<pgzpt5ntpy4.fsf@kruuna.Helsinki.FI>...
>> submikester@yahoo.com (mikester) writes:
>>
>> > internal employees via the internet. Application servers will be used
>> > to serve secure data that is stored on servers based in a DMZ. This
>> > contractor is recommending that we use NFS as shared storage for
>> > program files on the application servers.
>>
>> Dear employee of Los Angeles Unified School District,

> Lots of assumption there...

>>
>> Correct me if I'm wrong, but I'm reading this in a way that says the
>> contractor is not recommending the sharing of any confidential data
>> over NFS (unless you consider the software itself so confidential that
>> not just anybody with access to that network should be allowed to see
>> the binaries) and they are not recommending that multiple hosts be
>> allowed to write to a file system over the network either.

> You are correct the contractor does not want us to use NFS to send
> confidential data between hosts but you're still wrong. My problem
> isn't with transferring files via NFS; my problem isn't with the
> ability for people to snoop clear text NFS packets. My problem is that
> NFS is a notoriously vulnerable protocol and when those daemons that
> make it up are running on a server they can be used to root the server
> (even with the use of firewalling as no firewall is perfect). That
> fact alone means that if we can find a safer way to do something - we
> certainly try to at the very least discuss it. If these app servers
> were compromised and they had access to hosts with confidential data -
> then those hosts with the confidential data are much more likely to be
> compromised as well.

Maybe you should read securityfocus a little better. Yes, some rpc-services
for some platforms are vulnerable. But there exist a number of nfs-servers
that have no (known) vulnerabilities. Why don't you either patch up your system
or install an OpenBSD box as nfs-server?

-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.

