Great Circle Associates Firewalls
(October 1995)
 


Subject: Re: Mirroring of directories, thru firewall...
From: "Simon J. Gerraty" <sjg @ zen . void . oz . au>
Date: Mon, 23 Oct 1995 23:27:38 +1000
To: Doug Hughes <Doug . Hughes @ eng . auburn . edu>
Cc: atul @ lvlmail . wipsys . soft . net, firewalls @ greatcircle . com
In-reply-to: Your message of "Wed, 30 Aug 95 10:12:02 EST." <doug-9507301512 . AA016729618 @ netman . eng . auburn . edu>

> >	2. Achieve the above thru a firewall

> If you want to do it securely, you could use something built on top
> of CFS (Cryptographic File system - not available outside US, mail
> cfs @ research . att . com for info)

I've used the following quite happily:

		[bastion]
		/	\
  [internal host]	 [external host/bastion]

The secure bastion uses UNFS to NFS mount the tree to be mirrored from
the internal host and a tree to be mirrored to on the external host.
You then run a modified SUP server that only listens to localhost and
use SUP to mirror the tree.

UNFS is a derivative of the Linux NFS server. It runs in user land
under inetd (no portmap) over TCP and can use the TIS auth server to
authenticate mount requests using OTP etc.

Performance is pretty poor compared to in-kernel NFS, but it is much
safer. 

Check out:

	ftp://ftp.quick.com.au/pub/security/unfs/

which is mirrored at:

	ftp://ftp.telstra.com.au/mirror/ftp.quick.com.au/security/unfs/

and is on a faster link.

I'll change the name to sNFS for the next release - apparently UNFS is
still used in the Linux world.

--sjg

