Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: NFS vs. FTP
From: Bruce Keller <gocbs @ midwest . net>
Organization: Challenger Business Systems
Date: Thu, 31 Oct 1996 07:57:20 -0800
To: "Simon J. Gerraty" <sjg @ zen . quick . com . au>
Cc: firewalls @ GreatCircle . Com
References: <c=US%a=_%p=DOD%l=DSDCNT2-961025132232Z-1563 @ dsdcnt2 . dsdc . dla . mil> <199610281005 . VAA23836 @ zen . quick . com . au>

Simon J. Gerraty wrote:
> 
> Payne, Steve writes:
> >The reason wide area mounts are bad is because of several cases.
> >I'll list a few, maybe someone else can add to these.
> >       1. Security, there is no real security based on the
> >           protocols (RPC over UDP's).
> >       2. Authentication, there is an authentication mechanism, (pcnfsd)
> >           however the true authentication is at the ip level, in that the
> >           workstation ip address is used for access, this can be defeated.
> 
> Both of these can be addressed by a user-space NFS server.  You can
> use the server at ftp://ftp.quick.com.au/pub/security/unfs/
> to force TCP based NFS without portmapper and authenticating via the
> TIS auth server.
> 
> >       3. The reason I say bad for wide area mounts is IP_SPOOFING
> >           If IP_SPOOFING is not checked at the main router coming in
> >           to the net then an attack can be launched by spoofing a true
> >           ip address on the internal net.
> 
> Crypto is the best bet for this.  The next release of unfs (actually
> I'll be changing the name to snfs as unfs is the name of a Linux
> project) will be able to use SSL as its transport.
> 
> >       4. Stateless server, critical applications for clients can fail if the
> >           server goes down.
> 
> Sadly, requiring challenge/response for mounting makes this situation
> much worse.  The SSL based server should be better.
> 
> --sjg

Hello all,
I apologize if this is taking a left turn, but in reading the ongoing 
dialogue regarding NFS across the NET I have a question. I had been 
thinking about mounting an NFS partition across the NET in order to access 
the database for a low support function (temporary at that); my concerns 
were the same as Simon's.... I also have the option of mapping to a WIN95 
drive to accomplish the same thing. Now the questions: Seeing as how 
NetBEUI is not routable, how do you route across TCP/IP, and how much can 
you secure it beyond the password protection activated when you share 
the drive?
If this is the wrong forum could someone direct me to an appropriate one!
-- 
Thanks,
Bruce Keller
Challenger Business Systems
gocbs @ challenger2000 . com

