Bill Wohler <wohler @
# chris> 5. We'd really like some sort of (very lightly used) network file
# chris> system to be available between one of our local hosts and a host on
# chris> the specific remote network. Does Sun-NFS work over long distance
# chris> internet connections (i.e. are the packets normally blocked)?
# it'll work fine for you...and everyone else. don't allow folks on
# the internet to access nfs on your internal net.

I definitely concur with this. If someone can get packets to and from
your NFS daemon (typically UDP port 2049 on Suns), they can probably
circumvent any authentication and authorization checks that it

# chris> 4. It would be real nice if users on our US office network could drive
# chris> straight through our gateway as if it weren't there.
# it's easy enough for someone to spoof your us office network and
# drive straight through your router as well. this *is* a good
# problem. does anyone have any good solutions?

Is it really that easy? Assuming both sites are directly connected to
a network service provider, the compromise would have to occur inside
one of those service provider networks. Does anyone know of any cases

Which leads to another question, for the service providers: what steps
do you take (if any) to isolate customer traffic from your own
internal systems, so that if, for instance, somebody breaks root on
your anonymous FTP machine, they can't simply sit there with
"etherfind" and capture all your customers' packets?

Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041
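
Added example, not part of the original message or of any poster's configuration: a small Python model of an inbound filter decision covering the two points in this thread, keeping NFS (UDP 2049) unreachable from outside and showing why trust based on a remote office's source address rests on an unverified header field. The address ranges (documentation prefixes), interface labels, and all names are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (documentation ranges), not taken from the thread.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")          # protected local net
REMOTE_OFFICE = ipaddress.ip_network("198.51.100.0/24")  # "trusted" remote office
NFS_PORT = 2049  # UDP port named in the thread


@dataclass(frozen=True)
class Packet:
    in_iface: str  # "ext" = arrived from the Internet side, "int" = from inside
    src: str       # source address as claimed in the header
    proto: str
    dport: int


def decide(pkt: Packet) -> str:
    """Return 'permit:<reason>' or 'deny:<reason>' for one packet."""
    if pkt.in_iface != "ext":
        return "permit:from-inside"
    src = ipaddress.ip_address(pkt.src)
    # An internal source address cannot legitimately arrive on the outside
    # interface, so this case is always a forged header.
    if src in INTERNAL:
        return "deny:spoofed-internal-source"
    # NFS stays closed to the outside no matter what the source claims to be.
    if pkt.proto == "udp" and pkt.dport == NFS_PORT:
        return "deny:nfs-from-outside"
    # The remote office really does arrive on the outside interface, so the
    # filter has only the claimed source address to go on. A forged packet
    # with the same source address gets the same answer as a genuine one.
    if src in REMOTE_OFFICE:
        return "permit:claims-remote-office"
    return "deny:default"


# Constructed sample packets.
SAMPLES = [
    Packet("ext", "192.0.2.7", "tcp", 23),       # internal address seen outside
    Packet("ext", "198.51.100.5", "udp", 2049),  # office address asking for NFS
    Packet("ext", "198.51.100.5", "tcp", 23),    # office address, other service
    Packet("ext", "203.0.113.9", "tcp", 23),     # unrelated outside host
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", decide(p))
```

The interface check catches forged internal addresses only; the office rule is exactly as strong as the path between the two sites, which is the question raised above about service provider networks.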