Great Circle Associates Firewalls
(March 1993)
 


Subject: Re: Firewalls and NFS
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Mon, 22 Mar 93 10:02:28 -0800
To: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Mon, 22 Mar 1993 15:07:28 +0100

Bill Wohler <wohler @ hw1175 . sap-ag . de> writes:

# chris> 5.  We'd really like some sort of (very lightly used) network file
# chris>     system to be available between one of our local hosts and a host on
# chris>     the specific remote network.  Does Sun-NFS work over long distance
# chris>     internet connections (i.e. are the packets normally blocked)?
# 
#   it'll work fine for you...and everyone else.  don't allow folks on
#   the internet to access nfs on your internal net.

I definitely concur with this.  If someone can get packets to and from
your NFS daemon (typically UDP port 2049 on Suns), they can probably
circumvent any authentication and authorization checks that it
supposedly does.

# chris> 4.  It would be real nice if users on our US office network could drive
# chris>     straight through our gateway as if it weren't there.
# 
#   it's easy enough for someone to spoof your us office network and
#   drive straight through your router as well.  this *is* a good
#   problem.  does anyone have any good solutions?

Is it really that easy?  Assuming both sites are directly connected to
a network service provider, the compromise would have to occur inside
one of those service provider networks.  Does anyone know of any cases
of that?

Which leads to another question, for the service providers: what steps
do you take (if any) to isolate customer traffic from your own
internal systems, so that if, for instance, somebody breaks root on
your anonymous FTP machine, they can't simply sit there with
"etherfind" and capture all your customers' packets?


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041

