Good morning (PST).
We have a requirement to provide a network mountable filesystem in a
shared development environment between the firewalls of ours and
another company.
Our development team requests that this file system be mountable
inside our firewall.
Following is our proposed configuration. All of the NFS traffic
between the server and the two companies should pass through the
firewall. We are trying to protect the server as much as possible by
putting it behind the firewall but still not inside; i.e., not on the
same "side" of the firewall as the rest of the company.
                 _________
      us -------|_ fw-1 _|--------- them
NFS clients     | \     / |     NFS clients
                |__\___/__|
                   __|___
                  | NFS  |
                  |server|
                  |______|
Under this configuration is it possible for 'us' to achieve a high
level of security for our internal network under this configuration?
We understand that FW-1 v2.0 makes it possible to selectively pass NFS
(v2) traffic through the firewall.
We would make the server as secure as possible with almost no logins,
functionally limited to the main task of serving NFS and only NFS mount
connections permitted incoming from them. From our side to the server
appropriate outgoing access for management and NFS client connections.
Can anyone comment on this configuration and the exposures inherent
in it?
How easy is it for someone to compromise internal hosts via the NFS server?
If there is a serious problem with this, would using NFS (v3) significantly
improve things?
Ian H. Good (604) 293-5113 igood @ mpr . ca
MPR Teltech Ltd. fax (604) 293-5787 http://www.mpr.ca/
Burnaby BC Canada V5A-4B5