An organization, external to ours, has written a custom application which requires transferring files through our firewall. This application is critical to the success of the external organization; however, we stand to benefit from it also. We have expressed our requirement to perform all file transfers using the FTP protocol. Our firewall by the way supports FTP via a FTP proxy.
This external organization intends to use NFS as its file transfer utility claiming that their security policy only allows NFS for file transfers and does not permit FTP. Supposedly, with NFS they do not have to grant login access to outside users wishing to transfer files into their network. They feel that FTP requires a login and therefore compromises their security. Our policy only allows FTP - our firewall does not have a NFS proxy even though we could allow it go through.
Does any of the above make sense to any reader out there? I'm not very up to date on the security threats of NFS. I do know however that CERT has posted NFS advisories and that both CERT and Cheswick/Bellovin recommend blocking out NFS from entering a private network.
What should be my security concerns with NFS? Should I be comfortable with an external organization transmitting files into my network using NFS? Why do both CERT and Cheswick/Bellovin recommend blocking out NFS?
I appreciate you response.