Fabian...
As far as my knowledge takes me... you MUST have an account on any
UNIX system that you are writing to. The application at least must have an
account so there is no way for you use NFS without accounts and thus you
still face the logging in challenge. I personally would go with the
restricted FTP version of the application because although someone would
have to login... you do have control over who uses the service whereas
even if you could use NFS... you dont have a log of who used the
service... no more than you would with any other network services that you
log.
Hope these comments Help
Peace!
Hassan
dream --------------------------------------------------------------|
dream Hassan Karim | (202)690-0502 |
dream Senior Systems Analyst | hkarim @
usda .
gov |
dream US Department of Agriculture | http://www.usda.gov |
dream "Requirements are like water, they're easier
dream to walk on when they're frozen" -M. McKinney
dream --------------------------------------------------------------|
On Thu, 24 Oct 1996, firewalls @
GreatCircle .
COM wrote:
> Date: 10/24/1996 12:09 pm (Thursday)
> Subject: NFS vs. FTP
>
> X-Msmail-Priority: Normal
> X-Priority: 3
> Precedence: bulk
>
> Hello All,
>
> An organization, external to ours, has written a custom application which requires transferring files through our firewall. This application is critical to the success of the external organization; however, we stand to benefit from it also. We have expressed our requirement to perform all file transfers using the FTP protocol. Our firewall by the way supports FTP via a FTP proxy.
>
> This external organization intends to use NFS as its file transfer utility claiming that their security policy only allows NFS for file transfers and does not permit FTP. Supposedly, with NFS they do not have to grant login access to outside users wishing to transfer files into their network. They feel that FTP requires a login and therefore compromises their security. Our policy only allows FTP - our firewall does not have a NFS proxy even though we could allow it go through.
>
> Does any of the above make sense to any reader out there? I'm not very up to date on the security threats of NFS. I do know however that CERT has posted NFS advisories and that both CERT and Cheswick/Bellovin recommend blocking out NFS from entering a private network.
>
> What should be my security concerns with NFS? Should I be comfortable with an external organization transmitting files into my network using NFS? Why do both CERT and Cheswick/Bellovin recommend blocking out NFS?
>
> I appreciate you response.
>
> Thanks
>
> Fabian
>
>
|
|
