Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: NFS vs. FTP
From: Doug Hughes <Doug . Hughes @ Eng . Auburn . EDU>
Date: Fri, 25 Oct 1996 13:27:24 -0500
To: "Data Systems Bureau" <lasdsdn @ ix . netcom . com>
Cc: firewalls @ greatcircle . com
In-reply-to: <199610241709 . KAA24651 @ dfw-ix6 . ix . netcom . com>

If you give anybody write access to NFS, you should assume that EVERYBODY
has write access to your NFS file system as any user that they want to be
(excepting root in some cases). NFS security is extremely weak in this
regard and relies on the client to present itself truthfully, identify
itself correctly, and determine access.


>Hello All,
>
>An organization, external to ours, has written a custom application
>which requires transferring files through our firewall.  This
>application is critical to the success of the external organization;
>however, we stand to benefit from it also. We have expressed our
>requirement to perform all file transfers using the FTP protocol.  Our
>firewall by the way supports FTP via a FTP proxy.
>
>This external organization intends to use NFS as its file transfer
>utility claiming that their security policy only allows NFS for file
>transfers and does not permit FTP.  Supposedly, with NFS they do not
>have to grant login access to outside users wishing to transfer files
>into their network. They feel that FTP requires a login and therefore
>compromises their security. Our policy only allows FTP - our firewall
>does not have a NFS proxy even though we could allow it to go through.
>
>Does any of the above make sense to any reader out there?  I'm not very
>up to date on the security threats of NFS.  I do know however that CERT
>has posted NFS advisories and that both CERT and Cheswick/Bellovin
>recommend blocking out NFS from entering a private network.
>
>What should be my security concerns with NFS?  Should I be comfortable
>with an external organization transmitting files into my network using
>NFS?  Why do both CERT and Cheswick/Bellovin recommend blocking out NFS?
>
>I appreciate your response.
>
>Thanks
>
>Fabian
>

--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug @ eng . auburn . edu
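
A defender-side check that follows from the reply above, as an added example that is not part of the original message: it scans an exports file for entries where a client's self-reported uid/gid would be honoured for writes, or where root is not squashed. It assumes Linux exports(5) syntax with no quoted paths or line continuations; the sample file, hostnames and the name `audit_exports` are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax (an assumption, not from the message).
SAMPLE_EXPORTS = """\
# path       client(options)
/srv/drop    partner.example.org(rw,sync)
/srv/pub     *(ro,all_squash)
/home        10.0.0.0/24(rw,no_root_squash) *.example.org(rw)
/srv/krb     files.example.org(rw,sec=krb5p)
"""

# host(options); an empty host means "any client", missing options mean defaults.
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            # sec= may list several flavours; the default flavour is sys.
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            # Under sec=sys the server trusts the uid/gid the client sends.
            client_asserted = "sys" in sec.split(":")
            if "rw" in opts and client_asserted and "all_squash" not in opts:
                findings.append((path, host, "rw with client-asserted uid/gid"))
            if "no_root_squash" in opts and client_asserted:
                findings.append((path, host, "root not squashed"))
            if "rw" in opts and ("*" in host or "?" in host):
                findings.append((path, host, "rw to wildcard client"))
    return sorted(findings)


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:10} {host:22} {finding}")
```
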



