[ale] Linux NAS Distributio

Jerald Sheets questy at gmail.com
Mon Jul 9 07:28:14 EDT 2007


Like I had mentioned earlier

"and a few other options".

Among those, ro.  Also, yes....very clearly we are on a trusted  
network.  The NAS mounting happens out the backend on a dedicated  
network on a separate NIC.

Sure, UDP can be spoofed, but with multiple layers of security in  
place (both proximity and access control) that shouldn't be an  
issue.  Further, if you're going to make a system available to your  
whole network, one would hope that you have appropriate controls in  
place.

So, readonly, on its own network, UDP, and in my case at home  
tripwired and portsentried.

What other measures do you think would be helpful, Bob?  I mean after  
all, THE Unixy way to share filespace across a network is NFS.


--j



On Jul 9, 2007, at 1:14 AM, Bob Toxen wrote:

> NFS has security vulnerabilities.  I recommend NOT using it via UDP
> unless you are in a SECURE network behind a firewall.  Instead use it
> via TCP.  I suggest not using it at all unless on a SECURE network
> behind a firewall.
>
> Its security is based on the generally false assumption that packets
> (e.g., UDP packets) will not be spoofed and that on every system on
> the network, only a trusted SysAdmin will send packets from or receive
> packets to a port number below 1024.  That assumption has been false
> for at least a decade as any hacker can connect his or her Windows
> or Linux laptop to a network and spoof traffic from "trusted" systems.
>
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security  
> consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux  
> Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting  
> since 1990.
> Quality spam and virus filters.
>
> On Sat, Jul 07, 2007 at 07:23:59PM -0400, Jerald Sheets wrote:
>> The thing I'm finding interesting here is I'm not sure what the scoop
>> is on your requirements.
>>
>> Before we went Netapp, we were using straight OpenSuSE and mounting
>> NFS via UDP  (i.e. /www mounted to the NAS's share)
>>
>>
>> Is there something I'm missing in the requirement for you?  I mean,
>> if it'll handle a few million a day for us...
>>
>> --j
>>
>>
>> On Jul 7, 2007, at 2:34 PM, Christopher Fowler wrote:
>>
>>> After playing around with FreeNAS I kinda like it.  It may not be
>>> Linux
>>> but it seems to do a decent job.  I looked at Openfiler and it
>>> appeared
>>> that neither it nor FreeNAS had support for making backups to DVDs.
>>> Maybe in a later version.  I'm trying to learn FreeNAS now under
>>> vmware.
>>>
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://www.ale.org/mailman/listinfo/ale