[ale] Linux NAS Distributio

Scott Castaline hscast at charter.net
Mon Jul 9 12:34:57 EDT 2007


James P. Kinney III wrote:
> Bob and Jerald,
> 
> I am under the impression that NFS v4 has resolved much (if not all) of
> the prior security vulnerabilities with the ancient NFS process. It uses
> TCP only, and uses kerberos for secure authentication of systems and all
> data transfer can be made through an SSL tunnel (I think. I have never
> done that yet). The NFS spec people claim NFS v.4 is safe enough now to
> be used over Internet lines (!?!?!). If so, that sure beats the crap out
> of CIFS (showing once again the superiority of the *NIX way over
> microcrap - now if only we could settle this little vi/emacs thing...).
> 
> On Mon, 2007-07-09 at 07:28 -0400, Jerald Sheets wrote:
>> Like I had mentioned earlier
>>
>> "and a few other options".
>>
>> Among those, ro.  Also, yes....very clearly we are on a trusted  
>> network.  The NAS mounting happens out the backend on a dedicated  
>> network on a separate NIC.
>>
>> Sure, UDP can be spoofed, but with multiple layers of security in  
>> place (both proximity and access control) that shouldn't be an  
>> issue.  Further, if you're going to make a system available to your  
>> whole network, one would hope that you have appropriate controls in  
>> place.
>>
>> So, readonly, on its own network, UDP, and in my case at home
>> tripwired and portsentried.
>>
>> What other measures do you think would be helpful, Bob?  I mean after  
>> all, THE Unixy way to share filespace across a network is NFS.
>>
>>
>> --j
>>
>>
>>
>> On Jul 9, 2007, at 1:14 AM, Bob Toxen wrote:
>>
>>> NFS has security vulnerabilities.  I recommend NOT using it via UDP
>>> unless you are in a SECURE network behind a firewall.  Instead use it
>>> via TCP.  I suggest not using it at all unless on a SECURE network
>>> behind a firewall.
>>>
>>> Its security is based on the generally false assumption that packets
>>> (e.g., UDP packets) will not be spoofed and that on every system on
>>> the network, only a trusted SysAdmin will send packets from or receive
>>> packets to a port number below 1024.  That assumption has been false
>>> for at least a decade as any hacker can connect his or her Windows
>>> or Linux laptop to a network and spoof traffic from "trusted" systems.
>>>
>>> Bob Toxen
>>> bob at verysecurelinux.com               [Please use for email to me]
>>> http://www.verysecurelinux.com        [Network&Linux/Unix security  
>>> consulting]
>>> http://www.realworldlinuxsecurity.com [My book:"Real World Linux  
>>> Security 2/e"]
>>> Quality Linux & UNIX security and SysAdmin & software consulting  
>>> since 1990.
>>> Quality spam and virus filters.
>>>
>>> On Sat, Jul 07, 2007 at 07:23:59PM -0400, Jerald Sheets wrote:
>>>> The thing I'm finding interesting here is I'm not sure what the scoop
>>>> is on your requirements.
>>>>
>>>> Before we went Netapp, we were using straight OpenSuSE and mounting
>>>> NFS via UDP  (i.e. /www mounted to the nases share)
>>>>
>>>>
>>>> Is there something I'm missing in the requirement for you?  I mean,
>>>> if it'll handle a few million a day for us...
>>>>
>>>> --j
>>>>
>>>>
>>>> On Jul 7, 2007, at 2:34 PM, Christopher Fowler wrote:
>>>>
>>>>> After playing around with FreeNAS I kinda like it.  It may not be
>>>>> Linux
>>>>> but it seems to do a decent job.  I looked at Openfiler and it
>>>>> appeared
>>>>> that neither it nor FreeNAS had support for making backups to DVD's.
>>>>> Maybe in a later version.  I'm trying to learn FreeNAS now under
>>>>> vmware.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Ale mailing list
>>>>> Ale at ale.org
>>>>> http://www.ale.org/mailman/listinfo/ale
Oh no let's not start that flame war again. I broke my delete key on the
last one. ;)
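An added example, not code from anyone in this thread: a small Python audit of an exports(5) file that flags the trust assumptions Bob and James discuss (the privileged-port check, AUTH_SYS versus Kerberos security flavours, wildcard clients, writable and no_root_squash exports). The sample exports text is constructed; only the /www path comes from the thread.

```python
import re

# Constructed sample exports file (not from the thread): a Kerberos-locked read-only export, a wide-open one, a mixed one.
SAMPLE_EXPORTS = """\
/www   10.0.1.0/24(ro,sync,sec=krb5p)
/home  *(rw,insecure,no_root_squash)
/data  nas01.example.com(rw,sec=krb5i:sys)
"""

CLIENT_RE = re.compile(r"([^\s(]*)\(([^)]*)\)|(\S+)")  # host(opts) or bare host

def parse_exports(text):
    """Parse exports(5)-style text into (path, host, options) tuples, one per client."""
    exports = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split path/clients
        if len(parts) < 2:
            continue                                  # blank line or no client list
        path, clients = parts
        for host, opts, bare in CLIENT_RE.findall(clients):
            if bare:                                  # bare host: default options apply
                exports.append((path, bare, []))
            else:                                     # "(opts)" with no host means every host
                exports.append((path, host or "*", [o for o in opts.split(",") if o]))
    return exports

def audit(host, options):
    """Return the weak settings of one export entry, in the terms used in the thread."""
    opts, findings = set(options), []
    if any(c in host for c in "*?"):
        findings.append("wildcard host: any client that can reach nfsd may mount")
    if "insecure" in opts:
        findings.append("insecure: waives the privileged (<1024) source-port check")
    sec = [o[4:] for o in options if o.startswith("sec=")]
    flavors = sec[-1].split(":") if sec else ["sys"]  # no sec= means AUTH_SYS only
    if "sys" in flavors:
        findings.append("sec=sys: server trusts the UID/GID the client asserts")
    if "rw" in opts:
        findings.append("rw: export is writable")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: client root is root on the export")
    return findings

def audit_exports(text):
    """Audit a whole exports file; returns [(path, host, findings), ...]."""
    return [(path, host, audit(host, opts)) for path, host, opts in parse_exports(text)]

if __name__ == "__main__":
    for path, host, findings in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: " + ("OK" if not findings else "; ".join(findings)))
```

Transport (UDP versus TCP) is chosen on the client mount and in the nfsd configuration rather than in exports, so it is outside what this file can tell you.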