[ale] Linux NAS Distributio

James P. Kinney III jkinney at localnetsolutions.com
Mon Jul 9 08:37:18 EDT 2007


Bob and Jerald,

I am under the impression that NFS v4 has resolved much (if not all) of
the prior security vulnerabilities with the ancient NFS process. It uses
TCP only, and uses Kerberos for secure authentication of systems and all
data transfer can be made through an SSL tunnel (I think. I have never
done that yet). The NFS spec people claim NFS v4 is safe enough now to
be used over Internet lines (!?!?!). If so, that sure beats the crap out
of CIFS (showing once again the superiority of the *NIX way over
microcrap - now if only we could settle this little vi/emacs thing...).

On Mon, 2007-07-09 at 07:28 -0400, Jerald Sheets wrote:
> Like I had mentioned earlier
> 
> "and a few other options".
> 
> Among those, ro.  Also, yes....very clearly we are on a trusted  
> network.  The NAS mounting happens out the backend on a dedicated  
> network on a separate NIC.
> 
> Sure, UDP can be spoofed, but with multiple layers of security in  
> place (both proximity and access control) that shouldn't be an  
> issue.  Further, if you're going to make a system available to your  
> whole network, one would hope that you have appropriate controls in  
> place.
> 
> So, read-only, on its own network, UDP, and in my case at home
> tripwired and portsentried.
> 
> What other measures do you think would be helpful, Bob?  I mean after  
> all, THE Unixy way to share filespace across a network is NFS.
> 
> 
> --j
> 
> 
> 
> On Jul 9, 2007, at 1:14 AM, Bob Toxen wrote:
> 
> > NFS has security vulnerabilities.  I recommend NOT using it via UDP
> > unless you are in a SECURE network behind a firewall.  Instead use it
> > via TCP.  I suggest not using it at all unless on a SECURE network
> > behind a firewall.
> >
> > Its security is based on the generally false assumption that packets
> > (e.g., UDP packets) will not be spoofed and that on every system on
> > the network, only a trusted SysAdmin will send packets from or receive
> > packets to a port number below 1024.  That assumption has been false
> > for at least a decade as any hacker can connect his or her Windows
> > or Linux laptop to a network and spoof traffic from "trusted" systems.
> >
> > Bob Toxen
> > bob at verysecurelinux.com               [Please use for email to me]
> > http://www.verysecurelinux.com        [Network&Linux/Unix security  
> > consulting]
> > http://www.realworldlinuxsecurity.com [My book:"Real World Linux  
> > Security 2/e"]
> > Quality Linux & UNIX security and SysAdmin & software consulting  
> > since 1990.
> > Quality spam and virus filters.
> >
> > On Sat, Jul 07, 2007 at 07:23:59PM -0400, Jerald Sheets wrote:
> >> The thing I'm finding interesting here is I'm not sure what the scoop
> >> is on your requirements.
> >>
> >> Before we went Netapp, we were using straight OpenSuSE and mounting
> >> NFS via UDP  (i.e. /www mounted to the nases share)
> >>
> >>
> >> Is there something I'm missing in the requirement for you?  I mean,
> >> if it'll handle a few million a day for us...
> >>
> >> --j
> >>
> >>
> >> On Jul 7, 2007, at 2:34 PM, Christopher Fowler wrote:
> >>
> >>> After playing around with FreeNAS I kinda like it.  It may not be
> >>> Linux
> >>> but it seems to do a decent job.  I looked at Openfiler and it
> >>> appeared
> >>> that neither it nor FreeNAS had support for making backups to DVD's.
> >>> Maybe in a later version.  I'm trying to learn FreeNAS now under
> >>> vmware.
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Ale mailing list
> >>> Ale at ale.org
> >>> http://www.ale.org/mailman/listinfo/ale
> >>
> 
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
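The thread above argues over exactly which /etc/exports settings matter: Bob's point that AUTH_SYS trusts unspoofed packets and privileged source ports, Jerald's read-only export to a known client network, and James's note that NFSv4 pairs TCP with Kerberos. The POSIX sh script below is an added example, not code from the thread or from any of its posters. It audits one exports line at a time for those weaknesses and shows the weak export beside a hardened one. The sample exports content, the paths, the client network 10.0.1.0/24 and the host name nas.example.internal are all constructed for the example; the function name audit_export is mine. The export and mount options themselves (rw/ro, insecure/secure, no_root_squash/root_squash, sec=sys/krb5/krb5i/krb5p) are the standard Linux NFS options.

```shell
#!/bin/sh
# Added example, not code from the thread or from any of its posters.
# audit_export takes one /etc/exports line and reports the weaknesses the
# thread argues about: AUTH_SYS trust in unspoofed packets and privileged
# source ports, versus a read-only export to a known client network that
# requires Kerberos.

# Constructed sample /etc/exports content; paths and networks are made up.
SAMPLE_EXPORTS='
# weak: anyone on the wire, writable, non-privileged source ports, root trusted
/www    *(rw,insecure,no_root_squash)
# hardened: one client network, read-only, Kerberos with privacy, root squashed
/www    10.0.1.0/24(ro,sec=krb5p,secure,root_squash)
# looks Kerberised but still admits AUTH_SYS clients
/data   10.0.1.0/24(rw,sec=krb5p:sys)
'

# audit_export "<path> <client>(<opts>)"
#   prints "OK" or "WEAK: <finding> ..." and returns 0 / 1 accordingly
audit_export() {
    _line=$1
    _client=$(printf '%s\n' "$_line" | awk '{print $2}')
    _host=${_client%%"("*}
    case "$_client" in
        *"("*) _opts=${_client#*"("}; _opts=${_opts%")"} ;;
        *)     _opts="" ;;
    esac
    _findings=""

    # client spec "*" or "*.domain" means every host that can reach the server
    case "$_host" in
        '*'*|'') _findings="$_findings wildcard-host" ;;
    esac
    # rw: a spoofed client can write; ro limits what a spoofed request can do
    case ",$_opts," in *,rw,*) _findings="$_findings rw" ;; esac
    # insecure: accept requests from source ports >= 1024, i.e. any user process
    case ",$_opts," in *,insecure,*) _findings="$_findings insecure-ports" ;; esac
    # no_root_squash: client uid 0 is server uid 0
    case ",$_opts," in *,no_root_squash,*) _findings="$_findings no_root_squash" ;; esac

    # sec=: which RPC security flavours the export accepts (default is sys)
    _sec=""
    case ",$_opts," in
        *,sec=*) _sec=${_opts#*sec=}; _sec=${_sec%%,*} ;;
    esac
    case "$_sec" in
        "")      _findings="$_findings auth_sys-default" ;;
        *sys*)   _findings="$_findings auth_sys-allowed" ;;   # krb5p:sys still admits sys
        *krb5p*) : ;;                                         # auth + integrity + privacy
        *krb5*)  _findings="$_findings kerberos-without-privacy" ;;
        *)       _findings="$_findings unknown-sec=$_sec" ;;
    esac

    if [ -n "$_findings" ]; then
        printf '%s\n' "WEAK:$_findings"
        return 1
    fi
    printf '%s\n' "OK"
    return 0
}

# Run the audit over the sample file, skipping comments and blank lines.
printf '%s\n' "$SAMPLE_EXPORTS" | while IFS= read -r _l; do
    case "$_l" in ''|'#'*) continue ;; esac
    _result=$(audit_export "$_l") || :
    printf '%s\n    -> %s\n' "$_l" "$_result"
done

# Matching client side for the hardened export. NFSv4 runs over TCP and the
# Kerberos flavour is selected with the same sec= option on the mount:
#   mount -t nfs4 -o ro,sec=krb5p,hard nas.example.internal:/www /www
```

To run it against a real server, pipe `grep -v '^#' /etc/exports` into the same loop in place of SAMPLE_EXPORTS. Note that sec=krb5 alone only authenticates the RPC caller; the data still crosses the wire in the clear, which is why the audit only accepts krb5p without comment and flags krb5 and krb5i separately.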