Hi Felipe,

Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze <[email protected]> wrote:
>> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:

>>> I actually built the following system :
>>> - OpenBSD running on a standard AMD platform
>>> - This box is actually used as firewall
>>> - This box is also used as webserver
>>> - This box is finally used as local shared drives via NFS file
>>>   but only open to subnetwork through PF

>> NFS is not designed with security in mind.  It transmits data
>> unencrypted.  It has no real authentication and no real access
>> control.  It is designed for strictly private networks with
>> no external access that no potential attackers have access to.

> Just to clarify,

On an OpenBSD list, i am talking about NFS on OpenBSD (-current
and -stable), and that's NFSv3.  ;-)
Of course, you are right that i could have mentioned that.

> NFSv4 does not necessarily transmit data in clear text.
> NFSv4 allows one to use encryption and/or data authentication.

That doesn't help the original poster because NFSv4 is not
available on OpenBSD.  See

  http://marc.info/?l=openbsd-misc&m=123469849717017
  Peter Hessler wrote on Feb 15, 2009:
  "openbsd uses nfsv3 over ipv4.
   nfsv4 is still being worked on, but is not ready."

> NFSv3 and older versions do not use encryption at all,
> but you can use IPSec to protect it at the network layer.

I do not know enough about IPSec to judge whether and under which
conditions it's viable, effective and efficient to secure NFS usage
in an internal network that attackers have access to by using IPSec
between the NFS server and each NFS client.  Maybe this could be
an option.

But even if that's sound, which i neither claim nor deny, it's still
a bad idea to run purely internal services on a firewall, no matter
whether they use encryption or not.

Yours,
  Ingo
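
As an added example that is not part of this thread and not OpenBSD's own
documentation: one way to express the "IPsec between the NFS server and each
client" idea in ipsec.conf(5) and pf.conf(5), on a separate internal NFS host
rather than the firewall, as Ingo recommends.  The addresses 10.0.0.10 and
10.0.0.0/24, the interface em0, the client address 10.0.0.21 and the
pre-shared key are assumptions; verify the keywords (in particular "peer any"
and "transport") against ipsec.conf(5) on the release in use.

```conf
# Added example, not from the thread.  Addresses, interface name and PSK
# are assumptions; replace them before use.

# ---- /etc/ipsec.conf on the NFS server (assumed 10.0.0.10) ----
nfs_srv = "10.0.0.10"
lan     = "10.0.0.0/24"

# Passive IKE: any LAN host that knows the PSK can bring up an ESP
# transport-mode SA with the server.  The flow ipsecctl installs for an
# "ike" rule is of type "require", so NFS packets between these addresses
# are dropped, not sent in clear, until an SA exists.
ike passive esp transport from $nfs_srv to $lan peer any psk "replace-this-psk"

# ---- /etc/ipsec.conf on each NFS client (assumed 10.0.0.21) ----
# ike active esp transport from 10.0.0.21 to 10.0.0.10 psk "replace-this-psk"

# ---- /etc/pf.conf on the NFS server ----
# On the wire only IKE (udp 500) and ESP from the LAN are accepted.
# The cleartext NFS/RPC traffic appears on enc0 after decapsulation, so
# portmap, mountd, nfsd etc. are reachable only through IPsec.  No
# fixed-port rule on enc0, because mountd and lockd use portmap-assigned
# ports.
int_if = "em0"
block in on $int_if
pass in on $int_if proto udp from $lan to $nfs_srv port 500
pass in on $int_if proto esp from $lan to $nfs_srv
pass in on enc0 from $lan to $nfs_srv
```

Checks after `ipsecctl -f /etc/ipsec.conf` on both sides: `ipsecctl -sa`
should list the flows and one ESP SA per client, `tcpdump -ni em0` should show
only ESP and IKE between server and clients, and `tcpdump -ni enc0` should be
the only place NFS RPCs are visible in clear.  A client without a matching
ipsec.conf will simply fail to mount, which is the intended failure mode.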
