On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze <[email protected]> wrote:
> Hi Felipe,
>
> Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze <[email protected]> wrote:
> >> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> >
> >>> I actually built the following system :
> >>> - OpenBSD running on a standard AMD platform
> >>> - This box is actually used as firewall
> >>> - This box is also used as webserver
> >>> - This box is finally used as local shared drives via NFS file
> >>>   but only open to subnetwork through PF
> >
> >> NFS is not designed with security in mind. It transmits data
> >> unencrypted. It has no real authentication and no real access
> >> control. It is designed for strictly private networks with
> >> no external access that no potential attackers have access to.
> >
> > Just to clarify,
>
> On an OpenBSD list, i am talking about NFS on OpenBSD (-current
> and -stable), and that's NFSv3. ;-)
> Of course, you are right that i could have mentioned that.
>
> > NFSv4 does not necessarily transmit data in clear text.
> > NFSv4 allows one to use encryption and/or data authentication.
>
> That doesn't help the original poster because NFSv4 is not
> available on OpenBSD. See
>
> http://marc.info/?l=openbsd-misc&m=123469849717017
> Peter Hessler wrote on Feb 15, 2009:
> "openbsd uses nfsv3 over ipv4.
> nfsv4 is still being worked on, but is not ready."

Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS on OpenBSD is a very poor choice due to lack of proper authentication and encryption :)

> > NFSv3 and older versions do not use encryption at all,
> > but you can use IPSec to protect it at the network layer.
>
> I do not know enough about IPSec to judge whether and under which
> conditions it's viable, effective and efficient to secure NFS usage
> in an internal network that attackers have access to by using IPSec
> between the NFS server and each NFS client. Maybe this could be
> an option.

Of course if the attacker can gain remote access to the machine, IPSec is not very useful since the attacker can probably retrieve the encryption keys from the kernel :) IPSec is only useful to prevent attacks (replay, sniff, etc.) from the network. Thanks for pointing this out.

> But even if that's sound, which i neither claim nor deny, it's still
> a bad idea to run purely internal services on a firewall, no matter
> whether they use encryption or not.

And I totally agree with you. Mixing firewall services with services like Web or file/print services is a recipe for disaster.

