Hi,

"And I totally agree with you, mixing firewall services with services like Web or file/print services is a recipe for disaster."

True, since hacking the web server is entering the firewall itself. But the web server, httpd, is chrooted ... so why would there be a problem here?

On Saturday 28 February 2009 at 17:49 +0100, Felipe Alfaro Solana wrote:
> On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze <schwa...@usta.de> wrote:
> > Hi Felipe,
> >
> > Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze <schwa...@usta.de> wrote:
> > > > Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > > > > I actually built the following system:
> > > > > - OpenBSD running on a standard AMD platform
> > > > > - This box is actually used as firewall
> > > > > - This box is also used as webserver
> > > > > - This box is finally used as local shared drives via NFS file
> > > > >   but only open to subnetwork through PF
> > > >
> > > > NFS is not designed with security in mind. It transmits data
> > > > unencrypted. It has no real authentication and no real access
> > > > control. It is designed for strictly private networks with
> > > > no external access that no potential attackers have access to.
> >
> > Just to clarify,
> >
> > On an OpenBSD list, i am talking about NFS on OpenBSD (-current
> > and -stable), and that's NFSv3. ;-)
> > Of course, you are right that i could have mentioned that.
> >
> > > NFSv4 does not necessarily transmit data in clear text.
> > > NFSv4 allows one to use encryption and/or data authentication.
> >
> > That doesn't help the original poster because NFSv4 is not
> > available on OpenBSD. See
> >
> > http://marc.info/?l=openbsd-misc&m=123469849717017
> > Peter Hessler wrote on Feb 15, 2009:
> > "openbsd uses nfsv3 over ipv4.
> > nfsv4 is still being worked on, but is not ready."
>
> Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS
> on OpenBSD is a very poor choice due to lack of proper authentication
> and encryption :)
>
> > > NFSv3 and older versions do not use encryption at all,
> > > but you can use IPSec to protect it at the network layer.
> >
> > I do not know enough about IPSec to judge whether and under which
> > conditions it's viable, effective and efficient to secure NFS usage
> > in an internal network that attackers have access to by using IPSec
> > between the NFS server and each NFS client. Maybe this could be
> > an option.
>
> Of course if the attacker can gain remote access to the machine, IPSec
> is not very useful since the attacker can probably retrieve the
> encryption keys from the kernel :)
>
> IPSec is only useful to prevent attacks (replay, sniff, etc.) from the
> network.
>
> > Thanks for pointing this out.
> >
> > But even if that's sound, which i neither claim nor deny, it's still
> > a bad idea to run purely internal services on a firewall, no matter
> > whether they use encryption or not.
>
> And I totally agree with you, mixing firewall services with services
> like Web or file/print services is a recipe for disaster.
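The thread mentions protecting NFSv3 with IPsec between the NFS server and each client but does not show what that looks like. The following is an added example, not configuration from anyone in the thread: an ipsec.conf(5) and a pf.conf(5) fragment for an OpenBSD NFS server in which NFS is only accepted after ESP decryption (on enc0) and never in the clear on the LAN interface. The addresses (192.168.10.1 for the server, .20 and .21 for the clients), the interface name em0 and the pre-shared keys are assumptions for the example.

```conf
# /etc/ipsec.conf on the NFS server (assumed address 192.168.10.1).
# One IKE rule per NFS client (assumed 192.168.10.20 and .21), with a
# pre-shared key per client; each client carries the mirror-image rule.
# "transport" keeps it host-to-host ESP without an extra IP-in-IP layer,
# which is all that NFS between two hosts on one LAN needs.
nfs_server = "192.168.10.1"
ike esp transport from $nfs_server to 192.168.10.20 psk "client20-shared-secret"
ike esp transport from $nfs_server to 192.168.10.21 psk "client21-shared-secret"

# /etc/pf.conf fragment on the same NFS server (assumed internal interface em0).
# Policy: IKE and ESP may arrive on the wire; RPC/NFS may only arrive on enc0,
# the pseudo-interface on which packets appear after IPsec decryption.
int_if      = "em0"
nfs_server  = "192.168.10.1"
nfs_clients = "{ 192.168.10.20, 192.168.10.21 }"

# IKE negotiation (udp/500) and the ESP payloads themselves.
pass in on $int_if proto udp from $nfs_clients to $nfs_server port isakmp
pass in on $int_if proto esp from $nfs_clients to $nfs_server

# Refuse portmap (111) and nfsd (2049) that show up unencrypted on the LAN.
# mountd, lockd and statd obtain their ports through portmap, so with a
# default "block all" policy they are unreachable in the clear as well.
block in quick on $int_if proto { tcp udp } from $nfs_clients to $nfs_server port { 111 2049 }

# After decryption the same datagrams appear on enc0; only there is NFS passed.
pass in on enc0 proto { tcp udp } from $nfs_clients to $nfs_server
```

Load with `ipsecctl -f /etc/ipsec.conf` (isakmpd running) and `pfctl -f /etc/pf.conf`; `ipsecctl -sa` should list one flow and SA pair per client, and a plain `showmount -e 192.168.10.1` from a client whose IKE has not completed should fail rather than answer. This only addresses the sniffing and replay threats Felipe names; it does nothing against a client that is itself compromised, and, as Ingo's point stands, it is not a reason to keep NFS on the firewall box.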