There is a very good alternative for NFS.The name is scp.A small How-To is described in book Mastering FreeBSD and OpenBSD security.
In my point of view firewall must be separate machine in all cases. www and file server on one machine is acceptible solution in case of use of chroot,jail, zones on Solaris or similar solution for small companies. But I think that sooner or later you will decide to buy another machine to separate these services. 2009/2/28 Felipe Alfaro Solana <[email protected]>: > On Sat, Feb 28, 2009 at 6:40 PM, Jean-Francois <[email protected]>wrote: > >> Hi, >> "And I totally agree with you, Mixing firewall services with services >> like Web or file/print services is a recipe for disaster." >> >> True since hacking the web server is entering the firewall itself. >> But the web server, httpd, is chrooted ... so why would there be a >> problem here ? > > > There are ways to evade chroots, although I'm not sure how feasible they are > for OpenBSD. > > >> Le samedi 28 fC)vrier 2009 C B 17:49 +0100, Felipe Alfaro Solana a C)crit : >> > On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze <[email protected]> >> > wrote: >> > B B B B Hi Felipe, >> > >> > B B B B Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM >> > B B B B +0100: >> > B B B B > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze >> > B B B B <[email protected]> wrote: >> > >> > B B B B >> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM >> > B B B B +0100: >> > >> > B B B B >>> I actually built the following system : >> > B B B B >>> - OpenBSD running on a standard AMD platform >> > B B B B >>> - This box is actually used as firewall >> > B B B B >>> - This box is also used as webserver >> > B B B B >>> - This box is finally used as local shared drives via NFS >> > B B B B file >> > B B B B >>> B but only open to subnetwork through PF >> > >> > >> > B B B B >> NFS is not designed with security in mind. B It transmits >> > B B B B data >> > B B B B >> unencrypted. B It has no real authentication and no real >> > B B B B access >> > B B B B >> control. B If is designed for strictly private networks with >> > B B B B >> no external access that no potential attackers have access >> > B B B B to. >> > >> > >> > B B B B > Just to clarify, >> > >> > B B B B On an OpenBSD list, i am talking about NFS on OpenBSD >> > B B B B (-current >> > B B B B and -stable), and that's NFSv3. B ;-) >> > B B B B Of course, you are right that i could have mentioned that. >> > >> > B B B B > NFSv4 does not necessarily transmit data in clear text. >> > B B B B > NFSv4 allows one to use encryption and/or data >> > B B B B authentication. >> > >> > >> > B B B B That doesn't help the original poster because NFSv4 is not >> > B B B B available on OpenBSD. B See >> > >> > B B B B B http://marc.info/?l=openbsd-misc&m=123469849717017 >> > B B B B B Peter Hessler wrote on Feb 15, 2009: >> > B B B B B "openbsd uses nfsv3 over ipv4. >> > B B B B B nfsv4 is still being worked on, but is not ready." >> > >> > >> > Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS >> > on OpenBSD is a very poor choice due to lack of proper authentication >> > and encryption :) >> > >> > B B B B > NFSv3 and older versions do not use encryption at all, >> > B B B B > but you can use IPSec to protect it at the network layer. >> > >> > >> > B B B B I do not know enough about IPSec to judge whether and under >> > B B B B which >> > B B B B conditions it's viable, effective and efficient to secure NFS >> > B B B B usage >> > B B B B in an internal network that attackers have access to by using >> > B B B B IPSec >> > B B B B between the NFS server and each NFS client. B Maybe this could >> > B B B B be >> > B B B B an option. >> > >> > >> > Of course if the attacker can gain remote access to the machine, IPSec >> > is not very useful since the attacker can probably retrieve the >> > encryption keys from the kernel :) >> > >> > >> > IPSec is only useful to prevent attacks (replay, sniff, etc.) from the >> > network. >> > Thanks for pointing this out. >> > >> > >> > B B B B But even if that's sound, which i neither claim nor deny, it's >> > B B B B still >> > B B B B a bad idea to run purely internal services on a firewall, no >> > B B B B matter >> > B B B B whether they use encrtption or not. >> > >> > >> > And I totally agree with you, Mixing firewall services with services >> > like Web or file/print services is a recipe for disaster. >> >> > > > -- > http://www.felipe-alfaro.org/blog/disclaimer/ > > -- http://www.openbsd.org/lyrics.html
