On Mon, 5 Jan 2004, Brett Carrington wrote:

> On Mon, Jan 05, 2004 at 09:14:27PM -0500, Mark Roach wrote:
> > > This might be encrypted, but hardly secure, for instance if user A has 
> > > physical access to NFS client
> > > and user B has physical access to nfs client, what prevents user A from 
> > > accessing user B's files through VPN?
> > 
> > File permissions.

won't help ...  the user has access to their files on the other end

> Even so, you'd have this problem with or without an IPSec VPN. The VPN's
> job, in this case, is lower-layer encryption. File systems on your
> host/NFS Client are out of the spectrum of what a VPN can do. A VPN is
> only going to protect your data from snoopers of NFS packets.

"maybe"

places where the cracker can see your "credit card" ( sensitive data )
        - while you're away from your desk
        - while it's still in netscape cache
        - in transit to the webstore
        - while it's in memory (-- you've got bigger problems --)
        - vpn/ssh snooping of the wire  (-- you've got bigger problems --)
        - from your home network ssh'd/vpn'd into the corp lan
        - trash can

- i think the major comment, was what if the dude just sits at the
  terminal while you're away ..
        - encrypted traffic or encrypted fs will not prevent the cracker
        from seeing the "good data" they're not supposed to have seen

        - always passwd protect your screen 
        and always use different passwds for each pc
 
"encryption" is still useless if you use ez 2 remember pass phrase or
words from the dictionary or common phrases and "mistyped" passwds ..
        or written down on a piece of paper that is easy to find on the
        keyboard, monitor, mousepad, drawers, rolodex, bookmarkers, ...

        - it's even more trivial to go snooping if you use passwdless
        logins

- allowing nfs just makes all the snooping easier ...
        too many old holes - that may or may not be patched

        nfs --> "Not For Security"

        setting up and properly running a "secure nfs" is a whole other
        ballgame

c ya
alvin   

