On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze <schwa...@usta.de> wrote:

> Hi Jean-Francois,
>
> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
>
> > I actually built the following system :
> > - OpenBSD running on a standard AMD platform
> > - This box is actually used as firewall
> > - This box is also used as webserver
> > - This box is finally used as local shared drives via NFS file
> >   but only open to subnetwork through PF
>
> It's hard to tell what this is supposed to say, but in case you intend
> to use the same physical machine as a firewall, as a public webserver
> and as a private NFS server, that's almost certainly a very bad idea
> and not at all secure.
>
> Never put your private NFS server on the same host as either your
> firewall or your webserver.  Never.  If you don't own and can't
> afford enough hardware to physically separate the NFS server
> from the firewall and the webserver, do not use NFS at all.
> If your network is so small that you consider putting everything
> on one single server, just use some old 200MHz i386 for the firewall
> and some old 500MHz i386 for the NFS server.  People will almost
> certainly give you such hardware for free, at least in Europe.
> That's probably sufficient, and lets you use your shiny new amd64
> box as the webserver.


Just to clarify, NFSv4 does not necessarily transmit data in clear text.
NFSv4 allows one to use encryption and/or data authentication. NFSv3 and
older versions do not use encryption at all, but you can use IPSec to
protect it at the network layer.

> NFS is not designed with security in mind.  It transmits data
> unencrypted.  It has no real authentication and no real access
> control.  It is designed for strictly private networks with
> no external access that no potential attackers have access to.
>
> If you can afford it, also separate the webserver from the
> firewall.  Webservers tend to run lots of crappy software,
> and thus, they tend to get hacked.  Well, perhaps that's
> somewhat mitigated by running the webserver chrooted, but
> anyway, it is clearly better to make the firewall a three-leg
> router and physically separate the network segment containing the
> webserver (DMZ) and the internal NFS server (private intranet).
>
> > Assuming that subnetwork computers might be hacked or infected by
> > any threat
>
> You mean, attackers might gain access to either the hardware of
> your internal network, or any of the computers in your internal
> network might get hacked from the Internet?
>
> If I understood that correctly, you cannot use NFS at all,
> not even on a dedicated server inside your intranet, physically
> well separated from the firewall.  There is basically no way to
> secure it.
>
> > Assuming that there is no mistake in PF rules
> > Assuming that there is nothing of a third party installed
> > on the box (basically it's only a tuned system)
> > -> Would you please confirm that hacking is almost impossible ?
>
> If I understood your setup and threat scenario correctly --
> computers inside your internal network might be compromised,
> and you want to run an NFS server inside your internal network --
> then no, that's not secure.  Spying out the private data on the
> NFS server is trivial and does not even need script kiddie skills.
> All the attacker needs to do is:  Use an IP number having access
> to the NFS server, locally create an account with the UID he is
> interested in, mount the NFS volume(s) and read the data.
> No hacking is required.  This is completely insecure.
>
> > -> Would you confirm any personal data hosted on server are safe
> > as long as the (subnet is not compromised by false manipulation
> > of course)
>
> I don't know what you mean by "subnet is not compromised", but
> it doesn't matter.  If "subnetwork computers might be hacked",
> then the data is not at all secure.
>
> No idea why so many other posters said there's no problem...  :-(
>
> Yours
>   Ingo
>
>


-- 
http://www.felipe-alfaro.org/blog/disclaimer/
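
Added example, not part of the thread and not written by either poster: a small audit of an NFS exports file that reports which exports still accept AUTH_SYS (where the server trusts the UID the client sends) and which are authenticated but not encrypted. It assumes a Linux-style exports(5) file with the `sec=` option, not the OpenBSD box discussed above; the sample paths and hosts are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax (assumption: not OpenBSD's format).
SAMPLE_EXPORTS = """\
# constructed example, hosts and paths are made up
/srv/share   192.168.1.0/24(rw,sync)
/srv/home    192.168.1.0/24(rw,sec=krb5p)
/srv/pub     *.example.org(ro,sec=krb5i:sys) 10.0.0.5(ro,sec=krb5)
"""

# "client(opt,opt,...)" or a bare "client" with no option list.
CLIENT_RE = re.compile(r"^([^()]+?)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Yield (path, client, flavors) for every client entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = CLIENT_RE.match(entry)
            if not m:
                continue
            client, opts = m.group(1), m.group(2) or ""
            flavors = ["sys"]  # exports(5) default when sec= is absent
            for opt in opts.split(","):
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")  # colon-separated list
            yield path, client, flavors


def audit(text):
    """Return (path, client, finding) for exports weaker than krb5p-only."""
    findings = []
    for path, client, flavors in parse_exports(text):
        if "sys" in flavors:
            # The client may choose AUTH_SYS: identity is only IP + claimed UID.
            findings.append((path, client, "auth_sys"))
        elif any(f != "krb5p" for f in flavors):
            # krb5 authenticates, krb5i adds integrity; only krb5p encrypts.
            findings.append((path, client, "not_encrypted"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding)
```
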
