On Sat, Feb 28, 2009 at 6:40 PM, Jean-Francois <jfsimon1...@gmail.com> wrote:
> Hi,
>
> "And I totally agree with you, Mixing firewall services with services
> like Web or file/print services is a recipe for disaster."
>
> True since hacking the web server is entering the firewall itself.
> But the web server, httpd, is chrooted ... so why would there be a
> problem here ?

There are ways to evade chroots, although I'm not sure how feasible they
are for OpenBSD.

> On Saturday, 28 February 2009 at 17:49 +0100, Felipe Alfaro Solana wrote:
> > On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze <schwa...@usta.de> wrote:
> > > Hi Felipe,
> > >
> > > Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > > > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze <schwa...@usta.de> wrote:
> > >
> > > > > Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > >
> > > > > > I actually built the following system :
> > > > > > - OpenBSD running on a standard AMD platform
> > > > > > - This box is actually used as firewall
> > > > > > - This box is also used as webserver
> > > > > > - This box is finally used as local shared drives via NFS file
> > > > > >   but only open to subnetwork through PF
> > >
> > > > > NFS is not designed with security in mind. It transmits data
> > > > > unencrypted. It has no real authentication and no real access
> > > > > control. It is designed for strictly private networks with
> > > > > no external access that no potential attackers have access to.
> > >
> > > Just to clarify,
> > >
> > > On an OpenBSD list, i am talking about NFS on OpenBSD (-current
> > > and -stable), and that's NFSv3. ;-)
> > > Of course, you are right that i could have mentioned that.
> > >
> > > > NFSv4 does not necessarily transmit data in clear text.
> > > > NFSv4 allows one to use encryption and/or data authentication.
> > >
> > > That doesn't help the original poster because NFSv4 is not
> > > available on OpenBSD. See
> > >
> > >   http://marc.info/?l=openbsd-misc&m=123469849717017
> > >
> > > Peter Hessler wrote on Feb 15, 2009:
> > > "openbsd uses nfsv3 over ipv4. nfsv4 is still being worked on, but is
> > > not ready."
> >
> > Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS
> > on OpenBSD is a very poor choice due to lack of proper authentication
> > and encryption :)
> >
> > > > NFSv3 and older versions do not use encryption at all,
> > > > but you can use IPSec to protect it at the network layer.
> > >
> > > I do not know enough about IPSec to judge whether and under which
> > > conditions it's viable, effective and efficient to secure NFS usage
> > > in an internal network that attackers have access to by using IPSec
> > > between the NFS server and each NFS client. Maybe this could be
> > > an option.
> >
> > Of course if the attacker can gain remote access to the machine, IPSec
> > is not very useful since the attacker can probably retrieve the
> > encryption keys from the kernel :)
> >
> > IPSec is only useful to prevent attacks (replay, sniff, etc.) from the
> > network.
> >
> > > Thanks for pointing this out.
> > >
> > > But even if that's sound, which i neither claim nor deny, it's still
> > > a bad idea to run purely internal services on a firewall, no matter
> > > whether they use encryption or not.
> >
> > And I totally agree with you, Mixing firewall services with services
> > like Web or file/print services is a recipe for disaster.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
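The two mitigations the thread touches on, Jean-Francois's "only open to subnetwork through PF" and Ingo's "use IPSec to protect it at the network layer", can be combined so that NFSv3 is reachable only through an IPsec tunnel from the internal subnet and plain-text NFS packets on the wire are dropped. The following OpenBSD pf.conf and ipsec.conf fragments are an added example written for this page, not configuration posted by anyone in the thread; the interface name `em1`, the addresses `192.168.1.1` (server) and `192.168.1.20` (client), and the pre-shared key are constructed placeholders.

```conf
# ---- /etc/pf.conf fragment (added example; constructed values) ----
int_if    = "em1"
int_net   = "192.168.1.0/24"
# portmapper (111) and nfsd (2049). mountd/lockd/statd use dynamic
# RPC ports unless pinned, so pin them and add them here as well.
nfs_ports = "{ 111 2049 }"

set skip on lo
block in log all

# IKE negotiation and ESP payloads from the internal subnet only.
pass in on $int_if proto udp from $int_net to $int_if port isakmp
pass in on $int_if proto esp from $int_net to $int_if

# NFS is accepted only after ESP decapsulation, i.e. on enc0.
# A clear-text NFS packet arriving on $int_if never matches this
# rule and falls through to "block in log all" above.
pass in on enc0 proto { tcp udp } from $int_net to $int_if \
    port $nfs_ports keep state (if-bound)

# ---- /etc/ipsec.conf fragment on the NFS server (added example) ----
# Transport-mode ESP between server and one client; repeat the rule
# per client, or use a certificate-based setup instead of a PSK.
ike esp transport from 192.168.1.1 to 192.168.1.20 \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Load with `pfctl -f /etc/pf.conf` and `ipsecctl -f /etc/ipsec.conf` (with `isakmpd -K` running); the client needs the mirror-image `ike` rule with `from` and `to` swapped. `pfctl -sr -v` and `tcpdump -ni em1 port 2049` are the quick checks that no NFS traffic is still passing in the clear. This only addresses the on-the-wire problems Felipe lists (sniffing, replay, spoofing from the LAN); as he and Ingo both say, it does nothing about a compromised firewall host holding the keys, which is why the file service belongs on a separate machine.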