On 03/04/2016 04:04 PM, Steve Gaarder wrote:
> While I really like the concept of AFS as a world-wide filesystem, I'm
> starting to wonder if it's a good idea in the modern age of cyberattacks.
> How safe is it to leave AFS open to the world?
>
> Some of the data we store in AFS does not need to be accessed from
> outside of our network; is there a good way of blocking access to it
> from outside while preserving access to other data in the cell?

Guess this would work on a per-volume basis, but not with a mix of restricted content and other data in a single volume (unless you just trust the AFS ACL protections, per Brandon's reply).

Put the restricted data (AFS volumes) and all replicas on separate fileservers, have these on a non-routed (but accessible within your site) network or at a minimum firewalled on the AFS fileserver/volserver ports (UDP 7000, 7005; add UDP 7007 = bosserver for good measure).
Keep the VolDB servers accessible from the evil internet.

Cheers
jan


_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
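
One way to apply the firewalling described in the reply above on a fileserver that holds only restricted volumes, as an added example that is not part of the original message. It assumes a Linux host with nftables; the function names and the site CIDRs (documentation ranges) are placeholders.

```shell
#!/bin/sh
# Added example: ingress filter for a fileserver dedicated to restricted volumes.
# The ports are the ones named in the reply; the CIDRs passed in are placeholders.

AFS_PORTS="7000, 7005, 7007"   # fileserver, volserver, bosserver (all UDP)

# Accept only strings shaped like IPv4 CIDRs so a typo cannot reach the ruleset.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print an nftables ruleset: the listed site networks may reach the AFS ports,
# every other source (including all IPv6) is dropped and counted.
afs_ruleset() {
    [ "$#" -ge 1 ] || { echo "usage: afs_ruleset CIDR..." >&2; return 2; }
    nets=""
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
        nets="${nets:+$nets, }$cidr"
    done
    cat <<EOF
table inet afs_restricted {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr { $nets } udp dport { $AFS_PORTS } accept
        udp dport { $AFS_PORTS } counter drop
    }
}
EOF
}

# On the restricted fileserver (root required):
#   afs_ruleset 192.0.2.0/24 198.51.100.0/25 | nft -c -f -   # syntax check only
#   afs_ruleset 192.0.2.0/24 198.51.100.0/25 | nft -f -      # load the rules
```

The database servers stay outside this filter, as the reply recommends; `nft list table inet afs_restricted` shows the drop counter, which tells you whether outside clients are still trying to reach the restricted servers.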
