Sorry for the direct e-mail, Jon. I saw a reply of yours to an NFS-firewall question. I frequently read security-related NFS information that ends with the conclusion, "Don't allow NFS mounts through a firewall." Isn't the real vulnerability associated with NFS and firewalls the NFS service itself? If you have an NFS server running on a DMZ, for example, then it puts the other DMZ servers at potential risk because of the vulnerabilities associated with the NFS service. Or it may allow changes to be made to data on the NFS server by someone not authorized to do so. Is that correct?
We have internal firewalls that we use to isolate servers and data that warrant a higher level of security than the rest of the internal network. We recently got a request to allow a secured server (secured by an internal firewall) to mount the drive of a server located on the internal network. So the client would run on a secured server and the NFS service is already running on a host on our internal network. No external access (Internet or otherwise) is involved. I'm being told we shouldn't do it because the NFS protocol itself is not secure and that allowing the access through the firewall somehow makes the firewall itself or other activities through the firewall more vulnerable. I would argue that the NFS server adds a certain amount of vulnerability to the internal network, but enabling access to it from a secured location wouldn't affect that vulnerability. Would you agree?

--Mike Brown
NCR Corporation

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
