
Re: Is NFS export r/o safe from lan to dmz?



On Mon, March 3, 2008 06:56, NN_il_Confusionario wrote:
> On Sun, Mar 02, 2008 at 11:13:20PM +0100, Peter Teunissen wrote:
>> Are there other ways to make the files available on my dmz other than
>> nfs.
>
> (sorry for the double answer)
>
> perhaps a minimal and secure (or at least much less complex and so safer
> than the portmap/nfsd daemons) web server on the machine having the
> files, plus a reverse proxy web server on the machine in the dmz (or a
> direct port forwarding on the router/firewall).

I was thinking of using the reverse proxy setup. Port forwarding feels
like a bad idea, you'd be putting your lan on the web. I don't regard
webservers as very secure. That's why we put them on a dmz in the first
place.

The reverse proxy would be another barrier between wan and lan, just like
the nfs export would be. But, I'd think that a reverse proxy still would
make the lan webserver accessible to script exploits etc. Webservers are
always being probed for weaknesses once they're on the net. When my lan
webserver would be compromised, the attacker would gain immediate access
to my lan. If the same would happen to my dmz webserver, it would only
give access to the lan data on the export. The export itself would be yet
another barrier before complete access to the lan.

I don't have any knowledge on the complexity of nfs compared to apache2,
both seem like complicated software to me. How would portmapper/nfs be
more vulnerable than apache2?



-- 
Regards,


Peter Teunissen



