[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Is NFS export r/o safe from lan to dmz?

On Sun, Mar 02, 2008 at 11:13:20PM +0100, Peter Teunissen wrote:
> If the export would be r/o, what would be the risk of such a setup?

I don't know their current status off the top of my head, but I seem to
recall nfs/portmapper having a somewhat questionable early security
history.  They may be completely cleaned up now.  They may not.
Personally, I wouldn't want to risk it.

Also, just as a matter of principle, I'm something of a purist about
maintaining the closest possible approximation of a "the DMZ can open
very limited connections to the outside world and absolutely nothing
into the secure network" model.  Every protocol on which the DMZ can
contact the secure network is a ready-made attack vector for anyone who
compromises a DMZ host.

> (I don't  
> have the diskspace to keep a complete copy of all the files on the  
> dmz, so something involving rsync is out of the question).

Disk is cheap these days.  Go to newegg.com and drop $60 on a 250G hard
drive.  That should be large enough for you to rsync your entire music
collection to the DMZ box (with periodic updates initiated from the
secure network, so the DMZ is only receiving connections, not initiating
them) and, even if you're making minimum wage, will probably cost less
than the equivalent value of the time you would have spent on securing
nfs and ensuring that it stays secure afterwards.  Not to mention the
headaches of synchronizing numeric user ids across the nfs-using hosts
without using nis...  (I haven't used nis for a few years either, but I
seem to recall it having a number of avenues by which it can be abused
even without needing to compromise it per se, so using nis in the DMZ,
whether it's able to connect to the secure network or not, seems like a
really bad idea.)

News aggregation meets world domination.  Can you see the fnews?

Reply to: