...
Compromised Credential Attack: for our purposes this means leveraging a compromise of one machine to access multiple users' data. For example, with NFSv3, if you own a machine you have full access to any machine: even with root squash you can still "become" (su to) any user and do things as that user, because the client, not the server, decides which UID a request carries.
| | Advantages | Disadvantages | Speed |
|---|---|---|---|
| NFSv3 | Speed; simplicity | MiTM attack; Compromised Credential Attack | 10 Gbps+ |
| Kerberos | Relatively secure; stops MiTM attack; can reduce the Compromised Credential Attack; configured on a per-share basis, so some shares can be "raw"; standard | Requires NFSv4; Kerberos credentials expire; complicated; keytabs can be stolen | 50% (untested); 100% if unsecured |
| IPsec | Stops MiTM attack; can be used for other ports (but not required); standard | Does not stop Compromised Credential Attack | 25% |
| stunnel | Faster (currently) than IPsec (as tested); can be used to secure a single machine (or set of machines) against MiTM attack | Hard to use to stop MiTM attack with multiple trust boundaries; does not stop Compromised Credential Attack | 50% |
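As an added example (not from the original page), the per-share choice the Kerberos row describes, written as an `/etc/exports` fragment; the paths, the `192.0.2.0/24` client range and the assumption that the server and clients are already joined to a Kerberos realm with `nfs/` principals in their keytabs are all assumptions for illustration:

```conf
# /etc/exports (constructed example)
#
# Protected share: sec=krb5p requires a Kerberos ticket and encrypts every
# RPC, so a client cannot simply assert an arbitrary UID (the NFSv3/AUTH_SYS
# Compromised Credential Attack) and traffic is not readable or modifiable
# on the wire (the MiTM case). Only NFSv4 clients can use this.
/srv/home      192.0.2.0/24(rw,sec=krb5p,root_squash,sync)

# "Raw" share on the same server: AUTH_SYS trusts whatever UID the client
# sends. root_squash only maps UID 0 to nobody; a compromised client can
# still run as any other UID, so only put data here that every client
# on the subnet may legitimately read and write.
/srv/scratch   192.0.2.0/24(rw,sec=sys,root_squash,sync)

# Offering both flavors on one export (krb5p preferred, sys as fallback)
# is possible with a colon-separated list, but it silently re-opens the
# AUTH_SYS path for any client that asks for it:
# /srv/mixed   192.0.2.0/24(rw,sec=krb5p:sys,root_squash,sync)
```

After `exportfs -ra`, a client mounts the protected share with `mount -t nfs4 -o sec=krb5p server:/srv/home /mnt/home`; without a valid ticket the mount (or the first access) fails instead of falling back to AUTH_SYS, which is the check to verify that the flavor is actually enforced.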