...

Compromised Credential Attack: For our purposes, this means leveraging the compromise of one machine to access multiple users' data. For example, with NFSv3, if you own a machine then you have full access to any machine; even with root squash you can still "become/su" a user and do things as that user.



| | Advantages | Disadvantages | Speed |
|---|---|---|---|
| NFS V3 | Speed; Simplicity | MiTM attack; Compromised Credential Attack | 10Gbps+ |
| Kerberos | Relatively secure; Stops MiTM attack; Can reduce Compromised Credential Attack; Configure on a per-share basis so some shares can be "raw"; Standard | Requires NFSv4; Kerberos credentials expire; Complicated; Keytabs can be stolen | 50% (untested); 100% if unsecured |
| IPSEC | Stops MiTM attack; Can be used for other ports (but not required); Standard | Does not stop Compromised Credential Attack | 25% |
| STUNNEL | Faster (currently) than IPsec (as tested); Can be used to secure a single machine (or set) against MiTM attack | Hard to use to stop MiTM attack with multiple trust boundaries; Does not stop Compromised Credential Attack | 50% |
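The per-share point in the Kerberos row can be checked on a server. The following is an added example, not part of the original page: it parses an /etc/exports-style file and labels each client entry by its sec= flavors. The sample file, its host names and the labels raw/auth-only/protected are assumptions made for this illustration; line continuations and quoted paths are not handled.

```python
import re

# Constructed sample /etc/exports (paths and hosts are made up for this example).
SAMPLE_EXPORTS = """\
# path         client(options) ...
/srv/scratch   10.0.0.0/24(rw,root_squash)
/srv/home      *.example.org(rw,sec=krb5p)
/srv/projects  10.0.0.0/24(rw,sec=krb5i:sys) build01(ro,sec=krb5)
/srv/pub       mirror01
"""

TOKEN = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def classify(flavors):
    """Map the sec= flavors of one export entry to a risk label."""
    if "sys" in flavors:
        # AUTH_SYS: the server believes whatever UID the client sends, so
        # root_squash only remaps UID 0 and every other user stays exposed.
        return "raw"
    if "krb5" in flavors:
        return "auth-only"   # Kerberos identity, no integrity or privacy
    return "protected"       # krb5i and/or krb5p only


def audit_exports(text):
    """Return (path, client, flavors, label) for every client entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients or [""]:   # no client listed: exported to all
            m = TOKEN.match(token)
            if not m:
                continue
            opts = (m.group("opts") or "").split(",")
            flavors = [f for o in opts if o.startswith("sec=")
                       for f in o[4:].split(":")] or ["sys"]  # default is sys
            findings.append((path, m.group("client") or "*", flavors,
                             classify(flavors)))
    return findings


if __name__ == "__main__":
    for path, client, flavors, label in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:16} sec={':'.join(flavors):10} {label}")
```

An entry that lists sys next to a Kerberos flavor is still labelled raw, because a client can negotiate the weaker flavor.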


Linux IPSEC

Linux Kerberos