Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

NFS v3 security is based upon IP address and machines provided UIDs, v4 adds the options for kerberos (krb,krb5i,krb5e) for authentication ,integrity, or privacy(encryption), but there is a lot of overhead in Kerberos. Below are the general discussions with links to details implementations. However there are several other options including IPSEC and STUNNEL. I've listed speed as that is a huge component. 


Attacks:

MiTM attack.  NFS sessions can be taken over by a host on either side that can continue to relay packets to both machines and change/inject it's own packets. For NFS that does IP based security this allows you to masquerade as another machine. To protect against this attack you need per IP/machine credentials or per user credentials. You can also microsegment your networks based upon the trust model of a host

Compromised Credential Attack: For our purpose we mean leveraging a compromise of one machine to access multi users's data.  For example with NFSv3 if you own a machine then you have full access to any machine even with root squash you can still "become/su" that user and do things as that user. 



AdvDisSpeed
NFS V3

Speed

Simplicity

MiTM attack.

Compromised Credential Attack

10Gbps+
Kerberos

Relatively Secure

Stops MiTM Attack

Can reduce Compromised Credential  attack

Configure on a per share basis so some shares can be "raw"

Standard

Requires NFSv4

Kerberos credentials expire

Complicated

keytabs can be stolen 

50%(untested)

100% if unsecured

IPSEC

Stops MiTM attack

Can be used for other ports (but not required)

Standard

Does not stop Compromised Credential  Attack
STUNNEL



  • No labels