NFS v3 security is based upon IP address and machines provided UIDs, v4 adds the options for kerberos (krb,krb5i,krb5e) for authentication ,integrity, or privacy(encryption), but there is a lot of overhead in Kerberos. Below are the general discussions with links to details implementations. However there are several other options including IPSEC and STUNNEL. I've listed speed as that is a huge component.
Attacks:
MiTM attack. NFS sessions can be taken over by a host on either side that can continue to relay packets to both machines and change/inject it's own packets. For NFS that does IP based security this allows you to masquerade as another machine. To protect against this attack you need per IP/machine credentials or per user credentials. You can also microsegment your networks based upon the trust model of a host
Compromised Credential Attack: For our purpose we mean leveraging a compromise of one machine to access multi users's data. For example with NFSv3 if you own a machine then you have full access to any machine even with root squash you can still "become/su" that user and do things as that user.
Adv | Dis | Speed | |
---|---|---|---|
NFS V3 | Speed Simplicity | MiTM attack. Compromised Credential Attack | 10Gbps+ |
Kerberos | Relatively Secure Stops MiTM Attack Can reduce Compromised Credential attack Configure on a per share basis so some shares can be "raw" Standard | Requires NFSv4 Kerberos credentials expire Complicated keytabs can be stolen | 50%(untested) 100% if unsecured |
IPSEC | Stops MiTM attack Can be used for other ports (but not required) Standard | Does not stop Compromised Credential Attack | 25% |
STUNNEL | Faster(currently) then ipsec (as tested) Can be used to secure a single machine (or set ) against MiTM attack | Hard to use to stop MiTM attack with multiple trust boundries Does not stop Compromised Credential Attack | 50% |