SUMMARY: NFS over WAN

From: Michel Pilon (pilonm@CCG.RNCan.gc.ca)
Date: Wed Oct 23 1996 - 10:53:28 CDT


Content-MD5: FvVJGyavIoaHAxIGWQTdrQ==
Precedence: bulk

Hello Sun Gurus,

Here is my original question:
 
> We are thinking to connect a new remote site using NFS for some specific
> partitions.
>
> But I am really concerned with the security aspect. Is it safe to
> use NFS over an Internet network. We have a Firewall here and that means
> that I will have to let mountd accessing us (from a specific host of course).
> One bug I am thinking of is what if an impostor attacks us?
> ie. Somebody configuring his system to look like our remote NFS client node.
> What about spoofing the network?
>
> How do you solve these problems? And is it a common way to use NFS over a WAN
> all the time? Are there problems between NFS and routers? Our connection to
> the remote site is over a Frame Relay Network.

And the answer are...:

1) It ia a big security hole!!! But some vendors are working on an extension of
NFS (like SUN) for that purpose. But for now, do not use NFS through Internet!!!

2) Using firewall-1 (from CheckPoint) at both sites will allow me encryption
between.

3) The majority of system broken by crackers are through NFS.

4) Using AFS (instead of NFS) in conjunction with Kerberos will be secure.

5) Sun is supposed to come with a new product called WebNFS

6) NFS version 3 can use UDP or TCP. TCP
gives NFS a "connection-oriented" transport mechanism, a must in
WAN areas of high latency (satellite).

7) Cisco's
PIX (Private Internet eXchange) and Network Systems Corp's security
router both allow two sites to use the Internet as a WAN backbone
by providing a secure link between

8) NFS UDP (nfs v2) can drop a lot of
packets over the internet if the connection is congested, and so it may be
slow.... v3 (Solaris 2.5 or better) can use TCP

9) mountd does a lookup of the IP address doing gethostbyaddr()
   and compares the name found with the name in your "share". In SunOS 4
   and Solaris 2.4 there is a bug which means they didn't do a gethostbyname
   afterwards to verify the forward and reverse lookups match. There is a
   patch for Solaris 2.4, and 2.5 has it fixed ( I believe). So to spoof
   names you need to control both forward and reverse DNS lookups. Pretty
   safe....

10) The Linux community is currently building an encrypted NFS system.

Here is the original answer of Dave Roberts:

> But I am really concerned with the security aspect. Is it safe to
> use NFS over an Internet network. We have a Firewall here and that means
> that I will have to let mountd accessing us (from a specific host of course).
> One bug I am thinking of is what if an impostor attacks us?

You should be concerned. About a year ago, I had a conversation with a
couple of respected cracker type d00dz. They claimed that the majority of
systems they broke into, were through NFS.

NFS, as you probably know, uses UDP. UDP is a connection-less protocol,
and is very difficult to manage through a firewall. Also, there is no
guarantee that NFS will run on the same port every time, as it is
portmap'ed by RPC. This means allowing a range of UDP ports through the
firewall. Not good.

UDP is also easier to spoof than TCP.

If that isn't enough to make you worried:-
NFS uses a process where the client requests are associated with a "root
handle". This is a unique ID given to the exported filesystem from your
machine. When a client attempts to mount your filesystem, the checks are
done, and if OK, the server tells the client about this handle. Further
client requeests, are now taken care of by the use of this root handle.

So, anyone sniffing the root handle, or being told it (hackers tell each
other the root handles of certain systems), can simply make a request by
patching the handle into the NFS request call.

Have I convinced you yet?
My recommendation is do NOT allow NFS across the firewall, over the
Internet. You will regret it.

OK, let's be positive now... You can achieve this using AFS (Andrew File
System). This uses Kerberos for authentication, and I think it can also
encrypt as well. It was specifically designed for WAN's, and is more
tolerant about delays and lost packets etc. AFS is not a standard part of
most O/S's and you'll probably need a good deal of training in kerberos
and AFS - but it will do what you want.

FWIW, in the AIX Support Centre in the UK, only 1 guy has access to the
AIX source code held on the machines at Austin, TX. This is done over
AFS. This to me highlights that it is a) workable and secure, b) a pain
in the arse to set up.

A BIG Thank you to:

Kevin P. Inscoe" <kpi@hobbes.crc.com>
"Todd LeRoy" <leroy@norland.com>
Rich Casto <rich@loopexpert.com>
gibian@stars1.hanscom.af.mil (Marc S. Gibian)
Rick Dipper - IT <rick.dipper@national-vulcan.co.uk>
Dave Roberts <djr@saa-cons.co.uk>
Steve Phelps <steve@epic.co.uk>
Don Lenamond <dlenamon@troika.net>
Stephen Harris <sweh@mpn.com> (who have run NFS over the internet to a
               _close_ host (minimal routing) and it worked)
Bruce Cota <cota@dpg.rnb.com>
"Nicholas R LeRoy" <nleroy@norland.com>
donf@brother.com (DON FREELEY)



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:13 CDT