NFS 3 and the specter of the spoof attack
What should the CIO do differently next time? The best solution is to upgrade to NFS 4, which comes with much more sophisticated security features, such as Kerberos authentication and GSS-API support. Configuring these additional components definitely takes some effort, but the result is a much more secure environment.
If, for whatever reason, you have a need to continue with NFS 3, keep the following tips in mind:
- Make sure you don't export rw-volumes to everyone.
- Keep reasonable control over your IP addresses. For instance, use a physically separate address space and make sure no one has logical access to it, impose some form of Layer 2 authentication (such as IEEE 802.1x) for all clients on the segment,or use VLANs with IEEE 801.1q tagging for communication between NFS servers and clients.
- If feasible, use dedicated VPN tunnels to protect and authenticate NFS traffic.
Of course, if you add all these additional security structures to your NFS 3 configuration, your system could end up much more complex than if you had simply upgraded to NFS 4, but at least you'll sleep better knowing you have patched some of the cracks in NFS.
Buy this article as PDF
But you can still be a non-voting “individual supporter” if you pay the money
Several current systems could fall victim to the attack
Latest Linux engine comes with better graphics and support for Intel's new power-saving chips.
Hackers send a message of beauty and liberation to server logs
Citrix gets excited about new Pi-Powered XenDesktop client system
Linux on Azure cert heralds a new era for Redmond.
Proposals for presentations at the CeBIT Open Source Forum will be accepted through 24 January 2016.
Adobe looks for a new start; renames its embattled Flash tool.
The Pi's popular Raspbian OS pursues secrecy without entropy.
VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.