NFS 3 and the specter of the spoof attack

Conclusions

What should the CIO do differently next time? The best solution is to upgrade to NFS 4, which comes with much more sophisticated security features, such as Kerberos authentication and GSS-API support. Configuring these additional components definitely takes some effort, but the result is a much more secure environment.

If, for whatever reason, you have a need to continue with NFS 3, keep the following tips in mind:

  • Make sure you don't export rw-volumes to everyone.
  • Keep reasonable control over your IP addresses. For instance, use a physically separate address space and make sure no one has logical access to it, impose some form of Layer 2 authentication (such as IEEE 802.1X) for all clients on the segment, or use VLANs with IEEE 802.1Q tagging for communication between NFS servers and clients.
  • If feasible, use dedicated VPN tunnels to protect and authenticate NFS traffic.

Of course, if you add all these additional security structures to your NFS 3 configuration, your system could end up much more complex than if you had simply upgraded to NFS 4, but at least you'll sleep better knowing you have patched some of the cracks in NFS.
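The first tip can be checked mechanically. The following audit script is an added example, not code from the article; it assumes the server uses the Linux exports(5) file format, and the sample exports file and the function name `world_writable_exports` are constructed for illustration.

```python
import re

# Client specs that match every host. Assumption: Linux exports(5) syntax.
WORLD = {"", "*", "0.0.0.0/0", "::/0"}
# Either client(options) with a possibly empty client, or a bare token.
TOKEN = re.compile(r"([^\s()]*)\(([^)]*)\)|(\S+)")

def world_writable_exports(text):
    """Return (path, client) pairs that are exported read-write to everyone."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        defaults = set()
        for m in TOKEN.finditer(rest):
            client, opts, bare = m.groups()
            if bare is not None and bare.startswith("-"):
                # "-rw,sync" sets default options for the clients that follow.
                defaults = {o.strip() for o in bare[1:].split(",")}
                continue
            if bare is not None:
                client = bare
            opts = {o.strip() for o in opts.split(",")} if opts else set()
            # Without an explicit option the default is read-only.
            rw = "rw" in opts or ("rw" in defaults and "ro" not in opts)
            if rw and client in WORLD:
                findings.append((path, client or "<empty>"))
    return findings

# Constructed sample /etc/exports, not taken from the article.
SAMPLE = """\
/srv/home    192.168.10.0/24(rw,sync,root_squash)
/srv/pub     *(ro,sync)
/srv/scratch *(rw,sync)
/srv/build   buildhost (rw,sync)   # stray space: (rw) applies to everyone
/srv/data    -rw,sync 0.0.0.0/0
"""

if __name__ == "__main__":
    for path, client in world_writable_exports(SAMPLE):
        print(f"rw export to everyone: {path} (client spec: {client})")
```

Paths that contain spaces or quotes are not handled; the script only flags world-matching client specs and does not judge whether a named subnet is too broad.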

Read full article as PDF:

068-070_nfs.pdf (670.22 kB)
