71.Discuss security issues in Network File system.
Ans.
1. NFS protocol version 3 and older have some security problems that make it unsuitable for use across the Internet and potentially unsafe for use even in trusted network.
2. One NFS weakness, in general terms, is the /etc/exports file, if a cracker is able to spoof or take over a trusted address, an address listed in /etc/exports then your exported NFS mount are accessible.
3. NFS has normal Linux file system access controls that take over once a client has mounted an NFS export, once this happens normal user and group permissions on the files take over access control.
4. The 1st way to defense is to use host access control, to limit access to services , particularly the portmapper, which has long been target of exploits attempts.
5. For this add the entries in /etc/hosts.clevy lockd, statd, mountd and rquoted.
6. Careful use of IS packet firewall, using netfilter, dramatically increases NFS server security.
7. Netfilter is stronger than NFS daemon level security or even TCP wrappers because it restricts access to your server at the packet level.
8. mountd, lockd, statd and rquotad do not bind to any specific port i.e. they use a port number randomly assigned by the portampper.
Ans.
1. NFS protocol version 3 and older have some security problems that make it unsuitable for use across the Internet and potentially unsafe for use even in trusted network.
2. One NFS weakness, in general terms, is the /etc/exports file, if a cracker is able to spoof or take over a trusted address, an address listed in /etc/exports then your exported NFS mount are accessible.
3. NFS has normal Linux file system access controls that take over once a client has mounted an NFS export, once this happens normal user and group permissions on the files take over access control.
4. The 1st way to defense is to use host access control, to limit access to services , particularly the portmapper, which has long been target of exploits attempts.
5. For this add the entries in /etc/hosts.clevy lockd, statd, mountd and rquoted.
6. Careful use of IS packet firewall, using netfilter, dramatically increases NFS server security.
7. Netfilter is stronger than NFS daemon level security or even TCP wrappers because it restricts access to your server at the packet level.
8. mountd, lockd, statd and rquotad do not bind to any specific port i.e. they use a port number randomly assigned by the portampper.
Comments
Post a Comment