Date: Sun, 4 Jul 2004 08:47:49 -0400
From: "Grant Peel" <gpeel@thenetnow.com>
To: <cpghost@cordula.ws>
Cc: freebsd-questions@freebsd.org
Subject: Re: NFS and Backups
Message-ID: <00b901c461c5$1d265700$6601a8c0@grant>
References: <00ba01c460fe$d9cae910$6601a8c0@grant> <40E6FBF2.1060201@mac.com> <002301c46153$9302a360$6601a8c0@grant> <20040704011213.AB4694AC36@fw.farid-hajji.net>

Hmm, perhaps a complete layout and network explanation is in order here....

- I have a total of 5 servers, all running FreeBSD.
- All servers have two NICs, 1 LAN and 1 WAN, all are hardwired to my switch. (No wireless involved.)
- The switch IS configured to allow WAN access to WAN ports only, and LAN access to LAN ports only.
- WAN is using several hundred IPs on several subnets. LAN is using a single subnet of 254 (using the 192.168 scheme).
- The servers are locked in a very secure cage, accessible by me, my partner (who never goes there), and a bonded network technician.
- Peer 1 is the Colo provider (in the Toronto NOC).
- Two of my servers are our primary and secondary nameservers. The other three use those nameservers exclusively.
- The hosts files include two names for each server, the fully qualified domain i.e. "machine1.mydomain.com" and the LAN name which is just the local machine name i.e. "machine1"
- The exports files use the local machine name only i.e. "/backups -alldirs -maproot=0 machine1 machine2 ..."
- Just to be clear, each machine is plugged directly into the main switch shown below, no hubs or anything in between.

Here is the layout:

POP
 |
 |
 |
Peer1 Router-------------------------------
                                          |
 __________________My Switch (Dell 3324)______________
   |    |     |    |     |    |     |    |     |    |
  Lan  Wan   Lan  Wan   Lan  Wan   Lan  Wan   Lan  Wan
  Machine1   Machine2   Machine3   Machine4   Machine5

----- Original Message -----
From: "cpghost" <cpghost@cordula.ws>
To: <gpeel@thenetnow.com>
Cc: <cswiger@mac.com>; <freebsd-questions@freebsd.org>
Sent: Saturday, July 03, 2004 9:12 PM
Subject: Re: NFS and Backups

> > > > I have recently decided to use some extra disk space on one of my servers as
> > > > backup space. I have NFS client and Servers running OK, but was wondering how
> > > > secure it really is.
> > >
> > > NFS is not secure at all. If you don't trust the local subnet, don't use NFS
> > > there. Certainly don't use NFS across the Internet, unless using a secure
> > > tunnelling/VPN protocol....
> >
> > So, if I set the exports so that it used 192.168.x.x, and, my managed switch
> > is only set to allow members of my vlan to use those IPs, I should be OK in
> > that case?
>
> Careful here! If you have a WLAN access point hooked to your switch,
> you're still vulnerable to war driving. Even if you don't use wireless
> LAN, you still have to be sure that the client can't be replaced
> with a rogue machine without you immediately knowing it (it happens
> in real life more frequently than you think, esp. in big offices
> with lots of computers). If you could avoid NFS for backups, then
> by all means, you should try. As said, building reliable backup/restore
> as well as ad hoc file swapping schemes on top of scp and ssh is a tried
> and quite secure method.
>
> --
> Cordula's Web. http://www.cordula.ws/
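
An added example, not part of the message or of anyone's reply in this thread: a small sh/awk check that reports the exports(5) settings the discussion turns on (`-maproot=0`, `-alldirs`, clients listed by name rather than by network). The function names, the `/archive` line and the 192.168.1.0 network are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag FreeBSD exports(5) settings discussed in the thread.
# audit_exports reads exports lines on stdin and prints one finding per line.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        path = ""; clients = 0
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t ~ /^\//) {                     # exported directory
                path = (path == "" ? t : path "," t)
            } else if (t == "-network" || t == "-mask") {
                clients++; i++                   # option takes the next token
            } else if (t ~ /^-network=/) {
                clients++
            } else if (t ~ /^-maproot=/) {
                v = substr(t, 10); sub(/:.*/, "", v)
                if (v == "0" || v == "root")
                    print path ": maproot=root: client root is root on this export"
            } else if (t == "-alldirs") {
                print path ": alldirs: any directory in the file system can be mounted"
            } else if (t !~ /^-/) {              # a client host or netgroup
                clients++
                if (t !~ /^[0-9.]+$/ && t !~ /:/)
                    print path ": name-based client " t ": access follows name resolution"
            }
        }
        if (clients == 0)
            print path ": no client list: exported to every host that can reach the server"
    }'
}

# Constructed sample input: the first entry is the exports line quoted in the
# message (client list cut at the two names shown), the second is a constructed
# comparison line that is read-only and names its clients as a network.
sample_exports() {
    cat <<'EOF'
/backups -alldirs -maproot=0 machine1 machine2
/archive -ro -network 192.168.1.0 -mask 255.255.255.0
EOF
}

sample_exports | audit_exports
```

On a server the same function can be fed the live file with `audit_exports < /etc/exports`.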