Date: Sun, 14 Jan 2001 00:17:20 +0100
From: "David Andreas Alderud" <aaldv97@student.vxu.se>
To: "_Security" <security@FreeBSD.ORG>
Subject: Re: Encrypted networked filesystem needed
Message-ID: <003e01c07db6$fac4b850$6400a8c0@xgod>
References: <Pine.NEB.3.96L.1010112213123.14123C-100000@fledge.watson.org>
It might be a good idea to take a look at NIS+ if you want to use NFS; there are still some problems, but considering how simple it is to use NIS+ it's really good. NIS+ removes most of the problems with DNS.
The reason for using NIS+ is mainly that it's designed to work with NFS, both coming from Sun Microsystems.
/Kind regards,
David A. Alderud
:From: "Robert Watson" <rwatson@FreeBSD.ORG>
:Subject: Re: Encrypted networked filesystem needed
:
: It's important to note that even if you use IPsec, you still need to be
: careful with NFS, for a number of reasons. The easiest attack is a DNS
: spoofing attack: clients often use DNS to resolve the IP address of the
: server they connect to, and if they rely on unprotected DNS traffic, then
: they may be vulnerable to spoofing, causing them to access a different
: server than the one they intended to mount. And, needless to say, IPsec
: policy must be set appropriately for relevant IP addresses at both ends,
: which also need to be specified in a spoof-free manner. The best rule is
: to hard-code IP addresses wherever possible, or rely on /etc/hosts and
: appropriate resolution ordering, or to use DNSsec (if available). There
: are other attacks against NFS also.
:
: Robert N M Watson FreeBSD Core Team, TrustedBSD Project
: robert@fledge.watson.org NAI Labs, Safeport Network Services
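
Added example (not part of the original messages): a Python check of the advice quoted above about hard-coded IP addresses, /etc/hosts and resolution ordering. It classifies each NFS entry of an fstab by how its server name gets resolved; the file contents are constructed samples, and nsswitch.conf syntax is assumed for the lookup-order file.

```python
import ipaddress

# Constructed sample files (not from the thread); addresses are documentation ranges.
FSTAB = """\
/dev/ad0s1a            /       ufs  rw  1  1
192.0.2.10:/export/a   /mnt/a  nfs  rw  0  0
fileserv:/export/b     /mnt/b  nfs  rw  0  0
nfs.example.org:/pub   /mnt/c  nfs  ro  0  0
"""
HOSTS = """\
127.0.0.1   localhost
192.0.2.11  fileserv.example.org fileserv   # pinned NFS server
"""
NSSWITCH = "hosts: files dns\n"   # assumed format for the resolution order

def _fields(text):
    """Whitespace-split fields of each non-empty, non-comment line."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def nfs_servers(fstab):
    """Map mount point -> server part of each 'server:/path' NFS entry."""
    return {f[1]: f[0].split(":/", 1)[0].strip("[]")
            for f in _fields(fstab) if len(f) >= 3 and f[2].startswith("nfs")}

def hosts_order(nsswitch):
    """Sources on the 'hosts:' line in lookup order, action criteria skipped."""
    for f in _fields(nsswitch):
        if f[0] == "hosts:":
            return [s for s in f[1:] if not s.startswith("[")]
    return []

def audit(fstab, hosts, nsswitch):
    """Classify how each NFS server name is turned into an address."""
    pinned = {n.lower() for f in _fields(hosts) for n in f[1:]}
    files_first = hosts_order(nsswitch)[:1] == ["files"]
    result = {}
    for mount, server in nfs_servers(fstab).items():
        try:
            ipaddress.ip_address(server)      # hard-coded address, no lookup
            result[mount] = "ip-literal"
        except ValueError:
            if server.lower() not in pinned:  # only DNS can answer for this name
                result[mount] = "dns-dependent"
            else:
                result[mount] = "hosts-file" if files_first else "dns-before-hosts"
    return result

if __name__ == "__main__":
    print(audit(FSTAB, HOSTS, NSSWITCH))
```

Entries reported as "dns-dependent" or "dns-before-hosts" are the ones exposed to the spoofing described in the quoted message.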
