From: "David Andreas Alderud"
To: "_Security"
Subject: Re: Encrypted networked filesystem needed
Date: Sun, 14 Jan 2001 00:17:20 +0100
Message-ID: <003e01c07db6$fac4b850$6400a8c0@xgod>

It might be a good idea to take a look at NIS+ if you want to use NFS.
There are still some problems, but considering how simple it is to use
NIS+ it's really good; NIS+ removes most of the problems with DNS.
The reason for using NIS+ is mainly that it's designed to work with
NFS, both coming from Sun Microsystems.

/Kind regards,
David A. Alderud

:From: "Robert Watson"
:Subject: Re: Encrypted networked filesystem needed
:
: It's important to note that even if you use IPsec, you still need to be
: careful with NFS, for a number of reasons. The easiest attack is a DNS
: spoofing attack: clients often use DNS to resolve the IP address of the
: server they connect to, and if they rely on unprotected DNS traffic, then
: they may be vulnerable to spoofing, causing them to access a different
: server than the one they intended to mount. And, needless to say, IPsec
: policy must be set appropriately for relevant IP addresses at both ends,
: which also need to be specified in a spoof-free manner. The best rule is
: to hard-code IP addresses wherever possible, or rely on /etc/hosts and
: appropriate resolution ordering, or to use DNSsec (if available). There
: are other attacks against NFS also.
:
: Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
: robert@fledge.watson.org      NAI Labs, Safeport Network Services
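
An added example, not part of the original thread: a small audit for the rule quoted above (hard-code IP addresses, or rely on /etc/hosts with appropriate resolution ordering). It reports which NFS mounts in an fstab still depend on DNS to find their server. It assumes the resolver order is configured through an nsswitch.conf-style `hosts:` line; the function names and the sample files are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs (not taken from the thread).
SAMPLE_FSTAB = """\
# Device                      Mountpoint  FStype  Options  Dump  Pass
/dev/ada0p2                   /           ufs     rw       1     1
192.0.2.10:/export/a          /mnt/a      nfs     rw       0     0
files1:/export/b              /mnt/b      nfs     rw       0     0
files2.example.org:/export/c  /mnt/c      nfs     ro       0     0
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.11 files1 files1.example.org\n"
SAMPLE_NSSWITCH = "hosts: dns files\n"  # weak ordering: DNS is asked first


def _fields(line):
    """Split a config line into whitespace-separated fields, dropping comments."""
    return line.split("#", 1)[0].split()


def hosts_names(hosts_text):
    """Return the lower-cased names defined in an /etc/hosts-style file."""
    return {n.lower() for l in hosts_text.splitlines() for n in _fields(l)[1:]}


def files_before_dns(nsswitch_text):
    """True if the 'hosts:' line consults 'files' before 'dns' (or never uses dns)."""
    for line in nsswitch_text.splitlines():
        fields = _fields(line)
        if fields and fields[0] == "hosts:":
            order = fields[1:]
            if "files" not in order:
                return False
            return "dns" not in order or order.index("files") < order.index("dns")
    return False  # no hosts: line found, so the ordering is unverified


def audit_nfs_mounts(fstab_text, hosts_text, nsswitch_text):
    """Map each NFS mountpoint to 'ip-literal', 'hosts-file' or 'dns-dependent'."""
    pinned = hosts_names(hosts_text)
    files_first = files_before_dns(nsswitch_text)
    result = {}
    for line in fstab_text.splitlines():
        fields = _fields(line)
        if len(fields) < 3 or not fields[2].startswith("nfs"):
            continue
        server = fields[0].split(":/", 1)[0]
        try:
            ipaddress.ip_address(server)
            result[fields[1]] = "ip-literal"
        except ValueError:
            ok = files_first and server.lower() in pinned
            result[fields[1]] = "hosts-file" if ok else "dns-dependent"
    return result
```

With the sample `hosts: dns files` ordering, `files1` is reported as DNS-dependent even though it has an /etc/hosts entry, because the resolver would ask DNS before reading the file.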