Date: Fri, 12 Jan 2001 21:34:07 -0500 (EST) From: Robert Watson <rwatson@freebsd.org> To: Roman Shterenzon <roman@xpert.com> Cc: Artem Koutchine <matrix@ipform.ru>, freebsd-security@freebsd.org Subject: Re: Encrypted networked filesystem needed Message-ID: <Pine.NEB.3.96L.1010112213123.14123C-100000@fledge.watson.org> In-Reply-To: <Pine.LNX.4.30.0101122013350.25136-100000@jamus.xpert.com>
next in thread | previous in thread | raw e-mail | index | archive | help
It's important to note that even if you use IPsec, you still need to be careful with NFS, for a number of reasons. The easiest attack is a DNS spoofing attack: clients often use DNS to resolve the IP address of the server they connect to, and if they rely on unprotected DNS traffic, then they may be vulnerable to spoofing, causing them to access a different server than the one they intended to mount. And, needless to say, IPsec policy must be set appropriately for relevant IP addresses at both ends, which also need to be specified in a spoof-free manner. The best rule is to hard-code IP addresses wherever possible, or rely on /etc/hosts and appropriate resolution ordering, or to use DNSsec (if available). There are other attacks against NFS also. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010112213123.14123C-100000>