Re: IPSEC and NFS
Michael R. Eisler wrote:
>
> > Angelos D. Keromytis wrote:
> >
> > >
> > > I've been using NFS over IPsec to protect against outsider attacks for
> > > a while now, but I don't see how NFS can be made insider-resistant
> > > without major restructuring of the protocol. There's the implicit
> > > assumption that the client kernel is behaving. Of course, you didn't
> > > quite explain what your threat model was (hostile users on the client
> > > machine I presume -- in which case IPsec+privileged ports required
> > > for the client can do wonders).
> > > Cheers,
> > Fair enough, I wasn't very clear on the threat model.
> >
> > I'm particularly concerned about things like PCs participating in
> > NFS services, in which it's sooooo easy for the client to "cheat"
> > in the sense of claiming a uid/gid that it has no "right" to.
> > I'm afraid that your analysis of NFS requiring major restructuring
> > to protect against this is correct. Secure RPC doesn't appear to
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> > be a reasonable fix for this either. Sigh.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> why?
>
The last time I looked at the way secure RPC worked, it was, to be
polite, less than wonderful. RSA keypairs were limited to some very
small size, and private keys were stored on a central server, with
encrypted private keys flying over the network, making it easy to
launch a passwd-style cracking attack. Unless secure RPC has come
a long way since I read about it (a couple of years ago), then I still
claim that it isn't a reasonable solution.
> >
> > If I restrict an NFS server to only allowing SAs with hosts it
> > knows "play by the rules"--in that user processes cannot fake
> > legitimate NFS protocol (because they can't get a privileged port),
>
> not all operating systems support the concept of privileged users having
> exclusive access to "privileged" ports.
Right, but if I restrict my NFS servers to only dealing with operating
systems that HAVE that concept, then this kludge works.
--
----------------------------------------------------------------------
Marcus Leech                             Mail:  Dept 8M86, MS 012, FITZ
Systems Security Architect               Phone: (ESN) 393-9145  +1 613 763 9145
Messaging and Security Infrastructure    Fax:   (ESN) 395-1407  +1 613 765 1407
Nortel Technology                        mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------
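
Added illustration, not part of the original message or thread: a Python sketch of what an NFS server actually receives in an AUTH_SYS (AUTH_UNIX) credential per RFC 5531, and of the "trusted host + privileged port" acceptance check discussed above. The function names, the `sa_peer_trusted` flag and the sample call bytes are constructed for this example.

```python
import struct

AUTH_SYS = 1  # RFC 5531 credential flavor (AUTH_UNIX in older documents)

def parse_auth_sys(call):
    """Return the AUTH_SYS fields of an ONC RPC call, or None for other flavors."""
    xid, mtype, rpcvers, prog, vers, proc, flavor, clen = struct.unpack_from(">8I", call, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    if flavor != AUTH_SYS:
        return None
    if clen > 400 or 32 + clen > len(call):
        raise ValueError("bad credential length")
    stamp, nlen = struct.unpack_from(">II", call, 32)
    if nlen > 255:
        raise ValueError("machine name too long")
    machine = call[40:40 + nlen].decode("ascii", "replace")
    off = 40 + ((nlen + 3) & ~3)  # XDR pads strings to a 4-byte boundary
    uid, gid, ngids = struct.unpack_from(">III", call, off)
    if ngids > 16 or off + 12 + 4 * ngids != 32 + clen:
        raise ValueError("malformed group list")
    gids = list(struct.unpack_from(">%dI" % ngids, call, off + 12))
    # Nothing here is signed or keyed: every field is whatever the client wrote.
    return {"prog": prog, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

def accept_call(call, src_port, sa_peer_trusted):
    """The kludge from the thread: the server can verify the IPsec peer and the
    source port, but has to take the uid/gid on the client kernel's word."""
    cred = parse_auth_sys(call)
    if cred is None:
        return False, "credential flavor not handled here"
    if not sa_peer_trusted:
        return False, "SA peer is not a host known to play by the rules"
    if src_port >= 1024:
        return False, "source port is not privileged"
    return True, "uid %d accepted, unverified" % cred["uid"]

# Constructed sample: NFS (program 100003) v3 GETATTR call with an AUTH_SYS
# credential for machine "pc42", uid 1001, gid 100, no supplementary groups.
_cred = struct.pack(">II", 0, 4) + b"pc42" + struct.pack(">III", 1001, 100, 0)
SAMPLE_CALL = (struct.pack(">6I", 0x1234, 0, 2, 100003, 3, 1)
               + struct.pack(">II", AUTH_SYS, len(_cred)) + _cred
               + struct.pack(">II", 0, 0))  # AUTH_NONE verifier

if __name__ == "__main__":
    print(parse_auth_sys(SAMPLE_CALL))
    for port, trusted in ((1023, True), (40000, True), (800, False)):
        print(port, trusted, accept_call(SAMPLE_CALL, port, trusted))
```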