NFS through a firewall

SOLVED
Philip J. Priest_1
Frequent Advisor

NFS through a firewall

Want the forum's opinion of this.

DBAs say we will need NFS exported from a SAP web app on a Solaris 9 box that will be in the DMZ.

Needs an HP-UX rp7400 to mount the NFS volume.

Response Center says it's not recommended.

Opinions, comments, recommendations?

thanks!
Phil
6 REPLIES
Mel Burslan
Honored Contributor

Re: NFS through a firewall

It is not recommended because firewalls time out connections after a certain period of inactivity over that given port, and this timeout value is set to 30 minutes on Cisco PIX firewalls, I presume. If you make a hard NFS mount and the session times out and drops, your rp7400 will not release the NFS link and you will find yourself between a rock and a hard place, as the only way to clear this connection (in order to re-establish it) is to reboot the client, i.e. the rp7400 server.

Instead, use autofs and it will drop the connection from the client side after a certain duration of inactivity, which, in turn, will let you remount it when you need it again, atoMAGICally.

Hard NFS through firewalls is not recommended at all, DMZ or otherwise. AutoFS has matured enough to replace the hard NFS anyway.

HTH
________________________________
UNIX because I majored in cryptology...
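The failure mode Mel describes (a hard mount that hangs the client once the firewall silently drops the idle session) is easy to audit for before it bites. The following POSIX sh script is an added example, not part of the original thread: it reads a mount listing in the "source on mountpoint type nfs (options)" form, treats every NFS mount that does not explicitly say "soft" as hard (the NFS default), and notes whether "intr" is set so a hung mount can at least be interrupted with a signal rather than a reboot. The listing, the server names and the mount points are constructed for the example; on a real host you would pipe in the mount table instead.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an NFS mount table for
# hard mounts that would hang the client if a firewall drops the idle session.
# The listing below is constructed in the format
#   <server:/export> on <mountpoint> type nfs (<options>)
# An NFS mount is hard unless "soft" is explicitly listed in its options.

MNT_SAMPLE='sapdmz:/export/sapmnt on /sapmnt type nfs (rw,hard,intr,vers=3,proto=tcp)
sapdmz:/export/trans on /usr/sap/trans type nfs (rw,vers=3,proto=udp)
nashome:/vol/home on /home type nfs (rw,soft,intr,vers=3)
/dev/vg00/lvol3 on / type vxfs (rw)'

# has_opt OPTS NAME -> true if NAME appears as a whole option in the
# comma-separated OPTS string ("soft" must not match "softer").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# hard_nfs_mounts: print "mountpoint server options" for each NFS mount
# read from stdin that is hard (no "soft" option). Non-NFS lines are skipped.
hard_nfs_mounts() {
    while read -r src _on mnt _type fstype opts; do
        [ "$fstype" = "nfs" ] || continue
        opts=${opts#\(}; opts=${opts%\)}     # strip the surrounding parentheses
        if ! has_opt "$opts" soft; then
            printf '%s %s %s\n' "$mnt" "$src" "$opts"
        fi
    done
}

# count_hard_nfs LISTING -> number of hard NFS mounts in the listing.
count_hard_nfs() {
    printf '%s\n' "$1" | hard_nfs_mounts | wc -l | tr -d ' '
}

# report LISTING -> one line per hard mount, flagging whether it can be
# interrupted ("intr") or would need a reboot to clear, as Mel describes.
report() {
    printf '%s\n' "$1" | hard_nfs_mounts | while read -r mnt src opts; do
        if has_opt "$opts" intr; then
            printf 'HARD (interruptible): %s from %s\n' "$mnt" "$src"
        else
            printf 'HARD (uninterruptible): %s from %s\n' "$mnt" "$src"
        fi
    done
}

report "$MNT_SAMPLE"
```

Run against the constructed listing it reports two hard mounts: /sapmnt (interruptible) and /usr/sap/trans (uninterruptible, since it has neither soft nor intr). The /home mount is soft and the vxfs root is ignored. Any mount the script flags that crosses a stateful firewall is a candidate for conversion to an autofs map with a soft mount and an idle timeout.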
Ralph Grothe
Honored Contributor

Re: NFS through a firewall

Is the rp7400 NFS client also part of the same DMZ?
But gathering from your question, you probably need to export the share to a host in your shielded LAN.
Apart from the perils of stale, lingering NFS mounts already mentioned by Mel, I personally would regard this as an infringement of security, defeating the purpose of a DMZ.
If you cannot avoid it, however, I would strongly recommend taking SecureNFS into consideration.
I have no experience setting this up, but I would imagine that NFS, as an RPC-based protocol, is very intricate to configure the DMZ's firewalls securely for.

You will most likely find many references describing the implementation of SNFS or some sort of NFS tunnelling.
I just googled these two with emphasis on a Solaris NFS server:

http://docs.sun.com/app/docs/doc/816-4555/6maoqui98?a=view

http://www.sunhelp.org/faq/nfs.html#nfs13

Good luck
Madness, thy name is system administration
Bill Hassell
Honored Contributor
Solution

Re: NFS through a firewall

Just to re-emphasize: NFS is totally insecure, so as long as your DBAs are using it to exchange test data and do not rely on stability (NFS requires a very stable network connection), then you're OK. Otherwise, you might as well get used to sharing your files with hundreds of hackers ready to copy and corrupt your data.

Bill Hassell, sysadmin
Steven E. Protter
Exalted Contributor

Re: NFS through a firewall

NFS transmits data in clear text. Anyone who wants to can see the data in transmission. Oracle encryption (if you are using Oracle) can mitigate this effect.

The bigger problem is that NFS takes a random port number and you need to open a large range to accommodate it.

This is a security nightmare.

My recommendation is redesign the system.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
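Steven's point about random ports is worth seeing concretely: only rpcbind (111) and nfsd (2049) sit on fixed ports; mountd, the status monitor and rquotad register whatever port they were handed at startup, so a firewall rule pinned to today's numbers can break on the next reboot, which is why people end up opening a large range. The POSIX sh script below is an added example, not part of the original thread: it parses an `rpcinfo -p` listing (constructed here in the format Solaris and HP-UX print; on a real host you would feed in `rpcinfo -p <server>`), lists the protocol/port pairs a firewall between the client and server would have to pass, and separates out the dynamically assigned ones. The port numbers and the treatment of 4045 as a fixed lockd port (the Solaris convention) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): work out from an rpcinfo -p
# listing which ports a firewall between an NFS client and server must pass,
# and which of those are dynamically assigned. The listing is constructed in
# the column format Solaris/HP-UX rpcinfo -p prints.

RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    3   tcp  32773  mountd
    100021    4   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100024    1   udp  32772  status
    100024    1   tcp  32774  status
    100011    1   udp  32775  rquotad
    100001    3   udp  32776  rstatd'

# RPC program numbers an NFS client talks to: portmapper, nfs, mountd,
# lock manager, status monitor, quota daemon. rstatd is not among them.
NFS_PROGRAMS=" 100000 100003 100005 100021 100024 100011 "

# Ports fixed by convention (rpcbind 111, nfsd 2049, lockd 4045 on Solaris,
# an assumption of this example); anything else is assigned at registration.
FIXED_PORTS=" 111 2049 4045 "

# nfs_ports LISTING -> unique "proto port service" lines the firewall needs.
nfs_ports() {
    printf '%s\n' "$1" | while read -r prog _vers proto port svc; do
        case "$prog" in *[!0-9]*|'') continue ;; esac   # skip header/blank lines
        case "$NFS_PROGRAMS" in
            *" $prog "*) printf '%s %s %s\n' "$proto" "$port" "$svc" ;;
        esac
    done | sort -u
}

# dynamic_ports LISTING -> the subset of nfs_ports whose port is not in
# FIXED_PORTS, i.e. the ones a static firewall rule cannot rely on.
dynamic_ports() {
    nfs_ports "$1" | while read -r proto port svc; do
        case "$FIXED_PORTS" in
            *" $port "*) ;;
            *) printf '%s %s %s\n' "$proto" "$port" "$svc" ;;
        esac
    done
}

# count_lines: helper so results can be checked as numbers.
count_lines() { wc -l | tr -d ' '; }

echo "Ports to pass:"
nfs_ports "$RPCINFO_SAMPLE"
echo "Dynamic (may change on reboot):"
dynamic_ports "$RPCINFO_SAMPLE"
```

On the constructed listing this yields eleven protocol/port pairs, five of which (both mountd ports, both status ports and rquotad) are dynamic. Running it on the real server after each reboot shows immediately whether a narrowly scoped rule set still matches, which is the check a firewall administrator would want before agreeing to open anything.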
Robert Fritz
Regular Advisor

Re: NFS through a firewall

So I agree with the posts thus far in that NFS is a clear-text/unauthenticated protocol. If you really need that protocol, and you need that data to be integrity-protected, you'd have to deploy some sort of compensating controls.

Compensating control examples: 1) VPN 2) SSL tunnel 3) IPSec

Depending on your available infrastructure, this could be a pain, especially as NFS uses a large port range.

NFSv4 does have native integrity protection, but I don't think that's available yet. You may want to consider CIFS(Samba). It does have per-packet integrity protection (though not privacy), and can be used to share files/directories.
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Philip J. Priest_1
Frequent Advisor

Re: NFS through a firewall

close