I've had a bit of a read on NFS and there seems to be an inherent issue with security in that there is none. Do you need to protect NFS shares using VLANs? As far as I can tell I just put an IP address into Xen and it adds it, it doesn't ask for a password or anything.
Am I missing some settings?
NFS Security - The Community's Center for Security
Duke (22nd July 2009)
In short, yes VLAN it. Great performance, crap security.
cookie_monster (21st July 2009), Duke (22nd July 2009)
I asked about this a few times too and wondered if I was just missing something... That's more than a little worrying, I personally wouldn't consider VLANs a security tool (more a traffic management tool) and I would definitely want some kind of access control on the actual file host, especially if it's storing the data of all my servers!
[ame=http://en.wikipedia.org/wiki/VLAN_hopping]VLAN hopping[/ame]
I know iSCSI security isn't exactly perfect, but with initiator access lists and forward/reverse CHAP I'd be a lot happier...
Chris
@Duke: Rather than a VLAN, use a separate switch - far more secure than ACLs on iSCSI
I've got mine set up like so:
In order to connect to NFS you have to have a NIC plugged into the storage switch and even on that switch, NFS-connected ports are on a separate vlan. The storage network uses a different IP range to make things easier under Xen - that's mainly for my sanity.
The green line going from the 7110 to the main switch is for ntp and sending reports back to Sun - there's no storage available on that interface.
Of course, that doesn't stop someone plugging the wrong cable into the storage switch, but it'd need to be a fairly long cable (by design - it's hard to screw it up) and I have a cluebat for that.
Duke (22nd July 2009)
Yeah, that crossed my mind too. If we're doing things properly here next summer then all iSCSI/NFS traffic will be completely physically separate from the rest of the network. I'm not sure if this has been asked before (judging from Pete's reply it can be done), but is it possible to lock down an iSCSI LUN or CIFS/NFS share to a particular port on the S7000? Or do it the other way around and stop a particular port accessing them? If not, then what's to stop someone using the 'curriculum network' port to access 'iSCSI/NFS data' network port? Even if they're on different IP ranges they're both still getting data from the SAN...Originally Posted by Ric_
@Duke: Rather than a VLAN, use a separate switch - far more secure than ACLs on iSCSI
Cheers,
Chris
So is that card on the production network then, if so how do you stop people connecting over that card to your NFS share?The green line going from the 7110 to the main switch is for ntp and sending reports back to Sun
I have three cards on the 7110 on a seperate VLAN and IP range that I can connect to an NFS share over, the problem is that I also have one card on the production network for management and connecting to Sun like you but I can can't see a way to prevent an NFS connection on that card as well.
Currently to connect to an iSCSI LUN someone would have to find the right IP range, join the VLAN then brute force the iSCSI CHAP password. Then they have the problem that unlike NFS a LUN can't be shared so they still couldn't connect as the Xenserver would have it locked.
http://searchstorage.techtarget.com/...7_mem1,00.html
Last edited by cookie_monster; 22nd July 2009 at 10:47 AM.
The card is on the production network in a 3 port vlan (dns server, itself, proxy server). My NFS shares are default deny and I filter* the switchports it connects to.
It would be great if we could say "disallow access to NFS on $interface01", but iirc you can't do that in OpenSolaris without firewalling on the box and that's suboptimal on a file storage device.
My problem is I need an accurate source of time for a) domain time b) storage & switches. Either needs to be accessible without the other. I could buy a GPS time source and use that, but I still would like the 7110 to have phone-home functionality.
*NFS, smb and iscsi traffic is blocked.
Last edited by pete; 22nd July 2009 at 01:34 PM.
What are you using for this?
One of the switches allows me to filter based on tcp/udp ports and protocols. If it was a high traffic port it would be terribly sub-optimal, but since it consists of the occasional "what's the time" and "hello, I'm ok/not ok" from one host it's not really a problem.
Another solution would be a (physical) $firewall_distro_of_choice box sat between production network and the 7110 - only allow in or outbound stuff that you want. An itx/atom/alix board running m0n0wall from CF would do fine and use minimal power.
So if you wanted to use that NIC to offer a high traffic CIFS share then you couldn't use that system right? So you would then have the same issue with your NFS share.One of the switches allows me to filter based on tcp/udp ports and protocols. If it was a high traffic port it would be terribly sub-optimal
Yeah, it'd cause unacceptable slowdown on the switch and cifs performance would be affected. To work around the problem I'd probably connect that interface back to the storage switch and place the firewall between the storage and the backbone switch. Then I'd connect another (physical) server to the storage switch, mount storage via iSCSI and share it using cifs from that server.
Unless there's a better way of protecting NFS shares that the Cutter people and Phil know about?
What would be nice would be a way to specify what NICs NFS could be shared over, so you would say these cards on 192.168 can share NFS but NFS cannot be seen on the public card.
I may have lost the track of this thread, but NFS does have security. I will agree its not 100% robust but if you trust IP address and user authentication/mapping (LDAP/NIS/Local users) then your OK.
With the 7110 storage you get close to this. You can restrict which hosts and/or networks can access the a NFS share, then your down to user permissions/ACL's for fine grain file access.
I've used this method for XenSever and ESX, this leaves the PUBLIC network open to CIFS and iSCSI only, as already discussed in this thread.
But could someone still spoof an IP and connect if so it's still limited security for what could be sensitive data?You can restrict which hosts and/or networks can access the a NFS share
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote