Hardware Thread (Technical): NFS security on Sun 7110 SAN
  #1 cookie_monster

    NFS security on Sun 7110 SAN

    I've had a bit of a read on NFS and there seems to be an inherent issue with security in that there is none. Do you need to protect NFS shares using VLANs? As far as I can tell I just put an IP address into Xen and it adds it, it doesn't ask for a password or anything.

    Am I missing some settings?

    NFS Security - The Community's Center for Security


  #2 pete
    In short, yes VLAN it. Great performance, crap security.


  #3 Duke
    I asked about this a few times too and wondered if I was just missing something... That's more than a little worrying, I personally wouldn't consider VLANs a security tool (more a traffic management tool) and I would definitely want some kind of access control on the actual file host, especially if it's storing the data of all my servers!

    VLAN hopping: http://en.wikipedia.org/wiki/VLAN_hopping

    I know iSCSI security isn't exactly perfect, but with initiator access lists and forward/reverse CHAP I'd be a lot happier...

    Chris

  #4 Ric_
    @Duke: Rather than a VLAN, use a separate switch - far more secure than ACLs on iSCSI

  #5 pete
    I've got mine set up like so:

    In order to connect to NFS you have to have a NIC plugged into the storage switch and even on that switch, NFS-connected ports are on a separate vlan. The storage network uses a different IP range to make things easier under Xen - that's mainly for my sanity.

    The green line going from the 7110 to the main switch is for ntp and sending reports back to Sun - there's no storage available on that interface.

    Of course, that doesn't stop someone plugging the wrong cable into the storage switch, but it'd need to be a fairly long cable (by design - it's hard to screw it up) and I have a cluebat for that.
    [Attached image]

  #6 Duke
    Quote Originally Posted by Ric_:
    @Duke: Rather than a VLAN, use a separate switch - far more secure than ACLs on iSCSI
    Yeah, that crossed my mind too. If we're doing things properly here next summer then all iSCSI/NFS traffic will be completely physically separate from the rest of the network. I'm not sure if this has been asked before (judging from Pete's reply it can be done), but is it possible to lock down an iSCSI LUN or CIFS/NFS share to a particular port on the S7000? Or do it the other way around and stop a particular port accessing them? If not, then what's to stop someone using the 'curriculum network' port to access 'iSCSI/NFS data' network port? Even if they're on different IP ranges they're both still getting data from the SAN...

    Cheers,
    Chris

  #7 cookie_monster
    Quote Originally Posted by pete:
    The green line going from the 7110 to the main switch is for ntp and sending reports back to Sun
    So is that card on the production network then? If so, how do you stop people connecting over that card to your NFS share?

    I have three cards on the 7110 on a separate VLAN and IP range that I can connect to an NFS share over. The problem is that I also have one card on the production network for management and connecting to Sun like you, but I can't see a way to prevent an NFS connection on that card as well.

    Currently, to connect to an iSCSI LUN someone would have to find the right IP range, join the VLAN, then brute force the iSCSI CHAP password. Then they have the problem that, unlike NFS, a LUN can't be shared, so they still couldn't connect as the XenServer would have it locked.


    http://searchstorage.techtarget.com/...7_mem1,00.html
    Last edited by cookie_monster; 22nd July 2009 at 10:47 AM.

  #8 pete
    Quote Originally Posted by cookie_monster:
    So is that card on the production network then? If so, how do you stop people connecting over that card to your NFS share?
    The card is on the production network in a 3 port vlan (dns server, itself, proxy server). My NFS shares are default deny and I filter* the switchports it connects to.

    It would be great if we could say "disallow access to NFS on $interface01", but iirc you can't do that in OpenSolaris without firewalling on the box and that's suboptimal on a file storage device.

    My problem is I need an accurate source of time for a) domain time b) storage & switches. Either needs to be accessible without the other. I could buy a GPS time source and use that, but I still would like the 7110 to have phone-home functionality.

    *NFS, smb and iscsi traffic is blocked.
    Last edited by pete; 22nd July 2009 at 01:34 PM.

  #9 Ric_
    Quote Originally Posted by pete:
    *NFS, smb and iscsi traffic is blocked.
    What are you using for this?

  #10 pete
    One of the switches allows me to filter based on tcp/udp ports and protocols. If it was a high traffic port it would be terribly sub-optimal, but since it consists of the occasional "what's the time" and "hello, I'm ok/not ok" from one host it's not really a problem.

    Another solution would be a (physical) $firewall_distro_of_choice box sat between production network and the 7110 - only allow in or outbound stuff that you want. An itx/atom/alix board running m0n0wall from CF would do fine and use minimal power.

  #11 cookie_monster
    Quote Originally Posted by pete:
    One of the switches allows me to filter based on tcp/udp ports and protocols. If it was a high traffic port it would be terribly sub-optimal
    So if you wanted to use that NIC to offer a high-traffic CIFS share then you couldn't use that system, right? So you would then have the same issue with your NFS share.

  #12 pete
    Quote Originally Posted by cookie_monster:
    So if you wanted to use that NIC to offer a high-traffic CIFS share then you couldn't use that system, right? So you would then have the same issue with your NFS share.
    Yeah, it'd cause unacceptable slowdown on the switch and cifs performance would be affected. To work around the problem I'd probably connect that interface back to the storage switch and place the firewall between the storage and the backbone switch. Then I'd connect another (physical) server to the storage switch, mount storage via iSCSI and share it using cifs from that server.

    Unless there's a better way of protecting NFS shares that the Cutter people and Phil know about?

  #13 cookie_monster
    What would be nice would be a way to specify what NICs NFS could be shared over, so you would say these cards on 192.168 can share NFS but NFS cannot be seen on the public card.

  #14 apaton
    I may have lost track of this thread, but NFS does have security. I will agree it's not 100% robust, but if you trust IP address and user authentication/mapping (LDAP/NIS/local users) then you're OK.

    Quote Originally Posted by cookie_monster:
    What would be nice would be a way to specify what NICs NFS could be shared over, so you would say these cards on 192.168 can share NFS but NFS cannot be seen on the public card.
    With the 7110 storage you get close to this. You can restrict which hosts and/or networks can access an NFS share, then you're down to user permissions/ACLs for fine-grained file access.

    I've used this method for XenServer and ESX; this leaves the PUBLIC network open to CIFS and iSCSI only, as already discussed in this thread.
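    The host/network restriction apaton describes, worked through as an added example (not code from this thread or from the 7110 itself): it evaluates Solaris share_nfs-style access lists (rw=, ro=, root=; '@network/prefix' entries; a leading '-' to exclude) against a client's source address with default deny, and also answers cookie_monster's #13 wish, since a share whose lists only name the storage subnets grants nothing to a client arriving via the public card's address range. The first-match precedence within a list is an assumption stated in the comments, and every decision here rests on the source IP alone.

```python
import ipaddress

# Access lists are modelled on the Solaris share_nfs syntax that ZFS 'sharenfs'
# properties use, e.g. "sec=sys,rw=@192.168.10.0/24,root=192.168.10.20".
# Assumed semantics (stated here, not the appliance's own logic):
#   rw=LIST / ro=LIST / root=LIST grant read-write, read-only, unsquashed root.
#   LIST entries are ':'-separated: a bare address is one host, "@net/prefix"
#   is a network, a leading '-' excludes matching clients from that list,
#   and the first matching entry in a list decides.
#   A client that matches no list gets nothing: default deny, as pete runs it.

def _parse_list(spec):
    """Turn 'a:-b:@c/24' into an ordered list of (allowed, network)."""
    entries = []
    for item in spec.split(":"):
        allowed = not item.startswith("-")
        item = item.lstrip("-").lstrip("@")
        entries.append((allowed, ipaddress.ip_network(item, strict=False)))
    return entries

def parse_share_options(options):
    """Parse 'rw=...,ro=...,root=...' into {level: list}; other options ignored."""
    rules = {}
    for opt in options.split(","):
        key, _, value = opt.partition("=")
        if key in ("rw", "ro", "root") and value:
            rules[key] = _parse_list(value)
    return rules

def _in_list(entries, client):
    """First matching entry wins; no match means the client is not in the list."""
    for allowed, net in entries:
        if client in net:
            return allowed
    return False

def nfs_access(options, client_ip):
    """Return 'rw', 'ro' or None (denied) for the client's source address."""
    rules = parse_share_options(options)
    client = ipaddress.ip_address(client_ip)
    for level in ("rw", "ro"):
        if _in_list(rules.get(level, []), client):
            return level
    return None

def root_unsquashed(options, client_ip):
    """True when the client's root keeps uid 0 instead of being squashed."""
    rules = parse_share_options(options)
    return _in_list(rules.get("root", []), ipaddress.ip_address(client_ip))
```

    With a share such as "rw=-192.168.10.99:@192.168.10.0/24,ro=@192.168.0.0/16", 192.168.10.20 gets rw, the excluded 192.168.10.99 falls back to ro, and anything outside 192.168.0.0/16 is denied outright.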

  #15 cookie_monster
    Quote Originally Posted by apaton:
    You can restrict which hosts and/or networks can access an NFS share
    But could someone still spoof an IP and connect? If so, it's still limited security for what could be sensitive data.
