Duke (22nd July 2009)
I've had a bit of a read on NFS and there seems to be an inherent issue with security in that there is none. Do you need to protect NFS shares using VLANs? As far as I can tell I just put an IP address into Xen and it adds it; it doesn't ask for a password or anything.
Am I missing some settings?
NFS Security - The Community's Center for Security
In short, yes VLAN it. Great performance, crap security.
I asked about this a few times too and wondered if I was just missing something... That's more than a little worrying. I personally wouldn't consider VLANs a security tool (more a traffic management tool), and I would definitely want some kind of access control on the actual file host, especially if it's storing the data of all my servers!
I know iSCSI security isn't exactly perfect, but with initiator access lists and forward/reverse CHAP I'd be a lot happier...
@Duke: Rather than a VLAN, use a separate switch - far more secure than ACLs on iSCSI
I've got mine set up like so:
In order to connect to NFS you have to have a NIC plugged into the storage switch and even on that switch, NFS-connected ports are on a separate vlan. The storage network uses a different IP range to make things easier under Xen - that's mainly for my sanity.
The green line going from the 7110 to the main switch is for ntp and sending reports back to Sun - there's no storage available on that interface.
Of course, that doesn't stop someone plugging the wrong cable into the storage switch, but it'd need to be a fairly long cable (by design - it's hard to screw it up) and I have a cluebat for that.
Quote: "The green line going from the 7110 to the main switch is for ntp and sending reports back to Sun"
So is that card on the production network then? If so, how do you stop people connecting over that card to your NFS share?
I have three cards on the 7110 on a separate VLAN and IP range that I can connect to an NFS share over. The problem is that I also have one card on the production network for management and connecting to Sun like you, but I can't see a way to prevent an NFS connection on that card as well.
Currently, to connect to an iSCSI LUN someone would have to find the right IP range, join the VLAN, then brute force the iSCSI CHAP password. Then they have the problem that, unlike NFS, a LUN can't be shared, so they still couldn't connect as the XenServer would have it locked.
Last edited by cookie_monster; 22nd July 2009 at 10:47 AM.
It would be great if we could say "disallow access to NFS on $interface01", but iirc you can't do that in OpenSolaris without firewalling on the box and that's suboptimal on a file storage device.
My problem is I need an accurate source of time for a) domain time b) storage & switches. Either needs to be accessible without the other. I could buy a GPS time source and use that, but I still would like the 7110 to have phone-home functionality.
* NFS, SMB and iSCSI traffic is blocked.
Last edited by pete; 22nd July 2009 at 01:34 PM.
One of the switches allows me to filter based on tcp/udp ports and protocols. If it was a high traffic port it would be terribly sub-optimal, but since it consists of the occasional "what's the time" and "hello, I'm ok/not ok" from one host it's not really a problem.
Another solution would be a (physical) $firewall_distro_of_choice box sat between production network and the 7110 - only allow in or outbound stuff that you want. An itx/atom/alix board running m0n0wall from CF would do fine and use minimal power.
Quote: "One of the switches allows me to filter based on tcp/udp ports and protocols. If it was a high traffic port it would be terribly sub-optimal"
So if you wanted to use that NIC to offer a high-traffic CIFS share then you couldn't use that system, right? So you would then have the same issue with your NFS share.
Unless there's a better way of protecting NFS shares that the Cutter people and Phil know about?
What would be nice would be a way to specify what NICs NFS could be shared over, so you would say these cards on 192.168 can share NFS but NFS cannot be seen on the public card.
I may have lost track of this thread, but NFS does have security. I will agree it's not 100% robust, but if you trust IP address and user authentication/mapping (LDAP/NIS/local users) then you're OK.
I've used this method for XenServer and ESX; this leaves the PUBLIC network open to CIFS and iSCSI only, as already discussed in this thread.
Quote: "You can restrict which hosts and/or networks can access an NFS share"
But could someone still spoof an IP and connect? If so, it's still limited security for what could be sensitive data.
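The two posts above turn on the same point: NFS access control on the server is a per-share client list (on Linux the `/etc/exports` file; on the 7110/OpenSolaris an access list on the share, e.g. `share -F nfs -o rw=@192.168.10.0/24 /export/vms`), and that list trusts source IP addresses, which is why it belongs alongside the storage VLAN or separate switch rather than instead of it. The script below is an added example, not code from any poster in this thread: it audits a Linux `exports(5)` file and reports every share that is reachable from any client, including the well-known mistake of a space before the option list. The exports file contents are constructed sample data.

```shell
#!/bin/sh
# Added example: audit a Linux /etc/exports for shares with no client restriction.
# Not from the thread; the exports contents below are constructed sample data.
# In exports(5) a share is world-mountable when it has no client field at all,
# when the client is "*", or when a space separates the path from "(options)"
# (the options then apply to an implicit "*" client).

# Print one line per world-open export found in the file given as $1.
find_open_exports() {
    # Drop comments and blank lines, then split each line into path + client list.
    sed -e 's/#.*//' "$1" | awk 'NF' | while read -r path rest; do
        if [ -z "$rest" ]; then
            echo "$path: no client list (exported to every host)"
            continue
        fi
        # Each client entry looks like host(options); keep only the host part.
        for client in $rest; do
            host=${client%%(*}
            case "$host" in
                '*') echo "$path: client '$client' matches any host" ;;
                '')  echo "$path: options '$client' are separated from the path by a space, so they apply to any host" ;;
            esac
        done
    done
}

# Number of world-open exports in the file given as $1.
count_open_exports() {
    find_open_exports "$1" | awk 'END { print NR }'
}

# Constructed sample exports file: one hardened share and three weak ones.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample, not a real configuration
/export/vms      192.168.10.0/24(rw,sync,no_subtree_check)   # hardened: storage network only
/export/iso      *(ro,sync)                                  # weak: any host may mount
/export/legacy                                               # weak: no client list at all
/export/scratch  (rw,sync)                                   # weak: space before "(" means any host
EOF

find_open_exports "$SAMPLE_EXPORTS"
```

Run against a real `/etc/exports`, the only acceptable output is nothing at all; every line it does print is a share that is protected solely by whatever sits between the server and the rest of the network.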