[TriLUG] NFS Through Firewalls

Brown, Michael E MB100012 at ncr.com
Mon Apr 26 13:48:06 EDT 2004


Sorry for the direct e-mail, Jon.  I saw a reply of yours to an NFS-firewall
question.  I frequently read security-related NFS information that ends with
the conclusion, "Don't allow NFS mounts through a firewall."  Isn't the real
vulnerability associated with NFS and firewalls the NFS service itself?  If
you have an NFS server running on a DMZ, for example, then it puts the other
DMZ servers at potential risk because of the vulnerabilities associated
with the NFS service.  Or it may allow changes to be made to data on the NFS
server by someone not authorized to do so.  Is that correct?

We have internal firewalls that we use to isolate servers and data that
warrant a higher level of security than the rest of the internal network.
We recently got a request to allow a secured server (secured by an internal
firewall) to mount the drive of a server located on the internal network.
So the client would run on a secured server and the NFS service is already
running on a host on our internal network.  No external access (Internet or
otherwise) is involved.  I'm being told we shouldn't do it because the NFS
protocol itself is not secure and that allowing the access through the
firewall somehow makes the firewall itself or other activities through the
firewall more vulnerable.  I would argue that the NFS server adds a certain
amount of vulnerability to the internal network but enabling access to it
from a secured location wouldn't affect that vulnerability.  Would you
agree?

--Mike Brown
NCR Corporation


