Subject: Re: restricting NFS (and associated services) to one IP address
To: Andy Ruhl <acruhl@gmail.com>
From: Chuck Swiger <cswiger@mac.com>
List: netbsd-users
Date: 10/09/2006 15:08:04
On Oct 9, 2006, at 2:17 PM, Andy Ruhl wrote:
> On 10/9/06, Chuck Swiger <cswiger@mac.com> wrote:
>> I would not want to run NFS filesharing on a machine directly
>> connected to the Internet without having a firewall in the way.
>
> This is probably off topic, but please explain this.
>
> I assume what you are saying is, due to your previous comments about
> the insecurity of NFS, you wouldn't want to expose those services to
> the internet.

Yes, I would not want portmap, mountd, rpc.lockd, etc. to be reachable
by arbitrary Internet hosts.  The classic version of NFS uses a "host
trust" model without any real verification that a host actually is
the machine it claims to be, unlike, for example, the RSA or DSA
keypair used for host-based authentication in SSH.

NFS is therefore highly vulnerable to host-based spoofing attacks,
and the general filesharing model of NFS requires root permissions
and a lot of code running in the kernel, in contrast to a mostly
userland implementation running as a particular user without
superuser permissions that something like smbd of Samba can do.

> If it were possible to bind NFS to an IP and not expose them to the
> internet (thereby implying a multi homed host), would your answer be
> the same?

Largely, yes, although my reasoning would be a little different.

It is often the case that an NFS fileserver is used for important or
critical roles, and thus is a central point which contains a lot of
the data which the organization would like to protect and control
access to.  If the machine is multihomed and is routable to and from
the Internet at large, it is much more exposed, even if the ports
used by NFS filesharing are off or firewalled via the NIC connected
to the Internet.

By contrast, if you put your fileserver on a LAN, and do not add a
default route so that it cannot reach or talk with hosts outside the
LAN, an attacker has to break into a host which is Internet-routable
first, and then break into the fileserver, which is at least mildly
more difficult to accomplish than simply breaking into a fileserver
which is multihomed and directly reachable from the Internet.

> Seems to me that all these operating systems coming with built in
> firewalls are really just avoiding issues rather than solving them...

Sort of.  Software like PF or IPFW is a valuable tool which can be
used to implement your security policy, but it does not help people
create a good security policy, nor will it prevent vulnerable
services from being exploited unless the firewalls are configured
properly.

-- 
-Chuck
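Chuck's point that PF only helps if it actually covers portmap, mountd, lockd and nfsd (several of which sit on dynamic ports) can be turned into a small helper; this is an added shell example, not code from the thread, that reads an `rpcinfo -p` listing and emits PF rules allowing those ports only from one address or prefix. The interface name `le0`, the prefix `192.168.1.0/24` and the rpcinfo text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: generate PF rules that restrict every RPC service a host has
# registered with portmap to a single source address or prefix.
# Assumptions: the rpcinfo text below is constructed (run `rpcinfo -p` on a
# real host instead); interface and prefix names are placeholders.

# Constructed `rpcinfo -p` output.  Note that mountd and nlockmgr were
# assigned dynamic ports, which is why a fixed port list in pf.conf is not
# enough: the rules have to be regenerated (or the ports pinned) after boot.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    847  mountd
    100005    3   tcp    851  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    992  nlockmgr
    100021    4   tcp    997  nlockmgr'

# rpc_ports TEXT: print unique "proto port" pairs, one per line, skipping
# the header line of the rpcinfo listing.
rpc_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $3, $4 }' | sort -u
}

# pf_rules IFACE ALLOWED TEXT: for each registered port, block inbound
# traffic on IFACE and then pass it only from ALLOWED.  PF is last-match
# wins, so the more specific pass rule after the block rule takes effect.
pf_rules() {
    iface=$1
    allowed=$2
    rpc_ports "$3" | while read -r proto port; do
        printf 'block in on %s inet proto %s to port %s\n' \
            "$iface" "$proto" "$port"
        printf 'pass in on %s inet proto %s from %s to port %s\n' \
            "$iface" "$proto" "$allowed" "$port"
    done
}

# Usage: emit a pf.conf fragment for the LAN interface le0 that only lets
# 192.168.1.0/24 reach the RPC/NFS ports.
pf_rules le0 192.168.1.0/24 "$SAMPLE_RPCINFO"
```

The emitted fragment is meant to be merged into pf.conf and loaded with pfctl; on the Internet-facing interface the same ports get only the block rule.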