On Sun, 2 Apr 2000, Jim Klun 7183 wrote:
> Question: 1. Does this make sense?
You will have to allow RPC as well as NFS traffic in through the internal interface on the firewall. Since the FTP server is on the DMZ, you should be able to protect it fairly well from external attacks. Is the PIX capable of doing stateful packet inspection of RPC and NFS traffic? If so, that's another avenue of defense.
> 2. Are there known exploits against filers doing UDP NFS as I describe above. Could the Netapp be attacked if the FTP box were hacked?
It is conceivable that someone could gain privileged access to your FTP server, spoof a root filesystem mount request to the Netapp and change the contents of the filer's /etc directory. If you do not otherwise block inbound access from the DMZ, that could eventually lead to console access on the filer. From there, the attacker can sniff your internal network traffic, assuming they know about the pktt command. Granted, the chances of this hypothetical situation actually happening are pretty darned slim, if you take the necessary precautions and vigilantly maintain your DMZ security.
> 3. Related question: Can admin access to the filer be to ONLY the console port or ONLY a single interface?
Only with what you can do with /etc/hosts.equiv (i.e., only put in allowed IPs that will appear on one of the interfaces, or not put in any at all and turn off "options telnet.enable").
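The answer to question 3 relies on keeping /etc/hosts.equiv limited to addresses that can only arrive on the internal interface. The following script, an added example and not code from the list post or from NetApp, audits a hosts.equiv file against that rule: every entry is classified as inside the admin subnet, outside it (for instance a DMZ address), an unresolved hostname, or the "+" wildcard that trusts every host. The file contents, the 10.1.1.0/24 admin subnet and the assumption that "#" starts a comment are all constructed for the example.

```python
import ipaddress

# Constructed sample /etc/hosts.equiv: one trusted host per line, optionally
# followed by a user name. "#" comments are assumed to be permitted.
SAMPLE_HOSTS_EQUIV = """\
# admin workstations on the internal interface
10.1.1.20 root
10.1.1.21
# stray entry: an address that would only ever arrive via the DMMZ interface
192.168.50.7 root
# hostname entry: cannot be checked without resolving it
admin-box.example root
# wildcard: trusts every host that can reach the filer
+
"""

# Assumption: the filer's internal (admin) interface lives on this subnet.
ADMIN_NETWORKS = [ipaddress.ip_network("10.1.1.0/24")]


def parse_hosts_equiv(text):
    """Return (host, user) tuples, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        user = parts[1] if len(parts) > 1 else None
        entries.append((parts[0], user))
    return entries


def audit_hosts_equiv(text, admin_networks=ADMIN_NETWORKS):
    """Map each host entry to 'ok', 'outside', 'unresolved' or 'wildcard'.

    'ok' means the address falls inside one of the admin subnets, so it can
    only appear on the internal interface; everything else deserves review.
    """
    report = {}
    for host, _user in parse_hosts_equiv(text):
        if host == "+":
            report[host] = "wildcard"
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # A hostname: its address is decided by DNS, not by this file.
            report[host] = "unresolved"
            continue
        report[host] = "ok" if any(addr in net for net in admin_networks) else "outside"
    return report


def has_findings(report):
    """True if any entry is something other than an in-subnet address."""
    return any(status != "ok" for status in report.values())


if __name__ == "__main__":
    for host, status in audit_hosts_equiv(SAMPLE_HOSTS_EQUIV).items():
        print(f"{host:20} {status}")
```

Running it on the constructed file reports the two 10.1.1.x hosts as ok and flags the DMZ address, the hostname and the "+" wildcard. A clean audit still leaves remote shell and telnet reachable from the internal side, so it complements, rather than replaces, the "options telnet.enable off" route the reply mentions.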