Question: 1. Does this make sense?
The goal? Yes.
Does anyone use filers this way or in related ways?
Yes, lots of people.
2. Are there known exploits against filers doing UDP NFS as I describe above?
None that I know of, but there are probably some that are denial of service attacks or the like. However, I doubt any data could be compromised or the internal network.
Could the Netapp be attacked if the FTP box were hacked?
Sure, if they can get past the password or spoof root access from the FTP box before your monitoring can detect it. The latter is quite unlikely... you DO have monitoring set up in this scheme, right?
3. Related question: Can admin access to the filer be to ONLY the console port or ONLY a single interface?
No, although there are options to restrict what hosts can rsh/telnet in.
Personally, I favor a model similar to the one Might Wright mentioned, with the filer serving as a "firewall" of its own, with two interfaces, one on the inside and one to the FTP host. The main security issue is making sure if they get into the filer, they can't rsh or telnet back out somehow. You'll have to sacrifice the data integrity of the filer, but that's a small price to pay.
Hmm... I wonder if it's possible to use the console to write Java code that the filer would then execute...
Netapp really should hire one of those ex-hacker security companies to take a whack at the filer sometime.
Bruce