If anyone has been able to get IPsec protected NFS working between a NetApp filer and a Unix machine, I'd love to hear about it.
I can get it to work using a Solaris 8 box as both the server and the client, but when I try to use a NetApp (6.4.4R1) as the server, no luck.
I opened a case (697672), but was told that the only clients supported are windows 2K and later. This doc reinforces that:
http://now.netapp.com/NOW/knowledge/docs/ontap/rel65/html/ontap/nag/ipsec2.h...
Towards the end of the page, under the section:
About the Network Appliance IPsec implementation
...
Only clients running Windows 2000 or greater are supported for IPsec connections.
An RFE is filed:
http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=130292
though the page is pretty useless, as it only says "Bug information not available". I enabled "watching" for that RFE, but haven't heard anything back since April, 2004.
I've also tried using kerberos to secure the NFS exported data, but the way we share the data between heterogeneous platforms, it means that unless we can get all of our supported clients to use kerberized NFS, then it doesn't help to do any subset. At this point, MacOS X is holding us back. I'm praying that Tiger (10.4?) release will address the issue, but I'm not holding my breath. Even if they do, another hurdle is CAP. We re-export NFS mounted data via CAP to MacOS 9 boxes. Getting CAP to track kerberos credentials is not something we're willing to invest time in.
Has anyone else come up with some alternate means by which to secure NFS exported data, where the server is a NetApp filer? (For years I've been losing the battle to get the physical network secure, using locking wall jacks in our public access labs.) I've been using NetApp file servers since 1995, and have been generally happy, but this security problem is making me seriously reconsider.
Has anyone else come up with some alternate means by which to secure NFS exported data, where the server is a NetApp filer? (For years I've been losing the battle to get the physical network secure, using locking wall jacks in our public access labs.) I've been using NetApp file servers since 1995, and have been generally happy, but this security problem is making me seriously reconsider.
We came up with a pretty ugly hack to prevent folks from installing impostor NFS clients on a physically insecure network, such as in a student Unix lab. We were aware of the risk, but were finally motivated to do something when some little bastard (ahem, student) replaced a lab machine with his Linux laptop, so he was able to NFS mount the home directories, and because he had root on his laptop, he could su to any user and have read/write access to their home directory.
So here is what we did. We export to a netgroup. We discovered that once a NFS client has an NFS mount, it doesn't matter if you remove the NFS client from the netgroup map. NFS keeps working fine.
So we removed all the lab machines from the netgroup. We wrote a little client/server application in perl that temporarily puts the NFS client in the netgroup. The NFS client connects to the NIS master and identifies itself with a "secret handshake" The NIS master adds the NFS client to the netgroup map and the NFS client mounts the home directory volume. Then the NIS master removes the NFS client from the netgroup map. The NIS master has a list of machines that are allowed to be added to the netgroup.
This prevents the attack we experienced. Physical access to the network is not enough any more. You also need to know the "secret handshake" to get added to the netgroup map, and only root has access to that file. (If someone gets root on a lab machine, then they don't need an impostor machine.)
This is certainly far from perfect. There is no protection against a man in the middle attack. I suppose someone could put a Linux box with two ethernet interfaces between the lab machine and the ethernet switch. The Linux box could be programmed to pass through network packets, except that it would intercept NFS packets and modify them. Perhaps the uid field could be changed. That way the hacker could make NFS requests as himself on the lab machine, but his Linux box would change the uid field to another user. Does NFS have any protection against this sort of tampering? IPsec would prevent this, of course.
There is also a brief window of vulnerability while the lab machine is in the netgroup. Perhaps with some determined trial and error a hacker could quickly slip in an impostor machine and mount the volume during this window. But he would need to power cycle the lab machine to make it boot and he would need to slip in the impostor at just the moment that the lab machine was in the netgroup. Not easy, but certainly possible.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
Very clever! Thanks for the tip, I might just use it. As you said, it's not bulletproof, but it raises the level of difficulty and would hopefully dissuade the average miscreant.
Of course, highly preferable would be to use IPsec.
Re:
To: Brian Parent bparent@calvin.ucsd.edu Cc: toasters@mathworks.com Subject: Re: IPsec NFS to Unix clients Date: Fri, 20 Aug 2004 10:07:39 -0400 From: Steve Losen scl@sasha.acc.Virginia.EDU
Has anyone else come up with some alternate means by which to secure NFS exported data, where the server is a NetApp filer? (For years I've been losing the battle to get the physical network secure, using locking wall jacks in our public access labs.) I've been using NetApp file servers since 1995, and have been generally happy, but this security problem is making me seriously reconsider.
We came up with a pretty ugly hack to prevent folks from installing impostor NFS clients on a physically insecure network, such as in a student Unix lab. We were aware of the risk, but were finally motivated to do something when some little bastard (ahem, student) replaced a lab machine with his Linux laptop, so he was able to NFS mount the home directories, and because he had root on his laptop, he could su to any user and have read/write access to their home directory.
So here is what we did.
...[remainder elided]
Brian Parent wrote:
Very clever! Thanks for the tip, I might just use it. As you said, it's not bulletproof, but it raises the level of difficulty and would hopefully dissuade the average miscreant.
until the bast.. the student is not a netapp toaster fan
NFS is still unable to export to a specific MAC address instead of IP
but putting a firewall working at the MAC adress level should be able to work this way , am i wrong ?
Brian Parent wrote:
Very clever! Thanks for the tip, I might just use it. As you said, it's not bulletproof, but it raises the level of difficulty and would hopefully dissuade the average miscreant.
until the bast.. the student is not a netapp toaster fan
NFS is still unable to export to a specific MAC address instead of IP
but putting a firewall working at the MAC adress level should be able to work this way , am i wrong ?
I believe that some ethernet cards let you set the MAC address to whatever you want.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
-
Brian Parent -
Steve Losen -
Stéphane Bentebba