Jim Davis wrote:
Would you feel safe running your filer attached to potentially hostile web servers running user-uploaded CGI programs?
No. But that's a trick question, since user-uploaded CGI programs are always going to potentially defeat any security system you might use.
That's a rather pessimistic way of looking at it :-) What I am after is more like: if some script kiddies upload stuff that goes portscanning and otherwise mucking with the filer, is it going to wig out and die ? I mean people seem to find bugs in the networking code of NT every month- how stable is the filer's OS? Barring any misconfiguration or inherent bugs in the protocols (nfs), is it gonna be rock solid? Or are we gonna have to pamper it behind a firewall or something?
+--- In a previous state of mind, Brian Atkins brian@posthuman.com wrote: | | is it going to wig out and die ? I mean people seem to find | bugs in the networking code of NT every month- how stable | is the filer's OS? Barring any misconfiguration or inherent | bugs in the protocols (nfs), is it gonna be rock solid? Or | are we gonna have to pamper it behind a firewall or something?
No. Since the filer only runs a finite set of services (telnet, rsh, nfs, cifs, http, I think I may have missed something), a port scan will only hit those you have enabled.
This is not an NT server. The filers are pretty well tested. I would not put the filer on an insecure network, but this is all part of the architecture you have.
I would definitely take all the steps toward making the filer safe (ie: use private IPs, no routing, no dns, restrict exports to specific hosts, no hosts.equiv, etc).
Perhaps others have beaten on their filers more than I have in this regard.
Alex
-
alexei@cimedia.com -
Brian Atkins