Weaknesses & mitigations for using NFS on Solaris

In one apps project, they requested to use NFS (Network File Share) on Solaris.
My concerns are:
a) Unlike Windows, which can have Windows Firewall to restrict who can access the NFS share
    (i.e. an endpoint firewall), Solaris is not known to have its own endpoint firewall.
b) NFS traffic is not encrypted, correct?
c) NFS authentication is weak? Please elaborate in what way.

What are the mitigations we can put in place if the apps team still wants it?
sunhux Asked:

robocat Commented:
NFS was not very secure in versions 2 and 3. This is why it got a bad name.

NFSv4 has lots of security features, but they are not enabled by default:

- Kerberos authentication allows for secure authentication and integration with AD
- NFSv4 traffic can optionally be encrypted
- NFS shares can be exported to a limited set of hosts
- NFSv4 allows ACLs.

NFSv4 can be a bit of a challenge to set up, but when done correctly it can be very secure. However, it is still recommended not to expose it directly to the internet, but over a VPN if needed for remote sites.
1
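The controls listed in the answer above (Kerberos authentication, optional encryption, host-limited exports) can be checked against a host's share options. The script below is an added example, not part of the original thread: it flags shares whose `sec=` flavor is not Kerberos (`sec=sys` is the default), shares without `krb5p` (the flavor that encrypts traffic; `krb5` only authenticates and `krb5i` adds integrity), and shares whose `rw`/`ro` options carry no host access list. The "path options" input format, the function names and the sample host names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit NFS share options for the controls named in the answer.
# The "path options" input format and all host names are assumptions.

check_share() {            # usage: check_share PATH OPTS
    path=$1 flavors="" open=no listed=no weak=no noenc=no findings=""
    old_ifs=$IFS; IFS=,
    for o in $2; do
        case $o in
            sec=*)     flavors="$flavors:${o#sec=}" ;;
            rw|ro)     open=yes ;;      # bare rw/ro applies to every host
            rw=*|ro=*) listed=yes ;;    # access list limits who may mount
        esac
    done
    if [ -z "$flavors" ]; then flavors=sys; fi   # default when sec= is absent
    IFS=:
    for f in $flavors; do
        case $f in
            ""|krb5p)   ;;                       # Kerberos with privacy
            krb5|krb5i) noenc=yes ;;             # Kerberos, but payload in clear
            *)          weak=yes; noenc=yes ;;   # sys, none, other non-Kerberos
        esac
    done
    IFS=$old_ifs
    if [ "$weak" = yes ]; then findings="$findings WEAK-AUTH"; fi
    if [ "$noenc" = yes ]; then findings="$findings NO-ENCRYPTION"; fi
    if [ "$open" = yes ] || [ "$listed" = no ]; then
        findings="$findings OPEN-TO-ALL-HOSTS"
    fi
    echo "$path:${findings:- OK}"
}

audit_shares() {           # reads "path options" lines on stdin
    while read -r p o; do
        case $p in ""|\#*) continue ;; esac
        check_share "$p" "$o"
    done
}

sample_shares() {          # constructed sample data, not from a real host
    cat <<'EOF'
/export/appdata sec=krb5p,rw=app1.example.com:app2.example.com
/export/reports sec=krb5i,ro=app1.example.com
/export/legacy  sec=sys,rw=app1.example.com
/export/scratch rw
EOF
}

sample_shares | audit_shares
```

Only `/export/appdata` in the constructed sample passes all three checks.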
sunhux (Author) Commented:
Thanks.

> Kerberos authentication allows for secure authentication and integration with AD
In our case, we're on Solaris, so it won't be AD integration: will it still use Kerberos authentication?
0
sunhux (Author) Commented:
And with NFSv4, can we enable encryption for data in motion & data at rest?
0
robocat Commented:
If you have (or set up) a Kerberos service, then NFS can be configured for Kerberos. Many companies that use Solaris also have an AD, which makes things a bit easier than maintaining a separate Kerberos service.

Data at rest has nothing to do with NFS, which is only a transport service. Depending on your choice of file system, you may or may not have encryption. E.g., if you choose ZFS as the file system, you can encrypt data on disk.

All of this requires an experienced Solaris admin to configure things properly and get good security.
0
sunhux (Author) Commented:
Can "Data in Motion", i.e. when copying to/from NFSv4, be encrypted?
0
robocat Commented:
Yes, as already stated in my first reply.
0