--- Adam Bower abower@zeus.com wrote:
On Thu, 12 Apr 2001, Neill Newman wrote:
David Freeman scribbled in yet another email:
--- Neill Newman neill@entora.co.uk wrote:
most secure method is definitely not NFS !! use samba instead...
Yeah but the network is firewalled so it is not a problem, most big ISPs use NFS for serving webpages from NetApps and big Suns (trust me on this). I would also argue you are completely wrong about using Samba instead.
Despite being behind what is probably the biggest firewall in the UK I am still skeptical. A few months back a friend and I had a HackFest (no, it's not what you might think) in which we set up a network of machines and attempted to hack it. The results will be published on my web site when we have it all finished. Basically the Mac was impossible to get into! The unhardened Linux and Solaris boxes were very easy, just run brutus at the machine overnight, result access. This isn't a great test as the password used (on all machines for consistency) was zombie, which is a dictionary word; using a better password like Z0mb1e might have given different results. L0phtcrack against NT was very quick, in only a couple of hours we had zombie and it was brute forcing a non dictionary word quite nicely.
I am deadly serious.. NFS assumes that the client is responsible for the authentication, and therefore anybody who has root access on a linux box can 'become' another user, and mount their files, not very secure!!!...
Aah there are some very simple ways of spoofing with the M$ protocols, I know which one I would choose, also if you look at the man pages for nfs you can see it is very easy to enable some fairly strong access controls.
I think I may use samba as I use it at home and understand it better than nfs.
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
just noticed a contradiction here, MS designed something with authentication in mind? that must be a first :o)
SMB faster than NFS?!?! I really don't think so. Also the way passwords get chucked around the network with SMB is dangerously insecure, as if you grab a copy of L0phtcrack and a packet sniffer you can get them dead easily, or if you are on a switched network you can easily craft a message to exploit SMB. SMB doesn't support real host access controls which NFS does, this makes a big difference in real security.
The speed isn't much of a problem, both machines are running 100Mbps ethernet directly connected to a router! I only want access from the two machines, so I can mount a drive from one machine on the other to back it up.
There are some other network filesystems (such as Coda) which may be better than SMB, but I don't really know much about them...
Coda is a really good idea, just not quite there yet most of the people I know who have used it have reported the same as me and that it breaks severely at random.
I want to stick with standard systems. But I will watch this one carefully.
Thanks
D
Adam
Adam Bower, abower@zeus.com Tel: +44 1223 525000 System Administrator Fax: +44 1223 525100 Zeus Technology Ltd http://www.zeus.com Zeus House, Cowley Road Cambridge CB4 0ZT England
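The thread's two NFS points, that the server trusts user IDs supplied by the client and that exports can be restricted per host, can both be checked in a server's export list. The following is an added example, not part of the original emails: a small auditor for a Linux `/etc/exports` file. The option names come from exports(5); the sample file, addresses and finding labels are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content (not from the thread).
SAMPLE_EXPORTS = """\
# backup share restricted to one host
/srv/backup  192.0.2.10(rw,sync,root_squash)
/srv/www     *(rw,no_root_squash)
# stray space: options detach from the host and apply to every client
/srv/home    192.0.2.11 (rw)
/srv/secure  192.0.2.12(rw,sec=krb5p)
"""

# One client token: optional host spec, optional "(opt,opt,...)".
CLIENT = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky entries."""
    findings = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT.match(token)
            if not m:
                continue
            host = m.group(1) or "*"   # "(rw)" with no host means any host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if host == "*":
                # No host access control at all on this export.
                findings.add((path, host, "any-host"))
            if "no_root_squash" in opts:
                # Root on the client stays uid 0 on the server.
                findings.add((path, host, "no_root_squash"))
            if not any(o.startswith("sec=krb5") for o in opts):
                # Default sec=sys: the server believes the uid the client sends.
                findings.add((path, host, "client-asserted-uid"))
    return sorted(findings)

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {host:12} {finding}")
```

Host restriction narrows which machines may assert user IDs; it does not make those IDs authenticated, which is why the host-restricted `/srv/backup` entry is still reported as `client-asserted-uid`.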