mr666white n00b
Joined: 24 Aug 2004 Posts: 52
Posted: Mon Nov 14, 2005 3:17 am Post subject: Securing network filesystems
Background
My household mostly runs gentoo linux. There are maybe 10 gentoo boxen, all heavily using nfs3 and autofs to transparently mount shares of the following types:
/home/username (mostly on communal machines)
Large shared directories that are readable by anyone and only writeable by the owner
/usr/portage/distfiles
We also have 2 windows boxen that are given much reduced privileges and use samba for read only access to certain shares.
There is a wireless access point using WEP security.
There is a very hardcore dedicated firewall/dns/dccp/proxy/IDS/gateway etc box that will only communicate with MAC addresses on the allow list and can only be administered by physical access.
Several machines allow users to ssh in from outside the network.
The problem:
The 2 windows boxes are owned/administered by muppets and are not considered secure
Having a scary looking firewall tends to invite a lot of people trying to break in
WEP is easily broken and thus our internal network is easily browsable
nfs3 relies on trusted hosts and trusted networks
Most of us are very paranoid
I would like to use a more secure means of network file sharing that supports a similar level of transparency. I understand that NFS4 supports additional security mechanisms, but I have so far failed to find usable documentation that describes this. Can anyone point me in the right direction?
Also, are there alternative mechanisms that would be appropriate that are a viable alternative to the above approach?
TIA
www.technomancer.me.uk
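The post above asks what NFS4 adds over the host-trust model of nfs3. The short version: with the default AUTH_SYS flavour (sec=sys) the server believes whatever uid/gid the client sends, so an export is only as safe as every host allowed to mount it; the RPCSEC_GSS flavours krb5 (authentication), krb5i (plus integrity) and krb5p (plus privacy) tie each request to a Kerberos user ticket instead. The following is an added example, not code from this thread or from the NFS project: a small audit script that reads an exports(5)-style file and flags every entry that still rests on trusting the client host. The option names are the real exports(5) ones; both sample export files are constructed to mirror the share types listed in the post.

```python
"""Audit exports(5) entries for exports that rest on trusting the client host.

Added example for this thread, not code from the original posts. Option
names are the real ones from exports(5); the two sample files below are
constructed. sec=sys (the default when no sec= is given) takes the uid/gid
the client sends at face value, so only the client list protects the export.
sec=krb5, krb5i or krb5p authenticate the user with a Kerberos ticket.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the kind of exports file the first post describes.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home                  192.168.1.0/24(rw,sync)
/shared/media          *(ro,sync,no_subtree_check)
/usr/portage/distfiles 192.168.1.0/24(rw,no_root_squash,insecure)
/home                  192.168.1.0/24(rw,sync,sec=krb5p)
/export/secure         gss/krb5p(rw,sync)
"""

# Same shares, hardened (constructed): Kerberos flavours everywhere,
# no wildcard clients, no root squash exceptions, privileged ports only.
HARDENED_EXPORTS = """\
/home                  192.168.1.0/24(rw,sync,sec=krb5p)
/shared/media          192.168.1.0/24(ro,sync,no_subtree_check,sec=krb5i)
/usr/portage/distfiles 192.168.1.0/24(rw,sync,sec=krb5)
"""

STRONG_FLAVOURS = {"krb5", "krb5i", "krb5p"}
# One client spec: 'host' or 'host(opt,opt)'; the path has been split off already.
CLIENT_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")


@dataclass
class Finding:
    path: str
    client: str
    problems: List[str] = field(default_factory=list)


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in CLIENT_RE.finditer(rest):
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append((path, m.group(1), opts))
    return entries


def audit_entry(client: str, opts: List[str]) -> List[str]:
    """List the host-trust problems of one client spec (empty list = OK)."""
    problems = []
    sec = "sys"                                   # exports(5) default
    for o in opts:
        if o.startswith("sec="):
            sec = o[4:]
    if client.startswith("gss/"):                 # legacy 'gss/krb5p' client form
        sec = client[4:]
    # sec= may list several flavours (krb5p:sys); any weak one is accepted.
    weak = [f for f in sec.split(":") if f not in STRONG_FLAVOURS]
    if weak:
        problems.append("sec=%s accepts AUTH_SYS, so only the client list protects it" % sec)
    if client == "*" or client.startswith("*.") or client.endswith("/0"):
        problems.append("client spec %r is effectively open" % client)
    if "no_root_squash" in opts:
        problems.append("no_root_squash lets client root act as server root")
    if "insecure" in opts:
        problems.append("insecure accepts requests from unprivileged ports, "
                        "so any user on the client can forge uids under AUTH_SYS")
    return problems


def audit_exports(text: str) -> List[Finding]:
    """Return one Finding per client spec that has at least one problem."""
    findings = []
    for path, client, opts in parse_exports(text):
        problems = audit_entry(client, opts)
        if problems:
            findings.append(Finding(path, client, problems))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print("%s -> %s" % (f.path, f.client))
        for p in f.problems:
            print("   ", p)
    print("hardened file findings:", audit_exports(HARDENED_EXPORTS))
```

Running it on the constructed sample reports the three sec=sys exports and nothing for the hardened file. Note that sec=krb5p on its own is only the server-side half: it also needs a KDC, an nfs/ host principal in each machine's keytab, and rpc.gssd on the clients and rpc.svcgssd on the server (plus rpc.idmapd for NFSv4 owner names); that setup is outside this example.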
Monkeh Veteran
Joined: 06 Aug 2005 Posts: 1656 Location: England
Posted: Mon Nov 14, 2005 4:54 am
If your boxes are half decent, you could use shfs.
groovin Guru
Joined: 07 Feb 2004 Posts: 429 Location: California, USA
Posted: Mon Nov 14, 2005 6:34 am
> The 2 windows boxes are owned/administered by muppets and are not considered secure
if all they have is read only access then it should be ok. firewall them off except for the shares they need.
> Having a scary looking firewall tends to invite a lot of people trying to break in
a scary looking firewall will probably make you a less attractive target since there are so many easier ones out there.
> WEP is easily broken and thus our internal network is easily browsable
use wpa/radius. isn't wpa2 making its rounds now too?
> nfs3 relies on trusted hosts and trusted networks
yes, and this is my biggest problem with nfs as well. there are other ways of locking it down better like locking down ip/mac address mappings, using nfs over a dedicated storage network, etc.
> Most of us are very paranoid
who can afford not to be at least a bit paranoid?
mr666white n00b
Joined: 24 Aug 2004 Posts: 52
Posted: Mon Nov 14, 2005 7:02 am
Monkeh wrote:
> If your boxes are half decent, you could use shfs.
Is there a way to automount shfs without storing passwords in plaintext?
Monkeh Veteran
Joined: 06 Aug 2005 Posts: 1656 Location: England
Posted: Mon Nov 14, 2005 7:19 am
mr666white wrote:
> Monkeh wrote:
> > If your boxes are half decent, you could use shfs.
> Is there a way to automount shfs without storing passwords in plaintext?
I'm almost certain you can use pubkey auth for it.
mr666white n00b
Joined: 24 Aug 2004 Posts: 52
Posted: Mon Nov 14, 2005 7:25 am
groovin wrote:
> use wpa/radius. isn't wpa2 making its rounds now too?
> > nfs3 relies on trusted hosts and trusted networks
> yes, and this is my biggest problem with nfs as well. there are other ways of locking it down better like locking down ip/mac address mappings, using nfs over a dedicated storage network, etc.
The wireless insecurity relates to having to support old hardware and keeping it simple enough for one of my minions (ie housemates that know enough to go near the firewall) to be able to set up for a random guest when I'm not physically in the house.
If this was an enterprise and not a rented shared geek house, dedicated storage networks would be viable, as would better wireless hardware, although I may set up a box as some kind of packet filtering bridge between the wireless and the rest of the network, maybe as a VPN server, and ditch any wireless security itself. That kind of system works well enough to keep the dept. of computer geeks happy at uni.
Locking things down by ip+mac address is easy to get round; all you have to do is steal a mac address. This is EASY to do under linux, and certain M$ drivers have a habit of changing mac addresses in order to annoy me.
Has anyone tried CODA or NFS4 set up for secure file sharing?
groovin Guru
Joined: 07 Feb 2004 Posts: 429 Location: California, USA
Posted: Tue Nov 15, 2005 8:53 pm
mr666white wrote:
> The wireless insecurity relates to having to support old hardware and keeping it simple enough for one of my minions (ie housemates that know enough to go near the firewall) to be able to set up for a random guest when I'm not physically in the house.
> If this was an enterprise and not a rented shared geek house, dedicated storage networks would be viable, as would better wireless hardware, although I may set up a box as some kind of packet filtering bridge between the wireless and the rest of the network, maybe as a VPN server, and ditch any wireless security itself. That kind of system works well enough to keep the dept. of computer geeks happy at uni.
> Locking things down by ip+mac address is easy to get round; all you have to do is steal a mac address. This is EASY to do under linux, and certain M$ drivers have a habit of changing mac addresses in order to annoy me.
> Has anyone tried CODA or NFS4 set up for secure file sharing?
it's funny, nowadays a geek's own home net might get as complex as a real company's!
yeah, nfs isn't the safest thing out there, that's why i only use it over trusted networks. shfs is really cool too... as already stated, you can probably use passwordless logins + ssh-agent to mount it without having to type anything; shfs is, after all, just a front end to ssh.
I'm curious about NFS4 now too... time to do some reading!
drax_ n00b
Joined: 18 Mar 2005 Posts: 32 Location: France
Posted: Tue Nov 15, 2005 9:45 pm
I'll re-state shfs. It's been working well for me, with pubkey authentication.
Concerning your wifi network: I hope you have MAC filtering as well as the WEP, right?
Depending on your setup, I would try to separate the wifi network from the wired network, ie: make all traffic pass through your (or another) firewall before reaching the internal network. Therefore apply different rules, have different IP mapping, etc.
I would also force the use of VPN to connect to anything on your wired network, be it using wifi or from the internet.
Mail: drax@sweon.net
UIN: 123093451 - AIM: drax8080 - Jabber: swe@jabber.org
Unix Systems and Network Administrator - www.sweon.net
mr666white n00b
Joined: 24 Aug 2004 Posts: 52
Posted: Tue Nov 15, 2005 11:29 pm
shfs works really well for copying large files around. Playing music and watching videos over it seems to be causing us all kinds of client side segfaults and some very bizarre brokenness on one of the servers. One of the disk partitions refused to be read after a few client-side crashes, until I rebooted the box.
MAC filtering for wireless is a useful addition, however it is far too easy to circumvent:
1) realise MAC filtering is in use
2) Wait for a client to use a wireless card, and record the MAC address with a wireless sniffer
3) Wait for the client to go away
4) Use the recorded mac address
I reckon I'm going to have to install selinux on the coffee table and use it as a vpn-bridge type jobby
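The four-step bypass in the post above works because a MAC filter only checks the address a client claims. The filter itself cannot tell the borrowed MAC from the real one, but a filtering bridge of the kind the poster is considering sees more than the MAC: it sees the DHCP hostname the client announces and the IP TTL of its packets (Linux defaults to 64, Windows to 128), and a change in either for an address it has already fingerprinted is a cheap sign that a different machine is now behind that MAC. The following is an added example, not code from this thread or from any particular bridge or IDS: detection logic run over a constructed bridge log. The log format, the event names (DHCPREQUEST, PKT, DEAUTH) and the MAC/host values are all made up for the example; the regex would need adapting to a real logger.

```python
"""Spot a reused (spoofed) wireless MAC from bridge logs.

Added example for this thread, not code from the original posts or from any
real bridge or IDS. A MAC filter passes the attack described above (sniff a
MAC, wait for its owner to leave, reuse it); this script flags it afterwards
by comparing each MAC's DHCP hostname and IP TTL against what that MAC looked
like the first time it was seen. The log format below is constructed.
"""
import re

# Constructed sample log: alice's laptop associates, bob's iBook associates,
# both leave, bob comes back unchanged, then something else shows up with
# alice's MAC but a different hostname and a Windows-style TTL.
SAMPLE_LOG = """\
2005-11-15 22:01:03 DHCPREQUEST mac=00:0c:29:aa:bb:cc ip=192.168.2.50 host=alice-laptop
2005-11-15 22:01:05 PKT mac=00:0c:29:aa:bb:cc ttl=64
2005-11-15 22:30:10 DHCPREQUEST mac=00:11:22:33:44:55 ip=192.168.2.51 host=bob-ibook
2005-11-15 22:30:11 PKT mac=00:11:22:33:44:55 ttl=64
2005-11-15 23:10:44 DEAUTH mac=00:0c:29:aa:bb:cc
2005-11-15 23:15:02 DEAUTH mac=00:11:22:33:44:55
2005-11-15 23:20:30 DHCPREQUEST mac=00:11:22:33:44:55 ip=192.168.2.51 host=bob-ibook
2005-11-15 23:20:31 PKT mac=00:11:22:33:44:55 ttl=64
2005-11-15 23:40:12 DHCPREQUEST mac=00:0c:29:aa:bb:cc ip=192.168.2.50 host=EVILBOX
2005-11-15 23:40:14 PKT mac=00:0c:29:aa:bb:cc ttl=128
"""

# '<date> <time> <EVENT> mac=<addr> key=value ...' (constructed format)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\w+) mac=(?P<mac>[0-9a-fA-F:]{17})(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event"),
           "mac": m.group("mac").lower()}
    rec.update(KV_RE.findall(m.group("rest")))    # ip=, host=, ttl=, ...
    return rec


def detect_mac_reuse(log_text):
    """Return alerts as (timestamp, mac, reason) for every fingerprint change.

    The fingerprint per MAC is {host: DHCP hostname, ttl: IP TTL}. A DEAUTH
    deliberately does not clear it: the whole point is to compare the next
    client that claims this MAC against the one that used it before.
    """
    seen = {}           # mac -> fingerprint dict
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fp = seen.setdefault(rec["mac"], {})
        if rec["event"] == "DHCPREQUEST":
            host = rec.get("host")
            if "host" in fp and fp["host"] != host:
                alerts.append((rec["ts"], rec["mac"],
                               "DHCP hostname changed %s -> %s" % (fp["host"], host)))
            fp["host"] = host
        elif rec["event"] == "PKT":
            ttl = rec.get("ttl")
            if "ttl" in fp and fp["ttl"] != ttl:
                alerts.append((rec["ts"], rec["mac"],
                               "IP TTL changed %s -> %s" % (fp["ttl"], ttl)))
            fp["ttl"] = ttl
    return alerts


if __name__ == "__main__":
    for ts, mac, reason in detect_mac_reuse(SAMPLE_LOG):
        print(ts, mac, reason)
```

On the constructed log this yields two alerts for 00:0c:29:aa:bb:cc (hostname alice-laptop to EVILBOX, TTL 64 to 128) and none for bob's reconnect. The caveat is the same one the thread reaches: an attacker who bothers to match the victim's hostname and OS TTL is invisible to this check, so it only raises the bar against the lazy case. Authenticating the user rather than the address (WPA with RADIUS, or a VPN on the far side of the bridge, as suggested in the replies) is the actual fix; this is a detection for the interim.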
drax_ n00b
Joined: 18 Mar 2005 Posts: 32 Location: France
Posted: Tue Nov 15, 2005 11:42 pm
> shfs works really well for copying large files around. Playing music and watching videos over it seems to be causing us all kinds of client side segfaults and some very bizarre brokenness on one of the servers. One of the disk partitions refused to be read after a few client-side crashes, until I rebooted the box.
I admit I've also reported no problem for my "casual" usage, but I tried using shfs to stream video and got slowdowns, jumps, etc. I put that on the account of the internet links we were using, since streaming just music worked fine.
I'll try to stress shfs out in the future and see....
As for MAC filtering, I was relating to the casual wannabe who stumbles on a hotspot. If you've got someone ready to hack away, sniff a mac, wait for the guy to leave, etc, he might as well hack your wep key, seeing as he has so much time.
allucid Veteran
Joined: 02 Nov 2002 Posts: 1314 Location: atlanta
Posted: Wed Nov 16, 2005 1:05 am
For the wireless I would recommend keeping WEP and also using OpenVPN.