From: Jeff Weinstein <jsw@netscape.com> Date: Wed, 11 Oct 1995 16:03:11 -0700
Patrick Horgan wrote:
From: "K. M. Ellis" <kelli@zeus.towson.edu>
This one is _really ripe_ for a response to the editor. Ideas?
We could start something off-list if there are several interested in co-authoring.
I'd love to see something in there about most commercial sites being behind firewalls without nfs access across the firewall. This greatly reduces the risk from the nfs problems. If you get your binary via nfs from a trusted host inaccessible from the internet, then if you have this problem management can handle it as an employee problem;) There are ways to make secure firewalls; it's fairly well understood. Sometimes people point to things like the hack Mitnick did last Christmas, but his attack took advantage of a couple of things a security expert shouldn't have allowed: first and foremost, two machines were accessible from the internet, and one of them trusted root logins from the other without a password:(
It might also be worth noting that people accessing the net via an ISP from home do not typically use NFS either.
--Jeff
It might be even better to note that the amount of NFS traffic that passes outside of a given local network/geographical area is small. NFS does reasonably poorly from a performance perspective over WAN connections in general, so most organizations don't use it for more than local area use. WUarchive allowed it for a while, but it was infinitely slow compared to ftp. I suspect that a protocol analysis of a major interchange point (MAE's, NAP's, etc.) would show NFS traffic at far less than 1% of the total. The NFS threat should be delegated to that class of problems which are characterized as locally insecure, which can be easily exploited by a malicious user (internal, or external who has broken in), locally useful, something which can be made better (kerberos version, for example), but generally isn't for ease of use. ---> Phil (BTW my 'mount ftp.netscape.com:/pub /mnt' command failed for some reason, can you look into it :-)