How to secure NFS access to NAS devices

Bits & Bytes: Security expert Vijay Ahuja discusses several approaches to prevent unwarranted user access to NAS devices, when made via the Network File System (NFS).

Network Attached Storage (NAS) uses file systems to allow clients to share and access files from a central server. Storage devices are made LAN-addressable, which frees storage from direct attachment to a specific server. So, in principle, any user running any operating system can access the storage system over the LAN.

A common protocol for accessing files is the Network File System (NFS), which runs over TCP/IP. NFS allows clients to read, write, create or delete directories and files located on a remote (NFS) server as if those files and directories were located on the local computer. NAS servers often incorporate an NFS server and provide file-level access to various clients. This is distinctly different from the block-level access in Storage Area Networks (SAN).

Several approaches can be adopted to secure NFS access. The NFS server has to trust each client, or at least the root-level user of each client system, so the basic benefit of NFS also introduces a risk. It is therefore important that superuser privilege be restricted on the client computers; if it is not, a client user can impersonate the owner of a file.

NFS uses Remote Procedure Call (RPC) to allow disparate systems to communicate between the client computer and the NFS server. RPC is secured by providing DES authentication, as described next. With this scheme, every RPC message may optionally be authenticated.

The client and the server exchange a timestamp to authenticate each other. The timestamp is encrypted using DES. To accomplish authentication, the two sides must agree on a common time, must share the same encryption key, and must store that key securely for each user.

If the network has a time synchronization program, it automatically synchronizes time between the client and the server. If no time synchronization program is available, the timestamp can be computed using the server's time. In that case, the client asks the server for the time before starting a session. On receiving the time, the client computes and retains the difference between its own clock and the server's. This difference is applied in every future authentication exchange with the server that sent the time value.
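The timestamp exchange just described, as an added example that is not part of the original article. Both clocks are simulated so the clock-offset step and the server's freshness checks can be watched end to end. Two assumptions are labelled in the code: the common key is taken as already shared between the two sides, and because DES is not in Python's standard library, the encryption of the timestamp is a stand-in built from an HMAC-SHA256 keystream and tag; the protocol logic (offset, acceptance window, strictly increasing timestamps) is the point, not the cipher.

```python
import hashlib
import hmac
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for DES (assumption: not what a real NFS server uses).
    An HMAC-SHA256 keystream lets the exchange run without a DES library."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_timestamp(key: bytes, ts: int) -> bytes:
    """Client side: encrypt the server-relative timestamp and tag the result."""
    nonce = os.urandom(8)
    plain = struct.pack(">q", ts)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def open_timestamp(key: bytes, blob: bytes) -> int:
    """Server side: check the tag first, then recover the timestamp."""
    if len(blob) != 8 + 8 + 16:
        raise ValueError("malformed authenticator")
    nonce, body, tag = blob[:8], blob[8:16], blob[16:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authenticator tag mismatch")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, 8)))
    return struct.unpack(">q", plain)[0]


class NfsClient:
    """Holds the common key and the learned offset to the server's clock."""

    def __init__(self, key: bytes, clock):
        self.key, self.clock, self.offset = key, clock, 0

    def sync_with(self, server_time: int) -> None:
        # The article's fallback: ask the server for its time once and keep
        # the difference, rather than relying on a network time service.
        self.offset = server_time - self.clock()

    def make_authenticator(self) -> bytes:
        return seal_timestamp(self.key, self.clock() + self.offset)


class NfsServer:
    """Verifies authenticators: right key, fresh, and later than the last one."""

    def __init__(self, key: bytes, clock, window: int = 60):
        self.key, self.clock, self.window = key, clock, window
        self.last_ts = {}  # per client: highest timestamp accepted so far

    def server_time(self) -> int:
        return self.clock()

    def verify(self, client_id: str, blob: bytes) -> bool:
        try:
            ts = open_timestamp(self.key, blob)
        except ValueError:
            return False                      # wrong key or tampered message
        if abs(self.clock() - ts) > self.window:
            return False                      # clocks disagree / stale request
        if ts <= self.last_ts.get(client_id, -1):
            return False                      # replayed or out-of-order
        self.last_ts[client_id] = ts
        return True


def run_demo():
    """Constructed scenario: client clock 500 s ahead of the server's."""
    key = os.urandom(16)  # assumption: the common key is already agreed
    server_now, client_now = [1_000_000], [1_000_500]
    server = NfsServer(key, lambda: server_now[0], window=60)
    client = NfsClient(key, lambda: client_now[0])
    unsynced = server.verify("client-a", client.make_authenticator())
    client.sync_with(server.server_time())   # learn the offset
    auth = client.make_authenticator()
    synced = server.verify("client-a", auth)
    replay = server.verify("client-a", auth)  # same authenticator again
    return unsynced, synced, replay          # (False, True, False)


if __name__ == "__main__":
    print(run_demo())
```

The three results in `run_demo` are the cases a defender cares about: an unsynchronized clock is rejected by the acceptance window, the same request is accepted once the offset is learned, and presenting the same authenticator a second time is refused because the server only accepts timestamps later than the last one it saw from that client. Keep the window small; every second of skew tolerated is a second in which a captured authenticator remains usable.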

The common encryption key is computed using the Diffie-Hellman scheme, which allows the client and server to generate the same key without transmitting it over the network.

The encryption key for each user may be stored encrypted under the user's password. In this way, the computer uses the user's password to decrypt the user's encryption key, which in turn encrypts the timestamp. Some systems allow other authentication schemes as well, such as Kerberos or RADIUS.
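An added example, not from the article, of the two remaining pieces described above: Diffie-Hellman agreement on the common key, and storing each user's private value encrypted under a key derived from that user's password. The group is the 1024-bit MODP group from RFC 2409 (generator 2), reproduced as a constant and checked for primality before use; a current deployment would use a larger group. PBKDF2 as the password-to-key derivation, the derived one-time pad used to wrap the private value, and the HMAC tag over it are this example's own choices, not necessarily what any particular NFS implementation does.

```python
import hashlib
import hmac
import os
import secrets

# 1024-bit MODP group from RFC 2409, generator 2. Kept here because it is a
# real, well-known prime that keeps the example fast; use a larger group today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8   # 128 bytes for this group


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used to sanity-check the group constant before trusting it."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Private exponent and the public value that is safe to send over the LAN."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    """Both sides derive the same 16-byte key; the secret itself never crosses the wire."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()[:16]


def _password_material(password: str, salt: bytes) -> tuple:
    """PBKDF2 output split into a MAC key and a pad as long as the private value."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   200_000, dklen=32 + KEY_BYTES)
    return material[:32], material[32:]


def wrap_private_key(priv: int, password: str) -> bytes:
    """Store the user's private value encrypted under the password (salt || body || tag)."""
    salt = os.urandom(16)                      # fresh salt, so the pad is never reused
    mac_key, pad = _password_material(password, salt)
    body = bytes(a ^ b for a, b in zip(priv.to_bytes(KEY_BYTES, "big"), pad))
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + body + tag


def unwrap_private_key(blob: bytes, password: str) -> int:
    """Recover the private value; a wrong password fails the tag check, not silently."""
    if len(blob) != 16 + KEY_BYTES + 32:
        raise ValueError("malformed key record")
    salt, body, tag = blob[:16], blob[16:16 + KEY_BYTES], blob[16 + KEY_BYTES:]
    mac_key, pad = _password_material(password, salt)
    expect = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong password or corrupted key record")
    return int.from_bytes(bytes(a ^ b for a, b in zip(body, pad)), "big")


def run_demo():
    """Constructed run: one user, one server, one password."""
    user_priv, user_pub = dh_keypair()
    srv_priv, srv_pub = dh_keypair()
    same_key = dh_shared_key(user_priv, srv_pub) == dh_shared_key(srv_priv, user_pub)
    record = wrap_private_key(user_priv, "correct horse battery")  # constructed password
    recovered = unwrap_private_key(record, "correct horse battery") == user_priv
    try:
        unwrap_private_key(record, "wrong password")
        wrong_accepted = True
    except ValueError:
        wrong_accepted = False
    return same_key, recovered, wrong_accepted   # (True, True, False)


if __name__ == "__main__":
    print(run_demo())
```

The check on the peer's public value in `dh_shared_key` is the one piece of input validation the scheme needs on the wire: a value of 0, 1 or P-1 would force the shared secret into a trivial value. The wrapped record is only as strong as the user's password and the iteration count, which is why the article's note that the key must be stored securely for each user matters: an attacker who copies the key file still has to guess the password before the stored value is any use.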

While authentication establishes the identity of client and server, it does not by itself protect the contents of a file in transit. The traffic may be protected by encrypting it with the common encryption key, though there are performance implications if this encryption is performed in software.

There is more to NAS security than simply protecting the NFS exchange. A NAS server may be using a different file-sharing scheme and must protect against other attacks. This will be addressed in another newsletter.

This was first published in November 2003
