How to secure NFS access to NAS devices
Network Attached Storage (NAS) uses file systems to allow clients to share and access files from a central server. Storage devices are made LAN-addressable, which frees storage from direct attachment to a specific server. So, in principle, any user running any operating system can access the storage system over the LAN.
A common protocol for accessing files is the Network File System (NFS), which runs over TCP/IP. NFS allows clients to read, write, create or delete directories and files located on a remote (NFS) server as if those files and directories were located on the local computer. NAS servers often incorporate the NFS server and provide file-level access to various clients. This is distinctly different from the block-level access in Storage Area Networks (SAN).
Several approaches can be adopted to secure NFS access. The NFS server has to trust each client, or at least the root-level user of each client system, so the very basic benefit of NFS leads to a potential risk. As such, it is important that superuser privilege is restricted on the client computers. If superuser privilege is not restricted, a client user can impersonate the owner of a file.
NFS uses Remote Procedure Call (RPC) to allow disparate systems to communicate between the client computer and the NFS server. RPC is secured by DES authentication, as described next. Through this scheme, every RPC message may optionally be authenticated.
The client and the server exchange the timestamp to authenticate each other. The timestamp is encrypted using the DES encryption scheme. To accomplish authentication, the two sides must agree on a common time, must have the same encryption key, and must securely store it for each user.
If the network has a time synchronization program, it automatically synchronizes time between the client and the server. If a time synchronization program is not available, the timestamp can be computed using the server's time. In that case, the client asks the server for the time before starting a session. On receiving the time, the client machine computes and maintains the difference between its clock and that of the server. This difference is used in any future authentication exchange with the server that sent the time value.
The common encryption key is computed by using the Diffie-Hellman scheme. The Diffie-Hellman scheme allows the clients and server to generate the same key without transmitting it over the network.
The encryption key for each user may be stored by encrypting it with the user's password. In this way, the computer uses the user's password to decrypt the user's encryption key, which is then used to encrypt the timestamp. Some systems also allow other authentication schemes, such as Kerberos or RADIUS.
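The timestamp scheme described above, as an added example that is not part of the original article: both sides derive the common key with Diffie-Hellman, the client corrects its clock by the offset learned from the server, and the server rejects a wrong key or a stale timestamp. HMAC-SHA256 stands in for the DES encryption of the timestamp, and the group parameters, the 60-second window and the clock values are constructed for the demonstration.

```python
import hashlib, hmac, secrets

# Constructed demo group: 2**127 - 1 is prime, but far too small for real use.
P, G = 2**127 - 1, 3
WINDOW = 60  # seconds of skew the server tolerates (assumed value)

def keypair():
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)

def common_key(my_secret, their_public):
    # Both sides compute G^(a*b) mod P; only public values cross the network.
    shared = pow(their_public, my_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def clock_offset(server_time, client_clock):
    # No time sync program: the client asks the server for its time once.
    return server_time - client_clock

def make_credential(key, client_clock, offset):
    stamp = client_clock + offset  # client clock corrected to server time
    # Stand-in for DES encryption of the timestamp: a keyed MAC over it.
    tag = hmac.new(key, str(stamp).encode(), hashlib.sha256).hexdigest()
    return stamp, tag

def verify_credential(key, stamp, tag, server_clock):
    expected = hmac.new(key, str(stamp).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "bad key"
    if abs(server_clock - stamp) > WINDOW:
        return "stale timestamp"
    return "ok"

def demo():
    c_sec, c_pub = keypair()
    s_sec, s_pub = keypair()
    k_client, k_server = common_key(c_sec, s_pub), common_key(s_sec, c_pub)
    # Constructed clocks: the client runs 300 s behind the server.
    server_now, client_now = 1_000_000, 999_700
    offset = clock_offset(server_now, client_now)
    stamp, tag = make_credential(k_client, client_now + 5, offset)
    raw = make_credential(k_client, client_now, 0)  # offset not applied
    return {
        "keys_match": k_client == k_server,
        "fresh": verify_credential(k_server, stamp, tag, server_now + 5),
        "replayed": verify_credential(k_server, stamp, tag, server_now + 600),
        "uncorrected": verify_credential(k_server, *raw, server_now),
        "wrong_key": verify_credential(b"x" * 32, stamp, tag, server_now + 5),
    }

if __name__ == "__main__":
    print(demo())
```

The "replayed" and "uncorrected" cases show why the two sides must agree on a common time: a correctly keyed credential is still refused once its timestamp falls outside the server's window.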
While authentication ensures the identity of the client and the server, it does not necessarily protect the contents of the file during transmission. The traffic may be protected by encrypting it using the common encryption key. There are performance implications if this encryption is performed in software.
There is more to NAS security than simply protecting the NFS exchange. A NAS server may be using a different file-sharing scheme and must protect against other attacks. This will be addressed in another newsletter.
This was first published in November 2003