Manage Learn to apply best practices and optimize your operations.

How to secure NFS access to NAS devices

Bits & Bytes: Security expert Vijay Ahuja discusses several approaches to prevent unwarranted user access to NAS devices, when made via the Network File System (NFS).

Network Attached Storage (NAS) uses file systems to allow clients to share and access files from a central server. Storage devices are made LAN-addressable, thereby storage is freed from its direct attachment to a specific server. So, in principle, any user running any operating system can access the storage system over the LAN.

A common protocol to access files is the Network File System (NFS) using TCP/IP protocols. The NFS file system allows clients to read, write, create or delete directories and files located on a remote (NFS) server as if those files and directories were located on the local computer. The NAS servers often incorporate the NFS server and provide file-level access to various clients. This is distinctly different than the block-level access in Storage Area Networks (SAN).

Common steps for securing NFS access

Several approaches can be adopted to secure the NFS accesses. The NFS server has to trust each client, at least the root-level user of each client system. So the very basic benefit of NFS leads to a potential risk. As such, it is important that the superuser privilege is restricted on the client computers. If superuser privilege is not restricted, a client user can impersonate the owner of a file.

NFS uses Remote Procedure Call (RPC) to allow disparate systems communicate between the client computer and the NFS server. RPC is secured by providing a DES Authentication, as described next. Through this scheme, every RPC message may be optionally authenticated.

The client and the server exchange the timestamp to authenticate each other. The timestamp is encrypted using DES encryption scheme. To accomplish authentication: the two sides must agree to a common time; must have the same encryption key; and must securely store it for each user.

If the network has a time synchronization program, then it automatically synchronizes time between the client and the server. If the time synchronization program is not available, time stamp can be computed using the server's time. In that case, the client asks the server for the time before starting a session. On receiving the time, the client machine computes and maintains the time difference in its clock and that of the server. This difference is used in any future authentication exchange with the server that sent the time value.

More resources on NFS and NAS

ISCSI vs. NFS for virtualization shared storage

NFS 4.1's pNFS: Big NAS performance boost

The musings of an IT Consultant

The common encryption key is computed by using the Diffie-Hellman scheme. The Diffie-Hellman scheme allows the clients and server to generate the same key without transmitting it over the network.

The encryption key for each user may be stored by encrypting it with the user's password. In this way, the computer uses the user password to decrypt the user's encryption key for encrypting the timestamp. Some systems allow other authentication schemes also such as Kerberos or RADIUS.

While authentication ensures the identity of client and server, it does not necessarily protect the contents of the file during transmission. The traffic may be protected by encrypting it using the common encryption key. There are performance implications if this encryption is performed in the software.

There is more to NAS security than simply protecting the NFS exchange. A NAS server may be using a different file-sharing scheme and must protect against other attacks.

Next Steps

SAN/NAS security considerations

SAN vs. NAS security

Using NAS NFS with VMware ESX: Technology pros and cons

Dig Deeper on NAS devices