Security Basics mailing list archives

Re: shared home directory placement


From: Mike Lococo <mike.lococo () nyu edu>
Date: Mon, 07 Jan 2008 12:12:53 -0500

Hello all, I have a best-practices question. I have a large pool of Unix
folks that have shared storage for home directories (NFS). Right now,
they only have access to these directories from systems that are located
in the TRUST zone of our network, but we are redesigning things to
segment systems further, which will put some systems into a less trusted
zone.  When it's all said and done, hosts that will be in a DMZ and
hosts that will be in TRUST will still need access to this NFS server.

Are you using NFSv3? If so, note that passing NFSv3 through a firewall in a reasonably intelligent manner is non-trivial. Also, note that NFS file permissions are enforced on the client, not on the server, so a root compromise on a client in the DMZ would allow an attacker full RW access to any NFS mounts it has. RW access to a shared filesystem is a pretty big hole to punch through a security zone boundary, and that, along with the firewall difficulties, leads me to discourage folks from using it across security zones.

The following is a good background document on NFSv3 security issues, the best-available workarounds, and the issues that remain and can't be worked around:

   http://nfs.sourceforge.net/nfs-howto/ar01s06.html

What I was wondering is if it would be a Terrible Idea to move the NFS
server into a DMZ of its own, out of the TRUST zone, and allow access
to it from the hosts in different DMZs as well as hosts in the TRUST
zone. If the NFS server is compromised by an upstream system, policy
won't allow that system to initiate connections outside of its own DMZ.

I would worry more that an attacker in your DMZ will use their file system privileges on the NFS server to attack clients in the trusted zone, and if you're using NFSv3 that vector will exist regardless of how good the rest of your zone boundary controls are.

Thanks,
Mike Lococo
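The two exposures Mike names (client-side permission enforcement, so client root is root on the export unless root squashing is on, and read-write exports reaching across a zone boundary) can be checked mechanically in the server's exports file. The script below is an added example and is not part of the mail or of any NFS project code; it parses an `/etc/exports`-style listing and flags exports that set `no_root_squash`, that are writable by clients outside the trusted network, or that have options separated from their client by a space (which, per exports(5), attaches the options to every host). The trusted network `10.1.0.0/24`, the DMZ addresses and the sample exports lines are constructed for the example.

```python
"""Audit an /etc/exports-style listing for settings that widen NFSv3 exposure
across a security zone boundary.  Added example; the exports lines and the
zone networks below are constructed, not taken from any real server."""
import ipaddress
import re
from typing import List, Set, Tuple

# Assumption: the TRUST zone is 10.1.0.0/24; everything else is a DMZ or unknown.
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/24")]

# Constructed sample exports file.  Line 4 deliberately shows the classic
# "host (options)" mistake: the space makes "(rw,sync)" apply to every client.
SAMPLE_EXPORTS = """\
# constructed /etc/exports for the example
/export/home     10.1.0.0/24(rw,sync,root_squash,no_subtree_check)
/export/home     10.2.0.0/24(rw,sync,no_root_squash,no_subtree_check)
/export/software *(ro,sync,no_subtree_check)
/export/scratch  10.2.0.7 (rw,sync)
"""

# A client token is "<host>(<opts>)", "<host>" (defaults apply) or "(<opts>)".
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (path, client, options) triples, one per client token."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for tok in clients:
            m = CLIENT_RE.match(tok)
            if not m:
                continue
            host = m.group(1) or ""
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, host, opts))
    return entries


def zone_of(host: str) -> str:
    """Classify a client spec: trusted / untrusted / world / unknown."""
    if host in ("", "*"):
        return "world"
    if host.startswith("@") or "*" in host or "?" in host:
        return "unknown"            # netgroup or wildcard hostname; cannot resolve offline
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return "unknown"            # plain hostname; would need DNS to place it
    inside = any(t.version == net.version and net.subnet_of(t) for t in TRUSTED_NETS)
    return "trusted" if inside else "untrusted"


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, message) findings for risky export settings."""
    findings = []
    for path, host, opts in parse_exports(text):
        zone = zone_of(host)
        writable = "rw" in opts                      # exports(5) default is ro
        squashed = "no_root_squash" not in opts      # exports(5) default is root_squash
        if host == "":
            findings.append((path, host,
                             "options not attached to a client (space before '('): "
                             "they apply to every host"))
        if not squashed:
            findings.append((path, host,
                             "no_root_squash: root on the client is root on the export"))
        if writable and zone != "trusted":
            findings.append((path, host, f"read-write export to {zone} client"))
    return findings


if __name__ == "__main__":
    for path, host, msg in audit(SAMPLE_EXPORTS):
        print(f"{path}\t{host or '(all hosts)'}\t{msg}")
```

The audit only looks at the exports file, so it catches configuration that hands out root or write access to the wrong zone; it cannot see a compromised client that is legitimately in the allowed list, which is the residual NFSv3 risk the mail describes.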

