Re: shared home directory placement

[Mike Lococo <mike.lococo () nyu edu>]

Jason wrote:
> excellent response, thank you very much!   I'm actually in a rare
> situation where I don't have to worry about legacy systems, so I was
> shooting for NFSv4 and all Linux/Solaris 10 hosts.

Then none of my previous response applies to you, since NFSv4 is both 
firewallable and has sane authentication which is enforced by the server 
(not the client).

As to your original question about whether you should leave your NFS 
server in the trusted zone or move it to a new zone, you should decouple 
the question of zoning from your NFS project.  Make an asset 
classification scheme, create the number of zones needed to provide 
security partitioning between them, and put your NFS server in the zone 
where it belongs.  In simple cases you often end up with:

- a client/workstation network
- a low-security server network (the DMZ)
- a high-security server network (the DB/backend/internal network)

But jumping to the above technical implementation without doing the work 
of understanding your asset categories is quite likely to leave you with 
an infrastructure that is ill-suited to your partitioning needs.

As always, YMMV.

Thanks,
Mike Lococo