[831] in Intrusion Detection Systems

Re: Securing NSF

daemon@ATHENA.MIT.EDU (Larry J. Hughes Jr.)
Mon Jan 6 07:26:13 1997

Date: Thu, 2 Jan 1997 16:53:48 -0800 (PST)
From: "Larry J. Hughes Jr." <larry@nwnet.net>
To: ids@uow.edu.au
In-Reply-To: <199612292259.JAA22310@solarnum.itd.uts.edu.au>
Reply-To: ids@uow.edu.au

> try SecureNFS or Kerberos NFS
[snip]

They're both minor improvements over vanilla NFS, but be aware of their
limitations.

Secure NFS uses Secure RPC (i.e. AUTH_DES authentication), which is based
on a 192-bit Diffie-Hellman modulus -- small enough to be cryptanalyzed.
(I think there's even a crack program for it.)

Kerberos NFS, at least of the MIT variety (is there another?),
authenticates only the mount, not filesystem I/O.  Trouble is, you can
altogether bypass mounts with NFS, and go right to the I/O, if you know, 
sniff, or can guess the filehandle.

---
Larry J. Hughes Jr.    larry@nwnet.net     http://www.nwnet.net/~larry/
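
The mount-only gap described in the message above, as an added example that is not part of the original post or of any NFS implementation: a constructed in-memory model contrasting a server that authenticates only the mount with one that verifies a MAC on every read request. All class names, function names, credentials and the filehandle value are hypothetical, and the session key is assumed to reach the client confidentially.

```python
import hashlib
import hmac
import os

# Constructed model, not real NFS code; every name below is hypothetical.
FILES = {b"fh-0001": b"payroll data"}   # filehandle -> contents (constructed)
USERS = {"alice": "correct-password"}   # constructed credential store


class MountOnlyServer:
    """Authenticates MOUNT only; READ trusts whoever presents a filehandle."""

    def mount(self, user, password):
        if not hmac.compare_digest(USERS.get(user, ""), password):
            raise PermissionError("mount denied")
        return b"fh-0001"

    def read(self, filehandle):
        # No credential check: knowing the handle is the only gate.
        return FILES[filehandle]


class PerRequestServer(MountOnlyServer):
    """Issues a session key at mount and verifies a MAC on every READ."""

    def __init__(self):
        self.sessions = {}  # user -> [session key, last sequence number seen]

    def mount(self, user, password):
        filehandle = super().mount(user, password)
        key = os.urandom(32)  # assumed to reach the client confidentially
        self.sessions[user] = [key, 0]
        return filehandle, key

    def read(self, filehandle, user=None, seq=0, mac=b""):
        session = self.sessions.get(user)
        if session is None or seq <= session[1]:
            raise PermissionError("no session or replayed request")
        if not hmac.compare_digest(request_mac(session[0], seq, filehandle), mac):
            raise PermissionError("I/O request not authenticated")
        session[1] = seq  # accept each sequence number once
        return FILES[filehandle]


def request_mac(key, seq, filehandle):
    """Client and server both compute this over sequence number and handle."""
    return hmac.new(key, seq.to_bytes(8, "big") + filehandle, hashlib.sha256).digest()
```

In the second server a known or observed filehandle is not sufficient by itself, because each request must also carry a fresh sequence number and a MAC under the session key.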
