[2770] in bugtraq


Re: Read only devices (Re: BoS: amodload.tar.gz - ...)

daemon@ATHENA.MIT.EDU (Mark Riggins Mark.Riggins@att.com)
Fri Jun 21 11:34:26 1996

Date: 	Fri, 21 Jun 1996 09:58:32 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Mark Riggins Mark.Riggins@att.com" <mdr@vodka.sse.att.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.LNX.3.92.960620231254.8172B-100000@netrail.net> from "Matt
              Zimmerman" at Jun 20, 96 11:15:25 pm

> // Matt Zimmerman wrote:
> Right...which makes a good case for using NFS instead, and exporting the
> filesystems read-only from a server which is hopefully less accessible to
> the general public and/or intruders (offering a very limited set of
> network services, etc.).  Of course, then you have to deal with the usual
> NFS security issues (most of which can be avoided within reasonable limits
> by well-configured firewalls and TCP wrappers).

This opens up new avenues of attack. (The server may now be
susceptible to attacks from the inside.)
An attacking system could answer NFS reads with its own
data. Not a trivial attack, but I did read about it being done.  If the
hardened server is serving as a firewall platform it may not be able
to trust *either* side.

The r/o disk idea is a better solution.
Mark Riggins
Secure Systems Engineering
AT&T Bell Labs
