2

I have a debian NFS server on an internal network, that I want to protect from modification by malicious agents. I want something stronger than per-IP or per-mac firewall rules. The clients are all linux.

From what I have read/skimmed so far, use of kerberos with NFS requires per-user authentication, which in turn requires users log in via the KDC. Some users of the server are mobile, so this is an unappealing option.

I have so far not pursued a VPN as an option, mostly due to the performance implications.

What is the simplest way to achieve the above?

Note, I'm not overly concerned with preventing sniffing of network traffic, only with modification of data.

Michael Slade
  • 451
  • 1
  • 4
  • 7
  • 1
    MIT Kerberos itself was designed to work and be secure over the open Internet. (Though this might not be true of other Kerberos implementations.) Running NFS with sec=krb5p should also be safe, depending on your cipher choices. A VPN is still a good idea. But before any of that, you should more clearly define your threat model. The solution you propose is primarily going to mitigate _insider_ threats such as disgruntled employees, not outside threats. – Michael Hampton Aug 20 '20 at 11:31

1 Answers1

0

There is is nice article by Charles Fisher on how to use stunnel to protect NFS traffic. With a mutual TLS handshake (client+server certificates) you can get IP independent protection.

Inspired by that document, the IETF nfs working group have started the NFS-over-TLS project that currently under development and atopted by many nfs client/server implementations.

kofemann
  • 4,626
  • 1
  • 25
  • 30