Network File System (NFS) is a widely-used primitive protocol, which is helpful for sharing files in a network. The files are stored in servers, and clients can get access to these files in order to save storage space. The protocol can be used both for business purposes and for domestic use, such as sharing music collection for all devices. NFS is used to unite computers operating on Linux, and it cannot be used for “talking” between Linux and Windows computers (Day, n.d.).
The protocol was developed in the 1980s when security was not an issue (Sheinin, 2019). Therefore, it has numerous security vulnerabilities, which are being addressed with security patches and upgrades in protocols. The present paper offers an overview of NFS security issues and solutions that have been implemented to address these problems.
Security Issues
Initially, NFS is a somewhat vulnerable protocol that can be quickly overrun by malicious users. The primary problem with NFS is that it relies on an inherently insecure UDP protocol, in which transactions are not encrypted while hosts and users cannot be easily authenticated (Day, n.d.). According to Sheinin (2019), NFS is vulnerable to eavesdropping and impostor attacks similar to any other unprotected network. The reasons for these issues are numerous and not quickly addressed.
First, an NFS server is unable to distinguish between falsified filehandles from the file handles established by the mounted daemon (Sheinin, 2019). Second, even though each mounting post has a list of hosts to which the file system can be exported, an intruder can use a port map daemon to ask the mount daemon to forward the files. Third, it is possible for any user to run a program to generate an NFS request on behalf of any other user. However, some steps can be implemented to protect the information.
Security Measures
The inherent problems of NFS are addressed in recent Linux distributions. The primary way of addressing the issue is implementing NFS version 4 (NFSv4), which has improved security features. According to Haynes and Noveck (2015), the protocol has a robust security model, which is maintained using the GSS-API framework for all client-server interactions. Kerberos, LIPKEY, and SPKM-3 are now required for all Linux machines to utilize NFS (Haynes & Noveck, 2015).
This means that all the data now is encrypted and decrypted, and the client and server negotiate the methods for these actions. Moreover, to address the third problem discussed in the previous paragraph, NFSv4 uses strings rather than user IDs for security principles. At the same time, NFSv4 utilizes both UNIX-like permissions as well as Windows ACLs. In short, the implementation of the NFSv4 protocol is associated with increased protection from malicious users.
Some simple precautions mechanisms can be utilized for protecting Linux-run clients and servers. These recommendations include installing the latest security patches, exporting file systems as read-only, configuring NFS so that t requests are only accepted from privileged system programs, blocking TCP and UDP ports 2049 and port map on firewalls and routers, and disabling NFS when it is not needed (Sheinin, 2019). While these measures are not a part of new features of NFS protocol, they are applicable for openSUSE and other Linux distributions for security purposes.
Conclusion
Security issues among Linux NFS servers are numerous since the protocol was initially designed when data protection was not an issue. Like any other unprotected protocol, NFS is vulnerable to eavesdropping and impostor attacks due to three issues identified in the present paper. However, NFSv4 has improved security performance due to the utilization of the GSS-API framework for all client-server interactions. Implementation of NFSv4, together with standard precautions, can help to minimize the chance of attacks from malicious users.
References
Day, B. (n.d.). NFS Security. Web.
Haynes, T., & Noveck, D. (2015). Network file system (NFS) version 4 protocol.
Sheinin, S. (2019). Global information assurance certification paper: NFS security.