Information Security Best Practices: 205 Basic Rules

9.6 Network File Sharing Security

Most network file systems have some type of security weakness. The administrator must be aware of these problems and weigh the convenience of network file services against the security holes that are opened when those services are enabled.

INFOSEC Best Practice #104

Do not have virtual file services enabled for bastion host machines.

Virtual file services give an attacker who has compromised a single machine a ready path onto every other machine that mounts or exports the same shares. In particular, do not run file services across your firewall. The firewall would need to leave the service's port(s) open (for NFS, the portmapper on 111/tcp and 111/udp, nfsd on 2049, and the dynamically assigned mountd and lockd ports), and each open port is an entry point into your internal network.

INFOSEC Best Practice #105

Deploy NFS on an internal network, separated from a public network via a firewall.

If you need to use NFS (Network File System), then it must be deployed on an internal network because its default authentication is weak: the client simply asserts the caller's identity in clear text (host name, user ID and group ID), and the server checks only that the client host appears in its export list before trusting the asserted IDs. Anyone who controls a host the server trusts, or who can spoof one, can therefore present any user ID. This may be barely acceptable in secure networks where access to the network is limited, but it is not secure on public networks. UNIX systems typically use NFS to share files between users and to set up virtual drives for users. If NFS is to be used in an organization, then at a minimum it should be deployed behind a firewall separating the internal network from the external, public network, and each export should be restricted to the internal hosts or subnets that need it. To increase security when using NFS, but with a performance decrease, use Secure NFS which...
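The following script is an added illustration, not part of the book, of how to check that an NFS server's export list actually honours Best Practice #105. It parses the Linux-style /etc/exports syntax and flags exports that trust clients outside the internal network, that disable root_squash (remote root becomes local root, the worst case for the client-asserted user IDs described above), or that accept requests from non-privileged source ports. The internal address ranges and the sample /etc/exports contents are assumptions constructed for the example.

```python
"""Audit /etc/exports entries for the NFS weaknesses discussed in 9.6.

Added example (not from the book).  Handles the Linux exports(5) syntax:
    <path>  <client>(<opts>)  <client>(<opts>) ...
A client spec that is an empty string or a wildcard is treated as "the world".
"""
import ipaddress
import re

# Assumed internal ranges for this example; adjust to your own site plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXPORT_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.*)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Yield (path, client, option_set) for every client on every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        for token in m.group("clients").split():
            cm = CLIENT_RE.fullmatch(token)
            if cm is None:
                continue
            opts = {o.strip() for o in (cm.group("opts") or "").split(",") if o.strip()}
            # "(rw)" with no host means the options apply to everyone.
            yield m.group("path"), cm.group("host") or "*", opts


def client_is_internal(host):
    """True only if the client spec is an address or prefix inside INTERNAL_NETS.

    Wildcards and host names are treated as NOT internal (fail closed): a
    wildcard is the world, and a name cannot be verified offline.
    """
    if host in ("*", "") or "*" in host or "?" in host:
        return False
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False
    return any(net.subnet_of(n) for n in INTERNAL_NETS if net.version == n.version)


def audit_exports(text):
    """Return a list of (path, client, finding) tuples for risky exports."""
    findings = []
    for path, host, opts in parse_exports(text):
        if not client_is_internal(host):
            findings.append((path, host, "client not restricted to an internal network"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: remote root maps to local root"))
        if "insecure" in opts:
            findings.append((path, host, "insecure: requests accepted from non-privileged ports"))
    return findings


# Constructed sample /etc/exports for the audit (not a real configuration).
SAMPLE_EXPORTS = """\
# home directories, internal subnet only, root squashed (default)
/export/home   192.168.10.0/24(rw,root_squash)
/export/tools  *(ro)
/srv/build     10.1.0.0/16(rw,no_root_squash)  build01.example.com(rw)
/var/pub       (rw,insecure)
"""

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<14} {host:<22} {finding}")
```

Run against a real server with `audit_exports(open("/etc/exports").read())`; on the sample, only /export/home passes cleanly, and the world-readable /export/tools, the no_root_squash build export and the space-separated /var/pub line (which exports to everyone) are all reported.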