NFS and NIS • Network File System (NFS) is a protocol originally developed by Sun Microsystems in 1984 and defined in RFCs 1094, 1813, and 3530 (obsoletes 3010), as a distributed file system which allows a computer to access files over a network as easily as if they were on its local disks. NFS is one of many protocols built on the Open Network Computing Remote Procedure Call system (ONC RPC).
NFS • Version 2 of the protocol originally operated entirely over UDP and was meant to keep the protocol stateless, with locking (for example) implemented outside of the core protocol. • Version 3 introduced support for using TCP as transport. While several vendors had already extended NFS Version 2 to support TCP as transport, Sun Microsystems introduced TCP as a transport for NFS at the same time it introduced Version 3. Using TCP as transport made using NFS over a WAN more feasible. • Version 4, influenced by AFS and CIFS, includes performance improvements, mandates strong security, and introduces a stateful protocol. Version 4 was the first version developed with the Internet Engineering Task Force (IETF) after Sun Microsystems handed over the development of the NFS protocols.
NFS • Problems with NFS: • -- Not secure. • -- Performance is average at best and doesn’t scale well. • -- Maintaining a truly distributed file system can be complicated if many machines supply data. • -- Locking is weak and can cause problems when a file is used simultaneously by multiple applications.
NFS • Why is NFS used then? • -- It is ubiquitous. • -- It is easy to set up and administer. • -- It provides a better solution than the alternative of not sharing files.
NFS • Virtual File System • VFS was developed as a generic interface to the UNIX file system. It defines a set of operations to perform on the file system independent of the underlying file system. VFS provides a consistent interface to the file system whether files are accessed locally (ufs) or remotely (NFS). For example, the stat call is handled on a local file system via the standard kernel call to stat. • On an NFS-mounted file system it is done via an RPC to the server machine. From the programmer's or user's perspective nothing has changed. Fundamental to VFS is the concept of a file handle. A file handle is nothing more than a reference to a file. For a local file system this is the inode. On a remote file system this is a name supplied by the server. Via the handle name the file system can determine the correct file to use.
NIS • NIS and NIS+ (formerly known as “Yellow Pages”) stand for Network Information Service. • Essentially NIS and NIS+ provide a means to distribute password files, group files, and other configuration files across many machines, providing account and password synchronization (among other services). • NIS+ is essentially NIS with several enhancements (mostly security related); otherwise they are very similar.
NIS • To use NIS you set up a master NIS server that will contain the records and allow them to be changed (adding users, etc.). • This server can distribute the records to slave NIS machines that contain a read-only copy of the records (but they can be promoted to master and set read/write if something bad happens). • Clients of the NIS network essentially request portions of the information and copy it directly into their configuration files (such as /etc/passwd), thus making them accessible locally.
NIS • Using NIS you can provide several thousand workstations and servers with identical sets of usernames, user information, passwords and the like, significantly reducing administration nightmares.
NIS • However, this is a problem: in sharing this information you make it accessible to attackers. • NIS+ attempts to resolve this issue, but NIS+ is a pain to set up. • NIS+ uses Secure RPC, which can make use of single DES encryption (which is pretty weak encryption).
Sharing Passwords • Several ways to do it: LDAP, NIS, NIS+ ... • Most people use LDAP • NIS is used somewhat • NIS+ is generally avoided – Sun may discontinue support in the future
VPNs • What is a VPN? • Many different definitions and ideas of what they are. • Basically, a virtual private network is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public-network access, that communicates "securely" over a public network.
VPNs • VPNs may exist between an individual machine and a private network (client-to-server) or a remote LAN and a private network (server-to-server). Security features differ from product to product, but most security experts agree that VPNs include encryption, strong authentication of remote users or hosts, and mechanisms for hiding or masking information about the private network topology from potential attackers on the public network.
VPNs • Why are these needed? • Computers communicate via ports. For example, port 139 (NetBIOS) is used for all Windows file and printer sharing. • This is a dangerous port on the Internet and a common target of hostile scans, worms, and attacks.
VPNs • If you have an off-site computer that connects to on-site Windows shares (e.g., the Windows “Map Network Drive” feature, directories, files, or printers) or logs in to Windows boxes on site from off site, you will not be able to do this when those ports are blocked. • But you can use a VPN to securely access those files from your off-site locations.
VPNs • OK, so how does this work if the ports are blocked? • The current generation of VPNs is an advanced combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone.
Tunneling • Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. • The protocol of the outer packet is understood by the network and by both endpoints, called tunnel interfaces, where the packet enters and exits the network.
Tunneling • Tunneling requires three different protocols: • Carrier protocol - The protocol used by the network that the information is traveling over • Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data • Passenger protocol - The original data (IPX, NetBEUI, IP) being carried
Tunneling • Tunneling has amazing implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.
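The three tunneling layers from the slides above, as an added example that is not part of the lecture material: an inner IPv4 packet with private (non-routable) addresses is wrapped in a GRE header and carried inside an outer IPv4 packet with routable addresses, then unwrapped again. All addresses are constructed sample values; the GRE header is the basic 4-byte RFC 2784 form without optional fields.

```python
import struct
import ipaddress

GRE_PROTO = 47           # IPv4 protocol number for GRE (the encapsulating protocol)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 passenger packet

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Carrier (outer IPv4) | encapsulating (GRE) | passenger (inner packet)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type
    payload = gre + inner_packet
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(payload)) + payload

def gre_decapsulate(packet: bytes) -> dict:
    """Strip the carrier and GRE layers, validating what a tunnel endpoint would."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S bit set: optional fields not handled here
        raise ValueError("optional GRE fields not supported")
    inner = packet[ihl + 4:]
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "passenger_type": ptype,
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "inner": inner}

def demo() -> dict:
    """Constructed sample: a private 10.0.0.0/8 packet crossing public addresses."""
    inner = ipv4_header("10.0.0.5", "10.0.0.9", 17, 4) + b"data"  # UDP passenger
    return gre_decapsulate(gre_encapsulate(inner, "203.0.113.1", "198.51.100.7"))
```

Only the outer addresses are visible to routers on the path; the private inner addresses (and anything a non-IP passenger such as NetBEUI would carry) travel as opaque GRE payload.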
VPN Security • A well-designed VPN uses several methods for keeping your connection and data secure: • Firewalls • Encryption • IPSec
Firewalls • A firewall provides a strong barrier between your private network and the Internet. • You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. • You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.
Encryption • Generally, information sent over a public network is also encrypted. • Encryption can be either symmetric-key or public-key encryption. • Symmetric keys are often easier to implement for a wide-scale enterprise.
IPSec • VPNs can also utilize IPSec for additional security. • For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.
IPSec • IPSec has two encryption modes: tunnel and transport. • Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. • Only systems that are IPSec-compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up.
IPSec • IPSec can encrypt data between various devices, such as: • Router to router • Firewall to router • PC to router • PC to server