Date: Tue, 17 Oct 1995 09:42:47 -0700
From: Jonathan Kamens <email@example.com>
Subject: Re: Basic Flaws in Internet Security (RISKS-17.39)

I saw their attack in one of the security newsgroups, and I was
unimpressed by it. It doesn't report anything new.

People have known for years that NFS was vulnerable to spoofing attacks.
This is not news. People have known for years that even the commonly-used
authenticated file-service protocols (e.g., Kerberized NFS, AFS)
authenticate only the connection without authenticating the file data being
sent over it. This is not news.

The solutions to this problem are known and have been for a long time. The
easy solution is to install security-related binaries on the local disk
instead of on a fileserver. Of course, this blows the diskless workstation
model, but I think that was on its way out anyway :-). The hard solution is
to fix the file-service protocols to integrity-protect and/or encrypt their
data (and to get people to use secure file-service protocols like Kerberized
NFS or AFS, instead of relying on tried-and-true insecure NFS). Perhaps
some work in that direction will arise from the attack published by Brewer
et al., and that would be a good thing to come out of what they published,
but otherwise, I don't see much point to it.

(An aside: I suspect that one of the reasons why integrity-protection
and/or encryption weren't put into Kerberized NFS and AFS originally
was that such protection significantly increases the CPU load on the
servers and clients using it; however, CPU speeds have increased so
much in the past few years that perhaps now we can spare the cycles to
make our files secure.)

Jonathan Kamens | OpenVision Technologies, Inc. | firstname.lastname@example.org
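
Added example, not part of the original message and not code from any NFS or AFS implementation: a sketch of what "integrity-protecting the file data" means in practice, where each read reply carries a MAC over the file handle, offset and data, so a client can reject a block that was altered or substituted after the connection was authenticated. The session key is assumed to come from the authentication step; the function names, handle and block contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def _mac(session_key: bytes, file_handle: bytes, offset: int, data: bytes) -> bytes:
    # Length-prefix the handle so (handle, offset, data) cannot be re-split ambiguously.
    header = struct.pack(">H", len(file_handle)) + file_handle + struct.pack(">Q", offset)
    return hmac.new(session_key, header + data, hashlib.sha256).digest()


def seal_read_reply(session_key, file_handle, offset, data) -> bytes:
    """Server side: return data followed by a MAC over handle, offset and data."""
    return data + _mac(session_key, file_handle, offset, data)


def open_read_reply(session_key, file_handle, offset, reply) -> bytes:
    """Client side: verify the reply against the request that was actually sent."""
    if len(reply) < TAG_LEN:
        raise ValueError("reply too short to carry a MAC")
    data, tag = reply[:-TAG_LEN], reply[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(session_key, file_handle, offset, data)):
        raise ValueError("integrity check failed: discard block")
    return data


def accepted(session_key, file_handle, offset, reply) -> bool:
    try:
        open_read_reply(session_key, file_handle, offset, reply)
        return True
    except ValueError:
        return False


# Constructed sample values, not taken from any real system.
KEY = hashlib.sha256(b"constructed session key").digest()
HANDLE = b"constructed-handle-for-login-binary"
BLOCK = b"original contents of block 0"
GENUINE = seal_read_reply(KEY, HANDLE, 0, BLOCK)
# Same length, different bytes, original tag kept: a block altered in transit.
ALTERED = b"modified contents of block 0" + GENUINE[-TAG_LEN:]

if __name__ == "__main__":
    print("genuine reply accepted:", accepted(KEY, HANDLE, 0, GENUINE))
    print("altered reply accepted:", accepted(KEY, HANDLE, 0, ALTERED))
    print("reply for offset 0 accepted at offset 8192:", accepted(KEY, HANDLE, 8192, GENUINE))
```

Binding the handle and offset into the MAC matters as much as covering the data: without them, a valid block from one file or position would verify when presented as another.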