    Latest posts made by MasterOfUs

    • RE: Security concerns

      Hi George,

      “Hiding the NFS path, that’s possible since if it’s printed, the print command can be removed.”

      Removing the [IP/PATH/] and just showing the [image name] would be enough information to validate the active task on the computer and would limit any leaked information to a spying eye, say, looking through the door bay. I don’t think NFS shares are broadcast on the network (or by querying the server), are they? Someone would need to know the actual folder name before mounting it.

      “Now one of the things I experimented with was NFSv4.”

      That’s a good idea. I think you can use ACLs with NFSv4.

      If we go real simple, limiting access to the share would prevent any image leaks. I don’t think it’s a problem sending the user:pass in plain text (cmd) to each LAN computer when deploying. As long as it’s invisible on the client’s screen.

      I’ll try to come up with something on my side.

      posted in General
      MasterOfUs
    • Security concerns

      So, I’ve tested FOG and it’s great, but I’m concerned about the lack of security for the NFS image folder.

      By default, from my test, anyone that has LAN access (same as fogserver) could simply connect to the “advertised” NFS IP/path you see on the deploying screen (“using image from 192.168…/images/nameofimage”) and copy the files for future investigation from another Linux.

      Why secure the web interface with SSL, login page and MySQL passwords when you could simply copy the entire structure remotely and reclone from another FOG install?

      I’ve lurked the forums searching for NFS security to find answers. Maybe I’m wrong, I don’t know?

      • NFS is faster
      • No security needed in intranet
      • Don’t put FOG on the public side
      • Use an IP filter or limit IPs in exportfile
      • SMB is slower and not native to Linux

      What are the solutions? You’d think students would not try anything but in fact they will.

      • Are the DD images encrypted on the fly?
      • Is there a way to hide, on screen, the NFS path used when deploying? That way, you can randomize an NFS folder. (security through obscurity)

      I’m just trying to secure the image depot and it’s strange nobody cares? Maybe the users don’t know their files aren’t secure at all?

      Thank you for your time.

      posted in General
      MasterOfUs
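
The "limit IPs in exportfile" item from the post above, as an added example that is not part of the original posts or FOG's own code: a small Python audit that flags exports any host can mount. The export lines in `SAMPLE_EXPORTS` and the function name `audit_exports` are constructed for illustration; line continuations and quoted paths are not handled.

```python
import re

# Constructed sample in /etc/exports syntax (not taken from any real server).
SAMPLE_EXPORTS = """\
# image store
/images        *(ro,sync,no_subtree_check)
/images/dev    192.168.1.0/24(rw,sync) *(ro)
/srv/backup    10.0.0.5(rw,sync,no_root_squash)
/srv/scratch   (rw)
"""

# A client spec is "host(opt,opt,...)"; host or the option list may be absent.
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")
# Host fields that place no restriction on who may mount the export.
WORLD_HOSTS = {"", "*", "0.0.0.0/0", "::/0"}

def audit_exports(text):
    """Return a list of (path, client, reason) findings for risky exports."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            findings.append((path, "*", "no client list given"))
            continue
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if m is None:
                findings.append((path, spec, "unparseable client spec"))
                continue
            host = m.group("host")
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if host in WORLD_HOSTS:
                access = "read-write" if "rw" in opts else "read-only"
                findings.append((path, host or "*", f"any host gets {access} access"))
            if "no_root_squash" in opts:
                findings.append((path, host or "*", "no_root_squash: remote root stays root"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:16} {reason}")
```

Replacing a flagged `*` entry with the deployment subnet or individual client addresses is the restriction the post refers to; it narrows who can mount the share but does not authenticate them.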