I fear I must wade into this thread, despite it being thick with FUD.

On Wed, Oct 18, 2017 at 07:27:42PM +0200, WhiteWinterWolf (Simon) wrote:
> Hi Ronald,
>
> On 18/10/2017 at 06:00, Ronald F. Guilmette wrote:
> >
> > In message <49252eda-3d48-f7bc-95e7-db716db4e...@whitewinterwolf.com>,
> > "WhiteWinterWolf (Simon)" <freebsd.li...@whitewinterwolf.com> wrote:
> >
> >> Ideally, you would use a specific protection for each of these layers,
> >> so that a vulnerability affecting one layer would be compensated by
> >> other layers.
> >
> > A good point.
> >
> > Right about now, I wish that I knew one hell of a lot more about both
> > NFS and SMB than I do... and also SSH and TLS. I suspect that the
> > file sharing protocols I am most concerned about (NFS & SMB) could
> > perhaps be run in a manner such that both initial volume mounts and
> > also data blocks (to & from) the share volumes would be additionally
> > encrypted, so that I could be running everything securely, even if
> > some attacker managed to do maximally evil things to my WiFi/WPA2
> > network.
> >
> > Do NFS and/or SMB have their own built-in encryption?
>
> No, not really.
>
> NFS has no built-in encryption; it may be possible to tunnel it, but this
> is out of scope here (using a VPN and tunnelling everything would be easier
> than nitpicking and tunnelling only the NFS data flow).
This statement is either false or highly misleading. NFS (both v3 and v4)
is an RPC protocol, and RPCSEC_GSS exists and can provide per-message
confidentiality protection. It may be true that Kerberos is basically the
only GSS-API mechanism implemented for RPCSEC_GSS, and the necessary
Kerberos setup is far more painful to set up than it needs to be, but all
modern NFS implementations support it.

> SMB has no widely compatible encryption:
>
> - Microsoft has built its own, proprietary encryption, available and
> compatible only with the latest Windows versions.
> - Open source implementations rely on TLS, natively supported by some
> clients but requiring (AFAIK) `stunnel` server-side.

I am not an SMB/CIFS expert, but (e.g.)
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1670508 seems to
indicate that "proprietary" is false, and does not give much support to
the claim that it requires TLS. (I believe in-kernel TLS support had not
landed by June, when Xenial was getting its fix.)

I am aware that this is a FreeBSD list and the offerings on FreeBSD for
SMB are somewhat limited, but you did not scope your statement to
FreeBSD and so neither do I.

-Ben
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
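Ben's point above is that NFS gets on-the-wire confidentiality from RPCSEC_GSS with the Kerberos mechanism, which on FreeBSD and Linux is the `sec=krb5p` flavour; `krb5` and `krb5i` only authenticate and integrity-protect the RPC headers, and an export with no `-sec` option at all is AUTH_SYS, cleartext with client-asserted uid/gid. The script below is an added example, not code from the thread or from FreeBSD: it audits an exports(5)-style file and reports every export that is not restricted to `krb5p`. The sample exports text, the paths, the `192.0.2.0/24` network and the `nfs.example.org` hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit an NFS exports file for
# exports whose RPCSEC_GSS flavour does not give privacy. Only sec=krb5p
# (Kerberos, integrity + encryption) protects file data on the wire;
# krb5 and krb5i authenticate the RPC but send data in the clear, and no
# -sec at all means AUTH_SYS (client-asserted uid/gid, cleartext).
#
# Input is FreeBSD exports(5) syntax. The sample below is constructed;
# the paths and the 192.0.2.0/24 network are placeholders.

SAMPLE_EXPORTS='# constructed sample exports file
V4: /export -sec=krb5p
/export/data -sec=krb5p -network 192.0.2.0/24
/export/pub -network 192.0.2.0/24
/export/home -sec=krb5i -network 192.0.2.0/24
/export/mixed -sec=krb5p:krb5i -network 192.0.2.0/24'

# audit_exports EXPORTS_TEXT
# Prints "<path> <flavours>" for every export line that is not restricted
# to krb5p. A mixed list such as krb5p:krb5i is reported too, because a
# client may then pick the flavour that leaves data unencrypted.
# Blank lines, comments and the "V4:" root line are skipped.
audit_exports() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'V4:'*) continue ;;
        esac
        path=${line%% *}
        flavours=sys               # default when no -sec option is present
        for tok in $line; do
            case "$tok" in
                -sec=*) flavours=${tok#-sec=} ;;
            esac
        done
        if [ "$flavours" != krb5p ]; then
            printf '%s %s\n' "$path" "$flavours"
        fi
    done
}

# exports_all_private EXPORTS_TEXT
# Exit status 0 when every export uses krb5p only, 1 otherwise.
exports_all_private() {
    [ -z "$(audit_exports "$1")" ]
}

# Usage against a real file: audit_exports "$(cat /etc/exports)"
# The matching client side on FreeBSD is, for example,
#   mount -t nfs -o nfsv4,sec=krb5p nfs.example.org:/export/data /mnt
# (hostname is a placeholder).
audit_exports "$SAMPLE_EXPORTS"
```

On the constructed sample this reports `/export/pub` (AUTH_SYS), `/export/home` (krb5i, integrity only) and `/export/mixed` (krb5p offered alongside krb5i), and stays silent about `/export/data`. The check is deliberately strict about mixed flavour lists: if the goal is that data never crosses the WiFi unencrypted, the server should offer nothing weaker than `krb5p`.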