Network and Storage Protocols
Hi,
Is it somehow possible to "hide" NFS exports?
E.g. with showmount anyone who has connectivity to a Filer sees all exports:
---
correctie:~ cschnidr$ showmount -e 10.68.20.10
Exports list on 10.68.20.10:
/vol/vol4com 10.68.21.0/24 10.68.20.0/24
/vol/vol1src 10.68.20.0/24 10.68.21.0/24
/vol/vol0 Everyone
/vol/chdiflr01_vol0 Everyone
/vol/vol3usr 10.68.21.0/24 10.68.20.0/24
/vol/vol2bkp Everyone
/vol/vol6www 10.68.21.0/24 10.68.20.0/24
/vol/vol8fieldsup 10.68.20.30
/vol/vol5pub 10.68.21.0/24 10.68.20.0/24
---
A customer asks whether it is possible to hide the exports here, so that a mount is only possible if the correct path is already known.
Thanks
Christoph
I think this is unfortunately a limitation of the NFS protocol, and not the NetApp implementation of it. The reality is that this offers no security, only obscurity, and if you use a standard naming convention, volume names would be easy to guess.
Real security should be employed from within NFS, such as restricted network access, and UNIX permissions on the file system. NFS v4 adds better support for the security aspects also, so if the customer is concerned that the default NFS v3 doesn't offer them enough, you may want to look at using NFS v4.
It would be nice to see the ability to restrict NFS over certain interfaces only (like we can with iSCSI), and I can see that being easier for NetApp to implement, but I'm unsure whether that is road-mapped any time soon to be honest.
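As an added example (not part of the original thread or any NetApp tooling), the script below shows the defensive counterpart of the point made above: since showmount output cannot be hidden, an administrator can at least audit it. It parses the export list format quoted in the question and flags exports that are mountable by Everyone, exported to networks outside an assumed allow-list of NFS-only subnets, or exported to non-IP client specs (hostnames, netgroups) that need a manual look. The sample output and the allowed network list are constructed for the example.

```python
"""Audit 'showmount -e' output for overly permissive NFS exports.

Added example, not from the original post. It parses the export list
format shown in the thread and reports exports that are world-mountable
or reachable from networks outside an allow-list.
"""
import ipaddress

# Constructed sample, modelled on the showmount output quoted in the thread
SAMPLE = """\
Exports list on 10.68.20.10:
/vol/vol4com 10.68.21.0/24 10.68.20.0/24
/vol/vol0 Everyone
/vol/vol8fieldsup 10.68.20.30
"""


def parse_showmount(text):
    """Return {export_path: [client_spec, ...]} from showmount -e output."""
    exports = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and the header line printed by showmount
        if not line or line.startswith(("Exports list", "Export list")):
            continue
        parts = line.split()
        exports[parts[0]] = parts[1:]
    return exports


def _to_network(spec):
    """Turn an IP or CIDR client spec into a network; None for anything else."""
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None  # hostname, netgroup, "Everyone", etc.


def audit_exports(exports, allowed_networks):
    """Return a list of (path, client_spec, reason) findings.

    allowed_networks: CIDR strings of the subnets that are supposed to
    reach NFS (assumed allow-list, e.g. a dedicated storage network).
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for path, clients in exports.items():
        for spec in clients:
            # ONTAP prints "Everyone"; Linux nfs-utils prints "*"
            if spec.lower() in ("everyone", "*", "(everyone)"):
                findings.append((path, spec, "world-mountable"))
                continue
            net = _to_network(spec)
            if net is None:
                findings.append((path, spec, "non-IP client spec; verify hostname/netgroup"))
                continue
            inside = any(net.subnet_of(a) for a in allowed if a.version == net.version)
            if not inside:
                findings.append((path, spec, "outside allowed NFS network"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(parse_showmount(SAMPLE), ["10.68.20.0/24"]):
        print("%-20s %-16s %s" % finding)
```

Run it against the real output of `showmount -e <filer>` by replacing SAMPLE with that text; anything flagged as world-mountable or outside the NFS network is a candidate for a tighter export rule or for the interface-level blocking discussed later in this thread.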
chriskranz wrote:
It would be nice to see the ability to restrict NFS over certain interfaces only (like we can with iSCSI), and I can see that being easier for NetApp to implement, but I'm unsure whether that is road-mapped any time soon to be honest.
In ONTAP 7.3 it is possible to block a protocol on specific interfaces:
options interface.cifs.blocked
options interface.nfs.blocked
Thanks for that Pascal, I hadn't realised. In that case that is definitely how I would secure and "hide" the NFS shares. Create a dedicated NFS network and block the protocol on all other interfaces. Anything more advanced than this I'm afraid is the limitation of the NFS protocol.
It seems that Unix derivatives like HP-UX can do that. They disable any output from showmount requests.