wounded in the line of duty
The bank data center is the point. NFSv4 was designed to overcome the limitations of previous versions. Using NFSv4 with a mature authentication/encryption system, like Kerberos/LDAP/certificates, allows one to design better bank data centers. Think NetApp filers with terabytes of data as the backend in the corporate network and the CentOS/Red Hat systems in the DMZ as the front ends. There is no reason why the systems in the front end can't use the backend filers through the firewall, especially a mount point that only has patches, packages, etc. - you can even export it read-only. I'll bet money that NFSv4/Kerberos natively will outperform tunneled through SSH any day.
In the case of CentOS/Red Hat, coupled with SELinux enabled on the front-end DMZ servers and virtualized via Xen/KVM/OpenVZ to only perform the tasks assigned to them, the risk is very minimal. You get the benefits of performance, simplicity, separation and security.
SSH has been used as "glueware" for far too long. This is due to the fact that most network file systems historically have had a bad reputation for insecurity. Modern network protocols, like NFSv4, do not require SSH when implemented properly.
The problem is one of transitioning from the older NFSv2/3 versions to the newer one and implementing a solid directory/Kerberos AAA system. The bigger problem, though, for most enterprises is to go with what they know, so they continue to use old-school methods. Lack of investment in training the sysadmins kills the spirit of innovation. Not sure what your workplace is like.
SSH use, IMHO, should be limited to network terminal access, SFTP and maybe X. I think I'll write a doc on implementing NFSv4 and Kerberos/LDAP and toss it on the CentOS wiki as a project.
Not even sure how I got onto this blog. Oh yeah, I was trying to get a release date for CentOS 5.2.
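The commenter's design (a read-only, Kerberos-protected NFSv4 export offered to DMZ front ends through the firewall) is easy to state and easy to get subtly wrong in `/etc/exports`. As an added example that is not from the comment above or from this blog, here is a small audit script that checks an exports file against that design: every export should carry a Kerberos security flavour (`sec=krb5p` gives authentication, integrity and encryption; `krb5`/`krb5i` do not encrypt), patch/package exports should be `ro`, and there should be no wildcard clients or `no_root_squash`. The exports file, the paths, the client subnet and the policy thresholds are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit /etc/exports for NFSv4 exports that a DMZ front end
# should be allowed to mount through the firewall. The policy below is an
# assumption for illustration, not something the original comment specifies:
#   - sec= must include a Kerberos flavour; krb5p is required for encryption
#   - read-only (ro) for patch/package mounts
#   - no wildcard clients, no no_root_squash
# The sample exports file is constructed here; it is not a real filer config.

SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# fsid=0 marks the NFSv4 pseudo-root; clients mount filer:/patches, not /srv/nfs4/patches
/srv/nfs4           10.0.1.0/24(fsid=0,sec=krb5p,ro,sync,no_subtree_check)
/srv/nfs4/patches   10.0.1.0/24(sec=krb5p,ro,sync,no_subtree_check)
/srv/nfs4/home      10.0.1.0/24(sec=krb5i,rw,sync,no_subtree_check)
/srv/nfs4/scratch   *(rw,no_root_squash)
EOF

# audit_exports FILE: prints "PATH CLIENT VERDICT" per export entry, where
# VERDICT is "OK" or a comma-separated list of findings.
audit_exports() {
  awk '
  /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
  {
    path = $1
    for (i = 2; i <= NF; i++) {
      client = $i; opts = ""
      if (match($i, /\(.*\)/)) {             # split "client(opt,opt)" into parts
        client = substr($i, 1, RSTART - 1)
        opts   = substr($i, RSTART + 1, RLENGTH - 2)
      }
      n = split(opts, o, ",")
      sec = "sys"; rw = 0; nosquash = 0      # exportfs defaults: sec=sys, ro, root_squash
      for (j = 1; j <= n; j++) {
        if (o[j] ~ /^sec=/)                  sec = substr(o[j], 5)
        else if (o[j] == "rw")               rw = 1
        else if (o[j] == "no_root_squash")   nosquash = 1
      }
      f = ""
      if (sec !~ /krb5/)        f = f "no-kerberos,"     # sec=sys: trusts client UIDs
      else if (sec !~ /krb5p/)  f = f "no-encryption,"   # krb5/krb5i: auth but cleartext data
      if (rw)                   f = f "writable,"
      if (client == "*")        f = f "wildcard-client,"
      if (nosquash)             f = f "no_root_squash,"
      sub(/,$/, "", f)
      printf "%s %s %s\n", path, client, (f == "" ? "OK" : f)
    }
  }' "$1"
}

# count_weak FILE: number of export entries with at least one finding
count_weak() {
  audit_exports "$1" | awk '$3 != "OK"' | wc -l | tr -d ' '
}

audit_exports "$SAMPLE_EXPORTS"

# Matching client side on the CentOS/Red Hat front end. An NFSv4 mount talks
# only to TCP/2049 on the server (no portmapper or mountd), which is what makes
# the single firewall rule from DMZ to filer practical:
#   mount -t nfs4 -o sec=krb5p,ro filer.example.com:/patches /mnt/patches
```

The first two exports pass; `/srv/nfs4/home` is flagged because `krb5i` authenticates and integrity-protects but does not encrypt, and `/srv/nfs4/scratch` collects every finding at once. Run `audit_exports /etc/exports` on the filer (or on a copy of its export table) before opening the firewall hole.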
© 2007-2010 Dag Wieërs | Powered by Drupal and RHEL. | No legal statement, haha.