By default NFS version 3 (Default in RHEL5) use TCP protocol for transport layer communication but UDP protocol use can be forced by NFS client by specifying UDP in mount option.
NFS4 (Default in RHEL6) doesn’t allow use of UDP as transport layer protocol so use of UDP can’t be forced .
In NFS Version 3 ,
- NFS Client connect to NFS Server portmap service running on port 111.
- Client connect to NFS Server rpc.mountd service which perform host authentication .
- If authenticated a file handle returned to NFS Client by NFS Server .
- Further access managed by rpc.nfsd (Port 2049)
- Locking handled by rpc.statd and rpc.lockd
Now Lets highlight some of the major weakness inherited in design of NFS3 or earlier version
- Authentication is weak . There is no concept of user based authentication only host authentication performed.
- Data transmitted in clear text so very much vulnerable for Man in the Middle attack.
- NFS service depend on portmapper service for dynamic port assignment which makes Firewall configuration difficult.
- Internal ownership of file/folder stored as UID/GID . The Server trust whatever UID/GID client claim to be . So client can access privileged information by performing inconsistent UID/GID mapping .
Most of above given weaknesses can be overcome by applying the trick . I will discuss that in next post . NFS4 address many of these security weaknesses in its design and provide robust NFS by including following feature
- Remove Client and Server dependency on portmapper service.
- Subsidiary NFS RPC services like mountd , statd and lockd services integrated in NFS4.
- Use single port 2049 , so easy to apply firewall rules to filter NFS traffic .
- Connections are always statefull, UDP not even allowed for connection.