On Jul 13, 2010, at 8:23 PM, Kwan Lowe <kwan.lowe at gmail.com> wrote:

> On Tue, Jul 13, 2010 at 6:40 PM, Ross Walker <rswwalker at gmail.com> wrote:
>
>> Well on the 2008 box you can have a share available by NFSv3 AND CIFS and on the old Redhat boxes you might be able to mount the CIFS share since they don't support NFSv3, though if they don't support NFSv3 I have my doubts they support mounting CIFS as well.
>>
>> Is it that NFSv2 itself is insecure, or only the Windows implementation of NFSv2? Is NFSv2 on CentOS an acceptable substitute? Can you relocate the data?
>>
>> You might be painted into a corner here, being forced to upgrade under duress.
>>
>
> It's not specifically NFS, but more related to how the application
> stack was designed. We are essentially working around some 6 year old
> design decisions. When they were built, little thought was placed on
> allowing full access as the systems are on an isolated network. Over
> the years, other systems began to interface to the original
> application. Because one of those systems fall is a compliance target
> system, the original box needs to be compliant also.

Hmmm, maybe the problem isn't necessarily the NFS setup but the interface of the lower trusted systems.

Maybe developing a bastion host between the trusted and non-trusted networks would solve the compliance issue?

Separate VLANs, firewall host that uses forward and reverse NAT or possibly application proxy to limit the protocols and the hosts that use them across the trusted network. Detailed logging to a central log host for auditing.

If done with care it could be done with minimal interruption.

-Ross