sNFS: secure NFS
sNFS provides NFS over SSL using our SSL wrapper library.
The server is designed to be run from inetd and without a portmapper
and supports UDP and plain TCP in addition to SSL. Obviously SSL
should be used for security.
Transporting NFS over SSL means that:
- The NFS traffic is encrypted with all that that implies.
- Mount authentication is via X.509 certificate. This allows quite
strong authentication of mount requests, while being able to
automagically recover from a server reset - an annoying problem with
the previous release when using challenge/response authentication.
- You no longer need the TIS fwtk for authentication.
- You can safely mount sNFS filesystems from beyond your firewall -
provided your HTTP proxy allows connections to the port the remote sNFS
server is using. Don't expect high throughput though.
sNFS is focused on being secure rather than fast.
Performance of the server is about 25% of a kernel-based NFS running on
the same machine. The performance of snfsc (the RPC shuffler needed
for SSL and for TCP on many platforms) is even worse as it has to
unpack/pack each RPC twice.
Note though that we have heard of sNFS being used for nightly backup
of more than 50Gb of filesystems.
The server snfsd has been tested by us on NetBSD, SunOS 4.X, Solaris
5.X, and HP-UX 10. It is reasonably portable.
The client snfsc is much more system specific. It has only been
ported and tested on NetBSD, SunOS 4.X and Solaris 5.X. Porting to
source-based systems such as FreeBSD, OpenBSD and Linux should not be
a problem, but ports to other commercial systems are likely to require
We are in the process of re-evaluating how to make sNFS available now that
we are located in the U.S. Feel free to e-mail
sales with questions.
$Id: sNFS.html,v 1.2 1999/10/01 02:00:46 sjg Exp $