Friday, March 14, 2008

NSA Presents MAC-Driven Protection for NFS

Via DarkReading -

The National Security Agency (NSA) is pitching its own high-security access control technology for the next version of the Network File System (NFS) protocol.

NSA presented its so-called Labeled NFS technology, which is based on its mandatory access control (MAC) technology in the Security-Enhanced Linux (SELinux) operating system, earlier this week at the Internet Engineering Task Force meeting in Philadelphia.

Incorporating the MAC-driven technology into NFS would allow a “trusted” user or system to read and write sensitive files and run programs stored on NFS-based networked storage systems. MAC basically makes sure that users only access files for which they’re authorized, and that malicious code can’t run in NFS environments.

The IETF is now awaiting an official request for comments (RFC) from the NSA to begin the process of considering the new security feature for NFS.

“We suggested that they go ahead and [write an] Internet draft that provides some pointers to labeled mechanisms, and document what they’ve done, the design choices they’ve made… focusing on the requirements so we can [better] understand them,” says Spencer Shepler, co-chair of the IETF’s NFSv4 Working Group.

NSA was unavailable for comment at the time of this posting.

2 comments:

  1. I haven't read this draft, but I can't help but wonder: if access control is done by MAC address, what is to stop me from spoofing my MAC address and surreptitiously hijacking someone else's credentials to gain access?

    - ferg

  2. Mandatory access control (MAC), not MAC address. They are taking SELinux to NFS, basically.
