May 18, 2017
Moritz Willers
Secure NFS
Deploying Secure NFS in a Large Enterprise
Head of Identity & Access Management Engineering
Table of contents
Section 1 Why are we deploying Secure NFS? 2
Section 2 Deploying Secure NFS 5
Section 3 Recap 10
Why are we deploying Secure NFS?
Section 1
… Because of the Auditors

Up to now
• Updated thousands of hosts to support Secure NFS
• Migrated thousands of users' home directories
• Migrated hundreds of applications
This is a journey – we are not yet done
Deploying Secure NFS
Section 2

Secure NFS
Deployment Challenges
• Requires a sound Kerberos installation
• Security Negotiation
• Encryption support
• rpc.gssd behaviour
• Access as root

Secure NFS
User Home Directories

Secure NFS
Applications
…

Secure NFS
How to provide Applications with Credentials
• Kharon
• S4U
  – every app?
  – pam?
  – gss-proxy?
• Keytab
  – cron
  – kstart
  – autosys
  – app code (kinit)
  – pam
  – gss-proxy
Recap
Section 3

Secure NFS
Recap
• It works
• Unified Name Space is the biggest initial hurdle
• Must have Kerberos well established and understood
• We need a better way to provide non-interactive users with credentials.
Contact information
Moritz.Willers@ubs.com
UBS AG
London Branch
1 Golden Lane
London, EC1Y 0RR
Tel. +44-20-7567 8000
www.ubs.com

CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)

Editor's Notes

  1. How are we / why are we doing it? Thousands of hosts, thousands of NFS shares, hundreds of filers, thousands of users, thousands of applications; front office, back office, infrastructure, everything: NFS is everywhere. NFSv3 with AUTH_SYS is insecure. This is nothing new; we last tried introducing Secure NFS 15 years ago.
  2. Auditors are your friends – they just see the world through a different lens. Key reasons: AUTH_SYS is weak, it trusts the client hosts, and clients can no longer be trusted, so we have to introduce authentication. The alternatives (CIFS, AFS, local SAN storage) were all dismissed; we decided to leverage the existing Kerberos infrastructure and attempt Secure NFS again.
  3. Deployment challenges:
     - Kerberos: we're lucky, we started doing Kerberos 10 years ago: a single realm across the globe, strung together with our global name space. Adopting Kerberos might be the biggest obstacle for a lot of people, and it prevents us from using Secure NFS everywhere! AD integration is a good option for many today; good commercial products are available. More on this later.
     - Security Negotiation: the security mode of an export is not visible to the client; Security Negotiation (the SECINFO call in the protocol) takes the guessing out of it. It is badly implemented: Solaris was the only one when we started; as of RHEL 6.4 it is OK as well; the NetApp implementation had bugs but is better in Clustered Data ONTAP; FreeBSD doesn't seem to have it implemented. It would make adoption so much easier if it was just there, with no adding of -sec=krb5 to all the automounter maps.
     - Encryption support: Data ONTAP 7-mode only supports DES, a weak cipher: bad. 3DES is available in Clustered Data ONTAP, and AES next year.
     - rpc.gssd behaviour: the credential cache location. Fixed in Solaris, where SunSSH accounts for it. Not fixed in Linux: OpenSSH creates the cache using mktemp() and rpc.gssd goes looking for it, and that lookup is buggy: it picks the cc with the latest time stamp, which is not the same as a valid cc. rpc.gssd is fixed in FreeBSD, but SSH creates the cache using mktemp() ...
     - Access as root: needs a root/host.name principal. RHEL 5 only uses nfs/host.name in root context; the user root is always mapped to the user nfs! Access as root is not possible from RHEL 5.
  4. User home directories are easy. Users all have credentials to start with: logging in with a Kerberos password creates a cc. Users adapt. krenew comes in handy for long-running jobs, or cron/at with 'kinit -R'.
  5. Applications are hard: they don't have credentials, they don't log in. How to give them credentials? There is no standard; Microsoft got that right. There are too many ways to do it in UNIX, and too many ways to authenticate users to start with, a lot of which do not result in a CC.
  6. Derive a credential cache from a keytab. But how do you get a keytab in the first place when you have 100'000 to deploy? And keytabs are long-lived credentials: how do you manage and rotate them? Kharon solves the keytab problem: it uses the host keytab to get a valid CC for the applications. S4U: Microsoft Constrained Delegation.
  7. I would be glad to hear your experience!
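Added example, not from the slides or from the author: a Python checker for the two credential-cache points in the notes, the Linux rpc.gssd selection in note 3 (the cache with the newest time stamp is not necessarily a valid cache) and the keytab-derived cache for non-interactive applications in note 6. It assumes the MIT Kerberos klist and kinit command-line tools and the FILE:/tmp/krb5cc_<uid> cache naming; the sample klist output and file mtimes are constructed.

```python
"""rpc.gssd cache choice vs. validity. Assumptions (not from the slides): MIT
Kerberos klist/kinit and FILE:/tmp/krb5cc_<uid> naming; SSH's mktemp() caches
look like /tmp/krb5cc_1000_AbC123."""
import os
import re
import subprocess
from datetime import datetime
from typing import Dict, List, Optional

KLIST_TIME = "%m/%d/%Y %H:%M:%S"
_STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"

def parse_klist(output: str) -> Dict[str, Optional[object]]:
    """Pull principal, TGT expiry and renew-until out of `klist` text output."""
    info: Dict[str, Optional[object]] = {"principal": None, "expires": None, "renew_until": None}
    m = re.search(r"^Default principal:\s*(\S+)", output, re.M)
    if m:
        info["principal"] = m.group(1)
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"^({_STAMP})\s+({_STAMP})\s+krbtgt/\S+", line)
        if not m:
            continue
        info["expires"] = datetime.strptime(m.group(2), KLIST_TIME)
        if i + 1 < len(lines):  # renewable tickets add a "renew until" line
            r = re.search(rf"renew until ({_STAMP})", lines[i + 1])
            if r:
                info["renew_until"] = datetime.strptime(r.group(1), KLIST_TIME)
        break
    return info

def newest_by_mtime(mtimes: Dict[str, float]) -> Optional[str]:
    """The pick the notes describe for Linux rpc.gssd: latest time stamp wins."""
    return max(mtimes, key=mtimes.__getitem__) if mtimes else None

def valid_caches(klist_outputs: Dict[str, str], now: datetime,
                 principal: Optional[str] = None) -> List[str]:
    """Caches holding an unexpired TGT, optionally for one principal only."""
    good = []
    for path, text in klist_outputs.items():
        info = parse_klist(text)
        exp = info["expires"]
        if exp is not None and exp > now and principal in (None, info["principal"]):
            good.append(path)
    return good

def candidate_caches(uid: int, tmpdir: str = "/tmp") -> Dict[str, float]:
    """All /tmp/krb5cc_<uid>* files with their mtimes (needs a real host)."""
    paths = [os.path.join(tmpdir, f) for f in os.listdir(tmpdir) if f.startswith(f"krb5cc_{uid}")]
    return {p: os.path.getmtime(p) for p in paths}

def klist_text(path: str) -> str:
    """Run `klist -c <cache>`; empty string when the cache is missing or unreadable."""
    r = subprocess.run(["klist", "-c", path], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else ""

def refresh_from_keytab(principal: str, keytab: str, ccache: str) -> bool:
    """Note 6's approach: derive a cache from a keytab into a fixed, predictable path."""
    return subprocess.run(["kinit", "-k", "-t", keytab, "-c", ccache, principal]).returncode == 0

# Constructed sample for uid 1000: the SSH-created cache is newest on disk
# but its TGT expired yesterday; the older canonical cache is still valid.
SAMPLE_NOW = datetime(2017, 5, 18, 14, 0, 0)
SAMPLE_MTIMES = {"/tmp/krb5cc_1000": 1495090800.0, "/tmp/krb5cc_1000_AbC123": 1495100000.0}
SAMPLE_KLIST = {
    "/tmp/krb5cc_1000": (
        "Ticket cache: FILE:/tmp/krb5cc_1000\nDefault principal: alice@EXAMPLE.COM\n\n"
        "Valid starting       Expires              Service principal\n"
        "05/18/2017 08:00:00  05/18/2017 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
        "\trenew until 05/25/2017 08:00:00\n"),
    "/tmp/krb5cc_1000_AbC123": (
        "Ticket cache: FILE:/tmp/krb5cc_1000_AbC123\nDefault principal: alice@EXAMPLE.COM\n\n"
        "Valid starting       Expires              Service principal\n"
        "05/17/2017 09:00:00  05/17/2017 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"),
}

if __name__ == "__main__":
    picked = newest_by_mtime(SAMPLE_MTIMES)
    ok = valid_caches(SAMPLE_KLIST, SAMPLE_NOW)
    print(f"newest-by-mtime pick: {picked} (valid: {picked in ok}); valid caches: {ok}")
```

On a real host, feed candidate_caches() through klist_text() instead of the constructed sample; refresh_from_keytab() writes to the canonical path so the newest-mtime pick and the valid cache coincide.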