NFSv4: An Extensible Security Layer for Network Storage
pdf
ABSTRACT
The Network File System (NFS) is a popular method for computers to access files across networks. The latest major version of this IETF protocol, version 4, is widely accepted and includes numerous new features to improve security, performance, and usability when used over wide-area networks. However, the NFSv4's security focus is on network-wide encryption (ensuring that user data cannot be intercepted) and user authentication (ensuring that only legitimate users can access their files); it does not address end-to-end data security (i.e., persistently stored data), does not address data integrity (malicious or benign data corruptions), and more.
This project extends NFSv4 with a security layer that allows one to develop multiple, composable plugin modules to enhance the protocol's security. This layer allows for interception of protocol requests between clients and servers to perform various useful security functions: logging access to files by users and hosts, useful for regulatory compliance reports and audits; inspecting files for malware patterns and automatically quarantining them; verifying the integrity of long-lived files against malicious changes (e.g., Trojan intrusions) and benign but serious ones (e.g., storage media degradation and hardware corruptions); detecting denial-of-service attempts and ensuring quality-of-service to legitimate users through load-balancing and redirection; automatic snapshotting and logging to allow for forensic analysis and recovery from failures and intrusions. In a cloud-based era where more data lives longer and is accessed over wide-area insecure networks, this project helps elevate the level of security of every user's data files.
Award ID: 1223239
Submitted by Katie Dey
on
ABSTRACT
The Network File System (NFS) is a popular method for computers to access files across networks. The latest major version of this IETF protocol, version 4, is widely accepted and includes numerous new features to improve security, performance, and usability when used over wide-area networks. However, the NFSv4's security focus is on network-wide encryption (ensuring that user data cannot be intercepted) and user authentication (ensuring that only legitimate users can access their files); it does not address end-to-end data security (i.e., persistently stored data), does not address data integrity (malicious or benign data corruptions), and more.
This project extends NFSv4 with a security layer that allows one to develop multiple, composable plugin modules to enhance the protocol's security. This layer allows for interception of protocol requests between clients and servers to perform various useful security functions: logging access to files by users and hosts, useful for regulatory compliance reports and audits; inspecting files for malware patterns and automatically quarantining them; verifying the integrity of long-lived files against malicious changes (e.g., Trojan intrusions) and benign but serious ones (e.g., storage media degradation and hardware corruptions); detecting denial-of-service attempts and ensuring quality-of-service to legitimate users through load-balancing and redirection; automatic snapshotting and logging to allow for forensic analysis and recovery from failures and intrusions. In a cloud-based era where more data lives longer and is accessed over wide-area insecure networks, this project helps elevate the level of security of every user's data files.
Award ID: 1223239