NFS Security and the Delphix Engine (KBA1654)
NOTE: This article has been archived as it is no longer valid for current supported versions of the Delphix Continuous Data platform.
The /public NFS Share
The Delphix Engine provides one NFS share, /public, which is accessible to any server with connectivity to the Delphix Engine via NFS.
This may be raised as an issue by automated vulnerability scanning software, but poses little security risk. In versions prior to 4.1 the share runs with a very small quota (100k), and therefore it should not be possible for an NFS client to run the Delphix Engine out of space and deny service to legitimate activity on the Delphix Engine. In versions 4.1 and later the share was made read-only and removed from the list of exported filesystems.
The /public share is used by the "hostchecker" tool, which is run on new target systems before they are added to Delphix. This tool attempts to mount /public and transfer a test file to it, to validate network connectivity. Because this check is performed before the Delphix Engine has any information about the new target, it would not be possible to modify an ACL with information about the new target. In
IP restrictions on NFS exports
By default, when a VDB is provisioned, all NFS shares exported from the Delphix Engine to support that VDB are restricted to the IP address of the target host(s).
Removing IP restrictions on NFS exports
When a target server has multiple IP addresses or interfaces on the same network as the Delphix Engine, the target's network stack is likely to send traffic via multiple interfaces in an attempt to spread the load.
Due to the IP restrictions on NFS exports mentioned above, the Delphix Engine will only accept requests coming from the IP address configured in Delphix for that target. This may result in unexpected failures of NFS operations, including failure to mount NFS shares during VDB provisioning.
Wherever feasible, Delphix recommends configuring static host routes on the target server, ensuring that all traffic to the Delphix Engine is sent via the IP address configured for that target.
As a last resort in cases where this is not possible, Delphix may offer to make a configuration change which removes the IP restrictions on NFS exports. This setting is global, affecting all NFS mounts presented by that engine.
This configuration change has implications for data security, and should not be taken lightly. When IP restrictions on NFS exports are removed:
If IP restrictions are removed, implementing restrictions at the network level (via firewalls or ACLs) is essential to maintaining data security on the Delphix Engine. Even with appropriate controls in place at the network level, these changes should be carefully considered.
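A way to verify from the network that the per-target IP restrictions described above are still in place is to compare the engine's export list against the target IPs registered in Delphix. The following is an added example (not Delphix's own tooling): it parses `showmount -e` output and flags any export that is open to all clients or to an address that is not a registered target. The engine hostname, export paths and IP addresses are constructed placeholders.

```python
"""Flag Delphix Engine NFS exports that lack per-target IP restrictions.

Added example, not Delphix code: parses `showmount -e <engine>` output and
reports exports open to everyone or to addresses outside a known target list.
"""

# Constructed sample of `showmount -e` output; the hostname, paths and
# addresses are placeholders, not real Delphix values.
SAMPLE_SHOWMOUNT = """\
Export list for delphix-engine.example.invalid:
/public                            (everyone)
/mnt/provision/vdb-orcl1/datafile  10.0.0.21
/mnt/provision/vdb-orcl2/datafile  10.0.0.22,10.0.0.23
/mnt/provision/vdb-orcl3/datafile  *
"""

# Assumed (constructed) set of target host IPs registered in Delphix.
REGISTERED_TARGETS = {"10.0.0.21", "10.0.0.22"}

# Access-list entries that mean "any client may mount this export".
OPEN_CLIENTS = {"*", "(everyone)"}


def parse_showmount(text):
    """Return {export_path: [client, ...]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines():
        if not line.startswith("/"):
            continue  # skip the "Export list for ..." header line
        path, _, clients = line.partition(" ")
        # mountd prints the access list as a comma-separated field
        exports[path] = [c for c in clients.strip().split(",") if c]
    return exports


def find_unrestricted(exports, registered):
    """Return {export_path: reason} for exports not limited to registered IPs."""
    problems = {}
    for path, clients in exports.items():
        if any(c in OPEN_CLIENTS for c in clients):
            problems[path] = "exported to all clients"
            continue
        unknown = sorted(c for c in clients if c not in registered)
        if unknown:
            problems[path] = "exported to unregistered client(s): " + ", ".join(unknown)
    return problems


if __name__ == "__main__":
    findings = find_unrestricted(parse_showmount(SAMPLE_SHOWMOUNT), REGISTERED_TARGETS)
    for path, reason in findings.items():
        print(f"{path}: {reason}")
```

On a live engine, replace SAMPLE_SHOWMOUNT with the captured output of `showmount -e <engine>`; an open /public entry is expected on versions prior to 4.1, as the article explains, while an open VDB export indicates the global IP restriction has been removed.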