VMware Communities
cam_macdonell
Contributor
Contributor
‎12-01-2009 03:38 PM

Is NFS over NAT secure?

Hi,

I'm curious if VMs on a NAT will be able to spoof being the host itself and therefore mount any NFS exports that the host can mount. My thought comes from the fact that the NFS server can't distinguish the guest traffic from the host traffic.

Thanks,

Cam

0 Kudos
2 Replies
purduecjs
Enthusiast
Enthusiast
‎12-01-2009 05:29 PM

Service Console and VM traffic should be on different networks ... additionally, the source IPs for the vm and the ESX host should be quite different so there is no identifiable security risk that I can see as long as 1) your SC and VM do not share the same network, and 2) your NFS exports are defined correctly so as to only allow those hosts/IP's that need access.

Hope that helps!

Cameron J. Smith

System Administrator, Purdue University

-- Cameron
purduecjs
Enthusiast
Enthusiast
‎12-01-2009 05:30 PM

You are correct in your assumptions. I would suggest segregating networks (using multiple external IP's) if possible and only NAT on a secondary IP, one that you would reserve for VM traffic. The only other alternative that I can think of would be to expose each VM to the network with its own IP.

Cameron J. Smith

System Administrator, Purdue University

-- Cameron