Access wdmycloud map drive remotely

You can also have a look at the NFS over Static Ports mini-guide I put up a few weeks back.

NFS is a mapped drive technology for Linux and Unix-like environments (which includes OSX). With static ports enabled, appropriate rules at the firewall can be implemented, and users can attach to and mount the NFS shares from anywhere on the internet (assuming the exports rules are configured that way. I STRONGLY advise against that, and STRONGLY advise only allowing internet access to trusted peers with static IPs-- but hey, what do I know, I am just a former SAN guy…)

Similar story with enabling all the needed ports for SMB protocol, if you need Windows shares-- but that is just ASKING for trouble. (Many infamous botnets look for open ports used by MS Networking, including NetBIOS over TCP/IP, which is how they tunnel and spread across the internet. Leaving those ports open is just asking for a dedicated attack to start.) If you put devices like these on the internet, they NEED to be inside a DMZ!

The truly sensible way to do this is to set up a VPN, and then map the drive as if it were local over the VPN tunnel, and control access to the VPN using a strong 2 factor authentication system, with the file hosts being mirrored instances of the actual production data stores, living inside a special DMZ on your host network, with regular auditing logs, backup schedules, and redundant storage.

Security is NOT a “Nice thing to have”, it is “AN ESSENTIAL THING TO HAVE”.

There is no such thing as a truly secure connection. Only connections that have minimized their attack surface. The more open ports you expose over your firewall, the greater your attack surface. Larger attack surfaces almost guarantee eventual compromise, as we are not dealing with bored children today. We are dealing with massive swarms of millions of compromised devices doing distributed penetration attacks against any and every device they can scan in a fully automated, efficient manner. VPNs minimize the attack surface down to a single point of possible entry, which if you are using 2 factor auth, requires the attacker to have a physical item to gain access through. If they get through that, if you have set up the DMZ properly, they will end up inside the DMZ, and not have full access to the private network. They will have to continue their penetration efforts to get deeper, which if you have proper monitoring suites set up, will be flagged almost instantly, allowing you to cut the VPN connection, and begin sanitizing/auditing the penetration.

Unless you want your cloud storage array being used to distribute child pornography, or used for any number of other highly illegal and very undesirable actions by 3rd parties that honestly do not care a single bit about what is legal or moral, you NEED to take security of the device very seriously.

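An added example, not part of the original post: a small Python check of the NFS exports rules the post refers to, flagging every entry that lets anything other than one allowlisted static IP mount a share. The export paths, the addresses (documentation ranges) and the `TRUSTED_PEERS` allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample /etc/exports content; paths and addresses are illustrative.
SAMPLE_EXPORTS = """\
# shares on the NAS
/nfs/Public    *(rw,sync)
/nfs/backup    203.0.113.10(rw,sync) 198.51.100.0/24(ro)
/nfs/media     (ro)
/nfs/private   192.0.2.77(rw,sync)
/nfs/docs      peer.example.net(ro)
"""

TRUSTED_PEERS = {"203.0.113.10"}  # assumed allowlist of static peer IPs


def classify(client, trusted_ips):
    """Return a reason if the client spec is broader than one trusted IP, else None."""
    if client in ("", "*"):
        return "exported to any host"
    if "*" in client or "?" in client or client.startswith("@"):
        return "wildcard or netgroup, not a fixed peer"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "hostname, not a static IP"
    if net.num_addresses > 1:
        return "subnet wider than a single peer"
    if net.network_address not in trusted_ips:
        return "IP not in trusted peer list"
    return None


def audit_exports(text, trusted):
    """Return (path, client, reason) for every export entry that is too open."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        # A bare path, or "(opts)" with no host in front, exports to everyone.
        specs = parts[1].split() if len(parts) > 1 else [""]
        for spec in specs:
            client = spec.split("(", 1)[0]
            reason = classify(client, trusted_ips)
            if reason:
                findings.append((parts[0], client, reason))
    return findings
```

Calling `audit_exports(SAMPLE_EXPORTS, TRUSTED_PEERS)` returns one finding per over-broad entry; only the `203.0.113.10` entry on `/nfs/backup` passes.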