RE: Operational impact of filtering SMB/NETBIOS traffic?
You'd have lots of complaints from me and many of my clients. Many of us log into our external gateway PDCs from foreign locations. We have shares because we want shares. You are considering killing off a whole bunch of legitimate use because some are too brain-dead to not have unintentional shares on the internet? We use SMB/Samba INSTEAD of NFS because we believe SMB to be more secure. smb.conf certainly gives more security options than exports does.
-----Original Message-----
From: Scott Call [mailto:scall@devolution.com]
Sent: Tuesday, November 14, 2000 12:21 PM
To: nanog@nanog.org
Subject: Operational impact of filtering SMB/NETBIOS traffic?
Due to an increasing number of intrusions into windows-based machines through unprotected shares, I've started filtering both incoming and outgoing traffic for our customers on ports 138/139.
So far this has caught a fair amount of traffic coming from customers, but none have called to complain about a lack of connectivity.
Because this traffic is IP traffic, I wanted to ask others on this list how they treat SMB traffic on their backbones?
Thanks -Scott
On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:
You are considering killing off a whole bunch of legitimate use because some are too brain-dead to not have unintentional shares on the internet?
well, maybe if there was a global filter on SMB then the brain-dead company that produces the brain-dead software will wake up and realize that maybe it shouldn't produce software that by default leaves their users open to intrusion or viruses.

geez, if the filter was there, are you saying that people who _need_ SMB shares are too brain-dead to come up with a straightforward way to make it get around the filter?

--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
This is something I have already seen happen and the bad side of it.

While working on a VPN project I came across many ISPs (mostly cable and DSL) who charged extra per month if you wanted to have VPN access to a remote network. We got several calls where new user A has set up the VPN software we gave them and they can't connect from home. Number one resolution was to call their ISP and move them to a "business account" where the ISP would then change their profile to allow IP types other than just TCP and UDP. It is for this reason that I am careful to only choose ISPs who either don't filter at all or who expressly detail their filtering policy before I use them. However, in the case of cable ISPs you can't always have a choice. So on that level I am against any filtering since it seems to have given many ISPs a new revenue stream for something they shouldn't really be charging extra for (IMHO).

Derrick

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jim Mercer
Sent: Saturday, November 18, 2000 8:49 PM
To: Roeland Meyer
Cc: 'Scott Call'; nanog@nanog.org
Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:
You are considering killing off a whole bunch of legitimate use because some are too brain-dead to not have unintentional shares on the internet?
well, maybe if there was a global filter on SMB then the brain-dead company that produces the brain-dead software will wake up and realize that maybe it shouldn't produce software that by default leaves their users open to intrusion or viruses.

geez, if the filter was there, are you saying that people who _need_ SMB shares are too brain-dead to come up with a straightforward way to make it get around the filter?

--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
VPN access would use more of the bandwidth more of the time than web surfing and e-mail. More file transfers and of course SMB keepalives and maybe some nice DCOM broadcasts etc. Personally I strongly prefer the use of a secure tunnel for access to a corporate network.

----- Original Message -----
From: "Derrick" <derrick@anei.com>
To: <nanog@merit.edu>
Sent: Sunday, November 19, 2000 3:04 AM
Subject: RE: (Already happening) Operational impact of filtering SMB/NETBIOS traffic?
This is something I have already seen happen and the bad side of it.
While working on a VPN project I came across many ISPs (mostly cable and DSL) who charged extra per month if you wanted to have VPN access to a remote network. We got several calls where new user A has set up the VPN software we gave them and they can't connect from home. Number one resolution was to call their ISP and move them to a "business account" where the ISP would then change their profile to allow IP types other than just TCP and UDP. It is for this reason that I am careful to only choose ISPs who either don't filter at all or who expressly detail their filtering policy before I use them. However, in the case of cable ISPs you can't always have a choice. So on that level I am against any filtering since it seems to have given many ISPs a new revenue stream for something they shouldn't really be charging extra for (IMHO).
Derrick
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jim Mercer
Sent: Saturday, November 18, 2000 8:49 PM
To: Roeland Meyer
Cc: 'Scott Call'; nanog@nanog.org
Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?
On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:
You are considering killing off a whole bunch of legitimate use because some are too brain-dead to not have unintentional shares on the internet?
well, maybe if there was a global filter on SMB then the brain-dead company that produces the brain-dead software will wake up and realize that maybe it shouldn't produce software that by default leaves their users open to intrusion or viruses.
geez, if the filter was there, are you saying that people who _need_ SMB shares are too brain-dead to come up with a straightforward way to make it get around the filter?
--
[ Jim Mercer jim@reptiles.org +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:
because we want shares. You are considering killing off a whole bunch of legitimate use because some are too brain-dead to not have unintentional shares on the internet?
There are other issues with Microsoft's networking protocols than just unintentional shares. It leaks potentially lethal information like a sieve. Letting it willy-nilly through your firewalls is an invitation to have compromised hosts on your network. It should be filtered by default, and only un-filtered by request; and that with the understanding that if it even looks like you might be owned, you get cut off until there's an explanation.
On Sun, 19 Nov 2000, Shawn McMahon wrote:
There are other issues with Microsoft's networking protocols than just unintentional shares. It leaks potentially lethal information like a sieve.
Letting it willy-nilly through your firewalls is an invitation to have compromised hosts on your network.
It should be filtered by default, and only un-filtered by request; and that with the understanding that if it even looks like you might be owned, you get cut off until there's an explanation.
This is a sound policy for the administrator of a firewall. I don't think it is a policy at all for the administrators of service-provider networks, since what the SP is providing is access.

I'm not terribly excited about the idea of edge filtering on the ISP network. I don't think it is my job to tell customers what they can and cannot run, in terms of IP traffic, until it violates an AUP. If we need better tools to tell us when a customer is the source of a DoS attack or some other violation of AUP ... some sort of alarm to let the SP know if a customer has been compromised ... I'd be much happier implementing that rather than denying traffic because it is a potential method of attack.

Carried to the extreme (which someone will always do) blocking NBT traffic doesn't make nearly as much sense as blocking ICMP by default. It would be much harder to source a DoS attack from one of my customers if they couldn't pass ICMP traffic. However, I think the customers would quickly decide that securing them wasn't my job and go in search of a less draconian ISP.

-travis
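The thread contrasts Scott's blanket filter on ports 138/139 with Travis's preference for an alarm that tells the SP when a customer looks compromised. The script below is an added illustration of the alarm approach (not code from the thread or from any of its participants): it reads a constructed flow-log format, counts how many distinct peers each host reaches on NetBIOS/SMB ports within one export interval, and flags fan-out in either direction. The customer prefix, threshold and the log layout are all assumptions.

```python
"""Flag hosts that fan NetBIOS/SMB sessions out to many distinct peers in one
flow-export interval, which is how share-scanning from a compromised customer
host (outbound) or a sweep of customer addresses (inbound) looks at the edge."""
from collections import defaultdict
import ipaddress

SMB_PORTS = {137, 138, 139, 445}                   # NetBIOS name/dgram/session + direct SMB
CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed customer prefix
FANOUT_THRESHOLD = 4                               # distinct peers per interval before alarming

# Constructed sample flows, one interval: "<epoch> <src> <dst> <proto> <dport>"
SAMPLE_FLOWS = """\
974570400 192.0.2.10 198.51.100.5 tcp 139
974570400 192.0.2.10 198.51.100.6 tcp 139
974570401 192.0.2.10 198.51.100.7 tcp 139
974570401 192.0.2.10 198.51.100.8 tcp 445
974570402 192.0.2.10 198.51.100.9 tcp 139
974570402 192.0.2.20 203.0.113.7 tcp 445
974570403 192.0.2.20 203.0.113.7 tcp 445
974570403 192.0.2.30 203.0.113.80 tcp 80
974570404 198.51.100.99 192.0.2.1 tcp 139
974570404 198.51.100.99 192.0.2.2 tcp 139
974570405 198.51.100.99 192.0.2.3 tcp 139
974570405 198.51.100.99 192.0.2.4 tcp 139
974570406 198.51.100.99 192.0.2.4 udp 137
"""

def parse_flows(text):
    """Parse flow lines into (epoch, src, dst, proto, dport); skip malformed ones."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, proto, dport = fields
        flows.append((int(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), proto, int(dport)))
    return flows

def smb_fanout_alarms(flows, customer_net=CUSTOMER_NET, threshold=FANOUT_THRESHOLD):
    """Return {(direction, host): distinct_peer_count} for hosts at or over threshold.
    'outbound': a customer host reaching many outside SMB peers (likely owned).
    'inbound': an outside host sweeping many customer addresses (a scan)."""
    peers = defaultdict(set)
    for _ts, src, dst, _proto, dport in flows:
        if dport not in SMB_PORTS:
            continue  # only NetBIOS/SMB flows count toward fan-out
        if src in customer_net and dst not in customer_net:
            peers[("outbound", str(src))].add(dst)
        elif dst in customer_net and src not in customer_net:
            peers[("inbound", str(src))].add(dst)
    return {key: len(p) for key, p in peers.items() if len(p) >= threshold}

if __name__ == "__main__":
    for (direction, host), n in sorted(smb_fanout_alarms(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"ALARM {direction}: {host} reached {n} distinct SMB/NetBIOS peers")
```

A legitimate remote user such as 192.0.2.20, who talks to one file server repeatedly, never trips the threshold, which is the distinction a blanket 138/139 filter cannot make.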
On Sat, 18 Nov 2000 20:19:12 PST, Roeland Meyer <rmeyer@mhsc.com> said:
shares on the internet? We use SMB/Samba INSTEAD of NFS because we believe SMB to be more secure. smb.conf certainly gives more security options than exports does.
Don't confuse "more options" with "more security". A protocol can have dozens of options, but yet be fundamentally insecure.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
participants (7)
- Dana Hudes
- Derrick
- Jim Mercer
- Roeland Meyer
- Shawn McMahon
- Travis Pugh
- Valdis.Kletnieks@vt.edu