RE: Operational impact of filtering SMB/NETBIOS traffic?
The scenario that you miss is Win2K laptops and workstations with Unix servers. Our policies are unix-unix = local-only NFS, and win-unix = Samba. This is mainly because of known flaws with NFS over internet security, but also because of the expense and difficulty of getting win-anything to do NFS.
-----Original Message----- From: Jim Mercer [mailto:jim@reptiles.org] Sent: Sunday, November 19, 2000 9:29 AM
as far as samba working better than NFS, that is a religious argument.
No it isn't, NFS has known exploits. I've had a server owned three times in the past four years, twice via BIND and once via NFS. None via Samba.
if you are using SMB to share files between unix systems, then i have a bit of trouble with that last line of the above.
see: above
personally, i can't think of any applications where i would attempt to do any kinda filesystem sharing across the internet.
How about collaboration servers?
i suspect the widespread use of SMB on the internet is again, because of the brain-dead applications produced by a braindead company and software produced by lazy programmers working in the braindead company's API's.
why does the application need a "share"? can it not just negotiate the information needed without mounting the entire office over a 33.6K connection?
You ARE joking, right? I haven't seen a 33.6K connection in years. A part of every deal is LAN access that usually shares, at the least, a T1. Also, you are ignorant of the way Win PDCs operate. I DHCP connect to the local LAN and log into my home PDC, from the client's site. Otherwise, the client has to give me access to their PDC and their PDC winds up owning my laptop and I have to re-configure this for every client (sometimes three per day). Every time my profile gets blown away. At the end of the day, my laptop would be a useless piece of junk and I would have to re-install the OS...not!
geez, if the filter was there, are you saying that people who _need_ SMB shares are too brain-dead to come up with a straight forward way to make it get around the filter?
There is no straight-forward way around a filter, by definition the straight-forward way is to not have the filter!
no, the brain-dead easy way around the filter is to have no filter at all.
i'm not an SMB user (outside a few LANs where we explicitly drop it all on the floor before it gets out of the network).
You just told me that you are not in marketing/management, you don't do docs, you don't collaborate on docs, and/or you never leave your corporate site to do any of the above.
could you not use an IPSec tunnel from one LAN to another, then run SMB over that tunnel?
is it not possible to use ssh port forwarding to move the packets through a secure tunnel that way?
When I can, that's what I do, via F-Secure port forwarding. However, many shops explicitly block port 22. This kills IPsec as well.
On Sun, Nov 19, 2000 at 10:25:18AM -0800, Roeland Meyer wrote:
why does the application need a "share"? can it not just negotiate the information needed without mounting the entire office over a 33.6K connection?
You ARE joking, right? I haven't seen a 33.6K connection in years.
well, you live a sheltered life. i'm kinda getting tired of people who design/implement wide area applications while wearing blinders.
could you not use an IPSec tunnel from one LAN to another, then run SMB over that tunnel?
is it not possible to use ssh port forwarding to move the packets through a secure tunnel that way?
When I can, that's what I do, via F-Secure port forwarding. However, many shops explicitly block port 22. This kills IPsec as well.
if many shops are explicitly blocking port 22, but allowing SMB, then they need their heads examined. i'm not sure how port 22 affects IPsec. it seems that you are arguing that filtering SMB will inadvertently affect a bunch of boneheads that don't know what they are doing beyond point and click. i don't have a problem with that. sure would clear off a bunch of bandwidth from my networks to further enable the users who aren't boneheads (or being managed by boneheads).
--
[ Jim Mercer    jim@reptiles.org    +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
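The point argued back and forth above (an egress filter that drops SMB/NetBIOS but leaves port 22 alone still lets a tunnelled share through, while a shop that also blocks port 22 kills the tunnel) is easy to make concrete. The following is an added example, not code from any participant in this thread: it parses a handful of constructed flow records and applies two filter policies to them. The port numbers are the standard ones (NetBIOS name/datagram 137 and 138 UDP, NetBIOS session 139 TCP, direct-hosted SMB 445 TCP as used by Win2K, SSH 22 TCP); the record format, host addresses and function names are my own assumptions for illustration.

```python
"""Classify flow records against an SMB/NetBIOS egress filter.

Added example for the thread above; not code from any of the posters.
The flow format and the sample lines are constructed for illustration.
"""
from dataclasses import dataclass

# Well-known ports: NetBIOS name service (137/udp), NetBIOS datagram
# (138/udp), NetBIOS session (139/tcp) and direct-hosted SMB (445/tcp).
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
SSH_PORT = ("tcp", 22)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'proto src:sport -> dst:dport' record."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow record: {line!r}")
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(proto.lower(), shost, int(sport), dhost, int(dport))


def classify(flow: Flow) -> str:
    """Return 'smb', 'ssh' or 'other', looking at either endpoint port."""
    ends = {(flow.proto, flow.sport), (flow.proto, flow.dport)}
    if ends & SMB_PORTS:
        return "smb"
    if SSH_PORT in ends:
        return "ssh"
    return "other"


def decide(flow: Flow, block_smb: bool = True, block_ssh: bool = False) -> str:
    """Apply a simple policy: drop SMB/NetBIOS, optionally drop SSH too."""
    kind = classify(flow)
    if kind == "smb" and block_smb:
        return "drop"
    if kind == "ssh" and block_ssh:
        return "drop"
    return "allow"


def apply_policy(lines, **policy) -> dict:
    """Map each flow record to the verdict the policy gives it."""
    return {line: decide(parse_flow(line), **policy) for line in lines}


# Constructed sample: a laptop on 10.0.0.0/8 reaching a file server in the
# documentation range 192.0.2.0/24, directly over SMB and via an SSH tunnel.
SAMPLE_FLOWS = [
    "tcp 10.0.0.5:1034 -> 192.0.2.10:445",   # direct-hosted SMB
    "tcp 10.0.0.5:1035 -> 192.0.2.10:139",   # NetBIOS session
    "udp 10.0.0.5:137 -> 192.0.2.255:137",   # NetBIOS name broadcast
    "tcp 10.0.0.5:1036 -> 192.0.2.20:22",    # SSH carrying a forwarded share
    "tcp 10.0.0.5:1037 -> 192.0.2.30:80",    # unrelated web traffic
]

if __name__ == "__main__":
    # Policy A: filter SMB/NetBIOS only; the SSH tunnel survives.
    for line, verdict in apply_policy(SAMPLE_FLOWS).items():
        print(f"A {verdict:5} {line}")
    # Policy B: also block port 22; the tunnel is dropped along with SMB.
    for line, verdict in apply_policy(SAMPLE_FLOWS, block_ssh=True).items():
        print(f"B {verdict:5} {line}")
```

Under policy A the three raw SMB/NetBIOS flows are dropped and the SSH flow passes, which is the workaround Roeland describes; under policy B the SSH flow is dropped too, which is the situation Jim says calls for having one's head examined. An IPsec tunnel would be a separate case (ESP and IKE do not use port 22), so a port-22 block does not by itself affect IPsec.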
[ On Sunday, November 19, 2000 at 10:25:18 (-0800), Roeland Meyer wrote: ]
Subject: RE: Operational impact of filtering SMB/NETBIOS traffic?
No it isn't, NFS has known exploits. I've had a server owned three times in the past four years, twice via BIND and once via NFS. None via Samba.
And you're sure there aren't any vulnerabilities in Samba, or more importantly in the actual protocols used by Samba? I'm sure bunches of crackers would be surprised to hear that! I know for sure that there are vulnerabilities in the client side! :-) Meanwhile I'll go on record as also saying that any bonehead who thinks he or she can run plain old NFS securely over a public network is in just as much a need of a clue-by-4 to the side of the head as the boneheads running SMB. Of course with my network operator hat on I'm not so sure I want to get into a position where both sets of boneheads are yelling at me for blocking their traffic. I don't have enough clue-by-4's handy to educate them all with, or even enough time to wield them. So long as those types of traffic don't present a DoS against my network then I'll happily let them all do damage to themselves by themselves -- it's just not my responsibility as a network operator to get in their way.
--
Greg A. Woods    +1 416 218-0098    VE3TCP    <gwoods@acm.org>    <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
"Greg A. Woods" wrote:
[ On Sunday, November 19, 2000 at 10:25:18 (-0800), Roeland Meyer wrote: ]
Subject: RE: Operational impact of filtering SMB/NETBIOS traffic?
No it isn't, NFS has known exploits. I've had a server owned three times in the past four years, twice via BIND and once via NFS. None via Samba.
And you're sure there aren't any vulnerabilities in Samba, or more importantly in the actual protocols used by Samba? I'm sure bunches of crackers would be surprised to hear that! I know for sure that there are vulnerabilities in the client side! :-)
ADM rocks has a special samba client version. Da bad guys love folk who want to run things like smb and nfs across LANs (not to mention the live internet). And that's just one for instance. I agree that the ISP shouldn't do filtering (although a little monitoring couldn't hurt), but a clueX4 is not enough for someone who wants to play chicken with the dark side. There are folk who will be happy to do penetration testing for free, and having any kind of open share, passworded or not, is a sure way to invite them. Fact is, I don't think I'd have announced in a public, archived forum, that I used NFS or SMB in quite that way. YMMV
--
BOFH Excuse for the day: The network is down. The printer thinks it's a router. You know, that's not so far-fetched as it used to be...
participants (4)
- Etaoin Shrdlu
- Jim Mercer
- Roeland Meyer
- woods@weird.com