RE: Operational impact of filtering SMB/NETBIOS traffic?
Are you going to provide consulting services -- for free -- when what the customer wants to do is not allowed because of your network filtering choices?

-Mat

-----Original Message-----
From: Adam Rothschild [mailto:asr@latency.net]
Sent: Monday, November 20, 2000 8:06 AM
To: nanog@merit.edu
Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:
You'd have LOTs of complaint from me and many of my clients. Many of us log into our external gateway PDCs from foreign locations. We have shares because we want shares.
Yikes. Isn't that what secure road-warrior VPNs are for?
You are considering killing off a whole bunch of legitimate use because some are too brain-dead to not have unintentional shares on the internet?
Intentional or not, sniffing SMB passwords and share info doesn't require much skill.
We use SMB/Samba INSTEAD of NFS because we believe SMB to be more secure.
That's like saying the electrical chair may be far more appealing to some than lethal injection. NFS and SMB are both insecure and inefficient mechanisms for file transfer over the public Internet. SMB may be the lesser of the two evils, but it's really irrelevant. Why not use ssh/sftp, or for the Unix impaired, some https-based file transfer interface, instead?

On Sun, Nov 19, 2000 at 09:06:06AM -0800, Roeland Meyer wrote:
[...] in addition, you block the NetBIOS ports then you block application-level access for 80% of internet users.
How so? Sounds like you'd be promoting responsible usage instead.

-adam
2000-11-20-18:37:15 Mathew Butler:
Are you going to provide consulting services -- for free -- when what the customer wants to do is not allowed because of your network filtering choices?
Are you going to provide consulting services -- for free -- when nobody can do anything because the swarms of Windows PCs that are being burgled via worms propagating via SMB all start doing DDoS attacks? Or even, when the numbers of them climb to the point where simply their automated scans for new victims succeed in melting down your net?

If doing Windows filesharing over the internet is the only job this grand toy is here for, and it's so critical that you're willing to sacrifice the whole thing to try and keep it limping along as long as possible, then I suppose your stance makes some kind of sense. Somehow I find that hard to believe.

Are you just trolling?

-Bennett
participants (2)
- Bennett Todd
- Mathew Butler