Operational impact of filtering SMB/NETBIOS traffic?
Due to an increasing number of intrusions into windows-based machines through unprotected shares, I've started filtering both incoming and outgoing traffic for our customers on ports 138/139. So far this has caught a fair amount of traffic coming from customers, but none have called to complain about a lack of connectivity. Because this traffic is IP traffic, I wanted to ask others on this list how they treat SMB traffic on their backbones? Thanks -Scott
On Tue, 14 Nov 2000, Scott Call wrote:
:Because this traffic is IP traffic, I wanted to ask others on this list
:how they treat SMB traffic on their backbones?

Though I have never worked on a backbone or ISP that did that, it might make sense to do it, and if someone has a problem, tell them to set up a pptp connection to their destination. Hrm, if Microsoft is going to start multiplexing protocols to get past firewalls (DCOM et al..) maybe ISPs should insist users only use certain other protocols through an authenticated/encrypted tunnel? ;) Tit for tat, I say.

Marcus Ranum had an interesting comment/platitude a while ago which was "de-multiplex HTTP!". This was in response to how vendors (one in particular) tunnel so much over http, which causes a number of access-control/security problems that break our attempts to add some semblance of security to IP networks. Maybe some protocols are only fit for VPNs? I say do it. However, you'll probably have to make a better business case for it than "Er.."batz" told me to.."

-- batz
Reluctant Ninja
Defective Technologies
> Because this traffic is IP traffic, I wanted to ask others on this list
> how they treat SMB traffic on their backbones?

We've asked all customers, and nearly all of those have had us go ahead and filter it inbound into their tailcircuits. Some we're also filtering outbound, again at the tailcircuit. A few have asked for exceptions for some home or branch offices, but that hasn't gotten unmanageable yet. Most of the ones with complicated remote-access needs use GRE.

-Bill
----- Original Message -----
From: Bill Woodcock <woody@zocalo.net>
To: Scott Call <scall@devolution.com>
Cc: <nanog@nanog.org>
Sent: Tuesday, November 14, 2000 2:32 PM
Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

> > Because this traffic is IP traffic, I wanted to ask others on this list
> > how they treat SMB traffic on their backbones?
> We've asked all customers, and nearly all of those have had us go ahead and filter it inbound into their tailcircuits. Some we're also filtering outbound, again at the tailcircuit. A few have asked for exceptions for some home or branch offices, but that hasn't gotten unmanageable yet. Most of the ones with complicated remote-access needs use GRE.
Yes, all people really need from the IPv4 global transport is the basic, transparent, end-to-end transport of packets with IP (not TCP or UDP) headers, without disturbing the TOS field...with that, we can evolve... Jim Fleming http://www.unir.com/images/architech.gif http://www.unir.com/images/address.gif http://www.unir.com/images/headers.gif http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt http://msdn.microsoft.com/downloads/sdks/platform/tpipv6/start.asp
Yo Scott! On Tue, 14 Nov 2000, Scott Call wrote:
> Due to an increasing number of intrusions into windows-based machines through unprotected shares, I've started filtering both incoming and outgoing traffic for our customers on ports 138/139.
I have had my upstream filter these ports on me before. They get an angry call right away. I use SMB to mount remote shares, do remote authentication and remote printing. Sure most people do not know how to do this, but I have taught a lot of my customers to do it. Road Warriors love it. They never want to go back to the old ways.

I have worked at several ISPs that found the easiest way to reduce the customer list was to start filtering. A lot of folks do not complain, they just move on to another ISP.

A good compromise is to notify your customers that you are providing the extra "service" and let them opt-out if they choose.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
On Tue, 14 Nov 2000, Gary E. Miller wrote:
> I have had my upstream filter these ports on me before. They get an angry call right away. I use SMB to mount remote shares, do remote authentication and remote printing. Sure most people do not know how to do this, but I have taught a lot of my customers to do it. Road Warriors love it. They never want to go back to the old ways.

> I have worked at several ISPs that found the easiest way to reduce the customer list was to start filtering. A lot of folks do not complain, they just move on to another ISP.
I think SMB attacks are a serious problem and did not have problems at the one place I worked where the ISP started arbitrarily filtering SMB - the only problem was that they gave no warning before doing it.
> A good compromise is to notify your customers that you are providing the extra "service" and let them opt-out if they choose.
Agreed.

-- Steve Sobol, BOFH, President
888.480.4NET 866.DSL.EXPRESS 216.619.2NET
North Shore Technologies Corporation http://NorthShoreTechnologies.net
JustTheNet/JustTheNet EXPRESS DSL (ISP Services) http://JustThe.net
mailto:sjsobol@NorthShoreTechnologies.net
Proud resident of Cleveland, OH
On Tue, 14 Nov 2000, Scott Call wrote:
> Because this traffic is IP traffic, I wanted to ask others on this list how they treat SMB traffic on their backbones?
One of the things I considered doing was filtering 137-139 in our data centres to reduce risk to customers' poorly (usually through knowing no better, so no offence intended here) configured NT boxes. It does seem, however, that people do want truly unrestricted NetBIOS over IP connectivity into their boxes, "So we can browse the server from the office" being a familiar cry. As a result of this, we didn't go ahead with the intended filtering.

Experience has taught me that people (a) do this, and do it a lot (certainly in Europe, YMMV elsewhere); and (b) a good number of them are happy to have a server with little external filtering/firewalling/protection doing it. I find this particularly scary...

-- Paul
Not speaking for my employer, in case you know who they are...
It may break some things your customers use, like Exchange mail with NT domain authentication. Also, be aware that Netbios now operates on higher ports on Win2k and possibly WinME (445/TCP) as well as the 135-139 range. Netbios can also be proxied via 80/TCP now as well, though I think that may only be outbound. People who design protocols like this should be tarred, feathered, and then shot.

-- Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I don't speak for them here. I have public opinions, and they don't.

On Tue, 14 Nov 2000, Scott Call wrote:
> Due to an increasing number of intrusions into windows-based machines through unprotected shares, I've started filtering both incoming and outgoing traffic for our customers on ports 138/139.

> So far this has caught a fair amount of traffic coming from customers, but none have called to complain about a lack of connectivity.

> Because this traffic is IP traffic, I wanted to ask others on this list how they treat SMB traffic on their backbones?
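The tailcircuit policy Bill describes (inbound filtering by default, outbound for some customers, exceptions for a branch office) and Joe Shaw's point that a 138/139-only filter leaves 135-137 and 445/TCP open can both be checked against sample flows before rules go onto a router. The following is an added example, not code from the thread or from any of its participants: the customer names, prefixes (RFC 5737 documentation ranges) and flow records are constructed, and the `Customer`/`Flow` classes and the `evaluate`/`coverage_gap` functions are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Ports named in the thread: NetBIOS over TCP/IP (135-139) and direct-hosted
# SMB on 445/TCP (Win2k). 137/138 are UDP, 139/445 TCP; the policy below keys
# on the destination port only, so both transports are handled alike.
NETBIOS_PORTS = frozenset({135, 136, 137, 138, 139})
SMB_DIRECT_PORTS = frozenset({445})
ALL_SMB_PORTS = NETBIOS_PORTS | SMB_DIRECT_PORTS
LEGACY_FILTER = frozenset({138, 139})  # the filter as first deployed in the thread


@dataclass
class Customer:
    """One customer tailcircuit and its filtering choices (constructed)."""
    name: str
    prefix: IPv4Network
    filter_inbound: bool = True     # the default Bill describes
    filter_outbound: bool = False   # only some customers asked for this
    # Remote networks (e.g. a branch office) exempt from the filter.
    exceptions: list = field(default_factory=list)

    def exempt(self, remote: str) -> bool:
        addr = ip_address(remote)
        return any(addr in net for net in self.exceptions)


@dataclass
class Flow:
    """A single flow record as a collector might export it (constructed)."""
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow, customers: list, blocked_ports=ALL_SMB_PORTS):
    """Return (action, reason) for a flow crossing a customer tailcircuit.

    The first customer whose prefix contains the destination (inbound) or the
    source (outbound) decides; customer-to-customer flows are judged by the
    destination side, which is listed first in the loop.
    """
    if flow.dport not in blocked_ports:
        return "allow", "not an SMB/NetBIOS port"
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for c in customers:
        if dst in c.prefix:  # inbound toward the customer
            if not c.filter_inbound:
                return "allow", f"{c.name} opted out of inbound filtering"
            if c.exempt(flow.src):
                return "allow", f"{c.name} exception for {flow.src}"
            return "drop", f"inbound {flow.proto}/{flow.dport} into {c.name}"
        if src in c.prefix:  # outbound from the customer
            if not c.filter_outbound:
                return "allow", f"{c.name} does not filter outbound"
            if c.exempt(flow.dst):
                return "allow", f"{c.name} exception for {flow.dst}"
            return "drop", f"outbound {flow.proto}/{flow.dport} from {c.name}"
    return "allow", "no customer tailcircuit matched"


def coverage_gap(blocked_ports) -> frozenset:
    """SMB-related ports a filter leaves open (Joe Shaw's 135-137 / 445 point)."""
    return ALL_SMB_PORTS - frozenset(blocked_ports)


# Constructed customers: one filtered both ways with a branch-office exception,
# one that opted out of the inbound filter entirely.
CUSTOMERS = [
    Customer("acme", ip_network("192.0.2.0/24"), filter_inbound=True,
             filter_outbound=True, exceptions=[ip_network("198.51.100.0/28")]),
    Customer("optout", ip_network("203.0.113.0/24"), filter_inbound=False),
]

# Constructed flow records.
FLOWS = [
    Flow("198.51.100.200", "192.0.2.10", "tcp", 139),   # stranger -> acme share
    Flow("198.51.100.5", "192.0.2.10", "tcp", 139),     # branch office -> acme
    Flow("192.0.2.10", "198.51.100.200", "udp", 137),   # acme -> outside world
    Flow("198.51.100.200", "203.0.113.7", "tcp", 445),  # inbound to opt-out customer
    Flow("198.51.100.200", "192.0.2.10", "tcp", 80),    # ordinary web traffic
]


def run(blocked_ports=ALL_SMB_PORTS):
    """Evaluate every sample flow under the given port set."""
    return [evaluate(f, CUSTOMERS, blocked_ports) for f in FLOWS]


if __name__ == "__main__":
    for f, (action, why) in zip(FLOWS, run()):
        print(f"{action:5} {f.src} -> {f.dst} {f.proto}/{f.dport}: {why}")
    print("left open by a 138/139-only filter:", sorted(coverage_gap(LEGACY_FILTER)))
```

Running `run(LEGACY_FILTER)` instead of `run()` lets the 137/UDP and 445/TCP flows through, which is the gap the reply above warns about; the opt-out customer and the branch-office exception show how the notify-and-opt-out compromise from earlier in the thread can be expressed per tailcircuit rather than as one blanket rule.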
participants (8)
- batz
- Bill Woodcock
- Gary E. Miller
- JIM FLEMING
- Joe Shaw
- Paul Thornton
- Scott Call
- Steven J. Sobol