Funny, in the earlier thread you argue against blocking ports as a means of taking the steam out of these virii/worms. In this one, you make the point of SMB being insecure on the Internet. Sorry if I'm replying to thread A through thread B, but I feel they're connected. At one point I agreed with you about blocking ports being a bad thing and not what customers want. They want unfiltered, and full. Anything less is theft. Right? Well, I started wavering as I learned more about security, specifically, how insecure some protocols are by default. What caused me to completely cross over into the "port filtering is OK" camp was the fact that Microsoft themselves, in a "securing Windows NT" document we found a while back, recommended that due to inherent insecurities, NetBIOS be disabled on Internet machines. If the vendor says it shouldn't be connected to the Internet, I tend to agree. Obviously I won't recommend that transit providers do the same thing. But as an access and hosting provider, I block NetBIOS by default, and let my customers know. If a customer comes to me and says, "hey, I'm running Exchange and my customers need to connect to it with Outlook," I explain the risks involved, let them know they will have to be vigilant about patching, and open the ACL for their Exchange server. If I'm feeling particularly talkative, I explain the benefits of using a VPN over opening 135 and its unsafe brother and sister ports. I have yet to lose a customer due to these policies, probably because I chose to enforce it softly and flexibly. In fact, I have converted one customer, or rather the customer converted himself after not patching his server quickly enough and becoming infected with Blaster. Once he realized how vulnerable he was, he changed the methodology he used to connect his Exchange users to his server. Your home storage example serves to illustrate further. In today's plug-and-play culture, end users and even lazy administrators often overlook the security implications of some of the things they do. By filtering and explaining to my customers what and why I am filtering, I am helping to educate and protect them. This might be beyond the job description of the edge ISP, but my customers seem to be happy with it. -bob -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan Sent: Sunday, September 21, 2003 5:59 PM To: nanog@merit.edu Subject: Home Storage Area Network security I received a few comments about file servers not serving files by default. There are a bunch of home SAN products on the market. They are designed to make it very easy for customers to set up and use a home storage area network. I think these are very cool products, and although some geeks like building stuff from scratch, other folks like buying stuff assembled and working out of the box. But they seem very dangerous when connected directly to the open Internet without some access control turned on. Instead they "assume" there will always be a secure firewall in place, protecting the devices. But in all the discussion about how secure their products are, you rarely see an explicit requirement for these SAN devices to be installed behind a firewall. Just because you use Linux does not make SMB secure on the Internet. http://www.mirra.com/ Ease of Use: Just plug in Mirra, run the installer, and let it auto-detect your network settings. Name your Mirra, say .ok. to the recommended backup set (or select your own), then forget it. Remote access is simple to use as well. No IPs to configure, no firewalls to penetrate. Mirra does it for you. http://www.martian.com/howtouseit.html The NetDrive comes pre-configured from the factory, so you don't have to worry about reading a long manual or learning about setting up file serving software. Of course, if you do want to enable password protection for your files or use a special network configuration, the NetDrive's simple web-based configuration interface will let you. What protocols does it serve files under? The NetDrive uses the standard SMB protocol to share its files. This makes it compatible with Windows PCs, Macs running OS X, and Linux boxes.