 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
Derek Atkins wrote in a message to Mike Bilow: > Since NetBEUI is inherently unable to be routed, I would assume that > it tends to be fairly secure by default. This is very different > from TCPBEUI, which obviously can cross routers. I can't really > imagine anyone running a TCP/IP LAN without a firewall these days, > and I'm not so sure that the firewall has to be quite that fascist. DA> I run a TCP/IP LAN at home and I don't have a firewall. But DA> I'm probably more the exception than the rule. I believe DA> that we can secure machines such that firewalls are no DA> longer necessary. Indeed, I believe that such security is DA> available today, if people use it. Obviously, a firewall is not especially useful for a very small LAN operated principally by one person, but securing machines directly is something of a challenge depending upon the range of operating systems available. > You're something of an expert on security, so I may as well ask: if > the firewall simply blocks all inbound traffic referencing ports > 137, 138, and 139, what risk is there to a TCPBEUI LAN? Are there > any legitimate reasons for traffic from the public referencing these > ports to cross a firewall? DA> I must admit that my personal resolver doesn't expand DA> "BEUI". I also don't know enough about the internals of DA> netbios to know if it uses any ports other than the 137-139. DA> I *suspect* that blocking those ports on the firewall (both DA> incoming *AND* outgoing) _should_ effectively block netbios, DA> but it's always possible for someone on the inside to open DA> up holes to people on the outside. NetBIOS frames can be wrapped in conventional network protocols such as IP, or they can be thrown onto an Ethernet wire with a minimum of ceremony. When using TCP/IP as a wrapper for NetBIOS, Microsoft likes to call it TCPBEUI. The default original protocol for use with NetBIOS was NetBEUI, which is pretty much just throwing the frames directly onto Ethernet with an IEEE 802.2 wrapper and protocol identifier. While holes can be opened from the inside of a firewall, they would have to be some awfully egregious wholes such as running a port reflector that moved data from an open port to a blocked port. This sort of thing would be on the order of outright sabotage, not a simple misconfiguration. As with any pseudo-network protocol based on raw IEEE 802.2, NetBEUI cannot be routed. This tends to make it inherently secure to an extent, as I said, even on platforms such as Windows 95. TCPBEUI, as far as I know, uses only ports 137, 138, and 139. I don't know if there is enough of a formal standard anywhere that requires this, but all implementations that I know about do it this way. Even rather simple security precautions, such as restricting access by IP addresses in inetd.conf, should provide a decent level of protection to an otherwise well maintained Linux machine. As you say, however, a Windows 95 peer server would be dependent on some kind of firewall for even minimally useful protection. DA> Security, of course, depends on your threat model. That's true. What kind of threats are we worried about? DA> FYI: Much of my information about SMB is from CIFS, which is DA> based on SMB. CIFS is MicroSquish's vaporware marketing to DA> battle WebNFS (which actually exists). I've heard of CIFS, but I don't really know anything about it. Is it connected with Microsoft's bizarre NT clustering technology? As far as I can tell, Microsoft seems to think that "fault tolerance" means that the collapse of one clustered machine should imply the immediate collapse of all other machines in the same cluster. > DA> N1NWH > > I didn't know you were a ham! Are you ever active on the Boston repeaters? DA> Used to be active on the MIT Repeater. Ocassionally I was on DA> .23, but that was a few years ago. I use the linked system which includes Mt. Wachusett, 448.625, quite often. I happened to pop up on 145.23 on Tuesday for the first time in months, since I was driving through the Boston area, and I ran into WZ1L, K9HI, and N1IST. I also try to catch at least one or two of the monthly MIT Fleas at the garage each year, and the season for those should be starting up in April. -- Mike, N1BEE
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
