CIFS (or equiv.) and security

Derek Martin ddm at mclinux.com
Thu May 18 16:04:27 EDT 2000


On Thu, 18 May 2000, Ron Peterson wrote:

> I'm contemplating opening my firewall to allow NetBIOS traffic through,

NONONONONO!

> so people in my office can mount Samba shares from home.  

NONONONO!

> Am I being egregiously stupid?

YESYESYESYESYES!!!  Well, not really, you're just ignorant of the issues.
Basically doing this makes your system very susceptible to attack, and
your data can easily be copied by basically anyone.

> 
> Samba supports encrypted authentication.  Is this encryption strong
> enough to ward off script kiddies and their ilk?  

Script kiddies, maybe, real hackers, no.  The encryption MS uses for these
passwords is very easily broken.  I've used -- I mean seen -- I mean heard
of programs to crack them.  :)  

> Are there other vulnerabilities, in addition to authentication, that I
> should be concerned about?

Well, if you're on MediaOne, it may not be possible.  MediaOne has
supposedly implemented filtering of NetBIOS at the CM.  Other people are
probably doing this too.  NetBIOS is a very chatty protocol, and most
people who are concerned about the efficiency of their network won't want
it on their wires.
 
> Are there better alternatives?  Besides Oracle's IFS (I'm sure it may be
> fine technology, I just don't like Oracle).  Is a VPN the only way to
> go?  Would sure be nice to just NET USE T: \\HOST.MY.DOMAIN\SHARE.

Yeah, copy the data to a CD and put it on a local server.  Shares over the
internet are a VERY bad idea, in general.

Rereading your post, I now see that I've misunderstood you.  I thought
initially you wanted to make a share you had at your home available to
users at your office.  What you're doing sounds even worse to me.


-- 
Derek Martin
System Administrator
Mission Critical Linux
martin at MissionCriticalLinux.com 
