Derek Atkins wrote in a message to Mike Bilow:

> Since NetBEUI is inherently unable to be routed, I would assume that
> it tends to be fairly secure by default. This is very different
> from TCPBEUI, which obviously can cross routers. I can't really
> imagine anyone running a TCP/IP LAN without a firewall these days,
> and I'm not so sure that the firewall has to be quite that fascist.

DA> I run a TCP/IP LAN at home and I don't have a firewall. But
DA> I'm probably more the exception than the rule. I believe
DA> that we can secure machines such that firewalls are no
DA> longer necessary. Indeed, I believe that such security is
DA> available today, if people use it.

Obviously, a firewall is not especially useful for a very small LAN operated principally by one person, but securing machines directly is something of a challenge depending upon the range of operating systems available.

> You're something of an expert on security, so I may as well ask: if
> the firewall simply blocks all inbound traffic referencing ports
> 137, 138, and 139, what risk is there to a TCPBEUI LAN? Are there
> any legitimate reasons for traffic from the public referencing these
> ports to cross a firewall?

DA> I must admit that my personal resolver doesn't expand
DA> "BEUI". I also don't know enough about the internals of
DA> netbios to know if it uses any ports other than the 137-139.
DA> I *suspect* that blocking those ports on the firewall (both
DA> incoming *AND* outgoing) _should_ effectively block netbios,
DA> but it's always possible for someone on the inside to open
DA> up holes to people on the outside.

NetBIOS frames can be wrapped in conventional network protocols such as IP, or they can be thrown onto an Ethernet wire with a minimum of ceremony. When using TCP/IP as a wrapper for NetBIOS, Microsoft likes to call it TCPBEUI. The default original protocol for use with NetBIOS was NetBEUI, which is pretty much just throwing the frames directly onto Ethernet with an IEEE 802.2 wrapper and protocol identifier.

While holes can be opened from the inside of a firewall, they would have to be some awfully egregious holes, such as running a port reflector that moved data from an open port to a blocked port. This sort of thing would be on the order of outright sabotage, not a simple misconfiguration.

As with any pseudo-network protocol based on raw IEEE 802.2, NetBEUI cannot be routed. This tends to make it inherently secure to an extent, as I said, even on platforms such as Windows 95. TCPBEUI, as far as I know, uses only ports 137, 138, and 139. I don't know if there is enough of a formal standard anywhere that requires this, but all implementations that I know about do it this way.

Even rather simple security precautions, such as restricting access by IP addresses in inetd.conf, should provide a decent level of protection to an otherwise well maintained Linux machine. As you say, however, a Windows 95 peer server would be dependent on some kind of firewall for even minimally useful protection.

DA> Security, of course, depends on your threat model.

That's true. What kind of threats are we worried about?

DA> FYI: Much of my information about SMB is from CIFS, which is
DA> based on SMB. CIFS is MicroSquish's vaporware marketing to
DA> battle WebNFS (which actually exists).

I've heard of CIFS, but I don't really know anything about it. Is it connected with Microsoft's bizarre NT clustering technology? As far as I can tell, Microsoft seems to think that "fault tolerance" means that the collapse of one clustered machine should imply the immediate collapse of all other machines in the same cluster.

> DA> N1NWH
>
> I didn't know you were a ham! Are you ever active on the Boston repeaters?

DA> Used to be active on the MIT Repeater. Occasionally I was on
DA> .23, but that was a few years ago.

I use the linked system which includes Mt. Wachusett, 448.625, quite often. I happened to pop up on 145.23 on Tuesday for the first time in months, since I was driving through the Boston area, and I ran into WZ1L, K9HI, and N1IST. I also try to catch at least one or two of the monthly MIT Fleas at the garage each year, and the season for those should be starting up in April.

-- Mike, N1BEE
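The thread contrasts blocking ports 137-139 inbound only with blocking them in both directions. The following is an added example, not part of the list message: a toy stateless filter evaluated over constructed flows, showing that the inbound-only policy still lets LAN hosts send NetBIOS name-service and session traffic to the outside. The LAN prefix and addresses are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# NetBIOS over TCP/IP ports named in the thread: name service (137/udp),
# datagram service (138/udp) and session service (139/tcp).
NETBIOS_PORTS = {137, 138, 139}
LAN = ip_network("192.168.1.0/24")  # assumed private LAN range (constructed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def direction(flow: Flow) -> str:
    """Classify a flow relative to the LAN as 'in', 'out' or 'internal'."""
    src_inside = ip_address(flow.src) in LAN
    dst_inside = ip_address(flow.dst) in LAN
    if src_inside and dst_inside:
        return "internal"
    return "out" if src_inside else "in"


def allowed(flow: Flow, blocked_dirs: set) -> bool:
    """Drop a flow only if it targets a NetBIOS port in a blocked direction."""
    return not (flow.dport in NETBIOS_PORTS and direction(flow) in blocked_dirs)


INBOUND_ONLY = {"in"}          # the policy proposed in the quoted question
BOTH_WAYS = {"in", "out"}      # the policy DA suggests instead

SAMPLE_FLOWS = [  # constructed traffic, not captured data
    Flow("203.0.113.7", "192.168.1.10", "tcp", 139),   # outside -> LAN session
    Flow("192.168.1.10", "203.0.113.7", "udp", 137),   # LAN -> outside name query
    Flow("192.168.1.10", "203.0.113.7", "tcp", 139),   # LAN -> outside session
    Flow("192.168.1.10", "192.168.1.20", "tcp", 139),  # LAN peer to LAN peer
    Flow("192.168.1.10", "203.0.113.7", "tcp", 80),    # ordinary web traffic
]


def netbios_leaks(policy: set) -> list:
    """NetBIOS flows leaving the LAN that the given policy would still pass."""
    return [f for f in SAMPLE_FLOWS
            if f.dport in NETBIOS_PORTS and direction(f) == "out"
            and allowed(f, policy)]
```

With the inbound-only policy two outbound NetBIOS flows still leave the LAN; with the bidirectional policy none do, while LAN-internal file sharing and web traffic are untouched by either.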