NetBEUI as main protocol
Christopher R. Hertel
crh at ubiqx.mn.org
Tue Dec 10 20:42:01 GMT 2002
On Mon, Dec 09, 2002 at 09:26:24PM -0500, John E. Malmberg wrote:
> Jason Hihn wrote:
> >I've a need for Samba to work over NetBEUI. We have a file server
> >here that only speaks that way to bar out TCP-based hackers,
> There is a popular misconception that you can use NetBeui in this way.

We use it that way here at the University.

> There is no security advantage in using NetBEUI in this manner.
> It is just as easy to block the NetBios TCP/IP ports at the router
> between your private network and the one where the hackers are.

I have hundreds of routers. Some people want those ports open, others
not. Ouch. Management nightmare. I really don't want to maintain a
per-port security configuration database.

> If the hackers are on the local network, the NetBios exploits work just
> as well on NetBeui based networks as TCP/IP based networks.

Unless the crackers are script-kiddies. I note that you used the term
"NetBIOS exploits". There is a limited set of OSes that actually provide
the NetBIOS API, but those that do are fairly popular. Still, I imagine
that many of the packaged exploits would be more likely to use IP.

> You get the same level of security if you control the router. You have
> no additional security if you do not control the router. Routers can be
> configured to bridge NetBeui.

All of the routers between the attacker and the attacked would need to
bridge NetBEUI. Thus, the risk decreases with every hop.

> The only advantage that I can see to running NetBeui is that a network
> recovery disk for most PCs using MS-DOS can fit on a high density floppy.
> For small networks, NetBeui is more responsive than TCP/IP, but because
> it is a broadcast protocol, it does not scale well.

Neither does B-mode NBT, or the Browse service.

> It probably will take some sort of layer to translate the NetBios over
> NetBeui so that it looked like TCP/IP to SAMBA. I do not know how much
> work that would be.

That's an interesting approach. Hmmm...and it could work. Possibly.
I think that the problem would be the NBT layer itself.
Naming, in particular.
I'm not sure that it's a worth-while endeavor, but it is an interesting
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org