NetBEUI as main protocol

Christopher R. Hertel crh at ubiqx.mn.org
Tue Dec 10 20:42:01 GMT 2002 

On Mon, Dec 09, 2002 at 09:26:24PM -0500, John E. Malmberg wrote:
> Jason Hihn wrote:
> 
> >I've a need for Samba to work over NetBEUI. We have a file server 
> >here that only speaks that way to bar out TCP-based hackers,
> 
> There is a popular misconception that you can use NetBeui in this way.

We use it that way here at the University.

> There is no security advantage in use NetBEUI in this manor.

Hmmm?

> It is just as easy to block the NetBios TCP/IP ports at the router
> between your private network and the one where the hackers are.

I have hundreds of routers.  Some people want those ports open, others
not.  Ouch.  Managmenet nightmare.  I really don't want to maintain a 
per-port security configuration database.

> If the hackers are on the local network, the NetBios exploits work just 
> as well on NetBeui based networks as TCP/IP based networks.

Unless the crackers are script-kiddies.  I note that you used the term
"NetBIOS exploits".  There is a limited set of OSes that actually provide
the NetBIOS API, but those that do are fairly popular.  Still, I imagine 
that many of the packaged exploits would be more likely to use IP.

> You get the same level of security if you control the router.  You have 
> no additional security if you do not control the router.  Routers can be 
> configured to bridge NetBeui.

All of the routers between the attacker and the attacked would need to 
bridge NetBEUI.  Thus, the risk decreases with every hop.

> The only advantage that I can see to running NetBeui is that a network 
> recovery disk for most PCs using MS-DOS can fit on a high density floppy.
> 
> For small networks, NetBeui is more responsive than TCP/IP, but because 
> it is a broadcast protocol, it does not scale well.

Neither does B-mode NBT, or the Browse service.

:
> It probably will take some sort of layer to translate the NetBios over 
> NetBeui so that it looked like TCP/IP to SAMBA.  I do not know how much 
> work that would be.

That's an interesting approach.  Hmmm...and it could work.  Possibly.
I think that the problem would be the NBT layer itself.  
Naming, in particular.

I'm not sure that it's a worth-while endeavor, but it is an interesting
idea.

Chris -)-----

-- 
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list