How to secure nmbd transactions?

Christopher R. Hertel crh at ubiqx.mn.org
Thu Jul 7 12:41:16 MDT 2011 

Vijaya,

Short answer:  No, it's not possible to secure those messages.

Medium answer:  You could completely disable the NBT transport protocol.
That would prevent the messages in question from being sent.

Long answer:  You could, in theory, develop a protocol that would encrypt
those messages, but all participating nodes would need to implement the new
encrypted protocol or it would be fairly pointless.  I cannot imagine anyone
being willing to implement such a protocol in their products.

The only other suggestions I have are these:

1) Read my book:  http://www.ubiqx.org/cifs/
   It provides a detailed description of both the NBT transport protocol
   and the workings of the Browse Service.

2) If you really, really want to run NBT transport and really, really want
   to encrypt it, create an OpenVPN virtual private network between all
   participating nodes.  Use the tap interface, so that you have a virtual
   LAN configuration, and run all NBT and SMB traffic within the VPN.
   Note that this would require specifically binding NBT transport to the
   tap interfaces and *not* to any other interfaces.

   All participating nodes would have access to the information, but nodes
   not in the VPN would be excluded.  It will take a good deal of work to
   set this up correctly.

That'd be my best advice.

Chris -)-----

Vijaya Upadhyaya K wrote:
> Thanks for the valuable inputs, Chris.
> 
> I am trying to see if it is possible to secure nmbd’s announcement
> about Samba server’s presence (the one that appears in the Windows
> "Network Neighborhood" view) and nmbd’s  reply to name resolution
> requests.
> 
> Regards,
> Vijaya
> 
> 
> On Thu, Jul 7, 2011 at 8:30 AM, Christopher R. Hertel <crh at ubiqx.mn.org> wrote:
>> The nmbd daemon implements support for the NBT name service and portions of
>> the NBT datagram service.  It also provides support for the Browse Service.
>>
>> All of those services were designed eons ago--back in the 80's--for local
>> networks.  In addition, all of those services are being phased out by Microsoft.
>>
>> There's nothing really to secure, and attempting to design a system that
>> would provide security (one that Microsoft and other implementations are
>> unlikely to use) would seem to be a waste of time.
>>
>> What is it you are hoping to make more secure?
>>
>> Chris -)-----
>>
>> Vijaya Upadhyaya K wrote:
>>> Greetings!
>>>
>>> Samba provides mechanisms to secure both SWAT and smbd transactions.
>>> What is the mechanism to be used for securing nmbd transactions? Any
>>> info/pointers in that direction would be of great help.
>>>
>>> Regards,
>>> Vijaya
>> --
>> "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
>> Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
>> jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
>> ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
>> OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
>>

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list