How to secure nmbd transactions?
Vijaya Upadhyaya K
kvij00 at gmail.com
Fri Jul 8 00:40:27 MDT 2011
Thanks a million, Chris!
On Fri, Jul 8, 2011 at 12:11 AM, Christopher R. Hertel <crh at ubiqx.mn.org> wrote:
> Short answer: No, it's not possible to secure those messages.
> Medium answer: You could completely disable the NBT transport protocol.
> That would prevent the messages in question from being sent.
> Long answer: You could, in theory, develop a protocol that would encrypt
> those messages, but all participating nodes would need to implement the new
> encrypted protocol or it would be fairly pointless. I cannot imagine anyone
> being willing to implement such a protocol in their products.
> The only other suggestions I have are these:
> 1) Read my book: http://www.ubiqx.org/cifs/
> It provides a detailed description of both the NBT transport protocol
> and the workings of the Browse Service.
> 2) If you really, really want to run NBT transport and really, really want
> to encrypt it, create an OpenVPN virtual private network between all
> participating nodes. Use the tap interface, so that you have a virtual
> LAN configuration, and run all NBT and SMB traffic within the VPN.
> Note that this would require specifically binding NBT transport to the
> tap interfaces and *not* to any other interfaces.
> All participating nodes would have access to the information, but nodes
> not in the VPN would be excluded. It will take a good deal of work to
> set this up correctly.
> That'd be my best advice.
> Chris -)-----
> Vijaya Upadhyaya K wrote:
>> Thanks for the valuable inputs, Chris.
>> I am trying to see if it is possible to secure nmbd’s announcement
>> about Samba server’s presence (the one that appears in the Windows
>> "Network Neighborhood" view) and nmbd’s reply to name resolution
>> On Thu, Jul 7, 2011 at 8:30 AM, Christopher R. Hertel <crh at ubiqx.mn.org> wrote:
>>> The nmbd daemon implements support for the NBT name service and portions of
>>> the NBT datagram service. It also provides support for the Browse Service.
>>> All of those services were designed eons ago--back in the 80's--for local
>>> networks. In addition, all of those services are being phased out by Microsoft.
>>> There's nothing really to secure, and attempting to design a system that
>>> would provide security (one that Microsoft and other implementations are
>>> unlikely to use) would seem to be a waste of time.
>>> What is it you are hoping to make more secure?
>>> Chris -)-----
>>> Vijaya Upadhyaya K wrote:
>>>> Samba provides mechanisms to secure both SWAT and smbd transactions.
>>>> What is the mechanism to be used for securing nmbd transactions? Any
>>>> info/pointers in that direction would be of great help.
>>> "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
>>> Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
>>> jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
>>> ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
>>> OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
> "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
> Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
> jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
> ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
> OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
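The two options in Chris's reply (disable the NBT transport, or bind it only to the OpenVPN tap interfaces) correspond to the smb.conf parameters `disable netbios`, `interfaces` and `bind interfaces only`. The following check is an added example, not part of the original thread or of Samba; the function names, the `tap` interface-name prefix, the loopback allowance and the sample configurations are assumptions constructed for illustration.

```python
TRUE = {"yes", "true", "1", "on"}   # values smb.conf accepts for "enabled"
LOOPBACK = {"lo", "127.0.0.1"}      # assumption: loopback never leaves the host

def global_params(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(key.split()).lower()] = value.strip()
    return params

def nbt_exposure(text, vpn_prefix="tap"):
    """Classify NBT settings as 'disabled', 'vpn-only' or 'exposed'."""
    p = global_params(text)
    # Medium answer: NBT transport switched off entirely
    if p.get("disablenetbios", "no").lower() in TRUE:
        return "disabled"
    # Suggestion 2: NBT bound to the tap interfaces and to nothing else
    ifaces = set(p.get("interfaces", "").replace(",", " ").split()) - LOOPBACK
    bind_only = p.get("bindinterfacesonly", "no").lower() in TRUE
    if bind_only and ifaces and all(i.startswith(vpn_prefix) for i in ifaces):
        return "vpn-only"
    return "exposed"

# Constructed sample configurations
DEFAULT = "[global]\n  workgroup = LAB\n"
VPN_ONLY = """[global]
  workgroup = LAB
  interfaces = tap0 lo
  bind interfaces only = yes
"""
MIXED = VPN_ONLY.replace("tap0 lo", "tap0 eth0")
NO_NBT = "[Global]\n  Disable NetBIOS = Yes\n"

if __name__ == "__main__":
    for name, conf in [("default", DEFAULT), ("vpn-only", VPN_ONLY),
                       ("mixed", MIXED), ("no-nbt", NO_NBT)]:
        print(name, "->", nbt_exposure(conf))
```

The check reads configuration only; it does not inspect the sockets nmbd actually has open.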
More information about the samba-technical