How to secure nmbd transactions?

Vijaya Upadhyaya K kvij00 at gmail.com
Fri Jul 8 00:40:27 MDT 2011


Thanks a million, Chris!

Regards,
Vijaya


On Fri, Jul 8, 2011 at 12:11 AM, Christopher R. Hertel <crh at ubiqx.mn.org> wrote:
> Vijaya,
>
> Short answer:  No, it's not possible to secure those messages.
>
> Medium answer:  You could completely disable the NBT transport protocol.
> That would prevent the messages in question from being sent.
>
> Long answer:  You could, in theory, develop a protocol that would encrypt
> those messages, but all participating nodes would need to implement the new
> encrypted protocol or it would be fairly pointless.  I cannot imagine anyone
> being willing to implement such a protocol in their products.
>
> The only other suggestions I have are these:
>
> 1) Read my book:  http://www.ubiqx.org/cifs/
>   It provides a detailed description of both the NBT transport protocol
>   and the workings of the Browse Service.
>
> 2) If you really, really want to run NBT transport and really, really want
>   to encrypt it, create an OpenVPN virtual private network between all
>   participating nodes.  Use the tap interface, so that you have a virtual
>   LAN configuration, and run all NBT and SMB traffic within the VPN.
>   Note that this would require specifically binding NBT transport to the
>   tap interfaces and *not* to any other interfaces.
>
>   All participating nodes would have access to the information, but nodes
>   not in the VPN would be excluded.  It will take a good deal of work to
>   set this up correctly.
>
> That'd be my best advice.
>
> Chris -)-----
>
> Vijaya Upadhyaya K wrote:
>> Thanks for the valuable inputs, Chris.
>>
>> I am trying to see if it is possible to secure nmbd’s announcement
>> about Samba server’s presence (the one that appears in the Windows
>> "Network Neighborhood" view) and nmbd’s reply to name resolution
>> requests.
>>
>> Regards,
>> Vijaya
>>
>>
>> On Thu, Jul 7, 2011 at 8:30 AM, Christopher R. Hertel <crh at ubiqx.mn.org> wrote:
>>> The nmbd daemon implements support for the NBT name service and portions of
>>> the NBT datagram service.  It also provides support for the Browse Service.
>>>
>>> All of those services were designed eons ago--back in the 80's--for local
>>> networks.  In addition, all of those services are being phased out by Microsoft.
>>>
>>> There's nothing really to secure, and attempting to design a system that
>>> would provide security (one that Microsoft and other implementations are
>>> unlikely to use) would seem to be a waste of time.
>>>
>>> What is it you are hoping to make more secure?
>>>
>>> Chris -)-----
>>>
>>> Vijaya Upadhyaya K wrote:
>>>> Greetings!
>>>>
>>>> Samba provides mechanisms to secure both SWAT and smbd transactions.
>>>> What is the mechanism to be used for securing nmbd transactions? Any
>>>> info/pointers in that direction would be of great help.
>>>>
>>>> Regards,
>>>> Vijaya
>>> --
>>> "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
>>> Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
>>> jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
>>> ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
>>> OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
>>>
>
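
Added example, not part of the thread and not Samba project code: a small audit of the `[global]` section of smb.conf against the two options Chris describes (NBT disabled outright, or NBT bound only to the VPN tap interfaces). It assumes the smb.conf parameters `disable netbios`, `interfaces` and `bind interfaces only`, assumes tap devices are named `tap*`, and uses constructed sample configs; the function names are hypothetical.

```python
import re

# Constructed sample smb.conf fragments (not taken from the thread).
EXPOSED = """
[global]
   workgroup = EXAMPLE
   interfaces = tap0 eth0
   bind interfaces only = no
"""
VPN_ONLY = """
[global]
   interfaces = tap0
   bind interfaces only = yes
"""
NBT_OFF = """
[global]
   disable netbios = yes
"""

def global_params(text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def truthy(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def audit_nbt(text, vpn_prefix="tap"):
    """Return a list of findings; empty means NBT is off or VPN-only."""
    p = global_params(text)
    if truthy(p.get("disablenetbios", "no")):
        return []  # NBT transport disabled, nothing is announced
    findings = []
    if not truthy(p.get("bindinterfacesonly", "no")):
        findings.append("bind interfaces only is not enabled")
    ifaces = p.get("interfaces", "").replace(",", " ").split()
    if not ifaces:
        findings.append("no interfaces listed; Samba uses every active interface")
    findings += [f"non-VPN interface listed: {i}" for i in ifaces
                 if not i.lower().startswith(vpn_prefix)]  # assumption: tap* naming
    return findings
```

The check is strict: a loopback entry in `interfaces` is reported too, and `include` files or backslash line continuations are not followed.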

