[Samba] Firewall piercing - The Specified network name is no longer available.

JLB jlb at twu.net
Wed Feb 9 21:36:56 GMT 2005


On Wed, 9 Feb 2005, Jörn Nettingsmeier wrote:

> > The chance of any random joker stumbling upon a dynamically allocated IP
> > and h4x0ring into a password-protected share on a SPARC64 machine running
> > OpenBSD with a recent version of Samba is ....
> >
> > ....slim.
>
> maybe, but this is such an abysmal solution that you should just forget
> about it. how can somebody both geeky and security-conscious enough to
> run openbsd on a 64bit sparc even consider letting smb traffic out on
> the internet ????

Because I don't keep anything private on the share I'd be allowing out?
Because I won't be flinging around private files even if I did have the
private files there (and the filenames themselves contain nothing
incriminating, even among my personal stuff)?
Because the chance of someone sitting there with a packet sniffer between
Joe Windows-using Client and my home box, watching for my personal shite
is VERY slim?
Because, as noted earlier, the chance of someone 0wning my SPARC64/OpenBSD
box, with its recent version of Samba, REGARDLESS of how many SMB ports I
open, is quite slim?

Because the convenience I would gain (i.e. being able to access
work-related files, MP3s, etc. without circumventing or bending ANY
corporate "thou shalt not install anything" policies) would outweigh any
minuscule risks?

>
> >>Spend a little time and set up a vpn endpoint on your box and just
> >>forward the necessary ports over, i think openvpn is 5000.  You'll be
> >>much happier, sane, and protected as such.
> >
> >
> > And I will make use of this on client machines with strict "Thou Shalt Not
> > Install any Unauthorized Software" policies... how?
>
> wait. you have such a restrictive security policy (which you are
> obviously willing to respect), and at the same time you want to bypass
> the most basic security precautions by tunnelling the living shit out of
> the firewall and having unprotected smb over the internet?
> sorry, but this does not make sense at all.

You're confusing the sides of the firewall.
The restrictive security policies are on the side of the clients I work
for. THEIR firewalls are often quite restrictive.

The other side of the equation is my box at home, which has no such
policy.

>
> > I've already set up zero-install Web-based telnet, zero-install Web-based
> > MP3 players... I even concocted a zero-install CygWin workalike and
> > keep it on my keychain USB drive...
>
> just keep putty and winscp on your keychain as well.

Why do that, and leave suspicious entries in the run history, when you can
do it right in the browser?

>
> > now I need a zero-install way to
> > access my files via Windows machines. And that means SMB. NOT OpenVPN,
> > OpenSSH, OpenVMS or any other "Open".
>
> talk to the guy who enforces the security policy at your site. this
> should be worked out in a sane fashion, and your network admin will
> benefit as well by not having to cope with rogue tunnels and other weird stuff.

I temp. I'm often at a client for one or two days. Not enough time to gain
a rapport with the network person (who is often an idiot MCSE-type), much
less to actually get him/her to work around the policy.

>
> i mean, you are a sysadmin too. if you say "no" to something on your
> networks, you want that to mean "no", don't you?
>

I don't generally say "no", except where it's something possibly
incriminating.

> i have a policy here that people can use tunnels if they must, but i
> require *notification* and want to give the users a quick run-down on
> what not to do (anybody seen those funny ssh tunnels on port 25 with the
> open-to-the-world switch on ? great fun indeed. "oh, i thought it's ok
> since everything is encrypted, right?")

--
J. L. Blank, Systems Administrator, twu.net