SMB Ports?
Ken Barber
pundit at teleport.com
Wed Oct 23 17:59:55 GMT 2002
On Wednesday 23 October 2002 03:45, Thorsten Brabetz wrote:
> Well, I have to say that I felt a bit uneasy about opening up port 139
> myself. I will check whether I can find out how to activate ssl support,
Sir,
As an MCSE with a security certification from the SANS institute, I would
NEVER allow SMB/CIFS traffic through a firewall, whether it's a Samba server
or a Windows server in question. As soon as you do, it's not a firewall any
more, it's just a plain ol' router.
If you have Windows boxes on two sides of a firewall that need to
transparently share files or printers with each other (or belong to the same
NT domain), your choices are limited and somewhat expensive. SMB/CIFS is a
primitive set of protocols and doesn't work with SSL or Kerberos.
You can share files via HTTP, which will work with SSL but it isn't
transparent (users will have to manually download and upload each time) and
the NT domain stuff won't work at all.
You can set up a Citrix terminal server, which SSL-encrypts all of the
traffic. Citrix isn't cheap but it's a very good product.
Or you can use Virtual Private Networking (VPN) to create a "tunnel" to one or
more computers outside the firewall. Each tunnel requires two "gateway"
computers; one at each end of the tunnel. There are free VPN
implementations out there using the IPSec protocol and there are expensive
proprietary solutions also. Do NOT use Microsoft's VPN products; they are
ridiculously insecure (to the point where you might as well not even have a
firewall)!
You can build VPN gateways using Linux (or, preferably, OpenBSD) fairly
inexpensively. They do not require a fast processor so you can use old PCs
from the boneyard. If you're using Linux, the product is known as FreeS/WAN
and because of US laws you have to recompile the kernel yourself if you're
using an American distribution of Linux.
OpenBSD is developed completely outside of the US and comes with IPSec built
in.
This has been a long letter but I hope I've helped. I was the network
administrator in an academic environment (as you are) once upon a time. I
really, really enjoyed the challenge and I'd go back to that environment in a
heartbeat if I could find a school that had an opening.
Ken Barber
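The post's core point is that a firewall which passes SMB/CIFS inbound is no longer a firewall, while an IPsec gateway needs only IKE (500/udp), ESP and AH let through. A quick way to verify a perimeter is actually enforcing that policy is to audit its logs for SMB flows that were accepted on the external interface. The following script is an added example, not part of Ken Barber's post or of any product he mentions. It assumes iptables-style LOG lines whose log prefix is the verdict (ACCEPT/DROP/REJECT), an external interface named eth0, and the constructed sample lines embedded below (RFC 5737 addresses); it also adds 445/tcp, which the post does not mention but which direct-hosted SMB uses.

```python
"""Audit firewall log lines for SMB/CIFS traffic that crossed the perimeter.

Added example: parses iptables-style LOG output (prefix = verdict, then
KEY=VALUE fields) and reports inbound SMB flows that were ACCEPTed on the
external interface, i.e. evidence that the firewall is just a router for SMB.
"""
import re
from collections import Counter

# NetBIOS/SMB/CIFS ports. 445/tcp is an addition to the four the post implies;
# direct-hosted SMB on modern Windows uses it and must be blocked as well.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}
# What an IPsec VPN gateway has to accept: IKE on 500/udp, plus ESP and AH.
VPN_UDP_PORTS = {("udp", 500)}
VPN_PROTOS = {"esp", "ah"}
VERDICTS = {"ACCEPT", "DROP", "REJECT"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log lines (not real traffic); addresses are from RFC 5737.
SAMPLE_LOG = """\
ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=445 SYN
DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=139 SYN
DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.255 PROTO=UDP SPT=137 DPT=137
ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=500 DPT=500
ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=ESP SPI=0x1a2b3c4d
ACCEPT IN=eth1 OUT= SRC=10.0.0.15 DST=10.0.0.20 PROTO=TCP SPT=49152 DPT=139 SYN
ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
""".splitlines()


def parse_line(line):
    """Return a dict for one log line, or None if it is not a verdict-prefixed LOG line."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0] not in VERDICTS:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    return {
        "verdict": parts[0],
        "in": fields.get("IN", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "dport": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    }


def is_smb(proto, dport):
    """True for NetBIOS/SMB/CIFS traffic."""
    return (proto, dport) in SMB_PORTS


def is_vpn(proto, dport):
    """True for the IPsec traffic a VPN gateway legitimately accepts."""
    return proto in VPN_PROTOS or (proto, dport) in VPN_UDP_PORTS


def audit(lines, external_if="eth0"):
    """Classify log lines; return (leaks, summary).

    leaks   -- list of (src, dst, proto, dport) for SMB flows ACCEPTed on external_if
    summary -- Counter of categories seen (smb_accept, smb_drop, vpn_accept, ...)
    """
    leaks = []
    summary = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if rec["in"] != external_if:
            summary["internal"] += 1  # traffic not arriving from outside; out of scope
            continue
        verdict = rec["verdict"].lower()
        if is_smb(rec["proto"], rec["dport"]):
            summary["smb_" + verdict] += 1
            if rec["verdict"] == "ACCEPT":
                leaks.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
        elif is_vpn(rec["proto"], rec["dport"]):
            summary["vpn_" + verdict] += 1
        else:
            summary["other"] += 1
    return leaks, summary


if __name__ == "__main__":
    found, stats = audit(SAMPLE_LOG)
    for src, dst, proto, dport in found:
        print(f"SMB passed inbound: {src} -> {dst} {proto}/{dport}")
    print(dict(stats))
```

On the sample data the audit flags the single accepted 445/tcp connection as a leak, counts the two blocked SMB attempts, and treats the IKE and ESP packets as expected VPN traffic. The same parse-and-classify loop can be pointed at a real kernel log once the LOG rules carry a verdict prefix, which is the one-line change to an existing ruleset this check depends on.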