SMB Ports?

Ken Barber pundit at teleport.com
Wed Oct 23 17:59:55 GMT 2002


On Wednesday 23 October 2002 03:45, Thorsten Brabetz wrote:

>    Well, I have to say that I felt a bit uneasy about opening up port 139
> myself. I will check whether I can find out how to activate ssl support,

Sir,

As an MCSE with a security certification from the SANS institute, I would 
NEVER allow SMB/CIFS traffic through a firewall, whether it's a Samba server 
or a Windows server in question.  As soon as you do, it's not a firewall any 
more, it's just a plain ol' router.

If you have Windows boxes on two sides of a firewall that need to 
transparently share files or printers with each other (or belong to the same 
NT domain), your choices are limited and somewhat expensive.  SMB/CIFS is a 
primitive set of protocols and doesn't work with SSL or Kerberos.

You can share files via HTTP, which will work with SSL but it isn't 
transparent (users will have to manually download and upload each time) and 
the NT domain stuff won't work at all.

You can set up a Citrix terminal server, which SSL-encrypts all of the 
traffic.  Citrix isn't cheap but it's a very good product.

Or you can use Virtual Private Networking (VPN) to create a "tunnel" to one or 
more computers outside the firewall.  Each tunnel requires two "gateway" 
computers; one at each end of the tunnel.  There are free VPN 
implementations out there using the IPSec protocol and there are expensive 
proprietary solutions also.  Do NOT use Microsoft's VPN products; they are 
ridiculously insecure (to the point where you might as well not even have a 
firewall)!

You can build VPN gateways using Linux (or, preferably, OpenBSD) fairly 
inexpensively.  They do not require a fast processor so you can use old PCs 
from the boneyard.  If you're using Linux, the product is known as FreeS/WAN 
and because of US laws you have to recompile the kernel yourself if you're 
using an American distribution of Linux.

OpenBSD is developed completely outside of the US and comes with IPSec built 
in.

This has been a long letter but I hope I've helped.  I was the network 
administrator in an academic environment (as you are) once upon a time.  I 
really, really enjoyed the challenge and I'd go back to that environment in a 
heartbeat if I could find a school that had an opening.

Ken Barber
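An added example, not from Ken's post or the smb-clients list: a tiny first-match firewall policy simulator that audits a border ruleset for the two things the post argues for, SMB/CIFS never passing the external interface and the IPsec tunnel still being admitted. Only TCP 139 is named in the post; the other SMB ports (445, UDP 137/138), the IPsec ports (ESP, UDP 500 for IKE), the interface names and the rule format are assumptions made for this example.

```python
# Added example (not from the original post): first-match firewall policy
# simulator used to audit whether a border ruleset exposes SMB/CIFS while
# still admitting an IPsec tunnel. Port numbers beyond TCP 139, interface
# names and the Rule format are assumptions for this example.

from dataclasses import dataclass

SMB_PROBES = [("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)]
IPSEC_NEEDS = [("esp", 0), ("udp", 500)]   # ESP payload, IKE negotiation

@dataclass
class Rule:
    action: str                 # "pass" or "drop"
    iface: str                  # interface the packet arrives on, or "any"
    proto: str                  # "tcp", "udp", "esp", or "any"
    ports: tuple = (0, 65535)   # inclusive destination-port range

def verdict(rules, iface, proto, dport, default="drop"):
    """First matching rule wins, as in pf/iptables; default-deny otherwise."""
    for r in rules:
        if r.iface not in ("any", iface):
            continue
        if r.proto not in ("any", proto):
            continue
        lo, hi = r.ports
        if lo <= dport <= hi:
            return r.action
    return default

def audit_border(rules, ext_iface="ext0"):
    """Return findings; an empty list means SMB is blocked and IPsec admitted."""
    findings = []
    for proto, port in SMB_PROBES:
        if verdict(rules, ext_iface, proto, port) == "pass":
            findings.append(f"SMB exposed: {proto}/{port} passes on {ext_iface}")
    for proto, port in IPSEC_NEEDS:
        if verdict(rules, ext_iface, proto, port) != "pass":
            findings.append(f"IPsec tunnel blocked: {proto}/{port} dropped on {ext_iface}")
    return findings

# Constructed sample policies: "just open 139" versus tunnel-only at the border.
OPEN_139 = [Rule("pass", "ext0", "tcp", (139, 139)), Rule("drop", "any", "any")]
TUNNEL_ONLY = [
    Rule("pass", "ext0", "esp"),
    Rule("pass", "ext0", "udp", (500, 500)),
    Rule("drop", "ext0", "any"),    # explicit border deny, SMB included
    Rule("pass", "lan0", "any"),    # SMB stays inside, or rides the tunnel
]
```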
