Allen, Michael B (RSCH)
Michael_B_Allen at ml.com
Wed Oct 23 21:51:15 GMT 2002
> -----Original Message-----
> From: Ken Barber [SMTP:pundit at teleport.com]
> Sent: Wednesday, October 23, 2002 2:00 PM
> To: Thorsten Brabetz; smb clients
> Subject: Re: SMB Ports?
> On Wednesday 23 October 2002 03:45, Thorsten Brabetz wrote:
> > Well, I have to say that I felt a bit uneasy about opening up port 139
> > myself. I will check whether I can find out how to activate ssl support,
> As an MCSE with a security certification from the SANS institute, I would
> NEVER allow SMB/CIFS traffic through a firewall, whether it's a Samba server
> or a Windows server in question. As soon as you do, it's not a firewall any
> more, it's just a plain ol' router.
> If you have Windows boxes on two sides of a firewall that need to
> transparently share files or printers with each other (or belong to the same
> NT domain), your choices are limited and somewhat expensive. SMB/CIFS is a
> primitive set of protocols and doesn't work with SSL or Kerberos.
> You can share files via HTTP, which will work with SSL but it isn't
> transparent (users will have to manually download and upload each time) and
> the NT domain stuff won't work at all.
> You can set up a Citrix terminal server, which SSL-encrypts all of the
> traffic. Citrix isn't cheap but it's a very good product.
> Or you can use Virtual Private Networking (VPN) to create a "tunnel" to one or
> more computers outside the firewall. Each tunnel requires two "gateway"
> computers; one at each end of the tunnel. There are free VPN
> implemenatations out there using the IPSec protocol and there are expensive
> proprietary solutions also. Do NOT use Microsoft's VPN products; they are
> ridiculously insecure (to the point where you might as well not even have a
> You can build VPN gateways using Linux (or, preferably, OpenBSD) fairly
> inexpensively. They do not require a fast processor so you can use old PCs
> from the boneyard. If you're using Linux, the product is known as FREES/WAN
> and because of US laws you have to recompile the kernel yourself if you're
> using an American distribution of Linux.
> OpenBSD is developed completely outside of the US and comes with IPSec built
> This has been a long letter but I hope I've helped. I was the network
> administrator in an academic environment (as you are) once upon a time. I
> really, really enjoyed the challenge and I'd go back to that environment in a
> heartbeat if I could find a school that had an opening.
> Ken Barber
More information about the smb-clients