SMB Ports?

Allen, Michael B (RSCH) Michael_B_Allen at
Wed Oct 23 21:51:15 GMT 2002

Interesting stuff.

> -----Original Message-----
> From:	Ken Barber [SMTP:pundit at]
> Sent:	Wednesday, October 23, 2002 2:00 PM
> To:	Thorsten Brabetz; smb clients
> Subject:	Re: SMB Ports?
> On Wednesday 23 October 2002 03:45, Thorsten Brabetz wrote:
> >    Well, I have to say that I felt a bit uneasy about opening up port 139
> > myself. I will check whether I can find out how to activate ssl support,
> Sir,
> As an MCSE with a security certification from the SANS institute, I would 
> NEVER allow SMB/CIFS traffic through a firewall, whether it's a Samba server 
> or a Windows server in question.  As soon as you do, it's not a firewall any 
> more, it's just a plain ol' router.
> If you have Windows boxes on two sides of a firewall that need to 
> transparently share files or printers with each other (or belong to the same 
> NT domain), your choices are limited and somewhat expensive.  SMB/CIFS is a 
> primitive set of protocols and doesn't work with SSL or Kerberos.
> You can share files via HTTP, which will work with SSL but it isn't 
> transparent (users will have to manually download and upload each time) and 
> the NT domain stuff won't work at all.
> You can set up a Citrix terminal server, which SSL-encrypts all of the 
> traffic.  Citrix isn't cheap but it's a very good product.
> Or you can use Virtual Private Networking (VPN) to create a "tunnel" to one or 
> more computers outside the firewall.  Each tunnel requires two "gateway" 
> computers; one at each end of the tunnel.  There are free VPN 
> implemenatations out there using the IPSec protocol and there are expensive 
> proprietary solutions also.  Do NOT use Microsoft's VPN products; they are 
> ridiculously insecure (to the point where you might as well not even have a 
> firewall)!
> You can build VPN gateways using Linux (or, preferably, OpenBSD) fairly 
> inexpensively.  They do not require a fast processor so you can use old PCs 
> from the boneyard.  If you're using Linux, the product is known as FREES/WAN 
> and because of US laws you have to recompile the kernel yourself if you're 
> using an American distribution of Linux.
> OpenBSD is developed completely outside of the US and comes with IPSec built 
> in.
> This has been a long letter but I hope I've helped.  I was the network 
> administrator in an academic environment (as you are) once upon a time.  I 
> really, really enjoyed the challenge and I'd go back to that environment in a 
> heartbeat if I could find a school that had an opening.
> Ken Barber

More information about the smb-clients mailing list