Firewall Wizards mailing list archives
re: Re: NT WAN
From: MHurlburt () nea org
Date: Wed, 28 Jul 1999 7:47:31 EDT
I recently had the opportunity to 'evaluate' a certain LAN/WAN configuration which consisted of several NT domains participating in various transitive/non-transitive trust relationships (MS definition of trust) via the public internet, thus creating the WAN you describe below. This was 'allowed' thru the said firewall(s) by allowing TCP/139. Although no 'browsing' of NetBIOS tables can be done over 139 (this requires 137), suffice it to say that one can grab a session from the open internet on a box 'inside'; provided you have a range of IPs, this can easily be scripted, and many persons do it daily. Once you have obtained root equivalent on a system inside, it is very easy to get toolz installed which let you get root on more (and on other domains this box 'trusts' as well). A friend of mine recently dubbed this a 'bank shot' :).

MS makes it very easy (let me rephrase this: the default NT configuration, and lack of administrative corrections to this, makes it very easy) to obtain a large amount of information on NT services, accounts, etc., via null sessions over 139. It is my opinion that one would be asking for a severe amount of trouble if one were to allow any of the infamous 135-139 MS ports thru one's firewall, unless of course your WAN links were in fact private themselves.

-Michael

At 03:46 PM 7/26/99 -0700, Neil Ratzlaff wrote:

> I am looking for some strong reasons to refuse to allow an NT WAN through the firewall.
>
> There is a department here that wants to set up a wide area network of several NT machines scattered over several states. All they have said they want is to share files and printing. One of the local hosts would be behind the firewall, and they wanted to know how to get through the firewall, so I got called in. I manage the firewall, but I don't do policy of any kind. I assume they would at least use PPTP, but I read recently that although M$ improved it, it still is not very secure.
>
> I have the feeling this is a terrible idea. They want to have clients go both ways through the firewall, and I assume these clients are Windows 95, 98, and NT. Can anyone point me to places that list or describe the risks in simple English? Or maybe it is not as dangerous as I think it is, and this would be useful information, too. I suspect that even if this were all outside the firewall, it would still be a terrible idea, but I don't know enough about NT to be sure, or to provide reasons.
>
> Is there some paper somewhere that I can point to that shows why this is a bad idea? Perhaps vulnerabilities that can't be patched? I appreciate any help anyone can provide.
>
> Neil

This email, its files or previous e-mail attached to it, may contain confidential information being legally privileged. Please disregard the contents if you are not the intended recipient.
******************************************************************
Only the individual sender is responsible for the content of this message, and the message does not necessarily reflect the position or policy of the National Education Association or its affiliates.
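The practical advice in Michael's post is a firewall rule check: nothing on TCP/UDP 135-139 should be accepted from the public internet, with the one exception he allows, WAN links that are themselves private. The script below is an added example (not code from the original thread or from either poster) that audits firewall log lines for exactly that condition. The log lines and their iptables-style format are constructed for the example; the RFC 1918 ranges are used as the definition of "private link", which is an assumption about how such a WAN would be addressed.

```python
"""Audit firewall log lines for NetBIOS/MS-RPC ports (135-139) accepted from
non-private sources.  Added example; the log format is a constructed,
iptables-like format and is not taken from the original post."""
import ipaddress
import re
from typing import Dict, List, Optional

# The ports the post calls "the infamous 135-139 MS ports":
# 135 RPC endpoint mapper, 137/138 NetBIOS name/datagram, 139 NetBIOS session.
NETBIOS_PORTS = {135, 136, 137, 138, 139}

# Assumption: a "private WAN link" means an RFC 1918 source address.
# (ipaddress.is_private is deliberately not used: it also treats the
# documentation ranges used in the sample log below as private.)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log; the source addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 28 07:40:01 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP SPT=3401 DPT=139
Jul 28 07:40:02 fw kernel: ACCEPT IN=eth1 SRC=10.1.0.7 DST=10.0.0.5 PROTO=TCP SPT=1045 DPT=139
Jul 28 07:40:03 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=UDP SPT=137 DPT=137
Jul 28 07:40:04 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=3402 DPT=135
Jul 28 07:40:05 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.8 PROTO=TCP SPT=3403 DPT=80
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP).*?SRC=(?P<src>\S+).*?DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Extract action, addresses, protocol and destination port from one line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_private_link(src_ip: str) -> bool:
    """True if the source falls in an RFC 1918 range (the post's exception)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in RFC1918)


def find_exposed_netbios(log_text: str) -> List[Dict[str, object]]:
    """Return accepted flows to 135-139 whose source is not a private link."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # unparsable, or already blocked by the firewall
        if rec["dpt"] not in NETBIOS_PORTS:
            continue  # not one of the NetBIOS/RPC ports
        if is_private_link(str(rec["src"])):
            continue  # private WAN link: the one case the post tolerates
        findings.append(rec)
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[int, int]:
    """Count flagged flows per destination port, for a quick rule-review report."""
    counts: Dict[int, int] = {}
    for rec in findings:
        port = int(rec["dpt"])
        counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_exposed_netbios(SAMPLE_LOG)
    for h in hits:
        print(f"EXPOSED {h['proto']}/{h['dpt']} from {h['src']} to {h['dst']}")
    print("per-port:", summarize(hits))
```

Run against the sample, it flags the two accepted public-source flows (TCP/139 and TCP/135) and ignores the dropped UDP/137 probe, the TCP/80 flow and the TCP/139 session from the 10.1.0.7 link; any accepted line it reports is a rule that should be revisited, regardless of whether the peer is a trusted domain.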