nanog mailing list archives

RE: Operational impact of filtering SMB/NETBIOS traffic?


From: Roeland Meyer <rmeyer () mhsc com>
Date: Sun, 19 Nov 2000 10:25:18 -0800


The scenario that you miss is Win2K lap-tops and workstations with Unix
servers. Our policies are unix-unix = local-only NFS, and win-unix = Samba.
This is mainly because of known flaws with NFS over internet security, but
also because of the expense and difficulty of getting win-anything to do
NFS.

-----Original Message-----
From: Jim Mercer [mailto:jim () reptiles org]
Sent: Sunday, November 19, 2000 9:29 AM

as far as samba working better than NFS, that is a religious argument.

No it isn't, NFS has known exploits. I've had a server owned three times in
the past four years, twice via BIND and once via NFS. None via Samba.

if you are using SMB to share files between unix systems, then i have a bit
of trouble with that last line of the above.

see: above

personally, i can't think of any applications where i would attempt to do
any kinda filesystem sharing across the internet.

How about collaboration servers?

i suspect the widespread use of SMB on the internet is again, because of the
brain-dead applications produced by a braindead company and software
produced by lazy programmers working in the braindead company's API's.

why does the application need a "share"?  can it not just negotiate the
information needed without mounting the entire office over a 33.6K connection?

You ARE joking, right? I haven't seen a 33.6K connection in years. A part of
every deal is LAN access that usually shares, at the least, a T1. Also, you
are ignorant of the way Win PDCs operate. I DHCP connect to the local LAN
and log into my home PDC, from the clients site. Otherwise, the client has
to give me access to their PDC and their PDC winds up owning my lap-top and
I have to re-configure this for every client (sometimes three per day).
Every time my profile gets blown away. At the end of the day, my lap-top
would be a useless piece of junk and I would have to re-install the
OS...not!

geez, if the filter was there, are you saying that people who _need_ SMB
shares are too brain-dead to come up with a straight forward way to make it
get around the filter?

There is no straight-forward way around a filter, by definition the
straight-forward way is to not have the filter!

no, the brain-dead easy way around the filter is to have no filter at all.

i'm not an SMB user (outside a few LAN's where we explicitly drop it all
on the floor before it gets out of the network).

You just told me that you are not in marketing/management, you don't do
docs, you don't collaborate on docs, and/or you never leave your corporate
site to do any of the above.

could you not use an IPSec tunnel from one LAN to another, then run SMB
over that tunnel?

is it not possible to use ssh port forwarding to move the packets through
a secure tunnel that way?

When I can, that's what I do, via F-Secure port forwarding. However, many
shops explicitly block port 22. This kills IPsec as well.
