Network Security Focus-Microsoft

RE: Shared drives through a firewall

Subject: RE: Shared drives through a firewall
Date: Thu, 22 Mar 2007 15:15:49 -0400
True, SSH and WebDAV are better options, but that's changing the topic.
I'm guessing since it's an "untrusted server" that someone else is
administering it.  So using a different protocol probably isn't an
option.

As far as being less likely to draw attention from attackers than
opening up SMB ports, the key here is to only open SMB ports to allow
communication between the server and client.  Don't just open SMB ports
to the world because you need to communicate with one IP address on the
other side of your firewall.  That's as silly as opening all ports on a
server, just because you need one open.



-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of James (njan) Eaton-Lee
Sent: Thursday, March 22, 2007 1:15 PM
To: Jim Harrison
Cc: aeheald@gmail.com; focus-ms@securityfocus.com
Subject: Re: Shared drives through a firewall


Jim Harrison wrote:
You might consider using FTPS or SSH connections; they're relatively
secure, depending on the server/client package you select.

Webdav is under-promoted in these scenarios - it's built on top of a
well-understood and easily securable protocol (http), and it has great
crossplatform support. Webdav allows access either via a webdav client
that supports writing (windows explorer and gnome/nautilus both do this,
and OSX/KDE/$desktopofchoice probably do too) or a standard http client
(ie, lynx, firefox). It supports well-understood mechanisms to encrypt
traffic (TLS/SSL) and authenticate users (http basic auth).

It has good application layer support from a wide variety of reverse
proxy/firewall products (including ISA) designed for protecting web
traffic if you choose to expose it externally.

It's also fairly difficult to distinguish from a regular webserver, so
it's far less likely to draw attention from attackers than opening up
SMB ports, particularly if you had a webserver running anyway.

There's also been webdav support in IIS and in Apache for quite some
time...

  - James.

--
   James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

   "The universe is run by the complex interweaving of three
   elements: Energy, matter, and enlightened self-interest." - G'Kar

  https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--
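
The advice in the reply above (open SMB ports only between the one client and the one server, never to the world) can be checked mechanically against a rule set. The script below is an added example, not part of the original thread: the one-line rule format, the function names, the SMB/NetBIOS port set and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress

# Ports used by SMB / NetBIOS file sharing (assumed set for this example).
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Constructed sample rules in a made-up format:
#   action proto source destination port
SAMPLE_RULES = """\
allow tcp 0.0.0.0/0       192.0.2.10 445
allow tcp 198.51.100.7    192.0.2.10 445
allow tcp 198.51.100.0/24 192.0.2.10 139
deny  tcp 0.0.0.0/0       192.0.2.10 139
allow tcp 0.0.0.0/0       192.0.2.10 443
"""

def parse_rule(line):
    """Turn one rule line into a dict; a bare IP becomes a /32 network."""
    action, proto, src, dst, port = line.split()
    return {
        "action": action.lower(),
        "proto": proto.lower(),
        "src": ipaddress.ip_network(src, strict=False),
        "dst": ipaddress.ip_network(dst, strict=False),
        "port": int(port),
    }

def overly_broad_smb_rules(text):
    """Return (line number, source, port) for each allow rule that opens
    an SMB port to more than a single source address."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        rule = parse_rule(line)
        if rule["action"] != "allow":
            continue
        if (rule["proto"], rule["port"]) not in SMB_PORTS:
            continue
        if rule["src"].num_addresses > 1:  # wider than one host
            findings.append((lineno, str(rule["src"]), rule["port"]))
    return findings

if __name__ == "__main__":
    for lineno, src, port in overly_broad_smb_rules(SAMPLE_RULES):
        print(f"rule {lineno}: SMB port {port} open to {src}; restrict to one host")
```

Only the rules on lines 1 and 3 of the sample are reported; the single-host rule, the deny rule and the HTTPS rule pass.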
