Network Security Focus-Microsoft

Re: Shared drives through a firewall

Subject: Re: Shared drives through a firewall
Date: Thu, 22 Mar 2007 20:14:35 +0000
mcclenbw@oneonta.edu wrote:
> True, SSH and WebDAV are better options, but that's changing the topic.
> I'm guessing since it's an "untrusted server" that someone else is
> administering it.  So using a different protocol probably isn't an
> option.

Maybe.. sometimes the best solution to an awkward problem is to rewrite the problem. The OP did ask for "ammunition", too - an easy, securer alternative way of transferring files certainly seems like anti-SMB-over-the-internet ammunition to me! :)


I've had success in rewriting the problem such that I could deploy WebDAV on a number of occasions in the past where SMB or FTP were being considered for file transfer.

It sells quite well in this respect based on the fact that it has great client support (better than SCP/SFTP) and in both the Linux and Windows worlds very rarely requires any extra software for anyone who already has any web infrastructure in place. At worst, the extra software is an Apache module..

> As far as being less likely to draw attention from attackers than
> opening up SMB ports, the key here is to only open SMB ports to allow
> communication between the server and client.  Don't just open SMB ports
> to the world because you need to communicate with one IP address on the
> other side of your firewall.  That's as silly as opening all ports on a
> server, just because you need one open.

Agreed - but in most scenarios, opening up SMB, even to quasi-trusted partners or clients over a WAN isn't ideal either way; too many holes that go too deep for my liking, and they're holes that (unlike HTTP(S)/WebDAV) generally can't be partially mitigated with application-layer filtering.


The addition of IP / IP Range filtering makes this scenario less awful, but not unawful, imo. :)

 - James.

--
  James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

  "The universe is run by the complex interweaving of three
  elements: Energy, matter, and enlightened self-interest." - G'Kar

 https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
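
Added example, not part of the original message: a small audit of a firewall ruleset that flags ACCEPT rules exposing SMB/NetBIOS ports to any source or to a whole range rather than to the single peer address the thread recommends. The thread names no firewall product, so iptables-save syntax, the sample rules and the function name `audit_smb_rules` are assumptions; negated (`!`) matches are not handled.

```python
import ipaddress
import shlex

SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session, SMB over TCP

# Constructed sample in iptables-save syntax (documentation address ranges).
SAMPLE_RULES = """\
-A FORWARD -s 203.0.113.10/32 -d 192.0.2.5/32 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -d 192.0.2.5/32 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A FORWARD -s 198.51.100.0/24 -d 192.0.2.5/32 -p tcp -m tcp --dport 135:445 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 192.0.2.5/32 -p udp -m udp --dport 137 -j ACCEPT
-A FORWARD -d 192.0.2.6/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 203.0.113.10/32 -p tcp -m tcp --dport 445 -j DROP
"""

def _ports(spec):
    """Expand '139,445' or '135:445' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_smb_rules(rules_text, min_prefix=32):
    """Return (line_no, reason) for ACCEPT rules that expose SMB too widely."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        # Map each option to the token that follows it.
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opts.get("-j") != "ACCEPT":
            continue
        spec = opts.get("--dport") or opts.get("--dports")
        if spec is None or not (_ports(spec) & SMB_PORTS):
            continue
        # A rule with no -s matches every source address.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if src.prefixlen == 0:
            findings.append((line_no, "SMB open to any source"))
        elif src.prefixlen < min_prefix:
            findings.append((line_no, f"SMB open to whole range {src}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_smb_rules(SAMPLE_RULES):
        print(f"rule {line_no}: {reason}")
```

Raising or lowering `min_prefix` sets how wide a source range is tolerated before a rule is reported.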
