[32387] in North American Network Operators' Group
RE: Operational impact of filtering SMB/NETBIOS traffic?
daemon@ATHENA.MIT.EDU (Mathew Butler)
Mon Nov 20 18:44:24 2000
Message-ID: <F062E72E4BA2D4119F1700B0D03D205F39D4@MAIL>
From: Mathew Butler <mbutler@tonbu.com>
To: 'Adam Rothschild' <asr@latency.net>, nanog@merit.edu
Date: Mon, 20 Nov 2000 15:37:15 -0800
Are you going to provide consulting services -- for free -- when what the
customer wants to do is not allowed because of your network filtering
choices?

-Mat

-----Original Message-----
From: Adam Rothschild [mailto:asr@latency.net]
Sent: Monday, November 20, 2000 8:06 AM
To: nanog@merit.edu
Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

On Sat, Nov 18, 2000 at 08:19:12PM -0800, Roeland Meyer wrote:
> You'd have LOTs of complaint from me and many of my clients. Many of
> us log into our external gateway PDCs from foreign locations. We
> have shares because we want shares.

Yikes. Isn't that what secure road-warrior VPNs are for?

> You are considering killing off a whole bunch of legitimate use
> because some are too brain-dead to not have unintentional shares on
> the internet?

Intentional or not, sniffing SMB passwords and share info doesn't
require much skill.

> We use SMB/Samba INSTEAD of NFS because we believe SMB to be more
> secure.

That's like saying the electrical chair may be far more appealing to
some than lethal injection. NFS and SMB are both insecure and
inefficient mechanisms for file transfer over the public Internet.
SMB may be the lesser of the two evils, but it's really irrelevant.
Why not use ssh/sftp, or for the Unix impaired, some https-based file
transfer interface, instead?

On Sun, Nov 19, 2000 at 09:06:06AM -0800, Roeland Meyer wrote:
> [...] in addition, you block the NetBIOS ports then you block
> application-level access for 80% of internet users.

How so? Sounds like you'd be promoting responsible usage instead.

-adam