Bruce Keller writes:
> Hello all,
> I apologize if this is taking a left turn, but in reading the ongoing
> dialogue regarding NFS across the NET I have a question. I had been
> thinking about mounting an NFS partition across the NET in order to access
> the database for a low support function (temporary at that); my concerns
> were the same Simions... I also have the option of mapping to a WIN95
> drive to accomplish the same thing. Now the questions: Seeing as how
> Netbeui is not routable, how do you route across TCP/IP and how much can
> you secure it beyond the password protection activated when you share
> the drive.
This is not too bad a forum for the security implications, and the technical detail
of Microsoft's file system protocol is easy enough to slip in.
The file system protocol from Microsoft (reference Windows95) is called SMB
(server message block) and can be encapsulated in TCP/IP.
Notice that this is much more easily controlled because it uses TCP rather than UDP.
Where you want to provide trust, you open TCP port 137 and 139 for NetBIOS/TCP.
Remember that you must be concerned about a bad-guy spoofing the addresses you trust.
Microsoft would have you believe that the security measures of SMB are sufficiently strong.
I prefer to be very cautious about source code that has not been seen, and commented on,
by people like Bellovin, Chapman and Cheswick. (not pretending to read much code these days)
Microsoft makes a big deal about clear-text passwords being insecure with FTP,
which I think is handled reasonably with one-time passwords.
So, I think security is better with FTP, then SMB, then NFS.
Convenience is entirely another matter.
The big problem IMHO is that the NFS vulnerability interferes with
selective trust of specific UDP ports because it uses ports indiscriminately.