CIFS (or equiv.) and security
Jeffry Smith
smith at
Thu May 18 14:35:15 EDT 2000

Regardless of the type of authentication, remember that the actual
SAMBA reads / writes are UNENCRYPTED! Better to do the SAMBA over
SSH or some sort of VPN solution.

BTW: How secure is that Windows box behind your server? Remember,
the chain of security is only as strong as its weakest link. So, that
may be the only box you're exposing, but once it's broken, your
network is compromised. That's the reason for DMZs for stuff exposed
to the internet.

On Thu, 18 May 2000, Ron Peterson wrote:
> I'm contemplating opening my firewall to allow NetBIOS traffic through,
> so people in my office can mount Samba shares from home. If I do this,
> I thought I'd just port forward (I realize this only lets me expose one
> machine, but that's o.k.) to my fileserver behind my masquerading
> server.
>
> Am I being egregiously stupid?
>
> Samba supports encrypted authentication. Is this encryption strong
> enough to ward off script kiddies and their ilk? Are there other
> vulnerabilities, in addition to authentication, that I should be
> concerned about?
>
> Are there better alternatives? Besides Oracle's IFS (I'm sure it may be
> fine technology, I just don't like Oracle). Is a VPN the only way to
> go? Would sure be nice to just NET USE T: \\HOST.MY.DOMAIN\SHARE.
>
> Right now, I allow people read-only access via a browser by setting up a
> secure Apache host that points to where our office files are. Basically
> run Apache's insecure authentication over https. But it would be nice
> to allow full access, especially to people w/ cable modems or DSL.
>
> I just use ftp/ssh myself, but that's a bit much for most people here.

Get them on Linux?

Jeffry Smith Technical Sales Consultant Mission Critical Linux
smith at phone:978.446.9166,x271 fax:978.446.9470
Thought for today: Economics is extremely useful as a form of employment for economists.
-- John Kenneth Galbraith