CIFS (or equiv.) and security
Ron Peterson
rpeterson at yellowbank.com
Thu May 18 17:18:07 EDT 2000

Jeffry Smith wrote:
>
> Regardless of the type of authentication, remember that the actual
> SAMBA reads / writes are UNENCRYPTED! Better to do the SAMBA over
> SSH or some sort of VPN solution.

I'm not too concerned about anyone reading the file traffic. There
aren't any password lists or anything like that flying around. A bunch
of architectural CAD files, mostly. I have to think there can't be too
many people out there trying to spy on our exterior wall details.

There seem to be three possible weaknesses here: (1) eavesdropping in on
the login (although no-one has a shell account), (2) reading
(unencrypted) file traffic, and (3) something I haven't thought of.

Like I say, (2) doesn't bother me much. But (1) and (3) do. I'm just
not knowledgeable enough about security matters to have a worthy opinion
about the risks involved.

> BTW: How secure is that Windows box behind your server? Remember,
> the chain of security is only as strong as its weakest link. So, that
> may be the only box you're exposing, but once it's broken, your
> network is compromised. That's the reason for DMZs for stuff exposed
> to the internet.

Good point. Most of my effort's been on the firewall server. I don't
*think* I'm running any services besides those I need though.

-Ron-