On Mon, Dec 09, 2002 at 09:26:24PM -0500, John E. Malmberg wrote:
> Jason Hihn wrote:
>
> >I've a need for Samba to work over NetBEUI. We have a file server
> >here that only speaks that way to bar out TCP-based hackers,
>
> There is a popular misconception that you can use NetBeui in this way.

We use it that way here at the University.

> There is no security advantage in using NetBEUI in this manner.

Hmmm?

> It is just as easy to block the NetBios TCP/IP ports at the router
> between your private network and the one where the hackers are.

I have hundreds of routers. Some people want those ports open, others
not. Ouch. Management nightmare. I really don't want to maintain a
per-port security configuration database.

> If the hackers are on the local network, the NetBios exploits work just
> as well on NetBeui based networks as TCP/IP based networks.

Unless the crackers are script-kiddies. I note that you used the term
"NetBIOS exploits". There is a limited set of OSes that actually provide
the NetBIOS API, but those that do are fairly popular. Still, I imagine
that many of the packaged exploits would be more likely to use IP.

> You get the same level of security if you control the router. You have
> no additional security if you do not control the router. Routers can be
> configured to bridge NetBeui.

All of the routers between the attacker and the attacked would need to
bridge NetBEUI. Thus, the risk decreases with every hop.

> The only advantage that I can see to running NetBeui is that a network
> recovery disk for most PCs using MS-DOS can fit on a high density floppy.
>
> For small networks, NetBeui is more responsive than TCP/IP, but because
> it is a broadcast protocol, it does not scale well.

Neither does B-mode NBT, or the Browse service.

:
> It probably will take some sort of layer to translate the NetBios over
> NetBeui so that it looked like TCP/IP to SAMBA. I do not know how much
> work that would be.

That's an interesting approach. Hmmm...and it could work. Possibly.
I think that the problem would be the NBT layer itself. Naming, in
particular. I'm not sure that it's a worthwhile endeavor, but it is an
interesting idea.

Chris -)-----

--
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   [EMAIL PROTECTED]
OnLineBook -- http://ubiqx.org/cifs/    -)-----   [EMAIL PROTECTED]
