On Mon, 3 May 2004, Kevin Flanagan wrote:

> If all systems are Windows 2000 pro, or XP pro, the NT domain model can
> be a bit more secure, but with SAMBA, it's not a lot more so.

I know that earlier this morning I sang praise of Linux LVM, but it is
only fair at this point that I mention a strength of OpenBSD for this
particular application.

pf now has OS fingerprinting built into the rules. So assuming you have a
default of something like (in pseudocode) "block all inbound", you could
then add a rule like "pass in all inbound protocol tcp port 139 where
source OS is { Windows 2000, Windows XP }" and another that says something
like "pass in all inbound protocol udp port { 137, 138 } where source OS
is { Windows 2000, Windows XP }".

So this way all the Win9x clients never even see Samba. This also kills
*NIX clients running smbclient so beware.

Sure there are also controls in Samba as well but I like the belt &
suspenders approach, and try to block unwanted traffic as early as
possible.

> HP has some decent entry level servers, but they would cost $2-3K well
> equipped. Something like a SNAP server will be easy, but not redundant,
> and backups have to take place over the network to a device that you
> don't have now.

Honestly for a file server that is expected to grow, I would put almost
zero storage on the server (enough for the OS) and hook it up to a SAN.
But for only a few hundred gigs it's not worth it. If this thing were
going to scale any more than that, SAN starts to make more sense.
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
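
The rules sketched in pseudocode in the message above, written out in pf.conf syntax as an added example (not part of the original post). The interface name `em0` and the LAN prefix `192.168.1.0/24` are assumptions.

```pf
# Added example, not from the original message.
# Assumptions: em0 is the LAN-facing interface, 192.168.1.0/24 is the client LAN.
int_if = "em0"
lan    = "192.168.1.0/24"

# Default deny for everything arriving on the LAN interface.
block in on $int_if all

# NetBIOS session service (tcp/139): admit only connections whose initial SYN
# matches a Windows 2000 or Windows XP fingerprint. "flags S/SA" makes the rule
# apply to the SYN itself; "keep state" lets the rest of the session through.
pass in on $int_if inet proto tcp from $lan os { "Windows 2000", "Windows XP" } \
    to ($int_if) port 139 flags S/SA keep state

# NetBIOS name and datagram services (udp/137, udp/138): pf.conf(5) documents
# that OS fingerprinting works only on the TCP SYN packet, so UDP cannot be
# matched with "os". These rules are restricted by source network instead.
pass in on $int_if inet proto udp from $lan to ($int_if) port { 137, 138 } keep state
# Broadcast name queries and browser announcements go to the subnet broadcast.
pass in on $int_if inet proto udp from $lan to 192.168.1.255 port { 137, 138 }

# Review which OS names the loaded fingerprint database knows:  pfctl -s osfp
# Review the expanded ruleset after loading:                    pfctl -s rules
```

A fingerprint is a passive guess made from the SYN packet, so the Samba-side controls mentioned in the message remain the second layer behind these rules.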