Focus on Microsoft
Shared drives through a firewall Mar 22 2007 02:01AM aeheald gmail com (4 replies)
Re: Shared drives through a firewall Apr 17 2007 08:53AM Nicolas RUFF (nicolas ruff gmail com) (1 replies)
Re: Shared drives through a firewall Mar 22 2007 01:44PM Mailing Sécurité Focus (mailingsecurite maisonlaprise com)
RE: Shared drives through a firewall Mar 22 2007 01:41PM Jim Harrison (Jim isatools org) (1 replies)
Re: Shared drives through a firewall Mar 22 2007 05:14PM James (njan) Eaton-Lee (james mailing gmail com) (1 replies)
I'm guessing since it's an "untrusted server" that someone else is
administering it. So using a different protocol probably isn't an
option.
As far as being less likely to draw attention from attackers than
opening up SMB ports, the key here is to only open SMB ports to allow
communication between the server and client. Don't just open SMB ports
to the world because you need to communicate with one IP address on the
other side of your firewall. That's as silly as opening all ports on a
server, just because you need one open.
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of James (njan) Eaton-Lee
> Sent: Thursday, March 22, 2007 1:15 PM
> To: Jim Harrison
> Cc: aeheald (at) gmail (dot) com [email concealed]; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Re: Shared drives through a firewall
>
>
> Jim Harrison wrote:
> > You might consider using FTPS or SSH connections; they're relatively
> > secure, depending on the server/client package you select.
>
> Webdav is under-promoted in these scenarios - it's built on top of a
> well-understood and easily securable protocol (http), and it has great
> crossplatform support. Webdav allows access either via a webdav client
> that supports writing (windows explorer and gnome/nautilus both do this,
> and OSX/KDE/$desktopofchoice probably do too) or a standard http client
> (ie, lynx, firefox). It supports well-understood mechanisms to encrypt
> traffic (TLS/SSL) and authenticate users (http basic auth).
>
> It has good application layer support from a wide variety of reverse
> proxy/firewall products (including ISA) designed for protecting web
> traffic if you choose to expose it externally.
>
> It's also fairly difficult to distinguish from a regular webserver, so
> it's far less likely to draw attention from attackers than opening up
> SMB ports, particularly if you had a webserver running anyway.
>
> There's also been webdav support in IIS and in Apache for quite some
> time...
>
> - James.
>
> --
> James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
>
> "The universe is run by the complex interweaving of three
> elements: Energy, matter, and enlightened self-interest." - G'Kar
>
> https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
> --
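The reply's point about opening SMB ports only between the one client and the one server can be checked mechanically. The following is an added example, not part of the original thread: it audits a rule list for SMB allow rules that admit more than an approved host pair. The rule format, the addresses (documentation ranges) and the approved-pair list are all constructed assumptions, not any real firewall's syntax.

```python
import ipaddress

# SMB over TCP (445) plus the NetBIOS ports older Windows file sharing uses.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Constructed rules in a made-up "action proto source destination port" format.
SAMPLE_RULES = """\
allow tcp 0.0.0.0/0 192.0.2.10 445
allow tcp 198.51.100.7 192.0.2.10 445
allow tcp 198.51.100.0/24 192.0.2.10 139
allow tcp 0.0.0.0/0 192.0.2.20 443
allow udp 198.51.100.9 192.0.2.10 137
deny tcp 0.0.0.0/0 0.0.0.0/0 445
"""

# Assumed approved (client, server) pairs that really need file sharing.
APPROVED = {("198.51.100.7", "192.0.2.10")}


def audit_smb_rules(text, approved=APPROVED):
    """Return (rule, reason) for each allow rule exposing SMB beyond an approved pair."""
    pairs = {(ipaddress.ip_address(c), ipaddress.ip_address(s)) for c, s in approved}
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, dst, port = line.split()
        if action.lower() != "allow" or (proto.lower(), int(port)) not in SMB_PORTS:
            continue  # deny rules and non-SMB ports are out of scope here
        src_net = ipaddress.ip_network(src, strict=False)
        dst_net = ipaddress.ip_network(dst, strict=False)
        if src_net.num_addresses > 1:
            findings.append((line, f"source {src_net} is wider than one host"))
        elif dst_net.num_addresses > 1:
            findings.append((line, f"destination {dst_net} is wider than one host"))
        elif (src_net.network_address, dst_net.network_address) not in pairs:
            findings.append((line, "host pair is not on the approved list"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_smb_rules(SAMPLE_RULES):
        print(f"{rule}  <- {reason}")
```

On the sample input the any-source rule, the /24 rule and the unapproved single-host rule are reported; the approved pair, the HTTPS rule and the deny rule are not.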