RE: Shared drives through a firewall



True, SSH and WebDAV are better options, but that's changing the topic.
I'm guessing since it's an "untrusted server" that someone else is
administering it, so using a different protocol probably isn't an
option.

As far as being less likely to draw attention from attackers than
opening up SMB ports, the key here is to only open SMB ports to allow
communication between the server and client. Don't just open SMB ports
to the world because you need to communicate with one IP address on the
other side of your firewall. That's as silly as opening all ports on a
server just because you need one open.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of James (njan) Eaton-
Lee
Sent: Thursday, March 22, 2007 1:15 PM
To: Jim Harrison
Cc: aeheald@xxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Shared drives through a firewall


Jim Harrison wrote:
You might consider using FTPS or SSH connections; they're relatively
secure, depending on the server/client package you select.

Webdav is under-promoted in these scenarios - it's built on top of a
well-understood and easily securable protocol (http), and it has great
cross-platform support. Webdav allows access either via a webdav client
that supports writing (windows explorer and gnome/nautilus both do this,
and OSX/KDE/$desktopofchoice probably do too) or a standard http client
(i.e., lynx, firefox). It supports well-understood mechanisms to encrypt
traffic (TLS/SSL) and authenticate users (http basic auth).

It has good application layer support from a wide variety of reverse
proxy/firewall products (including ISA) designed for protecting web
traffic if you choose to expose it externally.

It's also fairly difficult to distinguish from a regular webserver, so
it's far less likely to draw attention from attackers than opening up
SMB ports, particularly if you had a webserver running anyway.

There's also been webdav support in IIS and in Apache for quite some
time...

- James.

--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

"The universe is run by the complex interweaving of three
elements: Energy, matter, and enlightened self-interest." - G'Kar

https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--
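The firewall point in the reply above (open SMB only between the specific server and client, never to the world), as an added example that is not part of either message on this page: a small Python script that builds the narrow allow-list for one peer, renders it as nftables commands, and audits a rule set for SMB ports exposed to more than a single host. The peer address 192.0.2.10, the nftables table name `filter`, and the `Rule` structure are assumptions made for the illustration, not anything from the thread.

```python
"""Narrow SMB firewall rules plus an audit of over-broad exposure (added example)."""
import ipaddress
from dataclasses import dataclass

# TCP ports used by SMB: 445 (direct-hosted SMB) and 139 (NetBIOS session service).
SMB_PORTS = (139, 445)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    """Minimal firewall rule model (assumed for this example)."""
    src: str      # source network in CIDR form
    dport: int    # destination TCP port
    action: str   # "accept" or "drop"


def smb_peer_rules(peer_ip: str) -> list[Rule]:
    """Allow SMB only from one peer (/32) and drop it from everyone else.

    Accept rules come first so the peer matches before the catch-all drop.
    """
    peer = ipaddress.ip_address(peer_ip)  # raises ValueError on malformed input
    rules = [Rule(f"{peer}/32", p, "accept") for p in SMB_PORTS]
    rules += [Rule(ANY, p, "drop") for p in SMB_PORTS]
    return rules


def audit_smb_exposure(rules: list[Rule], max_prefix: int = 32) -> list[str]:
    """Flag accept rules that expose an SMB port to more than a single host.

    This catches the "open 445 to the world because one client needs it" mistake.
    """
    findings = []
    for r in rules:
        if r.action != "accept" or r.dport not in SMB_PORTS:
            continue
        net = ipaddress.ip_network(r.src, strict=False)
        if net.prefixlen < max_prefix:
            findings.append(
                f"port {r.dport} open to {net} ({net.num_addresses} addresses)"
            )
    return findings


def render_nft(rules: list[Rule], chain: str = "input") -> str:
    """Render rules as nftables 'add rule' commands.

    Assumes an existing 'inet filter' table with the named chain.
    """
    lines = []
    for r in rules:
        src = "" if r.src == ANY else f"ip saddr {r.src} "
        lines.append(f"add rule inet filter {chain} {src}tcp dport {r.dport} {r.action}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: the share is only ever reached from 192.0.2.10.
    good = smb_peer_rules("192.0.2.10")
    print(render_nft(good))
    print("findings:", audit_smb_exposure(good))

    # Constructed "open to the world" rule set of the kind the reply warns against.
    bad = [Rule(ANY, 445, "accept")]
    print("findings:", audit_smb_exposure(bad))
```

Running the script prints four `nft` commands (two accepts for the peer, two drops for everyone else) and an empty findings list, then one finding for the world-open rule. The audit function is the piece worth keeping: point it at whatever rule export your firewall produces, and any SMB accept wider than a /32 (or whatever `max_prefix` you consider acceptable) shows up as a finding.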


