Re: Shared drives through a firewall



mcclenbw@xxxxxxxxxxx wrote:
> True SSH and WebDAV are better options, but that's changing the topic.
> I'm guessing since it's an "untrusted server" that someone else is
> administering it. So using a different protocol probably isn't an
> option.

Maybe... sometimes the best solution to an awkward problem is to rewrite the problem. The OP did ask for "ammunition", too - an easy, more secure alternative way of transferring files certainly seems like anti-SMB-over-the-internet ammunition to me! :)

I've had success in rewriting the problem such that I could deploy WebDAV on a number of occasions in the past where SMB or FTP were being considered for file transfer.

It sells quite well in this respect based on the fact that it has great client support (better than SCP/SFTP) and in both the Linux and Windows worlds very rarely requires any extra software for anyone who already has any web infrastructure in place. At worst, the extra software is an Apache module.

> As far as being less likely to draw attention from attackers than
> opening up SMB ports, the key here is to only open SMB ports to allow
> communication between the server and client. Don't just open SMB ports
> to the world because you need to communicate with one IP address on the
> other side of your firewall. That's as silly as opening all ports on a
> server, just because you need one open.

Agreed - but in most scenarios, opening up SMB, even to quasi-trusted partners or clients over a WAN, isn't ideal either way; too many holes that go too deep for my liking, and they're holes that (unlike HTTP(S)/WebDAV) generally can't be partially mitigated with application-layer filtering.

The addition of IP / IP Range filtering makes this scenario less awful, but not unawful, imo. :)

- James.

--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

"The universe is run by the complex interweaving of three
elements: Energy, matter, and enlightened self-interest." - G'Kar

https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--
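The quoted advice above (open SMB only to the specific peer, never to the world) can be checked mechanically. The script below is an added example written for this archive page; it is not code from the thread or from either poster. It parses constructed `iptables-save`-style rule lines (addresses taken from the RFC 5737 documentation ranges, not real hosts), flags any ACCEPT rule that admits TCP 139 or 445 from an unrestricted source, and builds the narrower single-peer rule in its place. The rule format and the `SMB_PORTS` set are the only assumptions; the logic applies to any host-based firewall that can be dumped in this form.

```python
"""Audit iptables-save style rules for SMB ports exposed to any source.

Added example, not part of the original mailing-list post. The rule lines
below are constructed for illustration; 203.0.113.0/24 and 198.51.100.7 are
RFC 5737 documentation addresses, not real hosts.
"""
import ipaddress
import shlex

# NetBIOS session service and direct-hosted SMB (assumption: these are the
# only SMB ports the audited host exposes).
SMB_PORTS = {139, 445}

# Constructed sample: rule 1 opens SMB to the world with no -s at all,
# rules 2 and 3 restrict it to a single partner host / partner range,
# rule 4 is "restricted" to 0.0.0.0/0 (which is no restriction), and
# rule 5 is an unrelated HTTPS rule that must not be flagged.
SAMPLE_RULES = """\
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp --dport 445 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp --dport 139 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""


def parse_rule(line):
    """Return chain, source, destination ports and target of one -A rule, or None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "source": None, "ports": set(), "target": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-s", "--source"):
            rule["source"] = tokens[i + 1]
            i += 2
        elif tok in ("--dport", "--destination-port"):
            rule["ports"].add(int(tokens[i + 1]))
            i += 2
        elif tok == "--dports":
            # multiport syntax: comma list, each item a port or lo:hi range
            for part in tokens[i + 1].split(","):
                if ":" in part:
                    lo, hi = part.split(":")
                    rule["ports"].update(range(int(lo), int(hi) + 1))
                else:
                    rule["ports"].add(int(part))
            i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        else:
            i += 1  # -p, -m and other options carry no information we need
    return rule


def source_is_unrestricted(source):
    """True when no -s was given, or the given network covers every address."""
    if source is None:
        return True
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def find_world_exposed_smb(rules_text):
    """Return the raw ACCEPT rule lines that admit SMB from any source."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["target"] != "ACCEPT":
            continue
        if rule["ports"] & SMB_PORTS and source_is_unrestricted(rule["source"]):
            findings.append(line)
    return findings


def restricted_smb_rule(peer, chain="INPUT"):
    """Build the narrower rule the post recommends: SMB only from one peer."""
    net = ipaddress.ip_network(peer, strict=False)
    return (f"-A {chain} -s {net.with_prefixlen} -p tcp -m multiport "
            f"--dports 139,445 -j ACCEPT")


if __name__ == "__main__":
    for bad in find_world_exposed_smb(SAMPLE_RULES):
        print("SMB accepted from any source:", bad)
    print("narrow it to the peer instead, e.g.:", restricted_smb_rule("198.51.100.7"))
```

Run against a real dump (`iptables-save`), the check reports the two sample rules that expose SMB to any source and leaves the peer-restricted ones alone. Note that a narrowed source address only limits who can reach the port; it does nothing about what the SMB protocol itself exposes once the peer is admitted, which is the point the reply makes about WebDAV being easier to filter at the application layer.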
