> -----Original Message-----
> From: Jim Eckford [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 23 December 1999 7:27 AM
> To: [EMAIL PROTECTED]
> Subject: Re: NT Drivesharing and firewalls.
>
>
> Tim,
> Windows uses NetBIOS to do its file and printer sharing, as
> well as remote
> administration, so be careful when allowing it through a firewall.
How can you "be careful"? It's either allowed or it's not! By allowing
NetBIOS you open yourself up to a slew of attacks. IMO, there is just NO
justification for allowing NetBIOS traffic into a trusted network from an
untrusted one.
> I believe you will need to use a NAT device that is "NetBIOS
> aware", because
> the source IP address is contained in the packet payload, so
> NAT causes the
> address to mismatch. However, I have never tried it.
I have. You're dead right - it won't work through naive NAT. You'll need to
check with your vendor (or try it) to see if the NAT supports NetBIOS. Each
NAT implementation is different.
> The
> ports that NetBIOS
> uses are:
>
> TCP 137 for the name service
> TCP 138 for the datagram service.
> TCP 139 for the session service.
>
> The UDP versions of these ports are also listed as used by
> NetBIOS, but I'm not
> sure if they are actually used.
UDP is actually used more than TCP.
>
> Good Luck
>
> Jim Eckford
>
> Tim Uckun wrote:
>
> > I need to mount a drive from a NT machine inside a NATed
> firewall to an NT
> > machine outside the network. Does anybody have a pointer on
> dealing with NT
> > specific problems when dealing with firewall. Anybody know
> which ports an
> > NT machine uses for PDC/BDC traffic or drive sharing?
You were probably expecting this, but this is a BAD idea. The NetBIOS ports
are the single most vulnerable part of an NT server (with the exception of IIS
;). Add to this the fact that large chunks of the NetBIOS rigmarole use UDP,
which prevents doing good session tracking, and you've got yourself a recipe
for disaster.
Basically, if you are prepared to mount a drive on this machine then you
implicitly trust it to such an extent that you may as well pull it through
to the trusted side of the firewall.
If it's a remote host or if it's more than one machine, use VPN stuff. This
is functionally equivalent to pulling it through to the trusted side, as
above.
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
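As an added illustration that is not part of the thread above, the Python below parses the RFC 1002 NetBIOS datagram header (the UDP/138 payload that carries the sender's own IP address) so the mismatch behind a plain NAT can be seen in a capture, and classifies flows on the three NetBIOS ports crossing from an untrusted to a trusted zone. The packet builder, sample addresses and zone names are constructed for the example.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# NetBIOS-over-TCP/IP service ports named in the thread (RFC 1001/1002).
NETBIOS_PORTS = {137: "name service", 138: "datagram service", 139: "session service"}

# RFC 1002 section 4.4.1 datagram header, network byte order, 14 bytes:
# MSG_TYPE, FLAGS, DGM_ID, SOURCE_IP, SOURCE_PORT, DGM_LENGTH, PACKET_OFFSET
DGM_HEADER = struct.Struct("!BBH4sHHH")
DIRECT_UNIQUE, DIRECT_GROUP, BROADCAST = 0x10, 0x11, 0x12


def parse_netbios_datagram(payload: bytes) -> dict:
    """Return the header fields of a NetBIOS datagram (the UDP/138 payload)."""
    if len(payload) < DGM_HEADER.size:
        raise ValueError("payload shorter than a NetBIOS datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, length, offset = DGM_HEADER.unpack_from(payload)
    return {
        "msg_type": msg_type,
        "first_fragment": bool(flags & 0x02),
        "dgm_id": dgm_id,
        "source_ip": str(IPv4Address(src_ip)),  # address embedded by the sender
        "source_port": src_port,
        "length": length,
    }


def nat_mismatch(outer_src_ip: str, payload: bytes) -> bool:
    """True when the IP header's source differs from the address carried in the
    NetBIOS payload, i.e. the datagram crossed a NAT that did not rewrite it."""
    return parse_netbios_datagram(payload)["source_ip"] != outer_src_ip


def crosses_into_trusted(proto: str, dst_port: int, src_zone: str, dst_zone: str) -> Optional[str]:
    """Name the NetBIOS service a flow targets when it goes untrusted -> trusted, else None.
    Both TCP and UDP are checked because the thread notes UDP is used more than TCP."""
    if src_zone == "untrusted" and dst_zone == "trusted" and proto in ("tcp", "udp"):
        return NETBIOS_PORTS.get(dst_port)
    return None


def build_datagram(src_ip: str, src_port: int, dgm_id: int = 1) -> bytes:
    """Constructed sample: a direct-unique datagram header (first fragment, empty body)."""
    return DGM_HEADER.pack(DIRECT_UNIQUE, 0x02, dgm_id, IPv4Address(src_ip).packed, src_port, 0, 0)


if __name__ == "__main__":
    # A host at 192.168.1.10 sends through a NAT whose outside address is 203.0.113.5.
    pkt = build_datagram("192.168.1.10", 138)
    print(parse_netbios_datagram(pkt), "mismatch:", nat_mismatch("203.0.113.5", pkt))
```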