Solved

Netbios file sharing over Internet: is it safe?  . . .

Posted on 2013-06-10
Last Modified: 2013-06-13
Background:
-------------------
Our Windows 2008 FTP server is in our PIX-powered DMZ.

We've opened ports so the FTP server can chat with our internal domain controllers so field users can use their domain\userid to log into the FTP server. Years ago, we used local userid/passwords on the FTP server but found it to be a hassle from a two-accounts redundancy and disaster recovery perspective. Our FTP server in the DMZ is backed up daily, and we also take hourly snapshots using REPLAY (backup/restore tool).

Proposal:
--------------
We are entertaining opening up the incoming NetBIOS ports to the DMZ so our field laptop users can map a drive to our already existing FTP server. The objectives are:

not have local data on the laptops - the users would open the files from the X: which would actually be on our DMZ server,

so their data is backed up, and

so their data is easily share-able with other laptop folks in the same department (using the NTFS security permissions on the file server).

Right now, we're interested in cobbling together some kind of free solution, so not really able to consider something like SharePoint.

Question:
---------------
1. What are the incremental risks or issues of opening up incoming NetBIOS ports to the DMZ?

2. Is there a better way to fulfill the objectives stated above?


Notes:
--------
Most of our laptop folks have DSL or cable modem. A few access the internet via a slow mobile broadband card modem, but we are trying to upgrade bandwidth subject to availability.


Thanks for any thoughts,
Mike
Question by:mike2401
7 Comments
 

Accepted Solution

by:
Dave Baldwin earned 300 total points
ID: 39235992
I think that opening up 'netbios ports' to the internet is an invitation to disaster.  On the other hand, it may not even work because 'netbios ports' are often blocked by ISPs.
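Added example, not part of the original thread: a small audit that reads PIX-style access-list lines and reports every permit rule that lets "any" source reach the Windows file-sharing ports (137/udp, 138/udp, 139/tcp, 445/tcp). The ACL names, addresses and function names are constructed for illustration, and the parser assumes the simple "access-list NAME permit PROTO SRC DST [eq|range PORT]" form only.

```python
# NetBIOS name 137/udp, datagram 138/udp, session 139/tcp; direct-hosted SMB 445/tcp.
SHARE_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}
SHARE_PORTS["ip"] = SHARE_PORTS["tcp"] | SHARE_PORTS["udp"]
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Constructed sample ACL (documentation addresses), not taken from the thread.
SAMPLE_ACL = """\
access-list outside_in permit tcp any host 192.0.2.10 eq ftp
access-list outside_in permit tcp any host 192.0.2.10 eq netbios-ssn
access-list outside_in permit tcp any host 192.0.2.10 eq 445
access-list outside_in permit udp any host 192.0.2.10 range netbios-ns netbios-dgm
access-list dmz_in permit tcp host 192.0.2.10 host 10.1.1.5 eq 445
access-list outside_in deny ip any any
"""

def _port(tok):
    # Numeric port or a NetBIOS keyword; None for any other service keyword.
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def _addr(t, i):
    """Consume 'any', 'host A' or 'network mask'; return (text, next index)."""
    return ("any", i + 1) if t[i] == "any" else (" ".join(t[i:i + 2]), i + 2)

def exposed_share_rules(config):
    """Return (acl, proto, destination, ports) for rules open to any source."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        i = 3 if t[2] == "extended" else 2
        if t[i] != "permit" or t[i + 1] not in SHARE_PORTS:
            continue
        proto = t[i + 1]
        try:
            src, j = _addr(t, i + 2)
            dst, j = _addr(t, j)
            op = t[j] if proto != "ip" and j < len(t) else None
            if op in ("eq", "range"):
                lo, hi = _port(t[j + 1]), _port(t[j + 2 if op == "range" else j + 1])
            else:  # no port qualifier means every port; lt/gt/neq are skipped
                lo, hi = (0, 65535) if op is None else (None, None)
        except IndexError:
            continue  # truncated line
        if src == "any" and None not in (lo, hi):
            ports = sorted(p for p in SHARE_PORTS[proto] if lo <= p <= hi)
            if ports:
                findings.append((t[1], proto, dst, ports))
    return findings
```

Calling exposed_share_rules(SAMPLE_ACL) reports the three outside_in rules that open NetBIOS/SMB to any source and ignores the FTP rule, the host-to-host DMZ rule and the deny line.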
 

Assisted Solution

by:dec0mpile
dec0mpile earned 150 total points
ID: 39236062
FTP is always a security risk because it transmits login information (including passwords) in plain text.

You should at the very least consider using SFTP (encrypted) connection.
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

I've found third party programs are generally more secure than Windows.
This is a good product: http://www.globalscape.com/mft/

That all being said if the data is sensitive I recommend that you do not run a public FTP or SFTP server. The only way to provide security for sensitive data is to keep it on the internal network and make the users VPN into your network before accessing the files.

Assisted Solution

by:ChiefIT
ChiefIT earned 50 total points
ID: 39238651
Look into SMB (Server Message Block) over IPsec tunnel or SSL... The ports associated with NetBIOS are often blocked by ISPs, because of the vulnerability to you.

SonicWall provides a means to provide SMB over a secured tunnel connection.

 

Author Comment

by:mike2401
ID: 39238727
I believe our lan admin just tried SMB alone (no netbios) and it did not work.  

We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare.

Thx

Mike

Expert Comment

by:dec0mpile
ID: 39238791
"We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare."

The VPN option is something to consider only if the data you are hosting is sensitive.

If that is not the case then just set up a simple SFTP server by running SSH server and Windows or third party software and opening the ports on your firewall.

http://www.freesshd.com/?ctt=overview
https://wiki.filezilla-project.org/FileZilla_FTP_Server
 

Author Comment

by:mike2401
ID: 39245423
Thank you everyone, we've abandoned our vision of mapping drives across the internet (not within a vpn)

Mike
 

Author Closing Comment

by:mike2401
ID: 39245430
Thanks everyone!