Solved

Netbios file sharing over Internet: is it safe?  . . .

Posted on 2013-06-10
7
473 Views
Last Modified: 2013-06-13
Background:
-------------------
Our windows 2008 FTP server is in our PIX powered DMZ.

We've open ports so the FTP server can chat with our internal domain controllers so field users can use their domain\userid to log into the FTP server.  Years ago, we used local userid/passwords on the ftp server but found it to be a hassle from a two-accounts redundancy and  disaster recovery perspective.  Our FTP server in the DMZ is backed up daily, and we also take hourly snapshots using REPLAY (backup/restore tool)

Proposal:
--------------
We are entertaining opening up the incoming newbios ports to the DMZ so our field laptop users can map a drive to our already existing ftp server.  The objectives are :

not have local data on the laptops - the users would open the files from the X: which would actually be on our dmz server,

so their data is backed up, and

so their data is easily share-able with other laptop folks in the same department (using the ntfs security permissions on the file server).

Right now, we're interesting in cobbling together some kind of free solution, so not really able to consider something like sharepoint.

Question:
---------------
1. What are the incremental risks or issues of opening up incoming netbios ports to the dmz?

2. Is there a better way to fulfill the objectives stated above?


Notes:
--------
Most of our laptop folks have dsl or cable modem.  A few access the internet via a slow mobile broadband card modem, but we are trying to upgrade bandwidth subject to availability.


Thanks for any thoughts,
Mike
0
Comment
Question by:mike2401
7 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 300 total points
ID: 39235992
I think that opening up 'netbios ports' to the internet is an invitation to disaster.  On the other hand, it may not even work because 'netbios ports' are often blocked by ISPs.
0
 
LVL 7

Assisted Solution

by:dec0mpile
dec0mpile earned 150 total points
ID: 39236062
FTP is always a security risk because it transmits login information (including passwords) in plain/text.

You should at the very least consider using SFTP (encrypted) connection.
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

I've found third party programs are generally more secure then Windows.
This is good product: http://www.globalscape.com/mft/

That all being said if the data is sensitive I recommend that you do not run a public FTP or SFTP server. The only way to provide security for sensitive data is to keep it on the internal network and make the users VPN into your network before accessing the files.
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 50 total points
ID: 39238651
Look into SMB (Server Message Block) over IP Sec Tunnel or SSL... The ports associated with NetBIOS are often blocked by ISP's, because of the vulnerability to you.

Sonic Wall provides a means to provide SMB over a secured Tunnel connection.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:mike2401
ID: 39238727
I believe our lan admin just tried SMB alone (no netbios) and it did not work.  

We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare.

Thx

Mike
0
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39238791
We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare.

The VPN option is something to consider only if the data you are hosting is sensitive.

If that in not the case then just setup a simple SFTP server by running SSH server and windows or third party software and opening the ports on your firewall.

http://www.freesshd.com/?ctt=overview
https://wiki.filezilla-project.org/FileZilla_FTP_Server
0
 

Author Comment

by:mike2401
ID: 39245423
Thank you everyone, we've abandoned our vision of mapping drives across the internet (not within a vpn)

Mike
0
 

Author Closing Comment

by:mike2401
ID: 39245430
Thanks everyone!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question