Solved

Netbios file sharing over Internet: is it safe?

Posted on 2013-06-10
Last Modified: 2013-06-13
Background:
-------------------
Our windows 2008 FTP server is in our PIX powered DMZ.

We've opened ports so the FTP server can chat with our internal domain controllers so field users can use their domain\userid to log into the FTP server.  Years ago, we used local userid/passwords on the ftp server but found it to be a hassle from a two-accounts redundancy and disaster recovery perspective.  Our FTP server in the DMZ is backed up daily, and we also take hourly snapshots using REPLAY (backup/restore tool).

Proposal:
--------------
We are entertaining opening up the incoming netbios ports to the DMZ so our field laptop users can map a drive to our already existing ftp server.  The objectives are:

not have local data on the laptops - the users would open the files from the X: which would actually be on our dmz server,

so their data is backed up, and

so their data is easily share-able with other laptop folks in the same department (using the ntfs security permissions on the file server).

Right now, we're interested in cobbling together some kind of free solution, so not really able to consider something like sharepoint.

Question:
---------------
1. What are the incremental risks or issues of opening up incoming netbios ports to the dmz?

2. Is there a better way to fulfill the objectives stated above?


Notes:
--------
Most of our laptop folks have dsl or cable modem.  A few access the internet via a slow mobile broadband card modem, but we are trying to upgrade bandwidth subject to availability.


Thanks for any thoughts,
Mike
Question by:mike2401
7 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 1200 total points
ID: 39235992
I think that opening up 'netbios ports' to the internet is an invitation to disaster.  On the other hand, it may not even work because 'netbios ports' are often blocked by ISPs.
0
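A defender-side check for the exposure the accepted answer warns about, as an added example that is not part of the thread: it scans firewall rules for permit lines that let any source reach the NetBIOS ports (137-139) or direct SMB (445). The Cisco-style ACL lines, the `outside_in` name and the addresses are constructed; only a simplified subset of the ACL syntax is parsed and rule ordering is ignored.

```python
# Ports a mapped drive needs: NetBIOS name/datagram (UDP) and session / direct SMB (TCP).
RISKY = {"udp": {137, 138}, "tcp": {139, 445}}
# Cisco service names for the NetBIOS ports.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

def _addr(tokens):
    """Consume one address spec ("any", "host IP" or "NET MASK")."""
    first = tokens.pop(0)
    if first == "any":
        return "any"
    return f"{first} {tokens.pop(0)}"

def _port(tok):
    """Numeric port, a known NetBIOS service name, or -1 for other names (e.g. ftp)."""
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    return int(tok) if tok.isdigit() else -1

def exposed_rules(config):
    """Return (acl, proto, destination, ports) for permit rules open to any source."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit" or t[3] not in RISKY:
            continue
        rest = t[4:]
        src, dst = _addr(rest), _addr(rest)
        if not rest:                       # no port qualifier: every port is open
            lo, hi = 0, 65535
        elif rest[0] == "eq" and len(rest) == 2:
            lo = hi = _port(rest[1])
        elif rest[0] == "range" and len(rest) == 3:
            lo, hi = _port(rest[1]), _port(rest[2])
        else:
            continue                       # syntax outside this simplified subset
        hit = sorted(p for p in RISKY[t[3]] if lo <= p <= hi)
        if src == "any" and hit:
            findings.append((t[1], t[3], dst, hit))
    return findings

# Constructed sample rules (documentation addresses, hypothetical ACL name).
SAMPLE = """\
access-list outside_in permit tcp any host 203.0.113.10 eq ftp
access-list outside_in permit tcp any host 203.0.113.10 eq netbios-ssn
access-list outside_in permit udp any host 203.0.113.10 range 137 138
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 445
access-list outside_in permit tcp any host 203.0.113.10 eq 445
access-list outside_in deny tcp any any eq 139
"""
```

Calling `exposed_rules(SAMPLE)` reports the three rules open to any source and skips the FTP rule, the source-restricted rule and the deny.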
 
LVL 7

Assisted Solution

by:dec0mpile
dec0mpile earned 600 total points
ID: 39236062
FTP is always a security risk because it transmits login information (including passwords) in plain text.

You should at the very least consider using SFTP (encrypted) connection.
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

I've found third party programs are generally more secure than Windows.
This is a good product: http://www.globalscape.com/mft/

That all being said if the data is sensitive I recommend that you do not run a public FTP or SFTP server. The only way to provide security for sensitive data is to keep it on the internal network and make the users VPN into your network before accessing the files.
0
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 200 total points
ID: 39238651
Look into SMB (Server Message Block) over IP Sec Tunnel or SSL... The ports associated with NetBIOS are often blocked by ISPs, because of the vulnerability to you.

Sonic Wall provides a means to provide SMB over a secured Tunnel connection.
0

Author Comment

by:mike2401
ID: 39238727
I believe our lan admin just tried SMB alone (no netbios) and it did not work.  

We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare.

Thx

Mike
0
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39238791
"We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare."

The VPN option is something to consider only if the data you are hosting is sensitive.

If that is not the case then just set up a simple SFTP server by running SSH server and windows or third party software and opening the ports on your firewall.

http://www.freesshd.com/?ctt=overview
https://wiki.filezilla-project.org/FileZilla_FTP_Server
0
 

Author Comment

by:mike2401
ID: 39245423
Thank you everyone, we've abandoned our vision of mapping drives across the internet (not within a vpn)

Mike
0
 

Author Closing Comment

by:mike2401
ID: 39245430
Thanks everyone!
0

Question has a verified solution.