Solved

Netbios file sharing over Internet: is it safe?

Posted on 2013-06-10
Last Modified: 2013-06-13
Background:
-------------------
Our Windows 2008 FTP server is in our PIX powered DMZ.

We've opened ports so the FTP server can chat with our internal domain controllers so field users can use their domain\userid to log into the FTP server.  Years ago, we used local userid/passwords on the ftp server but found it to be a hassle from a two-accounts redundancy and disaster recovery perspective.  Our FTP server in the DMZ is backed up daily, and we also take hourly snapshots using REPLAY (backup/restore tool).

Proposal:
--------------
We are entertaining opening up the incoming netbios ports to the DMZ so our field laptop users can map a drive to our already existing ftp server.  The objectives are:

not have local data on the laptops - the users would open the files from the X: which would actually be on our dmz server,

so their data is backed up, and

so their data is easily share-able with other laptop folks in the same department (using the ntfs security permissions on the file server).

Right now, we're interested in cobbling together some kind of free solution, so not really able to consider something like SharePoint.

Question:
---------------
1. What are the incremental risks or issues of opening up incoming netbios ports to the dmz?

2. Is there a better way to fulfill the objectives stated above?


Notes:
--------
Most of our laptop folks have dsl or cable modem.  A few access the internet via a slow mobile broadband card modem, but we are trying to upgrade bandwidth subject to availability.


Thanks for any thoughts,
Mike
0
Question by:mike2401
7 Comments
 

Accepted Solution

by:
Dave Baldwin earned 300 total points
I think that opening up 'netbios ports' to the internet is an invitation to disaster.  On the other hand, it may not even work because 'netbios ports' are often blocked by ISPs.
0
 

Assisted Solution

by:dec0mpile
dec0mpile earned 150 total points
FTP is always a security risk because it transmits login information (including passwords) in plain text.

You should at the very least consider using SFTP (encrypted) connection.
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

I've found third-party programs are generally more secure than Windows.
This is a good product: http://www.globalscape.com/mft/

That all being said if the data is sensitive I recommend that you do not run a public FTP or SFTP server. The only way to provide security for sensitive data is to keep it on the internal network and make the users VPN into your network before accessing the files.
0
 

Assisted Solution

by:ChiefIT
ChiefIT earned 50 total points
Look into SMB (Server Message Block) over an IPsec tunnel or SSL... The ports associated with NetBIOS are often blocked by ISPs, because of the vulnerability to you.

SonicWall provides a means to provide SMB over a secured tunnel connection.
0
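As an added example (not part of the original thread): a small Python check that scans PIX-style access-list lines for rules exposing the NetBIOS/SMB ports discussed in the answers above, or FTP's cleartext control port, to any source. The sample ACL, its names and its addresses (documentation range 203.0.113.0/24) are constructed, and the parser assumes only the simple `permit <proto> any <dst> eq|range` rule form.

```python
import re

# (protocol, port) pairs an Internet-facing ACL should not permit from "any".
RISKY = {("udp", 137): "NetBIOS name service",
         ("udp", 138): "NetBIOS datagram service",
         ("tcp", 139): "NetBIOS session service (SMB)",
         ("tcp", 445): "SMB over TCP",
         ("tcp", 21): "FTP control channel (cleartext login)"}
# Port keywords used in the constructed sample below.
NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
         "ftp": 21, "ssh": 22}

RULE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?permit\s+"
    r"(?P<proto>tcp|udp)\s+any\s+(?:host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?:eq\s+(?P<eq>\S+)|range\s+(?P<lo>\S+)\s+(?P<hi>\S+))\s*$")

def port(tok):
    """Resolve a port keyword or number; None if it is neither."""
    try:
        return NAMES.get(tok) or int(tok)
    except ValueError:
        return None

def audit(config):
    """Return (line_no, acl, proto, port, reason) for each risky permit-from-any."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m:
            continue  # not a permit-from-any rule in the supported form
        lo, hi = port(m["eq"] or m["lo"]), port(m["eq"] or m["hi"])
        if lo is None or hi is None:
            continue  # unknown port keyword: leave for manual review
        for (proto, p), why in sorted(RISKY.items()):
            if proto == m["proto"] and lo <= p <= hi:
                findings.append((n, m["acl"], proto, p, why))
    return findings

# Constructed sample ACL, not taken from the thread.
SAMPLE = """\
access-list outside_in permit tcp any host 203.0.113.10 eq ftp
access-list outside_in permit tcp any host 203.0.113.10 eq 22
access-list outside_in permit udp any host 203.0.113.10 range netbios-ns netbios-dgm
access-list outside_in permit tcp any host 203.0.113.10 range 139 445
access-list dmz_in permit tcp host 203.0.113.10 host 10.0.0.5 eq 445
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d [%s] %s/%d open to any: %s" % finding)
```
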
 

Author Comment

by:mike2401
I believe our lan admin just tried SMB alone (no netbios) and it did not work.  

We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare.

Thx

Mike
0
 

Expert Comment

by:dec0mpile
"We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare."

The VPN option is something to consider only if the data you are hosting is sensitive.

If that is not the case then just set up a simple SFTP server by running SSH server and Windows or third-party software and opening the ports on your firewall.

http://www.freesshd.com/?ctt=overview
https://wiki.filezilla-project.org/FileZilla_FTP_Server
0
 

Author Comment

by:mike2401
Thank you everyone, we've abandoned our vision of mapping drives across the internet (not within a vpn)

Mike
0
 

Author Closing Comment

by:mike2401
Thanks everyone!
0
