Solved

Netbios file sharing over Internet: is it safe?  . . .

Posted on 2013-06-10
Last Modified: 2013-06-13
Background:
-------------------
Our Windows 2008 FTP server is in our PIX-powered DMZ.

We've opened ports so the FTP server can chat with our internal domain controllers so field users can use their domain\userid to log into the FTP server.  Years ago, we used local userid/passwords on the FTP server but found it to be a hassle from a two-accounts redundancy and disaster recovery perspective.  Our FTP server in the DMZ is backed up daily, and we also take hourly snapshots using REPLAY (backup/restore tool).

Proposal:
--------------
We are entertaining opening up the incoming NetBIOS ports to the DMZ so our field laptop users can map a drive to our already existing FTP server.  The objectives are:

not have local data on the laptops - the users would open the files from the X: which would actually be on our DMZ server,

so their data is backed up, and

so their data is easily shareable with other laptop folks in the same department (using the NTFS security permissions on the file server).

Right now, we're interested in cobbling together some kind of free solution, so not really able to consider something like SharePoint.

Question:
---------------
1. What are the incremental risks or issues of opening up incoming NetBIOS ports to the DMZ?

2. Is there a better way to fulfill the objectives stated above?


Notes:
--------
Most of our laptop folks have DSL or cable modem.  A few access the internet via a slow mobile broadband card modem, but we are trying to upgrade bandwidth subject to availability.


Thanks for any thoughts,
Mike
0
Comment
Question by:mike2401
7 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 300 total points
ID: 39235992
I think that opening up 'netbios ports' to the internet is an invitation to disaster.  On the other hand, it may not even work because 'netbios ports' are often blocked by ISPs.
0
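
An added example, not part of the original thread: one way to check a firewall configuration for the exposure the accepted answer warns about. It scans PIX-style `access-list` lines for permits that let any source reach the NetBIOS ports (137/udp, 138/udp, 139/tcp) or direct-hosted SMB (445/tcp). The ACL name, addresses and simplified rule grammar are assumptions made for illustration.

```python
import re

# NetBIOS name, datagram and session services, plus direct-hosted SMB.
RISKY = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
# Port keywords PIX accepts in place of numbers.
NAMED = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Constructed sample ACL using documentation addresses; not from the thread.
SAMPLE_ACL = """\
access-list outside_in permit tcp any host 203.0.113.10 eq ftp
access-list outside_in permit tcp any host 203.0.113.10 eq netbios-ssn
access-list outside_in permit udp any host 203.0.113.10 range 137 138
access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.10 eq 445
access-list outside_in deny tcp any any eq 445
"""

# Simplified grammar: only permit rules with an explicit destination port.
RULE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<op>eq|range)\s+(?P<ports>.+)$")

def port_num(tok):
    """Resolve a numeric port or NetBIOS keyword; None for anything else."""
    return NAMED.get(tok, int(tok) if tok.isdigit() else None)

def exposed_netbios_rules(acl_text, any_source_only=True):
    """Return (acl, proto, ports, rule) for permits covering NetBIOS/SMB ports."""
    findings = []
    for line in acl_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # deny rules, remarks and portless rules are skipped
        toks = m["ports"].split()
        lo = port_num(toks[0])
        hi = port_num(toks[1]) if m["op"] == "range" and len(toks) > 1 else lo
        if lo is None or hi is None:
            continue  # other named services such as ftp
        hits = sorted(p for proto, p in RISKY
                      if proto == m["proto"] and lo <= p <= hi)
        if hits and (m["src"] == "any" or not any_source_only):
            findings.append((m["acl"], m["proto"], hits, line.strip()))
    return findings

if __name__ == "__main__":
    for acl, proto, ports, rule in exposed_netbios_rules(SAMPLE_ACL):
        print(f"{acl}: {proto} {ports} open to any source -> {rule}")
```

The check does not model first-match rule ordering or object groups, so treat a finding as a prompt to read the rule in context.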
 
LVL 7

Assisted Solution

by:dec0mpile
dec0mpile earned 150 total points
ID: 39236062
FTP is always a security risk because it transmits login information (including passwords) in plain text.

You should at the very least consider using SFTP (encrypted) connection.
http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

I've found third party programs are generally more secure than Windows.
This is a good product: http://www.globalscape.com/mft/

That all being said if the data is sensitive I recommend that you do not run a public FTP or SFTP server. The only way to provide security for sensitive data is to keep it on the internal network and make the users VPN into your network before accessing the files.
0
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 50 total points
ID: 39238651
Look into SMB (Server Message Block) over IPsec Tunnel or SSL... The ports associated with NetBIOS are often blocked by ISPs, because of the vulnerability to you.

SonicWall provides a means to provide SMB over a secured Tunnel connection.
0

 

Author Comment

by:mike2401
ID: 39238727
I believe our LAN admin just tried SMB alone (no NetBIOS) and it did not work.

We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare.

Thx

Mike
0
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39238791
"We're not going to do a VPN just for FTP.  That seems like total over-kill and a support nightmare."

The VPN option is something to consider only if the data you are hosting is sensitive.

If that is not the case then just set up a simple SFTP server by running SSH server and Windows or third party software and opening the ports on your firewall.

http://www.freesshd.com/?ctt=overview
https://wiki.filezilla-project.org/FileZilla_FTP_Server
0
 

Author Comment

by:mike2401
ID: 39245423
Thank you everyone, we've abandoned our vision of mapping drives across the internet (not within a vpn)

Mike
0
 

Author Closing Comment

by:mike2401
ID: 39245430
Thanks everyone!
0

Question has a verified solution.