5 Comments
How do you secure it so that its broadcast traffic serves the LAN only? Do you make filters on your router? If so, how do you do it for a home router, which has less functionality than an enterprise one?

Also, even if you change ports for the services, you still have the same problem at the beginning. NetBIOS and SMB may not be important to Windows anymore, but the protocols do serve an important role in "bridging" *NIX type OSs to co-operate and share files. So what alternatives do you recommend over the network (secure ones too?)?
0 Votes
Samba and LAN
DNSB 17th Mar 2008
As I read the story, he was discussing disabling those capabilities on a web server which is exposed to the public and not on the internal side of the LAN. Here, we use a three segment setup on our firewall so that we have an internal (trusted?), external (aka the rest of you zombies) and DMZ (sorta trusted but keep them away from the rest of us).

The servers in the DMZ do not have the MS Client or File and Print Sharing installed.
We mandate using secureFTP if you want to move files to/from the public servers. We do not allow printing from any of them, so removing file and print is not going to be an issue.

As for your home router, unless you deliberately put a machine in its DMZ or equivalent, or set up port forwarding to send ports 137-139 or 445 to an internal system, those packets are going to the bit bucket.
0 Votes
I was wondering what happens to the broadcast traffic SMB generates on the LAN and its interception on the Web. Thank you for the clarification. Very concise!
0 Votes
No problem.
DNSB 21st Mar 2008
Thanks for the comment.
If a web server is compromised (let us say to the point of the hacker being able to run admin level commands - aka remote code execution or remote execution), SMB is the least you should worry about.
Disabling SMB would only slow the inevitable.
My advice to companies with their own hosted webservers is thus:
1. All webservers exposed to the internet must be installed alongside a firewall and an Intrusion Detection System (IDS). The firewall has to be configured for a DMZ (with webservers and other exposed servers placed in the DMZ). The firewall must also be configured for robust port filtration, denial of service attack mitigation, and other pertinent security settings.
2. For smaller businesses where this technology cost is an issue, please have your services hosted by a big hosting company that would guarantee your security to an extent.
It is a fair assumption to make that all computers/devices connected to the net can be compromised. When compromised, it is an important security concept to mitigate the severity of the compromised system. Port filtration, though not enough to adequately secure a server, greatly prevents compromised outward traffic (for example, blocking inward or outward SMB ports/data on the external port of your firewall or router would completely filter SMB traffic from your webserver even if SMB is turned on on the web server. A hacker will have to configure the compromised server to route outward traffic through an alternate port. If this is the case, an IDS system would pick up the compromised traffic and alert the network admin, since SMB data has its unique characteristics).

Small businesses should at least configure a basic firewall on the webserver (in case they do not have a dedicated firewall system), and should not enable SMB traffic out of their LAN. For example, Windows Server 2003 and its successor Windows Server 2008 have this basic firewall functionality. I am sure Linux and the various NIX systems have the same or similar firewall functionalities.
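As an added illustration of the last point (example code written for this page, not from the thread or any product): SMB keeps its NetBIOS/SMB framing even when moved to a non-standard port, so a sensor watching the external interface can block the well-known ports outright and flag the signature anywhere else. Interface names, ports and the sample payloads are constructed assumptions.

```python
"""Flag SMB framing on an external interface regardless of destination port."""

SMB_PORTS = {137, 138, 139, 445}          # NetBIOS name/datagram/session + direct SMB
EXTERNAL_IFACES = ("eth0",)               # assumption: eth0 faces the internet


def smb_signature(payload: bytes):
    """Return 'SMB1', 'SMB2' or None for one TCP payload.

    Direct-hosted SMB (445) and NetBIOS session service (139) both prefix every
    message with a 4-byte header: type 0x00 (session message) + 3-byte
    big-endian length. The SMB header that follows starts with 0xFF 'SMB'
    (SMB1) or 0xFE 'SMB' (SMB2/3). A real sensor must reassemble TCP segments;
    here each payload is assumed to be one complete message.
    """
    if len(payload) < 8 or payload[0] != 0x00:
        return None
    if int.from_bytes(payload[1:4], "big") != len(payload) - 4:
        return None                        # length field must match the body
    magic = payload[4:8]
    if magic == b"\xffSMB":
        return "SMB1"
    if magic == b"\xfeSMB":
        return "SMB2"
    return None


def classify_flow(iface: str, dst_port: int, payload: bytes):
    """Block SMB ports on external interfaces; alert on SMB seen elsewhere."""
    if iface not in EXTERNAL_IFACES:
        return None                        # LAN side: SMB is allowed here
    if dst_port in SMB_PORTS:
        return f"block: SMB port {dst_port} on external {iface}"
    sig = smb_signature(payload)
    if sig:
        return f"alert: {sig} framing on non-standard port {dst_port} via {iface}"
    return None


# Constructed sample messages: minimal SMB2 (64-byte header) and SMB1 (32-byte
# header, command 0x72 = negotiate), each wrapped in a NetBIOS session header.
SMB2_MSG = b"\x00\x00\x00\x40" + b"\xfeSMB" + bytes(60)
SMB1_MSG = b"\x00\x00\x00\x20" + b"\xffSMB" + b"\x72" + bytes(27)
HTTP_MSG = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"


def scan(flows):
    """Run classify_flow over (iface, dst_port, payload) tuples; return hits."""
    return [r for r in (classify_flow(*f) for f in flows) if r]
```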