Re: Why not use NETBEUI on Windows XP ??
ehgoodrich_at_hotmail.com
Date: 11/28/04
- Next message: Steven L Umbach: "Re: Usage of certificates with different DN"
- Previous message: Jetro: "Re: How to Install TCP/IP"
- In reply to: Jeff Cochran: "Re: Why not use NETBEUI on Windows XP ??"
- Next in thread: Steven L Umbach: "Re: Why not use NETBEUI on Windows XP ??"
- Reply: Steven L Umbach: "Re: Why not use NETBEUI on Windows XP ??"
- Reply: Jeff Cochran: "Re: Why not use NETBEUI on Windows XP ??"
- Messages sorted by: [ date ] [ thread ]
Date: 28 Nov 2004 08:35:18 -0800
Thanx for all the comments I received on this issue. I was quite
surprised at the high quality of all the responses I got.
I still have a few questions:
jeff.nospam@zina.com (Jeff Cochran) wrote in message news:<41ad5226.37836636@msnews.microsoft.com>...
> On 27 Nov 2004 10:52:18 -0800, ehgoodrich@hotmail.com wrote:
>
> >I've been googling for several hours now on this subject and can't
> >find a thread that answers all my concerns in this area. NETBEUI
> >seems to be a good solution for small office or home networks that
> >want to share files/printers internally in addition to sharing an
> >internet connection. Here are the pros and cons as I see them.
> >
> >PRO:
> >
> >It seems to me that NETBEUI offers an additional level of security for
> >small networks connected to the internet, even those using a hardware
> >router/firewall. Most people seem to agree that a protocol other than
> >TCP/IP is recommended when all your computers have a separate external
> >IP address (no NAT translation).
>
> Okay, that's just dumb. You already have a full TCP/IP network if
> each has their own IP address, NetBEUI offers no protection or
> security. NetBEUI isn't routable, which is where this idea is coming
> from, but NetBEUI has to be the *only* protocol on the systems, not
> TCP/IP.
I neglected to mention that I would (of course) unbind TCP/IP from the
Microsoft Networking components on my network. Does this help my
scenario in your opinion? If no, Why not?
>
> >However, even if you do have a NAT
> >firewall, it seems to me that someone could format packets designed to
> >access your internal IP addresses. If they were successful, and you
> >are using TCP/IP for Microsoft Networking, they now have access to all
> >your network resources. However, if you are using NETBEUI (or some
> >other protocol) for Microsoft Networking, they have some additional
> >work to do in order to get to those same resources.
>
> True. Unless you use both.
But I'm not using both internally. See above.
>
> >In addition, if you start messing with your firewall (opening ports,
> >etc. as many gamers, VPN users, etc. must do), it is difficult to know
> >exactly what security holes you have opened up. Again, if you're
> >using NETBEUI for internal file/printer sharing, it's simple: your
> >network resources are protected because Microsoft Networking is not
> >bound to TCP/IP.
>
> Only if you remove the bindings or don't use TCP/IP on internal
> systms.
>
> >(NOTE: I realize that if you open up a big enough
> >hole in your firewall, someone could get onto one of your machines and
> >reconfigure MS Networking to do whatever they wanted. However, I
> >think most would agree this is more difficult than just getting past
> >the firewall.)
>
> I wouldn't, but it's not an actual issue. When you're compromised,
> you're compromised.
I think we're all compromised to some extent. Like physical security,
if someone wants to bad enough, they WILL find a way into your system.
I'm just trying to put more locks on the door.
>
> >I also use a software firewall (NIS 2004) on my computers, especially
> >my laptop that is frequently connected directly to the internet away
> >from the house without any hardware router/firewall. In that program
> >(and most other simple software firewalls), I have to put my local
> >Microsoft Networked computers in a "Trusted Zone" to allow
> >file/printer sharing over TCP/IP. I'm not sure (and have never gotten
> >exact information from Symantec) what this does, but I have to assume
> >the worst: there are NO firewall limitations AT ALL on communications
> >between computers in the "Trusted Zone".
>
> What is most disturbing is that you have configured the system
> security without knowing what it does. The admin is far more often
> the culprit than any software issue in any security breach.
I have tried to find out what adding computers to the "Trusted Zone"
in Symantec's Norton Internet Security 2004 means, but have been
unable to locate that information. As I said, I believe (from reading
and testing) that it means "disable the firewall for any
communications between me and any computer in the Trusted Zone".
>
> >This does not seem
> >acceptable to me, since it is easy to invision a scenario whereby my
> >daughter takes her laptop to school and picks up some malicious code
> >and returns to my network, or a friend comes over with his infected
> >wireless laptop and connects to my network to print something. In
> >either case, if all computers in my local subnet are in my "Trusted
> >Zone", the malicious code can spread throughout the network with no
> >restrictions.
>
> Not even close to a valid assumption. Malicious code is simply code.
> It doesn't actually "spread". That requires a mechanism of some sort,
> such as a trojan, active virus, activated email link, or the code
> being run. And firewalls don't block that.
If the malicious code executes on an infected machine and tries to
replicate itself over my network via TCP/IP NETBIOS ports, it will
fail if TCP/IP is not bound to MS Networking. Is that not correct?
>
> >HOWEVER, if I use NETBEUI for internal file/print
> >sharing, I don't have to put ANYONE in the "Trusted Zone", and the
> >same scenario would result in my NIS firewall (hopefully) raising a
> >flag when the malicious code attempts to spread itself inside my home
> >network.
>
> You don't have to put anyone in any "trusted zone" and never should
> unless you actually trust that system.
OK, here's where I started worrying about all this:
Inside my home, I believe I am fairly secure behind a NAT
router/firewall, with strong admin passwords, users logged on to
non-admin accounts and an additional software firewall and antivirus
program on ALL machines (NIS 2004).
However, I am a VERY mobile user: two of the three machines on my
network are laptops and one of those spends more time connected away
from home than behind the hardware router. That one is made more
secure by not even installing File and Print sharing for MS Networks.
When I am connecting to the Internet outside my hardware firewall, I
am obviously relying heavily on NIS to protect me from the bad guys...
But here's the two scenarios I am most concerned with:
1. I want to be able to allow friends who come inside my house to
connect to my network, primarily to share my internet connection, but
also to use my printers if necessary and perhaps share files.
Obviously the internet connection does not require F&PS, but the
others do. Is there a way I can allow this safely?
2. More importantly, I want to be able to take my laptop to friend's
houses and do the same things. Even if I don't have F&PS installed on
my laptop (because I don't want to share MY stuff with them, just the
converse!), I do need Client for MS Networks installed and bound to
SOME protocol in order to access their files/printers. In addition,
if that protocol is TCP/IP, then I HAVE to either disable Norton's
firewall, OR put their machine in the "Trusted Zone" as I mentioned
before. Otherwise, NIS will prevent me from accessing any of their
shared resources. (I don't understand why I need to "trust" them if I
just want to use THEIR resources, but that's what Norton appears to
require. If anyone knows of another way to achieve this with NIS,
PLEASE LET ME KNOW!!!) However, if I bind NETBEUI (and ONLY NETBEUI)
to Client for MS Networks, then Norton ignores my MS Network traffic,
and I can keep it enabled monitoring the TCP/IP traffic to and from my
machine.
Can you tell me a way to do this WITHOUT using NETBEUI and still
maintaining my software firewall?? Please don't tell me to get better
software. NIS may not be the best solution, but most other products
behave in the same way from what I have seen. Even the XP firewall
(obviously not the best example) must be disabled in order to use
F&PS.
>
> >CON:
>
> >Microsoft no longer "supports" NETBEUI... SO WHAT??!! Microsoft
> >support has never been that great anyway for home users and
> >furthermore, WHAT's to support? Whenever I have used NETBEUI in the
> >past (since ~ 1996, when I began moving away from IPX/SPX), it has
> >worked. (read "it has worked period"). It's trivial to install
> >NETBEUI on XP from the Install Disk (or as someone pointed out, you
> >can use the NETBEUI files from a W2K installation).
> >
> >So, please tell me why I shouldn't use NETBEUI to reduce my security
> >concerns in this day when security is the single biggest problem
> >computer users face??
>
> Because you've drawn the conclusion that NetBEUI is a secure protocol,
> and that NetBEUI will protect your network by virtue of being on it.
> Any worm that travels by Windows networking will travel via any
> protocol you have on the system. NetBEUI is a non-secure protocol.
>
> >Please be specific: I've already seen too many general answers like:
> >
> >"too many protocols slows down your network" (I only want to use two)
> >"NETBEUI is not supported" (see above)
> >"NETBEUI causes problems, especially with XP" (Please give specific
> >example)
>
> NetBEUI is chatty and causes additional overhead on the network.
> NetBEUI in addition to another protocol can disguise networking
> problems making troubleshooting harder. NetBEUI is inherently
> insecure because you cannot block or modify any protion of it, it's
> either on or off.
>
> And mostly. NetBEUI is only a security assett when used correctly, as
> the only protocol on an internal network which only faces threats from
> an outside network, running through a router that can translate
> between NetBEUI and TCP/IP.
>
> Jeff
Thanx again, Jeff (and Lanwench and Steve) for your detailed comments.
It seems to me that what Jeff and Lanwench are implying is the
following:
Malicious code that replicates itself (whatever name you want to give
it: trojan, virus, etc.) typically does NOT use TCP/IP specific
networking (trying specific TCP ports, etc.) to perform the
replication. It will instead try to replicate via higher level
network services (i.e. MS Networking). If that is the case, it
doesn't matter what underlying protocol is bound to MS Networking,
since if ANY protocol is bound the connection will be successful.
Now, if the above assumption is true, then I agree my reliance on
NETBEUI to help protect my systems is foolish. But it also follows
that this has nothing to do with XP, and if it is true now, then it
was true back in the days of Win95, Win98 and ME. If that is the
case, then is Steve's article (I assume it is yours; if not, please
accept my apologies) at:
http://www.practicallynetworked.com/sharing/netbeui.htm
also invalid?? If not, what's the difference??
This article (and others like it) is where I first got the idea of
using different protocols for internal and external communications.
The subsequent comments I've seen regarding NETBEUI and WinXP focused
on Microsoft's removing "support" for NETBEUI and NOT on the validity
of the original concept promoted in the article.
Thanx in advance for any further responses,
emmette
- Next message: Steven L Umbach: "Re: Usage of certificates with different DN"
- Previous message: Jetro: "Re: How to Install TCP/IP"
- In reply to: Jeff Cochran: "Re: Why not use NETBEUI on Windows XP ??"
- Next in thread: Steven L Umbach: "Re: Why not use NETBEUI on Windows XP ??"
- Reply: Steven L Umbach: "Re: Why not use NETBEUI on Windows XP ??"
- Reply: Jeff Cochran: "Re: Why not use NETBEUI on Windows XP ??"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
