Re: Why not use NETBEUI on Windows XP ??

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 11/29/04


Date: Mon, 29 Nov 2004 16:12:04 GMT


>OK, here's where I started worrying about all this:
>Inside my home, I believe I am fairly secure behind a NAT
>router/firewall, with strong admin passwords, users logged on to
>non-admin accounts and an additional software firewall and antivirus
>program on ALL machines (NIS 2004).
>However, I am a VERY mobile user: two of the three machines on my
>network are laptops and one of those spends more time connected away
>from home than behind the hardware router. That one is made more
>secure by not even installing File and Print sharing for MS Networks.
>When I am connecting to the Internet outside my hardware firewall, I
>am obviously relying heavily on NIS to protect me from the bad guys...

I'd suggest that's a major issue. Since there are many attacks that
can't be blocked by a firewall, relying on a firewall for *all* your
security isn't very healthy. You don't mention other security tools
you may or may not use, so I really don't have any specific comments.

>But here's the two scenarios I am most concerned with:
>1. I want to be able to allow friends who come inside my house to
>connect to my network, primarily to share my internet connection, but
>also to use my printers if necessary and perhaps share files.
>Obviously the internet connection does not require F&PS, but the
>others do. Is there a way I can allow this safely?

Depends a lot on how printers are "used" but basically, secure your
systems from attacks that don't come from an internet connection.
Firewalls can do this.

>2. More importantly, I want to be able to take my laptop to friend's
>houses and do the same things. Even if I don't have F&PS installed on
>my laptop (because I don't want to share MY stuff with them, just the
>converse!), I do need Client for MS Networks installed and bound to
>SOME protocol in order to access their files/printers. In addition,
>if that protocol is TCP/IP, then I HAVE to either disable Norton's
>firewall, OR put their machine in the "Trusted Zone" as I mentioned
>before.

Couldn't tell you. Norton's may not be as configurable as you need,
but you should be able to open specific ports to specific systems.

>Otherwise, NIS will prevent me from accessing any of their
>shared resources. (I don't understand why I need to "trust" them if I
>just want to use THEIR resources, but that's what Norton appears to
>require. If anyone knows of another way to achieve this with NIS,
>PLEASE LET ME KNOW!!!) However, if I bind NETBEUI (and ONLY NETBEUI)
>to Client for MS Networks, then Norton ignores my MS Network traffic,
>and I can keep it enabled monitoring the TCP/IP traffic to and from my
>machine.

So you use NetBEUI and allow Microsoft Networking across it, correct?
And a virus/trojan that replicates through network shares is now
blocked by..., well, it's not. You're now exposed and vulnerable.

>Can you tell me a way to do this WITHOUT using NETBEUI and still
>maintaining my software firewall?? Please don't tell me to get better
>software. NIS may not be the best solution, but most other products
>behave in the same way from what I have seen. Even the XP firewall
>(obviously not the best example) must be disabled in order to use
>F&PS.

File and printer sharing works perfectly well with both Norton's and
XP's firewalls running. You need to configure them correctly.

And if you intend to share files, you're open to one of the files
being infected. You're open to all the standard issues on any
networked system. You need to use a combination of security, NTFS
permissions, firewall settings, auditing changes and so on.

NetBEUI, as you're using it, provides a false sense of security.
Which is often worse than no security at all.

>Malicious code that replicates itself (whatever name you want to give
>it: trojan, virus, etc.) typically does NOT use TCP/IP specific
>networking (trying specific TCP ports, etc.) to perform the
>replication. It will instead try to replicate via higher level
>network services (i.e. MS Networking). If that is the case, it
>doesn't matter what underlying protocol is bound to MS Networking,
>since if ANY protocol is bound the connection will be successful.

Quite true. Or it may not rely on any transport other than user
action.

>Now, if the above assumption is true, then I agree my reliance on
>NETBEUI to help protect my systems is foolish. But it also follows
>that this has nothing to do with XP, and if it is true now, then it
>was true back in the days of Win95, Win98 and ME. If that is the
>case, then is Steve's article (I assume it is yours; if not, please
>accept my apologies) at:
>
>http://www.practicallynetworked.com/sharing/netbeui.htm
>
>also invalid?? If not, what's the difference??

It's very valid. In one instance only. Let's say you have system A,
using TCP/IP, which is external to your control so it may become
compromised. System B connects to it via TCP/IP. System C connects
to system B via NetBEUI.

System C is protected from direct attacks by system A, since there is
no network path to reach it. System C cannot get to system A to share
resources either.

I've never put much stock in the binding/unbinding of protocols but
leaving them on the system, too much administration and too many
points where a misconfiguration destroys everything. And using
NetBEUI internally made sense years ago, when there were few automated
attacks and they exploited a relatively few access points. No longer
the case.

>This article (and others like it) is where I first got the idea of
>using different protocols for internal and external communications.
>The subsequent comments I've seen regarding NETBEUI and WinXP focused
>on Microsoft's removing "support" for NETBEUI and NOT on the validity
>of the original concept promoted in the article.

The original articles have been overshadowed by developments over
time. While still possibly valid, they really aren't the best methods
available.

Similar is the suggestion that internet servers shouldn't advertise
their software versions in the headers (or FTP servers). The idea is
it makes a hacker's job easier if they know the software used, it's
referred to as security by obscurity. But an attack script doesn't
care. It tries a known exploit, if it doesn't work it moves to the
next system. The IP may be a vulnerable system, or it may be an IP
addressable coffee pot. Either way, it still gets attacked.

Jeff
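The reply above says File and Printer Sharing works with the XP firewall running if it is configured correctly, and that you should be able to open specific ports to specific systems. The following is an added example (not from this thread) of doing exactly that with XP SP2's built-in firewall from a command prompt; it assumes the XP SP2 `netsh firewall` context, and the LAN addresses shown are constructed placeholders for your own router's range.

```batch
@echo off
rem Added example, not from the thread: keep the XP SP2 Windows Firewall on
rem and still allow File and Printer Sharing, scoped to the home LAN only.
rem Assumes the XP SP2 "netsh firewall" context; the 192.168.1.x addresses
rem are constructed placeholders for your own router's LAN range.

rem 1. Make sure the firewall stays enabled on every profile.
netsh firewall set opmode mode=ENABLE profile=ALL

rem 2. Open the File and Printer Sharing service (TCP 139/445, UDP 137/138)
rem    only to hosts on the local subnet, not to the whole Internet.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem    Tighter alternative: open it only to specific machines you name.
rem    (Use this instead of step 2, not in addition to it.)
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.168.1.10,192.168.1.11

rem 3. The roaming laptop that only *uses* other people's shares needs no
rem    opening at all: the XP firewall filters inbound connections, so
rem    outbound Client for MS Networks traffic passes with it enabled.
rem    If that laptop never shares anything, keep the service closed:
rem netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

rem 4. Verify: FILEANDPRINT should show ENABLE with scope SUBNET (or the
rem    custom address list), and opmode should remain ENABLE.
netsh firewall show service
netsh firewall show config
```

The same scoping applies to the NetBEUI question in the thread: with SMB bound to TCP/IP and the firewall limited to the LAN, shares are reachable by the machines you chose and by nothing on the Internet, without relying on a transport the firewall cannot see.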


