Date: Thu Mar 22 2007 - 14:15:49 CDT
True, SSH and WebDAV are better options, but that's changing the topic.
I'm guessing since it's an "untrusted server" that someone else is
administering it. So using a different protocol probably isn't an
As far as being less likely to draw attention from attackers than
opening up SMB ports, the key here is to only open SMB ports to allow
communication between the server and client. Don't just open SMB ports
to the world because you need to communicate with one IP address on the
other side of your firewall. That's as silly as opening all ports on a
server, just because you need one open.
> -----Original Message-----
> From: listbouncesecurityfocus.com
> [mailto:listbouncesecurityfocus.com] On Behalf Of James (njan) Eaton-
> Sent: Thursday, March 22, 2007 1:15 PM
> To: Jim Harrison
> Cc: aehealdgmail.com; focus-mssecurityfocus.com
> Subject: Re: Shared drives through a firewall
> Jim Harrison wrote:
> > You might consider using FTPS or SSH connections; they're relatively
> > secure, depending on the server/client package you select.
> Webdav is under-promoted in these scenarios - it's built on top of a
> well-understood and easily securable protocol (http), and it has great
> crossplatform support. Webdav allows access either via a webdav client
> that supports writing (windows explorer and gnome/nautilus both do
> and OSX/KDE/$desktopofchoice probably do too) or a standard http
> (ie, lynx, firefox). It supports well-understood mechanisms to encrypt
> traffic (TLS/SSL) and authenticate users (http basic auth).
> It has good application layer support from a wide variety of reverse
> proxy/firewall products (including ISA) designed for protecting web
> traffic if you choose to expose it externally.
> It's also fairly difficult to distinguish from a regular webserver, so
> it's far less likely to draw attention from attackers than opening up
> SMB ports, particularly if you had a webserver running anyway.
> There's also been webdav support in IIS and in Apache for quite some
> - James.
> James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
> "The universe is run by the complex interweaving of three
> elements: Energy, matter, and enlightened self-interest." - G'Kar
> https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
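
The advice in the reply above (open SMB ports only between the specific server and client, never to the world) can be checked mechanically. The following is an added example, not part of the original thread: it audits a rule list for allow rules that expose NetBIOS/SMB ports to anything other than approved peer addresses. The `action proto source port` rule format, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# NetBIOS/SMB ports: 137-138/udp, 139/tcp, 445/tcp
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample rule set in a hypothetical "action proto source port" format.
SAMPLE_RULES = """\
allow tcp 0.0.0.0/0       443
allow tcp 0.0.0.0/0       445
allow tcp 203.0.113.10    445
allow tcp 198.51.100.0/24 139
deny  udp any             137
allow tcp any             22
"""

def parse_rule(line):
    """Split one rule line into (action, proto, source network, port)."""
    action, proto, source, port = line.split()
    if source == "any":
        source = "0.0.0.0/0"
    return action, proto, ipaddress.ip_network(source, strict=False), int(port)

def audit_smb_rules(text, allowed_peers):
    """Return (line_no, rule, reason) for allow rules exposing SMB beyond allowed_peers."""
    peers = [ipaddress.ip_address(p) for p in allowed_peers]
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#")[0].strip()
        if not line:
            continue
        action, proto, net, port = parse_rule(line)
        if action != "allow" or (proto, port) not in SMB_PORTS:
            continue
        if net.num_addresses > 1:
            # A whole network (or the world) can reach the SMB port.
            reason = f"source {net} covers {net.num_addresses} addresses"
        elif net.network_address not in peers:
            reason = f"source {net.network_address} is not an approved peer"
        else:
            continue  # single approved host: the scoped rule the reply recommends
        findings.append((n, line, reason))
    return findings

if __name__ == "__main__":
    for n, rule, reason in audit_smb_rules(SAMPLE_RULES, ["203.0.113.10"]):
        print(f"line {n}: {rule!r}: {reason}")
```
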