Home Storage Area Network security

Bob German bobgerman at irides.com
Sun Sep 21 23:37:53 UTC 2003

Funny, in the earlier thread you argue against blocking ports as a means
of taking the steam out of these virii/worms.  In this one, you make the
point of SMB being insecure on the Internet.  Sorry if I'm replying to
thread A through thread B, but I feel they're connected.

At one point I agreed with you about blocking ports being a bad thing
and not what customers want.  They want unfiltered, and full.  Anything
less is theft.  Right?  Well, I started wavering as I learned more about
security, specifically, how insecure some protocols are by default.  

What caused me to completely cross over into the "port filtering is OK"
camp was the fact that Microsoft themselves, in a "securing Windows NT"
document we found a while back, recommended that due to inherent
insecurities, NetBIOS be disabled on Internet machines.  If the vendor
says it shouldn't be connected to the Internet, I tend to agree.  

Obviously I won't recommend that transit providers do the same thing.
But as an access and hosting provider, I block NetBIOS by default, and
let my customers know.  If a customer comes to me and says, "hey, I'm
running Exchange and my customers need to connect to it with Outlook," I
explain the risks involved, let them know they will have to be vigilant
about patching, and open the ACL for their Exchange server.  If I'm
feeling particularly talkative, I explain the benefits of using a VPN
over opening 135 and its unsafe brother and sister ports.

I have yet to lose a customer due to these policies, probably because I
chose to enforce it softly and flexibly.  In fact, I have converted one
customer, or rather the customer converted himself after not patching
his server quickly enough and becoming infected with Blaster.  Once he
realized how vulnerable he was, he changed the methodology he used to
connect his Exchange users to his server.

Your home storage example serves to illustrate further.  In today's
plug-and-play culture, end users and even lazy administrators often
overlook the security implications of some of the things they do.  By
filtering and explaining to my customers what and why I am filtering, I
am helping to educate and protect them.  This might be beyond the job
description of the edge ISP, but my customers seem to be happy with it.

-bob
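The policy Bob describes (NetBIOS/SMB blocked toward customer space by default, a narrow per-customer exception opened after the risks are explained) is easy to get wrong in one specific way: the exception has to sit *above* the default deny, or a first-match ACL never reaches it. The following Python model is an added example, not part of either message on this page, and it is not any ISP's real ACL. The prefixes 192.0.2.0/24 and 192.0.2.10 are constructed documentation addresses, and the port set (135, 137, 138, 139, 445) is an assumption about what "135 and its unsafe brother and sister ports" means.

```python
"""Model of a first-match edge ACL: NetBIOS/SMB blocked toward customer
space by default, with a narrow exception for one customer's server.
Constructed illustration; not a router configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed meaning of "135 and its unsafe brother and sister ports":
# RPC endpoint mapper, NetBIOS name/datagram/session, and SMB over TCP.
NETBIOS_SMB_PORTS = frozenset({135, 137, 138, 139, 445})

CUSTOMER_SPACE = "192.0.2.0/24"   # constructed: the access provider's customer block
EXCHANGE_HOST = "192.0.2.10/32"   # constructed: one customer's Exchange server


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", or "any"
    dst: str           # destination prefix in CIDR notation
    ports: frozenset   # destination ports; empty set means any port
    comment: str = ""

    def matches(self, proto, dst_ip, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.ports or dport in self.ports))


def evaluate(acl, proto, dst_ip, dport):
    """First match wins; an implicit deny sits at the end, as on a router."""
    for rule in acl:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"


def shadowed_rules(acl):
    """Return (later_index, earlier_index) pairs where an earlier rule already
    covers everything the later rule would match, so the later rule can never
    fire. This catches the classic mistake of adding a customer's permit
    underneath the default deny."""
    found = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            proto_ok = earlier.proto == "any" or earlier.proto == later.proto
            net_ok = ip_network(earlier.dst).supernet_of(ip_network(later.dst))
            ports_ok = (not earlier.ports) or (later.ports and earlier.ports >= later.ports)
            if proto_ok and net_ok and ports_ok:
                found.append((j, i))
                break
    return found


# The policy from the post: exception first, default block second, then
# the "unfiltered and full" permit for everything else.
ACL = [
    Rule("permit", "tcp", EXCHANGE_HOST, frozenset({135}), "Exchange customer, risks explained"),
    Rule("deny", "any", CUSTOMER_SPACE, NETBIOS_SMB_PORTS, "default NetBIOS/SMB block"),
    Rule("permit", "any", CUSTOMER_SPACE, frozenset(), "everything else unfiltered"),
]

# Same three rules with the exception placed after the deny: it is now dead.
MISORDERED_ACL = [ACL[1], ACL[0], ACL[2]]


if __name__ == "__main__":
    for proto, ip, port in [("tcp", "192.0.2.10", 135), ("tcp", "192.0.2.10", 445),
                            ("tcp", "192.0.2.20", 135), ("udp", "192.0.2.20", 137),
                            ("tcp", "192.0.2.20", 80)]:
        print(f"{proto} -> {ip}:{port}: {evaluate(ACL, proto, ip, port)}")
    print("shadowed in ACL:", shadowed_rules(ACL))
    print("shadowed in MISORDERED_ACL:", shadowed_rules(MISORDERED_ACL))
```

Running `shadowed_rules` before pushing a change is the check worth keeping: it flags the misordered copy (the Exchange permit at index 1 is covered by the deny at index 0) while the correctly ordered list passes. The exception modelled here is deliberately minimal; the RPC-based Outlook connection also depends on the dynamic ports the endpoint mapper hands out, which is one reason the VPN route Bob mentions is the cleaner answer than widening the ACL.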

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Sean Donelan
Sent: Sunday, September 21, 2003 5:59 PM
To: nanog at merit.edu
Subject: Home Storage Area Network security

I received a few comments about file servers not serving files by
default.

There are a bunch of home SAN products on the market.  They are designed
to make it very easy for customers to set up and use a home storage area
network.

I think these are very cool products, and although some geeks like
building stuff from scratch, other folks like buying stuff assembled and
working out of the box.  But they seem very dangerous when connected
directly to the open Internet without some access control turned on.
Instead they "assume" there will always be a secure firewall in place,
protecting the devices.

But in all the discussion about how secure their products are, you
rarely see an explicit requirement for these SAN devices to be installed
behind a firewall.  Just because you use Linux does not make SMB secure
on the Internet.

http://www.mirra.com/
Ease of Use: Just plug in Mirra, run the installer, and let it
auto-detect your network settings. Name your Mirra, say "ok" to the
recommended backup set (or select your own), then forget it. Remote
access is simple to use as well. No IPs to configure, no firewalls to
penetrate. Mirra does it for you.

http://www.martian.com/howtouseit.html
The NetDrive comes pre-configured from the factory, so you don't have to
worry about reading a long manual or learning about setting up file
serving software. Of course, if you do want to enable password
protection for your files or use a special network configuration, the
NetDrive's simple web-based configuration interface will let you.

What protocols does it serve files under?
The NetDrive uses the standard SMB protocol to share its files. This
makes it compatible with Windows PCs, Macs running OS X, and Linux
boxes.