Re: Is Samba the answer?
From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 14 Mar 2004 09:23:59 -0800
email@example.com (Richard Williamson) wrote in message news:<firstname.lastname@example.org>...
> Hi all
> I'm hoping that you guys can provide the solution to a problem which
> has caused many others to take a sharp intake of breath.
> At my school, the scenario is we have a Linux web server that we use
> to run a virtual learning environment. This has its own dedicated
> external IP
> address, as well as being connected to the LAN.
> We also have an internal network of Win2003 (sorry) servers and XP
> Is it possible using Samba to allow users access to their home
> directories on the 2003 server from home via the Linux machine with
> its own IP? ...
I'm answering this as quick as I can to save you from interminable
misery! See below!
> ... And if so, how? This must be a reasonably common
> requirement, so I figure that there must be instructions somewhere out
> there - it's just that I can't find them :(
> Many thanks
> Richard Williamson
Presumably you mean access from outside the school's net via the
If you are _addicted_ to "ease of use" such access can be done (with
or without Samba) -- just as exposing NFS services across the internet
can be done. In both cases, you might just as well get rid of your
firewall and put out a sign that says, "Welcome, come on in.
Many people want to do this as an easy way to provide file uploading
to web servers, user access to files, etc. You are trying to use your
Linux box as a means of providing authentication and access sevices to
your _internal_ network using one of the most insecure means possible.
Do you think your bank should try this? Do you think your school
network and the data on it is any less valued?
Reasons this is suicidal:
-- Inherently _insecure_ protocols and open ports must be running that
will readily expose your _entire_ network, especially the Win machines
-- Exposes password/authentication traffic on the internet for anyone
to sniff. Can you protect the passwords? Can you protect against
replay attacks? That Linux box would sure make a great place to set
up a man-in-the-middle attack -- can you secure it?
-- Probably before the first week is out, some student(s) will have
found one of the numerous ways to overcome any and all of your
"safeguards" and will have so many backdoors into your net that you'll
be forced to re-install the OS and files on _every_ machine on your
net (since you can't be sure which ones are infested).
-- Provides 24/7 access for the "bad guys" using their home
accounts/shares as a starting place and you won't be there to monitor
the activity. By the time you notice what's going on, you're cooked!
-- Are you really that confident of your ability/time to maintain
security in such an inherently hostile environment? And even if you
catch/punish the guilty, who ends up paying the most in time and money
to recover? Can you afford such convenience?
-- That Linux box would provide an _excellent_ base from which to
attack the internal network as well as being a target to be used for
laundering connections, etc. Can you really secure it? How can you
be sure? (This is already the case, but your "addition" would reduce
the effectiveness of your security measures 1,000-10,000%.)
-- Are your prepared to set up and maintain _internal_ firewalls? Log
reviews? Password auditing? Mandatory password policies? Remember,
you're inviting unmonitored access _inside_ your network 24/7. If
they get in at 2 a.m. and cover their tracks by 5 a.m. how will you
know they were even inside.
This list could continue for pages.
Granting _any_ kind of access to your internal network is _dangerous_
and is compounded if you don't have the resources to keep a close eye
I speak from the experience of having seen what happens following a
student "break-in". Fortunately, they were more interested in
mischief than vandalism or theft. Still the only way to be _sure_
everything was cleaned up was to wipe and replace software on every
disk in the high school. Not fun!
I think Samba or any other filesharing/exporting approach is the
_worst_ way to go if you feel compelled to allow external access to
your internal network. And any more secure approach will likely prove
"too inconvenient" by most end users.
Make the case that such access to your internal network is _necessary_
and not simply some innocent notion that it would be "nice to have".
Just my experience/opinion,
email above disabled