North American Network Operators Group


RE: Operational impact of filtering SMB/NETBIOS traffic?

  • From: Roeland Meyer
  • Date: Sun Nov 19 15:41:50 2000

> From: Ethan Butterfield [mailto:[email protected]]
> Sent: Sunday, November 19, 2000 11:45 AM
> To: Jim Mercer
> Cc: [email protected]
> Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?

> > From: Jim Mercer <[email protected]>
> > Subject: Re: Operational impact of filtering SMB/NETBIOS traffic?
> > 
> > As I understand it, IPsec doesn't use ports.
> >
> 
> Yes and no. IPSec uses UDP port 500 for the ISAKMP key exchange and the
> tunnel setup, but all other traffic is IP Protocol 50 (ESP) or 51 (AH).
> Most firewalls I've seen block weird (i.e., just about everything that's
> not standard TCP or IP Protocol 1 (ICMP)) by default, or at least flag it
> as strange.

In shops that block SSH, this is also what they do and is exactly what I
meant. I apologize for not communicating clearly and typing poorly (too many
decades writing code).

> It should not be hard to set up a persistent IPSec tunnel between UNIX
> hosts in order to pass SMB/NETBIOS traffic. You could even do it
> router-to-router in gateway mode and have the traffic be cleartext on the
> internal side of both networks, and 3DES/SHA-1 to the rest of the world.

When possible, I do this. The whole point of this is that transit providers
should not be filtering unless specifically requested.

> For the Road Warrior, though, it's going to be somewhat more difficult
> without using a VPN, as the Win32 implementations of IPSec are
> somewhat...lacking. (Or at least they were six months ago when I last
> tried the SSH IPsec shim for NT4.) Win2K's built-in IPSec makes life much
> easier...if you've got clients using Win2K. Can't vouch for
> interoperability between Win2K-UNIX, though. Never tried it myself.

I did, just as soon as it came out. It sux! Active Directory also does a
number on the DOMAIN stuff in Samba. Fortunately, it allows backwards
compatibility to old-style WinNT4SP5 hosts. In fact, and I am sure that MS
did it to mess with the Samba folks, the entire DOMAIN stuff has been
re-spec'd and re-written.

---
I can't afford to have a preference, I must be agnostic.
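The point made above about IPsec not using ports, and about default-deny firewalls that only admit TCP and ICMP, can be checked with a small packet classifier. This is an added example, not code from the thread; the packets, SPIs and the two policies are constructed for illustration.

```python
# Added example (not from the NANOG thread): a minimal IPv4 classifier
# showing why a firewall that only admits TCP and ICMP silently breaks
# IPsec. ESP (proto 50) and AH (proto 51) carry no port numbers; only the
# ISAKMP exchange uses UDP/500. Sample packets and SPIs are constructed.
import struct

ESP, AH, ICMP, TCP, UDP = 50, 51, 1, 6, 17

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def classify(pkt: bytes) -> dict:
    """Return the protocol plus ports (TCP/UDP) or SPI (ESP/AH)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    info = {"proto": proto}
    if proto in (TCP, UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif proto == ESP:
        info["spi"] = struct.unpack("!I", body[:4])[0]   # SPI, not ports
    elif proto == AH:
        info["spi"] = struct.unpack("!I", body[4:8])[0]  # after next-hdr/len/rsvd
    return info

# A rule is (protocol, destination port or None). Anything unlisted is "weird".
STRICT = [(TCP, None), (ICMP, None)]                  # the default described above
IPSEC_AWARE = STRICT + [(UDP, 500), (ESP, None), (AH, None)]

def permitted(info: dict, policy) -> bool:
    return any(p == info["proto"] and (d is None or d == info.get("dport"))
               for p, d in policy)

# Constructed samples: ISAKMP, ESP, AH, and ordinary TCP/445 (SMB in cleartext)
SAMPLES = {
    "isakmp": ipv4(UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "esp":    ipv4(ESP, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 8),
    "ah":     ipv4(AH,  struct.pack("!BBHII", TCP, 4, 0, 0xC0FFEE02, 1) + b"\x00" * 12),
    "smb":    ipv4(TCP, struct.pack("!HH", 40000, 445) + b"\x00" * 16),
}

def audit(policy) -> dict:
    """Map each sample packet to whether the given policy lets it through."""
    return {name: permitted(classify(pkt), policy) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("strict:", audit(STRICT))
    print("ipsec-aware:", audit(IPSEC_AWARE))
```

Under the strict policy only the cleartext SMB packet passes, which is exactly the situation where a transit filter on protocols 50/51 or UDP/500 breaks the encrypted tunnel while leaving plaintext SMB untouched.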