
Samba and MNF


floyd_3313

I have 3 computers in my home network: mine is running Mandrake 10 CE, the others are running WinXP.

They are all connected to a switch.

There is a cable modem connected to this switch.

All the computers have their own cable login, so a router or internet connection sharing isn't required.

 

I want to access files and printers on the WinXP machines with my Linux machine.

 

Firstly, I want to ask, is this safe? By using SMB on this network, am I opening it up to the outside world?

Secondly, if it is safe, how can I do it securely? With Mandrake Firewall turned on, I can't access any shares on the other computers, so how can I set up MNF to make SMB work?

 

Thanks

Floyd


It sounds like your network is already addressable by the outside world. Go to the following web sites and run the tests from each PC on your LAN:

 

http://www.auditmypc.com/freescan/prefcan.asp

http://scan.sygatetech.com/quickscan.html

 

 

To secure your system, you need to have an adequate firewall in place between your network and the outside world. If you don't have a firewall between the WAN and your LAN, your pants are down.

 

A "typical" Linux solution is to put a firewall between your cable modem (WAN interface) and your hardware router/switch/hub (LAN interface). If you want the ultimate in control, this can be a PC running a Linux firewall that performs firewall and routing services for the other machines that are connected by a switch or hub. Configuring this sort of beast requires an extra PC, is not a task for the faint of heart, and isn't quickly deployable if you're not already up to speed. A simpler interim implementation that is highly recommended for being easy to set up and difficult to goof up is to use an appliance-type firewall/router: your cable modem goes to the WAN connection on the router and each PC on your network plugs into the router's LAN ports.

 

Based on your description, it sounds like you're plugging each PC directly into a switch, with each individual PC having unrestricted internet access. Wow. I'd NEVER set up a network that way.

 

Looking at INTERNAL threats first, in this type of configuration each user on the network has complete and unrestricted access to the WAN. No administrative functions seem to be in place to limit the activity of your users. This could be okay if you're talking about a small SOHO environment where only a couple of extremely knowledgeable people are using the LAN, but if ANYONE who's not knowledgeable has access to your system, you're in big trouble. Or if anyone who's knowledgeable and has bad intentions has access to your system, you're really screwed.

 

From a safety perspective, it's as important to control the people on the INSIDE of your network as it is to control people on the OUTSIDE. Whether you can trust the people on the inside is a decision that only you can make. One thing to consider, though, is that by giving each PC a direct connection to the internet you compound your firewalling and security problem by requiring that EACH PC is configured securely. You're assuming quite a bit of diversification risk by spreading your security policies across a number of computers. IMHO a centralized approach is much easier to administrate. It also costs less overall.

 

Looking at OUTSIDE threats, you have to consider that if you configure a SAMBA client/server on your network (aka a "broadcast" server), anyone on the WAN is going to have peer-level access on your LAN, just as if their PC was plugged directly into your switch. IMHO, this is about as safe as loading a revolver with 6 rounds, putting it to your head, and pulling the trigger 6 times.

 

At an absolute minimum, you need to place a device between your WAN and LAN connections that performs Network Address Translation with non-routable addresses so that the PCs on your network are not directly addressable from the internet. Read that last sentence again.

 

Go to your local office store and buy a wired (not a wireless!) firewall/router tonight. For about $30-40 you can buy something like a D-Link DI-604 that provides a reasonable level of protection that will cover your butt until you have enough time to adequately address this issue. An appliance such as this will have a web-addressable IP address at its WAN port (so the internet and your cable modem can talk to the router), and will perform NAT for the individual LAN ports so that the LAN PCs have IP addresses that can be addressed by any of the PCs behind the firewall, but these IP addresses cannot be directly accessed by the outside world. NAT is the absolute minimum security feature that you need to implement on your LAN to keep people on the outside from directly accessing your PC. With the combination of NAT (network address translation), SPI (stateful packet inspection) and the ability to be configured not to respond to external pings, an inexpensive device like the D-Link router provides a lot of protection bang for the buck.

 

In a setup where each PC has direct access to the cable modem/web (and the web has direct access to each PC) you need to be running a damned good firewall on each PC. You also have to have extremely good security on each PC and its shared resources, which makes file sharing a bit cumbersome.

 

Practically speaking, if you're worried about attacks from the outside but you're not worried about attacks from the inside, it's very easy to live with a SOHO network that facilitates communication between machines on the LAN but impedes communication with machines on the WAN. In contrast, a network that treats all PCs equally on the WAN and the LAN would be a headache.

 

Btw, if you haven't done so already, check out the excellent How-To's at TLDP.org.

 

Best of luck!

 

bob

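The "LAN yes, WAN no" policy described above, written out for the Linux box as an added example (this is not from bob's post or from Mandrake's own firewall tool): once the NAT router is in place, the host firewall accepts the NetBIOS/SMB ports only from the LAN subnet on the LAN interface and drops everything else unsolicited. The subnet 192.168.0.0/24, the interface name eth0 and the use of raw `iptables` (rather than whatever Mandrake's front end writes) are assumptions; the XP machines still need the matching "trust the LAN only" setting in their own firewalls.

```shell
#!/bin/sh
# Added example, not from the thread: host firewall for the Linux box so that
# Samba/NetBIOS is reachable from the home LAN only. Assumptions (adjust to your
# network): PCs sit behind the NAT router on 192.168.0.0/24 and the Linux box's
# LAN interface is eth0. Run with DRY_RUN=1 to print the commands instead.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Run one iptables command, or just print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Build the INPUT chain: loopback and replies to our own connections are fine,
# SMB only from LAN peers, everything else falls through to the DROP policy.
smb_rules() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # NetBIOS name/datagram service (UDP 137/138), NetBIOS session (TCP 139)
    # and direct-hosted SMB (TCP 445): LAN subnet on the LAN interface only.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp -m multiport --dports 137,138 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 139,445 -j ACCEPT
    # Log (rate-limited) SMB probes from anywhere else; the policy then drops them.
    ipt -A INPUT -p tcp -m multiport --dports 139,445 -m limit --limit 5/min -j LOG --log-prefix "smb-denied: "
    ipt -A INPUT -p udp -m multiport --dports 137,138 -m limit --limit 5/min -j LOG --log-prefix "nbt-denied: "
    # Policy last, so the rules above are already in place when it takes effect.
    ipt -P INPUT DROP
}

# Only touch the live firewall when explicitly asked: ./smb-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    smb_rules
fi
```

The LOG lines are what tell you whether anything on the WAN is still knocking on 139/445; if the router is doing its job they should stay empty. If you keep the flat switch setup for a while, set LAN_NET to the two XP machines' addresses instead of a subnet, but that only protects the Linux box, not the XP machines.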

First of all, huge thanks for the detailed reply Windependent :D

 

A couple of things I guess I should have mentioned initially. Firstly, the other computers on my network are operated by trusted family members :). Secondly, each computer is individually secured by a firewall (zonealarm for the XPs, Mandrake Firewall (shorewall?) for me). The XP machines passed the tests you linked, my machine kinda did but some ports were closed instead of blocked (stealthed). Not sure how to fix that yet. However, in this configuration SMB does not work. I have to relax all the firewalls to allow it to work, hence my question.

 

Given your reply, it is clear to me now that communication between the machines ain't gonna happen securely in my current network setup, and by relaxing those firewalls to use SMB, well, it seems that was pretty stupid.

 

I'll be heading out ASAP to pick up a router/firewall, you are right, it seems stupid not to pick one of these up when it will increase security and simplify network maintenance, especially now that they are so cheap.

 

Hopefully your explanation will also help others.

 

Thanks

 

Floyd


I'm glad that you've decided to pick up one of those little firewall routers. You can often find them with rebates where your final cost will be $20 plus tax. I bought one of those as a temporary stopgap measure for my SOHO LAN while I tinkered with the Linux firewall. For $20, it was cheap enough to be a temporary throwaway solution.

 

You may be happy enough with this type of device that you'll never want to go to a more sophisticated firewall. That's entirely up to you. There are plenty of people with broadband hookups that use an appliance firewall type router and have very secure systems. They really do offer a lot of bang for the buck.

 

A couple of caveats, though:

 

Don't assume that just because you trust everyone at home, they'll never cause security problems for you. Even the best intentioned trustworthy people can make mistakes that threaten your LAN. I know more than the average Joe and I've made these types of mistakes myself. So just because you trust your users, this doesn't mean that everyone will be perfect and never make a mistake. A costly mistake can be something as simple as deploying a bad software program that circumvents your firewall by initiating transfers with the outside world. Look out for spyware.

 

For obvious reasons, I don't like to use a wireless router.

 

Samba will work pretty well with Windows/Linux once you're behind a firewall. If you use the firewall to keep the bad guys out, you may decide to relax security on your LAN somewhat to facilitate file sharing. No matter what you do, though, I'd still require usernames and passwords to access Samba shares on the LAN.

 

There are plenty of people who will turn off all security on the LAN side of the firewall in a SOHO LAN, relying exclusively on the firewall for security. Although this makes Samba really easy to use, you should really think twice about giving everyone on the LAN access to your hard drive's root directory.

 

Best of luck.

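The two caveats above (passwords required even on the LAN, and no share that exposes the root directory) as a minimal smb.conf for the Linux box, added here as an example rather than taken from the thread. The workgroup name HOME, the 192.168.0.0/24 subnet, the eth0 interface, the /srv/samba/family path and the `family` Unix group are assumptions; each family member needs a Unix account in that group plus a Samba password set with `smbpasswd -a name`.

```ini
; Added example (not from the thread). Samba 3-style smb.conf; all names and
; addresses below are assumptions, adjust to your LAN.
[global]
   workgroup = HOME
   server string = family fileserver
   ; every connection must authenticate as a Samba user; bad passwords fail
   ; instead of falling back to a guest login
   security = user
   encrypt passwords = yes
   map to guest = Never
   ; listen on the LAN interface only, and refuse anything not from the LAN
   interfaces = lo eth0
   bind interfaces only = yes
   hosts allow = 127.0.0.1 192.168.0.0/24
   hosts deny = ALL
   ; no [homes] or [printers] sections: nothing is shared by default

[family]
   comment = Shared family files
   ; a dedicated directory, never / or a home directory
   path = /srv/samba/family
   valid users = @family
   guest ok = no
   browseable = yes
   writable = yes
   create mask = 0660
   directory mask = 0770
```

After editing, `testparm` reports syntax problems and prints the effective settings, and `smbclient -L //localhost -U name` from the Linux box itself confirms that an unknown user or a wrong password is refused before you try it from the XP machines.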
