[Dshield] Port 135

John Hardin johnh at aproposretail.com
Fri Oct 25 18:38:38 GMT 2002


On Fri, 2002-10-25 at 08:58, Jan Johansson wrote:
> On Wed, Oct 16, 2002 at 10:17:05AM -0700, John Hardin wrote:
> >If they're accessing this through your firewall, your firewall is
> >misconfigured. I think that could be an effective argument against
> >liability.
> 
> What firewall? And where should I point it with 10 000 students.

I would assume you have a firewall between your 10k-student network and
the Internet.

> Protect the Internet from me or me from the Internet.

Both. You need to secure your network against unwanted traffic from the
rest of the world, and good citizenship means that you should block
outbound traffic from your network that would be considered an attack
elsewhere - e.g. spoofed source IP addresses, local protocols that have
no business on the Internet (such as SMB, NFS, WinPopup, SNMP), etc. 

You should also be running a NIDS on the local side of your network to
detect compromised and rogue systems. I suspect an educational
institution is far more prone to this sort of outward-directed abuse
than your average company, given the user profile: young students with a
fat pipe and their first flush of freedom from parental controls.

You may also want to implement internal security to protect students
from other students, perhaps partitioning the network with firewalls
between the segments. This won't prevent all attacks, but it will limit
their impact.

> It is as much harm on either side anyway which makes it useless.

Not quite sure what you mean here, but you'll have a hard time selling
me on the idea that security is useless.

> >135:139 SHOULD NOT be permitted in from or out to the Internet.
> 
> How should my students then be able to access their files from
> home? Mapping shares over the Internet works and is easy to
> use for the computer illiterate.

It's also far too easy for unintended users to access those shares, and
it also generates far too much unwanted network traffic over the
Internet.

SMB is *broadcast based* and was never designed to be used outside the
local network.

Unfortunately it *is* very easy to use, and I can't really recommend
anything as "simple" to replace it. I would suggest a publicly-visible
FTP server with a quota'd account for each student, which they can use
to transfer files between home and (I assume) dorm. This would allow you
control over access and use.

Granted you may not have the time or budget for doing this.

> The problem lies in the messenger service. It should validate
> messages using crypto and whatever means the administrator has
> decided. (This may be possible but I 'Don't do Windows').

The protocol was designed for LAN use and likely does not have any
provision for strong authentication or encryption. 
 
> Instead of talking law call your Microsoft support line and ask
> for a better Messenger service.

I was only participating in the discussion. Legal means are not
effective ways to control misuse of poorly designed protocols - witness
spam, and the idea that "it's illegal to receive cell phone calls with a
scanner".

In addition, I sincerely doubt MS gives a hoot about this issue.

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 ...people confuse "security" and "Trustworthy Computing."
                                 - Craig Mundie, MS Senior VP and CTO
-----------------------------------------------------------------------
 2 days until Daylight Savings Time ends
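
The border filtering described in the message above (drop spoofed source addresses, keep 135:139 and the other LAN-only protocols off the Internet), written out as an added example that is not part of the original post. The campus prefix 192.0.2.0/24, the WAN interface eth0, and the port numbers chosen for SMB, NFS and SNMP are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a campus border router.
# CAMPUS_NET and WAN_IF are constructed placeholders, not values from the thread.
CAMPUS_NET="${CAMPUS_NET:-192.0.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# LAN-only services named in the thread, by well-known port (assumed list):
# 111 portmapper, 135:139 RPC/NetBIOS/SMB, 445 SMB, 2049 NFS, 161:162 SNMP.
LAN_TCP="111,135:139,445,2049"
LAN_UDP="111,135:139,161:162,445,2049"

egress_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Outbound: a source address outside our prefix is spoofed, drop it.
-A FORWARD -o $WAN_IF ! -s $CAMPUS_NET -j DROP
# Inbound: nothing arriving from the Internet may claim our own prefix.
-A FORWARD -i $WAN_IF -s $CAMPUS_NET -j DROP
# Either direction: LAN-only protocols never cross the border.
-A FORWARD -p tcp -m multiport --dports $LAN_TCP -j DROP
-A FORWARD -p udp -m multiport --dports $LAN_UDP -j DROP
# Replies to sessions we opened, then new outbound sessions from campus.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $WAN_IF -s $CAMPUS_NET -m conntrack --ctstate NEW -j ACCEPT
# ACCEPT rules for public servers (e.g. a student FTP host) would go here.
COMMIT
EOF
}

# Print the ruleset so it can be reviewed before it is loaded.
egress_rules
```

The output can be checked on the router with `iptables-restore --test` before it is loaded for real.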