[Dshield] Secure computing (was: Port 135)

Jan Johansson janj+dshield at wenf.org
Sat Oct 26 21:51:09 GMT 2002

I will try to respond on all the comments that have been made.

First we are talking about Windows Message Service not MSN

The sum 10,000 was taken out of the air, but I believe it is
pretty accurate for the whole university. Our department have
5,000 users in the database. This incorporate old and present
students. At this moment we have about 1,200 active students, 300
Windows workstations, 50 UNIX workstations, 60 SUNRays (thin
client, UNIX), 25 UNIX servers and 3 Windows servers
(ActiveDirectory (under development), Ghost).

Our opinion is that "Firewalls are for cowards". This does not
mean we take security lightly. We do use paket filters but mostly
for making sure our boxes are not cracked until they get patched.
Missbehaving computers are null routed. Missbehaving students
loose their access and are reported to the police.

AFS[1] is used for storing user data. There is nothing that can
match AFS in ease of administration and provided security. It was
moved to opensource a little while back and since then many
improvments have been made which make it even more superior. The
problem is however that there is not a good Windows client
available. One is out there but it is not as solid as one would
wish. And so we must provide workarounds:

- Kerberized FTP (no plaintext). This causes problem because the
  student can't use their FTP client of choice. The Kerberized
client is not very good (it can't upload/download a full
directory structure).

- SSH (protocol v2) with SCP, SFTP. Because of problems with
  compiling SSH (support for AFS and Kerberos) this is not a
supported solution at the moment. Many man hours have been put
into this as it would enable a whole range of alternatives for
our users.

- Samba (SMB server for UNIX). This works in plaintext[2] which
  is computing of the 80s (very bad with todays standard). We
don't advertise this. It is just for the really computer
illiterate when installation of the Kerberized FTP fails. Last
month we had zero(0) logins to our samba server from outside
campus network[3]. The goal is to turn of all SMB services within
six(6) months.

My solution to the Windows Messenger problem is to turn of the
service. It has huge flaws (no proper authentication) and as such
it can't be used. There are alternatives like Zephyr which uses
Kerberos for authentication and works on both Windows and UNIX.
Switching things off and replacing them with opensource tools is
a very common solution with Windows. It has huge flaws all over
and that is why we prefer to work with UNIX. This is not an easy
task as many applications are only available for Windows.

So to summarise. We work in a different way. We remove the bad
stuff from our network. We live in a world that has no firewalls
and we adapt after it. A firewall will never save your ass if a
cracker really wants it. A common thing today is to put up a $
5000 firewall, with a $ 1000 proxy to protect an Internet
Information Server. The correct solution for me is to put up a
$0 Apache with no firewall and tell my users that ASP with an
Access database is not the only solution available.

Thank you for reading this rant. :-)

[1] http://www.openafs.org/
[2] I am aware that Samba can be set
up do use encrypted passwords but this is not possible to use
with AFS.
[3] How? Using SMB over routed networks (the Internet) is very
easy. In older versions of Windows you need a WINS server.  In
more recent versions you just give IP or a FQDN
(\\samba.foo.com\bar). Today broadcasting after computer names is
used after DNS and WINS have been tried.

More information about the list mailing list