From: SMTP%"everhart@mail09.mitre.org" 22-JAN-1998 17:23:17.25
To: everhart@gce.com (everhart@gce.com)
CC:
Subj: FWD: Re: possible port number solution?

----- Forwarded message follows -----
References: <5CEA8663F24DD111A96100805FFE6587031E38BF@red-msg-51.dns.microsoft.com>
Date: Wed, 21 Jan 98 20:10:19 -0500
Reply-To: Common Internet File System
From: Andrew Tridgell
Subject: Re: possible port number solution?
To:
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E38BF@red-msg-51.dns.microsoft.com> (message from Paul Leach on Wed, 21 Jan 1998 11:39:34 -0800)

> > You continue with this dream despite not being able to point to any
> > known port-139 exploits that are not SMB based.
>
> The absence of an exploit does not mean that it's secure. You should know
> that.

Of course, but I also know that firewall administrators are a reactionary lot (I should know, I administer two firewalls myself and teach a course on IP security and firewalls).

You claimed that the _reason_ firewall administrators block 139 is because of security holes in things other than SMB on port 139. Yet you can't point to any such holes and there have never been any security advisories (that I have heard of) about such holes.

There have been lots of security holes in SMB implementations. Moving the port number does not fix this. What you are doing is subverting the firewall administrator's decision.

> > How many firewall
> > admins even know that there are other things that can go over 139?
>
> That isn't how firewall admins think. How many of them know anything about
> 139, other than that they don't understand _everything_ that goes across it,
> and hence won't let it through.

Firewalls tend to fall into 2 broad categories. The first is "block everything and wait for a user to offer a very good reason why something should be unblocked". The second is "block things that are known to be security risks".
Changing the port number fails on both counts. In the first case all ports will be blocked (even port 3020) and all traffic will go via user-space proxies. You're shooting user-space proxies in the foot by getting rid of the session request and not listening to pleas for something equivalent. In the second case the new port will be blocked as soon as the security advisory comes out explaining how the new port offers a security risk and is equivalent to port 139 for SMB.

> I'm not saying that it will. What it will do is permit it to gradually get a
> better reputation, without having to also convince the firewall admin that
> the rest of the stuff that goes over 139 is also secure.

It will lower the security reputation of SMB into the gutter. The change will achieve exactly the opposite of what you claim you are after. There will be a fuss (_much_ larger than the current debate) that will ensure that 3020 is permanently associated with security holes.

There is also no need to convince a firewall admin that the rest of the stuff on port 139 is secure. They don't even know that there could be other stuff on 139!

It gets worse. Right now many sites only block incoming SMB connections. Those that know about the file: bugs in IE also block outgoing. With the port number change firewall admins will know (because they will be told via a CERT advisory) that any connections their users make to external sites will now rely on *all* users on the remote site being trustworthy. This will force them to block both incoming *and* outgoing connections on the new port, just to protect their users from themselves. CIFS will die.

This port number change is so ill-conceived it defies comprehension.

Andrew

----------------------------------------------------------------
Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
contains important info including how to unsubscribe.
Save time, search the archives at http://discuss.microsoft.com/archives/index.html

----- End of forwarded message -----

================== RFC 822 Headers ==================
Return-Path: everhart@mail09.mitre.org
Subject: FWD: Re: possible port number solution?
From: everhart@mail09.mitre.org (Glenn C. Everhart)
To: everhart@gce.com (everhart@gce.com)
Message-Id: <980122083815.31233@mail09.mitre.org.0>
Date: Thu, 22 Jan 98 08:38:15 -0500
X-Mailer: MailWorks 2.0-4
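The two firewall postures Tridgell describes (default-deny with an explicit allow-list, and default-accept with known-risk ports blocked in both directions) expressed as an nftables ruleset. This is an added example and is not part of the forwarded message or of any CIFS implementation. Port 139 and the proposed port 3020 come from the thread; port 445 (direct-hosted SMB) and UDP 137/138 (NetBIOS name and datagram services) are assumptions based on later practice and are not mentioned in the 1998 discussion, as is the allow-list of 22/80/443 used to illustrate posture one.

```nftables
# Added example, not from the thread. Load with: nft -f smb-postures.nft
# Each table stands for one of the two firewall postures; both can be
# loaded at once, since nftables evaluates every table's hooks.

# Posture 1: "block everything and wait for a very good reason to unblock".
# Default policy is drop on inbound traffic; only reply traffic and an
# explicit allow-list get through. Renumbering SMB to 3020 changes nothing
# here: 3020 is blocked exactly as 139 was, because it was never allowed.
table inet posture_default_deny {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # Assumed allow-list for this site; everything else stays closed.
        tcp dport { 22, 80, 443 } accept
    }
}

# Posture 2: "block things that are known to be security risks".
# Default policy is accept, and the admin blocks known-bad ports by name.
# The thread's point: once an advisory says 3020 is SMB, it joins this set,
# and because connecting OUT to an untrusted share exposes the client
# (the file: bugs in IE), the block applies in both directions.
table inet posture_blocklist {
    set smb_tcp_ports {
        type inet_service
        # 139 from the thread; 3020 is the proposed new port from the thread;
        # 445 is an assumption (direct-hosted SMB, adopted after 1998).
        elements = { 139, 445, 3020 }
    }

    # Traffic routed through this gateway in either direction.
    chain forward {
        type filter hook forward priority filter; policy accept;
        tcp dport @smb_tcp_ports drop
        # NetBIOS name/datagram services; assumption, same family as 139.
        udp dport { 137, 138 } drop
    }

    # Inbound to the gateway host itself (protects the server side).
    chain input {
        type filter hook input priority filter; policy accept;
        tcp dport @smb_tcp_ports drop
    }

    # Outbound from the gateway host itself (protects the client side).
    chain output {
        type filter hook output priority filter; policy accept;
        tcp dport @smb_tcp_ports drop
    }
}
```

The practical check after loading is `nft list ruleset`: under posture one, confirm the input chain's policy is `drop` and that no SMB port appears in the allow-list; under posture two, confirm the SMB set is matched in the forward, input and output chains, not only in input, since an inbound-only block is exactly the gap the message says the renumbering would force administrators to close.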