From: Eric Chamberlain, CISSP (eric_at_uclink.berkeley.edu)
Date: Fri Aug 01 2003 - 13:28:37 PDT
While I support a long-term plan to block NetBIOS at the border, I know
there are off-campus users accessing resources on campus that would be
cut off, particularly since today is a Friday and a popular day to
telecommute. Here are the off-campus connection numbers for the 8 CCS-SDA,
UC, and CAMPUS domain controllers over the last 24 hours:
8 Kerberos
162 NetBIOS Name and Datagram
439 NetBIOS session and SMB
29 NTP
90 LDAP
120 RPC
When I get back from the UCCSC conference, I plan to set up the Domain
Controllers to accept IPSEC traffic from any machines that want to use
IPSEC. The machines have network cards that offload the IPSEC processing.
--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu

> -----Original Message-----
> From: owner-ucb-security_at_uclink4.berkeley.edu [mailto:owner-ucb-security_at_uclink4.berkeley.edu] On Behalf Of Jake F Harwood
> Sent: Friday, August 01, 2003 1:07 PM
> To: ucb-security_at_uclink.berkeley.edu
> Cc: projects_at_info-sec.berkeley.edu
> Subject: [Security] [SNS #9838] Blocking netbios at the gatway
>
> ucb-security et al,
>
> Unfortunately, I'm out for the next few days but I wanted to put in my 2
> cents on this issue.
>
> I can certainly understand Craig's reluctance to block the ports given the
> serious problems this will cause for units whose operations depend on using
> net-bios. That being said, I personally agree with CNS and others that the
> breadth and severity of this vulnerability warrants blocking the ports
> temporarily, even though it will have a negative impact on some campus
> operations. This is a tricky balancing act and I hope we all can see both
> sides of the debate.
>
> Since January, I have been working to document a case to block net-bios at
> the gateway. I have been working with CNS and others within SNS to document
> attack trends and network usage both legit and aggressive.
>
> As soon as this vulnerability was announced, I started soliciting input
> from various departments as to our explosibility, and actions departments
> were taking. I will be adding all of your comments to the Project
> notes [SNS #9838], in order to bolster the argument for permanently
> blocking net-bios as soon as we have a viable alternate solution.
> Hopefully, this case will highlight the inherently insecure nature of
> net-bios and push us all to pick up the pace on moving to a more secure and
> robust solution, and what I feel are industry best practices.
>
> I feel badly about being out at this critical time, but I have a family
> obligation this weekend and the early part of next week that I cannot
> reschedule.
>
> I will be back on 8/6 to assist with these issues.
>
> jake-F
>
> -------------------------------------------------------------------------
> Jake F Harwood
> University of California, Berkeley
> 2484 Shattuck Avenue
> Phone (510)643-8241
> Cell (510)390-2580
> "Who is this General Failure and why is he reading my hard drive?" -F
> -------------------------------------------------------------------------
This archive was generated by hypermail 2.1.5 : Fri Aug 01 2003 - 13:35:06 PDT