Very Computer

Hi,

We have a custom setup in which potentially sensitive information is passed from
 a Samba share on a machine running Solaris 2.5.1 to a PC. For political reasons
 the source codes of the applications involved are not avialable to us
 and the network used is freely acessible. We have been told by the authors of
 the package to use a secure network for transmission. (They won't consider
 adding encryption, at least for now ... politics,politics). This would involve
 purchasing additional network cards for the machines involved and setting
 up a private network.

 I was wondering if there is any utility that does encrypiton of SMB at the
 network level, eg something like secure-NFS or SSL. Note that the package
 was designed to run with PC-NFS and the authors were originally concerned
 about IP packet snooping/sniffing. Is there a similar risk posed to SMB
 transmissions?

                        Thanks in advance,

                           Duncan.

Duncan,

you might add encryption bridges/routers between these
computers, there is several brands available that can
"pass unknown" and "encrypt traffic to this host".

Network System (as you live in canada) , or sectra from sweden
which  is avaliable in most of the countries.

Price for the sectra is app usd 2000 per device.

This way you don't need additional adapters or network links.

Peter h (address mungled thanks to *promo!)

: Hi,

: We have a custom setup in which potentially sensitive information is passed from
:  a Samba share on a machine running Solaris 2.5.1 to a PC. For political reasons
:  the source codes of the applications involved are not avialable to us
:  and the network used is freely acessible. We have been told by the authors of
:  the package to use a secure network for transmission. (They won't consider
:  adding encryption, at least for now ... politics,politics). This would involve
:  purchasing additional network cards for the machines involved and setting
:  up a private network.

:  I was wondering if there is any utility that does encrypiton of SMB at the
:  network level, eg something like secure-NFS or SSL. Note that the package
:  was designed to run with PC-NFS and the authors were originally concerned
:  about IP packet snooping/sniffing. Is there a similar risk posed to SMB
:  transmissions?

:                       Thanks in advance,

:                          Duncan.

--
Unsolicited commercial/propaganda email subject to legal action.  Under US
Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C), and Sec.227(b)(3)(C), a
State may impose a fine of not less than $500 per message.  Read the full
text of Title 47 Sec 227 at http://www.veryComputer.com/

Peter H?kanson,Volvo Technological Development. Dep 6970,Gothenburg,Sweden

You can try McAfee's NetCrypto product.  It's IPSEC-based software
encryption that does client-to-client tunnels, which can be managed by a
centralized station.  It supports WinTel and a variety of Unices, which
I think includes Solaris.  Plus, it's cheap:  only $100 or so per copy.

You can download it for a free trial at
http://www.mcafee.com/down/netcdown.asp

Because it's encryption at the IP layer, it'll encrypt any application
running over it, including SMB.

Good luck,

Chris
--

2) SKIP encrypts at the IP level.  This is Solstice SunScreen on Solaris
and SUN has versions for Win95 I think.

Why not try using the capability in SP3?  WinNTMag had a decent
write-up on it...

Carv

        Yes, snooping SMB's is quite possible, but Sun has
released SKIP for windows 95 without a fee: see
http://skip.incog.com/w95/
        It's available in source, and with binaries for BSD,
SunOS and Solaris, and is known to interwork with
Checkpoint   Firewall-1, Elvis Plus, Gemini GTFW-GD,Swiss ETH ENskip
Linux, VPnet and Java SKIP.

        Question: has anyone built the ETH sources for Linux????

--dave
--
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain

M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb

Quote:>  adding encryption, at least for now ... politics,politics). This would involve
>  purchasing additional network cards for the machines involved and setting
>  up a private network.

>  I was wondering if there is any utility that does encrypiton of SMB at the
>  network level, eg something like secure-NFS or SSL. Note that the package

Quote:>  was designed to run with PC-NFS and the authors were originally concerned
>  about IP packet snooping/sniffing. Is there a similar risk posed to SMB
>  transmissions?

There's no way the US government would let MS put SMB
encryption that they couldn't crack into the Windows
code - that must be their nightmare :-).

Now if someone writes a replacement SMB network file system
for Win95 or NT - drop me an email and let's talk...

Jeremy Allison,
Samba Team.

Regards,
--

F-Secure Support
http://www.Europe.DataFellows.com/      Aim for the impossible and you
http://www.iki.fi/ged                   will achieve the improbable

You might want to take a look at SKIP from Sun. It's available on their
web-site. Does encryption at network level.

Regards,

ROSCO

Quote:

> >  I was wondering if there is any utility that does encrypiton of SMB at
the
> >  network level, eg something like secure-NFS or SSL. Note that the
package

> nope, been looking for years and years...

1) purchase, for $1000, microsoft's undocumented, unsupported IFS kit.  wait
for several weeks or possibly months to receive your IFS kit if you live
outside of the US / Canada, because microsoft thinks that there is a
crypto or export issue involved.

invest large amounts of time working out what's going on, and write
yourself a replacement SMB client for NT.  document and implement some
crypto SMBs.

at the end of your efforts, send microsoft all your source code, because
they own the rights to it.

re-read the IFS license agreement.

trash your entire implementation, and never release it publicly, because
it could possibly be deemed a "competitor" to a part of the NT OS that
already ships with NT.

you could _possibly_ only implement a new SMB level that is not supported
by NT or w95, and is only supported by those vendors with whom you can
obtain cooperation.  let me make it clear right now that co-operation
will be absolutely guaranteed on such a project, from me (another samba
team member) to put such an SMB level into Samba.

2) purchase, for $80,000 (possibly now only $50,000) from www.osr.com
(open system resources), OSR's fully documented, fully supported IFS kit,
and start work, anywhere in the world.

invest about six weeks writing yourself a replacement SMB client for NT,
with assistance from OSR.  document and implement some crypto SMBs, with
assistance and involvement of experts in those fields.

at the end of your efforts, do what you like, except don't release the
header files and the dynamic dlls, because that will break your license
agreement with OSR.

make friends very quickly with large numbers of CIFS server vendors for
unix, macintosh, os/2 and others (IBM, SCO, AT & T, Thursby, Syntax,
Auspex, Network Appliances to name a few), and a very large number of
users who would want to see secure SMB communication, knowing that some of
the best experts who _really_ understand secure communications have been
consulted and involved.

3) wait for NT 5.0.  replace all your samba servers with NT 5.0 servers.  
upgrade all your NT 4.0 and Win95 workstations to NT 5.0 Workstations.

spend $$$, not knowing if the protocol you are using is secure or not,
because you can never ask an expert, or anyone in fact, to independently
analyse the protocol being used.

anyone interested in investigating and investing in 2) above?

best regards,

luke

<a href = "http://mailhost.cb1.com/~lkcl"> Lynx2.7-friendly Home Page   </a>
<br><b>   "Apply the Laws of Nature to your environment because your
           environment applies the Laws of Nature to you"               </b>