Creating an encrypted tunnel for remote shares - SMB



  1. Creating an encrypted tunnel for remote shares

    Hi, all. I have several questions that I have not been able to adequately
    find an answer. These questions revolve around a pair of servers, one of
    which's /home I wish to mount on the other.

    They are both RHEL 4.

    Everything is "standard" RHEL 4 packages -- I do not intend to compile
    anything from source or use any 3rd-party RPM repositories. (Consider
    compiling-from-source as Not an Option(TM))

    They have both been up2date-ed as recently as possible.

    Question 1
    Which remote share technology is preferred -- Samba or NFS?
    To me, Samba is much more configurable (and easier to configure) than NFS.
    I have tested shares mounted similarly, using either protocol, and from
    the point of view of the way I am using the servers, I can't see any real
    difference. Is Samba more or less secure than NFS? Or is that a moot
    question?

    Question 2
    How can I tunnel SMB through SSH (or use SSL)? I understand SSL has been
    removed from Samba3. What I can't figure out, though, is what people have
    been doing in its place. Stunnel? All the references to configuring
    stunnel I can find refer to older samba versions, and setting up stunnel
    on Windows. There will be no Windows here.

    Question 3
    Can I just clamp down access to either server and not worry too much about
    encrypting traffic? i.e., will encryption make my servers much more secure
    or am I going on a wild goose chase?

    Any advice in these areas would be appreciated. I can, of course, supply
    much more detail as requested. Just not sure what at the moment; let me
    know.


    --
    JDS | jeffrey@example.invalid
    | http://www.newtnotes.com
    DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/


  2. Re: Creating an encrypted tunnel for remote shares

    On Mon, 14 Nov 2005 14:32:42 -0500, JDS wrote:

    > Hi, all. I have several questions that I have not been able to
    > adequately find an answer. These questions revolve around a pair of
    > servers, one of which's /home I wish to mount on the other.


    Have you looked into FreeSwan? http://www.freeswan.org/intro.html

    --
    The USA Patriot Act is the most unpatriotic act in American history.

  3. Re: Creating an encrypted tunnel for remote shares


    > Have you looked into FreeSwan http://www.freeswan.org/intro.html


    Yes you could use an IPSec connection to encapsulate your Samba
    connections. FreeSWAN is discontinued however, check out OpenSWAN
    instead (http://www.openswan.org).

    Jonathan

  4. Re: Creating an encrypted tunnel for remote shares

    On Tue, 15 Nov 2005 11:40:26 +0100, Joni wrote:

    > Yes you could use an IPSec connection to encapsulate your Samba
    > connections. FreeSWAN is discontinued however, check out OpenSWAN
    > instead (http://www.openswan.org).
    >
    > Jonathan


    Okay, thanks for the suggestion you two. I have some more fundamental,
    underlying questions about the whole thing though.

    * Does it matter that much? I mean, how important is encrypting the samba
    connection between the two machines?

    * How can I tell if the data stream is, in fact, being encrypted?

    * Would NFS be preferred? (My understanding is that NFS is a relatively
    primitive and insecure network filesystem).

    The most important aspect I wish to understand is the relative importance
    of encrypting the connection. I mean, I have iptables, tcpwrappers, and
    samba rules to limit the connection to only between these two machines.
    All packages are up to date and current. Do I really need to encrypt the
    data stream?

    My problem with the ipsec tools you two have suggested is that I will not
    be using any tools which do not come "officially" from Red Hat. I have a
    number of reasons for doing this, none of them technical.

    Thanks, all! Later...
    --
    JDS | jeffrey@example.invalid
    | http://www.newtnotes.com
    DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/


  5. Re: Creating an encrypted tunnel for remote shares


    "JDS" wrote in message
    news:pan.2005.11.14.19.32.40.510920@example.invalid...
    > Hi, all. I have several questions that I have not been able to adequately
    > find an answer. These questions revolve around a pair of servers, one of
    > which's /home I wish to mount on the other.
    >
    > They are both RHEL 4.
    >
    > Everything is "standard" RHEL 4 packages -- I do not intend to compile
    > anything from source or use any 3rd-party RPM repositories. (Consider
    > compiling-from-source as Not an Option(TM))
    >
    > They have both been up2date-ed as recently as possible.
    >
    > Question 1
    > Which remote share technology is preferred -- Samba or NFS?
    > To me, Samba is much more configurable (and easier to configure) than NFS.
    > I have tested shares mounted similarly, using either protocol, and from
    > the point of view of the way I am using the servers, I can't see any real
    > difference. Is Samba more or less secure than NFS? Or is that a moot
    > question?


    Samba is a software protocol. SMB is the protocol. The *protocol* for SMB is
    not great for security, but standard NFS is even worse. Both require thought
    and configuration on the server end to work well.

    SMB does not support symlinks or hardlinks, but it does allow you to SMB
    share something that's NFS mounted from elsewhere. This..... can make life
    easier in certain circumstances.

    > Question 2
    > How can I tunnel SMB through SSH (or use SSL)? I understand SSL has been
    > removed from Samba3. What I can't figure out, though, is what people have
    > been doing in its place. Stunnel? All the references to configuring
    > stunnel I can find refer to older samba versions, and setting up stunnel
    > on Windows. There will be no Windows here.


    WebDAV over HTTPS, and cut&paste browsing from HTTPS clients is what I've
    been using for safe remote access. If you need real secure remote access via
    an NFS-like system, can you look at OpenAFS, integrated with Kerberos?

    > Question 3
    > Can I just clamp down access to either server and not worry too much about
    > encrypting traffic? i.e., will encryption make my servers much more secure
    > or am I going on a wild goose chase?
    >
    > Any advice in these areas would be appreciated. I can, of course, supply
    > much more detail as requested. Just not sure what at the moment; let me
    > know.


    Depends on what you're encrypting.....



  6. Re: Creating an encrypted tunnel for remote shares

    JDS wrote:

    > On Tue, 15 Nov 2005 11:40:26 +0100, Joni wrote:
    >
    > > Yes you could use an IPSec connection to encapsulate your Samba
    > > connections. FreeSWAN is discontinued however, check out OpenSWAN
    > > instead (http://www.openswan.org).
    > >
    > > Jonathan

    >
    > Okay, thanks for the suggestion you two. I have some more
    > fundamental, underlying questions about the whole thing though.
    >
    > * Does it matter that much? I mean, how important is encrypting the
    > samba connection between the two machines?
    >
    > * How can I tell if the data stream is, in fact, being encrypted?
    >
    > * Would NFS be preferred? (My understanding is that NFS is a
    > relatively primitive and insecure network filesystem).
    >
    > The most important aspect I wish to understand is the relative
    > importance of encrypting the connection. I mean, I have iptables,
    > tcpwrappers, and samba rules to limit the connection to only between
    > these two machines. All packages are up to date and current. Do I
    > really need to encrypt the data stream?
    >
    > My problem with the ipsec tools you two have suggested is that I will
    > not be using any tools which do not come "officially" from Red Hat. I
    > have a number of reasons for doing this, none of them technical.
    >
    > Thanks, all! Later...


    You could also consider using something like openvpn to form a secure
    and ssl based tunnel between the two systems. We've done this a few
    times for clients that wish to tunnel a variety of applications
    including very sensitive accounting datasets. I believe that there are
    redhat packages for openvpn and it's very easy to set up. There are
    different levels of encryption including pre-shared keys and full-on
    ssl stuff and there are different ways of doing the tunnels.

    Just as a matter of interest, there are also clients/servers for
    windows from 2000 pro and on up. There is even a smallish taskbar
    applet for windows which will allow you to start or stop a connection.

    Some of the uses we have done for our clients include remote
    administration, network shares, access to remote applications and data
    stores, and a variety of administration approaches including tunneling
    VNC sessions. Wifi tunneling works very well too and the more recent
    releases of openvpn have a lot of features and the project is actively
    developed.

    We felt that even with user/password requirements and a few other
    encryption techniques that the use of an openvpn/vpn tunnel provided a
    set of uses that could also be expanded. The beauty of openvpn is it's
    very easy to set up and manage and the configuration files for end to
    end, road warriors, or whatever are easily dealt with.


    --
    Michael Perry | Do or do not. There is no try --Master Yoda
    mperry@lnxpowered.org
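
On the question raised in the thread, "How can I tell if the data stream is, in fact, being encrypted?", the following is an added example, not part of any post: it looks for SMB framing in TCP payloads captured on the physical interface between the two servers (not on the tunnel interface). The function names, thresholds and both sample payloads are constructed for illustration, and payload extraction from the capture file is assumed to be done separately.

```python
import hashlib
import math
from collections import Counter

SMB_MAGICS = (b"\xffSMB", b"\xfeSMB")  # SMB1 and SMB2+ header signatures


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_smb_frame(payload: bytes) -> bool:
    # On ports 139 and 445 each SMB message follows a 4-byte session header
    # (type 0x00 plus length), so the signature sits at offset 4.
    return len(payload) >= 8 and payload[0] == 0 and payload[4:8] in SMB_MAGICS


def assess_payloads(payloads, min_bytes=2048, entropy_floor=7.5):
    """Classify TCP payloads seen on the wire between the two hosts."""
    if any(is_smb_frame(p) for p in payloads):
        return "cleartext-smb"          # SMB headers are readable: no tunnel
    blob = b"".join(payloads)
    if len(blob) < min_bytes:
        return "inconclusive"           # too little data to judge entropy
    if shannon_entropy(blob) >= entropy_floor:
        return "looks-encrypted"        # no SMB framing and near-random bytes
    return "inconclusive"


def sample_cleartext():
    # Constructed SMB1 Negotiate request: 32-byte header, then dialect "NT LM 0.12".
    smb = b"\xffSMB\x72" + bytes(27) + b"\x00\x0c\x00\x02NT LM 0.12\x00"
    return [b"\x00" + len(smb).to_bytes(3, "big") + smb]


def sample_tunnelled():
    # Constructed stand-in for tunnel ciphertext: 4096 pseudo-random bytes.
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(128))
    return [stream[i:i + 1024] for i in range(0, len(stream), 1024)]


if __name__ == "__main__":
    print("direct mount :", assess_payloads(sample_cleartext()))
    print("via tunnel   :", assess_payloads(sample_tunnelled()))
```

High entropy alone also matches compressed data, so the decisive signal is the absence of SMB signatures on the physical interface while the share is in active use.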
