Fog Creek Software
Discussion Board
Sharing drive through the Net?

Hi,

As some of our customers now need to use our LAN-based apps over the Net to share data between multiple sites, we're looking at ways to secure this to avoid leaving their Windows hosts widely open to the Net.

Besides rewriting the apps to exchange data in a more secure way (sockets) through a firewall or SSH, or setting up VPNs on both ends, is there a way to close some of the Windows ports (TCP/UDP 135, 137, 138, 139, 445) and secure the ones that really need to be left open?

Thank you

Frederic Faure
Friday, October 17, 2003

A firewall (software or hardware) will give you many more options: for example, host- and IP-based access control.

And you can definitely close whichever ports you wish.

Portabella
Friday, October 17, 2003
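The "close the ports, then allow only the hosts that need them" approach from the reply above, written out as an added example (this is not code from the original thread, and the NetSecurity cmdlets it uses postdate the 2003 discussion; it assumes a Windows host with Windows Defender Firewall, Windows 8 / Server 2012 or later, run from an elevated prompt). The trusted address ranges, the rule-name prefix and the VPN subnet are placeholders. Note the Windows Firewall precedence rule the script is built around: an explicit Block rule wins over any Allow rule, so instead of "block from everywhere, allow from the peer" the script relies on the default inbound Block and adds Allow rules scoped with `-RemoteAddress`. The allow-list keys on the VPN tunnel subnet rather than the peer's public address, which is what sidesteps the dynamic-IP problem raised later in the thread.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012+
# (NetSecurity module) and an elevated PowerShell session.

# Ports from the question. 135 (RPC endpoint mapper), 139 (NetBIOS session) and
# 445 (SMB over TCP) are TCP; 137 (NetBIOS name) and 138 (NetBIOS datagram) are UDP.
$TcpPorts = 135, 139, 445
$UdpPorts = 137, 138

# Hypothetical trusted sources: the local LAN and the peer site's VPN tunnel subnet.
# Anything not in these ranges, i.e. the Internet at large, gets no allow rule.
$TrustedSources = '192.168.10.0/24', '10.8.0.0/24'
$Prefix = 'LAN-App'   # rule-name prefix so the rules can be found and removed again

# 1. Default-deny inbound on every profile, so a port is reachable only if some
#    rule explicitly allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in 'File and Printer Sharing' rules. On some profiles they
#    allow 137-139/445 from any remote address, which is exactly what we want to
#    avoid. (They also cover ICMP echo, so ping stops working unless re-added.)
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Remove rules from an earlier run so the script is idempotent.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 4. Scoped Allow rules: the same ports, but only from the trusted ranges.
New-NetFirewallRule -DisplayName "$Prefix TCP from trusted sites" `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $TcpPorts -RemoteAddress $TrustedSources -Profile Any | Out-Null

New-NetFirewallRule -DisplayName "$Prefix UDP from trusted sites" `
    -Direction Inbound -Action Allow -Protocol UDP `
    -LocalPort $UdpPorts -RemoteAddress $TrustedSources -Profile Any | Out-Null

# 5. Verify: show each rule with the ports and remote scope actually applied.
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

To check the result from the outside, run `Test-NetConnection -ComputerName <public address> -Port 445` from a machine that is not in the trusted ranges: `TcpTestSucceeded` should be `False`, while the same test from a host inside the VPN subnet should succeed. If any other Allow rule for these ports remains enabled with a remote scope of `Any`, it still opens them, so review `Get-NetFirewallRule -Enabled True -Direction Inbound | Get-NetFirewallPortFilter` for 135, 137-139 and 445 after running the script.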

Right, but since both sites are connected to the Net through dynamic IPs... do some firewalls provide login/passwd authentication instead?

Frederic Faure
Friday, October 17, 2003

I have seen software firewalls that are username/password-based. I'm sorry I cannot remember the names, but they do exist. We used them at a place I worked 7 years ago -- they required a name and password and everything you did went over that tunnel. I remember it was a pain because it ran in the notification area and required a user login -- and we had to use it for an Exchange server to talk to another Exchange server. Big pain to have to leave the mail server with a logged in console.

Troy King
Friday, October 17, 2003

Looks like we're going to take a look at VPNs :-) Thanks.

Frederic Faure
Friday, October 17, 2003

VPN boxes are the way to go. Now they even come with a firewall and a built-in ADSL box.
One end should have a static IP and a non-NAT interface. (BT in the UK have a nasty habit of giving you a static IP which is then NAT'd to your dynamic IP; VPNs get cross about this.)
We've used the Vigor 2600 boxes. A word of warning: make sure the VPN boxes are all from the same manufacturer; it makes life a lot simpler. (VPN errors can be VERY opaque.)

Peter Ibbotson
Friday, October 17, 2003

Hmm, sharing files across high-latency connections is ugly; you're much better off having some server software that reacts to data requests.

Simon Lucy
Friday, October 17, 2003
