File sharing over NON-tcp/ip networks - what is the best protocol?
Hi. I would like to set up a file server that does not use tcp/ip at all. Only some other protocol. What protocol can be used?
The reason I want to do this is what is known as protocol isolation: if the server only speaks a non-tcp/ip protocol, it is much harder to hack into from other computers in the LAN. These computers are connected to the internet for web browsing, and can therefore get penetrated.
So what is the most secure non-tcp/ip protocol for protocol isolation? I.e. the hardest to penetrate?
And what protocol should be used above that for the file sharing? NFS? Samba? Ftp?
IF the machines that can speak to the isolated machine can have access to the isolated machine, then there is very little point in changing the protocol that they speak in. I.e. once they have hacked into the bridge machine, they have access to the isolated machine. Almost all of the common file sharing methods make use of tcp/ip. If you just want to prevent direct outside access, just make good use of hosts.allow and hosts.deny. That way you can control what machines can speak directly to your "isolated" machine (i.e. block all non-local IPs).
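Since this reply recommends hosts.allow and hosts.deny, here is an added example (not from the thread or any of its posters) that evaluates a constructed pair of TCP wrappers files in the order tcpd applies them: hosts.allow first, then hosts.deny, and allow if neither matches. The LAN range 192.168.1.0/24, the admin host 192.168.1.10 and the sample client addresses are assumptions made for the example. The point it demonstrates is the caveat a practitioner needs: an allow list on its own restricts nothing, because the default when nothing matches is allow; only a hosts.deny containing ALL: ALL turns the allow list into a real restriction.

```python
import ipaddress

# Constructed sample files for illustration; they are not from the thread.
# The file server should answer only to the home LAN (assumed 192.168.1.0/24),
# with SSH limited to one admin box (assumed 192.168.1.10).
HOSTS_ALLOW = """\
# /etc/hosts.allow -- what the LAN may reach
nfsd, mountd, rpcbind : 192.168.1.0/255.255.255.0
smbd, nmbd            : 192.168.1.
sshd                  : 192.168.1.10
"""

# Weak setting: hosts.allow written, hosts.deny left empty or absent. tcpd's
# default when neither file matches is ALLOW, so this restricts nothing at all.
HOSTS_DENY_WEAK = ""

# Corrected setting: anything not explicitly allowed is refused.
HOSTS_DENY_FIXED = """\
# /etc/hosts.deny -- default deny
ALL : ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":", 2)               # a third field (shell command) may itself hold ':'
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Client patterns handled: ALL, net/mask in the hosts_access(5) dotted form
    (CIDR accepted too, as a convenience), a trailing-dot prefix such as
    '192.168.1.', or a single address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                            # 192.168.1.0/255.255.255.0 or 192.168.1.0/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                     # leading-octets prefix
        return str(ip).startswith(pattern)
    return ip == ipaddress.ip_address(pattern)


def rules_match(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and one of its client patterns matches."""
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and any(client_matches(c, ip) for c in clients):
            return True
    return False


def decide(daemon, client_ip, allow_text, deny_text):
    """Apply the tcpd order: hosts.allow first, then hosts.deny, otherwise allow."""
    ip = ipaddress.ip_address(client_ip)
    if rules_match(parse_rules(allow_text), daemon, ip):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"                                # the default that makes an empty hosts.deny useless


def compare(samples):
    """Evaluate (daemon, client_ip) pairs under the weak and the corrected hosts.deny."""
    return {
        (d, ip): (decide(d, ip, HOSTS_ALLOW, HOSTS_DENY_WEAK),
                  decide(d, ip, HOSTS_ALLOW, HOSTS_DENY_FIXED))
        for d, ip in samples
    }


if __name__ == "__main__":
    # Constructed sample clients: two LAN hosts, one outside address, one admin box.
    samples = [("nfsd", "192.168.1.20"), ("nfsd", "10.0.0.5"),
               ("smbd", "192.168.1.77"), ("sshd", "192.168.1.20"),
               ("sshd", "192.168.1.10")]
    print(f"{'daemon':6} {'client':14} weak   fixed")
    for (d, ip), (weak, fixed) in compare(samples).items():
        print(f"{d:6} {ip:14} {weak:6} {fixed}")
```

Two things to keep in mind when applying this on a real server: TCP wrappers only governs daemons that are linked against libwrap or started through tcpd/inetd, so a packet filter on the server (iptables or nftables) is the layer that actually stops hosts outside the LAN from reaching anything else; and the dotted net/mask form is the one documented in hosts_access(5), so prefer it over CIDR in the real files.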
Quote:
IF the machines that can speak to the isolated machine can have access to the isolated machine, then there is very little point in changing the protocol that they speak in. I.e. once they have hacked into the bridge machine, they have access to the isolated machine.
I do not mind the access to the shared files; it is hacking with tcp/ip port scans that protocol isolation aims to prevent. The recommended protocol for this is NetBEUI in Windows, but it is not available on Linux any more (it used to be 10 years ago). Maybe tcp/ip properly set up is better than protocol isolation, but can we please not consider tcp/ip in this discussion. It is about protocol isolation, not general best security practices.
Is it possible to do the same thing as laplink file-sharing but do it through ethernet cards instead of serial ports?
Protocol isolation (by way of NetBEUI, IPX/SPX or whatever other ancient, crappy and proprietary standard) is just one way to guard against attacks. Regardless of the protocol used there may still occur DoS attacks; besides, using non-IP protocols does not mean servers or clients are without flaws, and on top of that you effectively double the risks where you interface both ways on your protocol edge. In short: protocol isolation does not provide absolute security. It is not a holy grail you should pursue. (BTW wrt what's mentioned elsewhere, AFAIK any brokering that VPN or virtual network offer is provided over IP and therefore does not match your requirement of "non-TCP/IP protocol".) I suggest you exhaust the hardening and segregation possibilities the IP protocol suite allows for and then assess the security posture. I am confident that will address ninety-nine percent of what's possible. If then you decide that's not enough for you, then you could throw all your effort into chasing the fabled "protocol isolation" phantom.
Quote:
Protocol isolation (by way of NetBEUI, IPX/SPX or whatever other ancient, crappy and proprietary standard) is just one way to guard against attacks. Regardless of the protocol used there may still occur DoS attacks; besides, using non-IP protocols does not mean servers or clients are without flaws, and on top of that you effectively double the risks where you interface both ways on your protocol edge. In short: protocol isolation does not provide absolute security. It is not a holy grail you should pursue. (BTW wrt what's mentioned elsewhere, AFAIK any brokering that VPN or virtual network offer is provided over IP and therefore does not match your requirement of "non-TCP/IP protocol".) I suggest you exhaust the hardening and segregation possibilities the IP protocol suite allows for and then assess the security posture. I am confident that will address ninety-nine percent of what's possible. If then you decide that's not enough for you, then you could throw all your effort into chasing the fabled "protocol isolation" phantom.
The US Army seem to have a different opinion. I just found this:
It's from 2000, FCOL. I think you should not confuse that kind of post on that kind of list as being even remotely representative of any best practices. The number of true "protocol isolation" threads on LQ may be kind of indicative of what it represents in the networking panoply. In my years here I've encountered only two. And the other thread definitely showed the member in question having multiple problems completely unrelated to GNU/Linux, networking theory or network best practices...
What exactly does this mean for you? Old proprietary computers are easier to hack?
Quote:
I think you should not confuse that kind of post on that kind of list as being even remotely representative of any best practices.
Why is what you say a better practice than AppleTalk? Can you hack me a computer if I set it up with AppleTalk, as the link says? What tools would you use?
Quote:
Originally Posted by Ulysses_
What exactly does this mean for you? Old proprietary computers are easier to hack?
It means just what it says: that you shouldn't use arbitrary information on the 'net as a basis for defending your "protocol isolation" idea.
Quote:
Originally Posted by Ulysses_
Why is what you say a better practice than AppleTalk?
Maybe some research could do you good. Try finding whitepapers by any renowned institute or official source on the subject of network best practices.
Quote:
Originally Posted by Ulysses_
Can you hack me a computer if I set it up with AppleTalk, as the link says?
"Hacking" to me means ameliorating, making something behave different or work better. You're asking about cracking or pentesting really. cve.mitre.org, osvdb.org, nvd.nist.gov or secunia.com list a few reported problems with Appletalk in the past three years so that could be a starting point.
Quote:
It means just what it says: that you shouldn't use arbitrary information on the 'net as a basis for defending your "protocol isolation" idea.
But you only mention it's from the year 2000; you have not given any reasoning as to what's wrong with the year 2000. There's nothing wrong with the year 2000. In fact it's an advantage, because proprietary computers of the year 2000 are obviously harder to break into by a hacker. Here is some reasoning why: say you put in a sniffer and detect that the Linux box is using AppleTalk or some other obscure protocol that there are no hacking tools for; what are you going to do about it? Reverse engineer the entire protocol? Little-used hardware and software like Apple Macs are considered the toughest to hack into by the FBI because nobody bothers to develop hacking tools for them - too much effort for too few possible target computers.
Quote:
Maybe some research could do you good.
Thanks, I have done three years of research at university and another three in industry. Research is not just reading other people's papers. It's also inventing.
Quote:
cve.mitre.org, osvdb.org, nvd.nist.gov or secunia.com list a few reported problems with Appletalk in the past three years so that could be a starting point.
I'll check these out then. I'm sure any problems are not as well known in the underground and exploitable as those of windows or linux. Here's a security expert who got visited by the FBI.
"Dave had some surprises up his sleeve as well. You'll remember that I said he was using a ThinkPad (running Windows!). I asked him [the FBI agent] about that, and he told us that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box. ... Are you listening, Apple? The FBI wants to buy your stuff. Dave also had a great quotation for us: "If you're a bad guy and you want to frustrate law enforcement, use a Mac."
Quote:
Originally Posted by Ulysses_
But you only mention it's from the year 2000; you have not given any reasoning as to what's wrong with the year 2000. There's nothing wrong with the year 2000.
It's just a story told and it's old. That it's old doesn't mean it's a bad story. Lots of old stories are good. And there's nothing wrong with the year 2000 itself. The year 2000 was a good year, especially for telling stories...
Quote:
Originally Posted by Ulysses_
In fact it's an advantage, because proprietary computers of the year 2000 are obviously harder to break into by a hacker.
Uh uh, obviously!
Quote:
Originally Posted by Ulysses_
Here is some reasoning why: say you put in a sniffer and detect that the Linux box is using AppleTalk or some other obscure protocol that there are no hacking tools for; what are you going to do about it? Reverse engineer the entire protocol?
It's been done way before Motorola existed, I don't see what would be the problem with that.
Quote:
Originally Posted by Ulysses_
Little-used hardware and software like Apple Macs are considered the toughest to hack into by the FBI because nobody bothers to develop hacking tools for them - too much effort for too few possible target computers.
This is just too much, ROTFL!
Quote:
Originally Posted by Ulysses_
Thanks, I have done three years of research at university and another three in industry. Research is not just reading other people's papers. It's also inventing.
Ah. That sounds familiar. Have you by any chance been on LQ under another handle? Possibly talking about the same topic?
No, I'm not anyone you know on this forum; I have never written here before. By the way, many articles by security experts recommend going to browsers like Opera, Konqueror etc., because there are not many exploits for them. That is not because they are better, but because nobody bothers to do vulnerability research on them - not enough return on investment. Feel free to roll over the floor as much as you like.
Quote:
Originally Posted by Ulysses_
By the way, many articles by security experts recommend going to browsers like Opera, Konqueror etc., because there are not many exploits for them. That is not because they are better, but because nobody bothers to do vulnerability research on them - not enough return on investment.
That would be akin to the old "security by obscurity" pitfall, methinks. Anyway, you, being a researcher, will probably be able to back that up by posting a few references...
Quote:
Originally Posted by Ulysses_
Feel free to roll over the floor as much as you like.
No, that was only because the quote was utterly dated. It may be nothing in the life of a comet or a moving continent, but 5 years in terms of computing is a lot.
Quote:
Originally Posted by Ulysses_
Little-used hardware and software like Apple Macs are considered the toughest to hack into by the FBI because nobody bothers to develop hacking tools for them - too much effort for too few possible target computers.
Quote:
Originally Posted by Ulysses_
many articles by security experts recommend going to browsers like Opera, Konqueror etc., because there are not many exploits for them.
I'm not sure where you get your security information from, but it's painfully out of date. There are plenty of exploits for Opera, Konqueror, Safari and so on. There are also plenty of vulns in OS X. It's not the safe haven it was previously believed to be.
As has been previously stated, security by obscurity is not a sound policy. You are also relying on an improper assumption that there is such thing as a secure protocol. The correct assumption is to consider all protocols insecure and harden your system accordingly.
Quote:
I'm not sure where you get your security information from, but it's painfully out of date. There are plenty of exploits for Opera, Konqueror, Safari and so on. There are also plenty of vulns in OS X. It's not the safe haven it was previously believed to be.
As has been previously stated, security by obscurity is not a sound policy. You are also relying on an improper assumption that there is such thing as a secure protocol. The correct assumption is to consider all protocols insecure and harden your system accordingly.
Thanks for the info. It turns out the weakest link in security is humans, because we inevitably go to dangerous sites (they don't say "dangerous" on the package), we try questionable software, we choose weak passwords, etc. We can't really stop doing all of these at home. So one philosophy is to accept that you will eventually get infected and plan for it, in order to limit the spread and durability of the infection. So I'm using sandboxed Firefox for now and it is surprisingly effective. But I'm planning to move to a Linux live CD. That will be on a diskless Linux box and anything worth saving will be saved on a separate server. So the question is, if you were to hack into this server from my Linux box, 1. how long would it take you if the server only spoke AppleTalk, 2. how long would it take you if it only had the DECnet suite installed, 3. how long if it spoke tcp/ip? Is the time taken to penetrate a sound metric of security? Or can you provide perfect unbreakable security?