2.4. File Transfer, File Sharing, and Printing

Electronic mail transfers data from place to place, but it's designed for small files in human-readable form. Electronic mail transfer protocols are allowed to make changes in a message that are acceptable to humans (for instance, inserting ">" before the word "From" at the beginning of a line, so the mailer doesn't get it confused with a header line) but are unacceptable to programs.

Inserting ">" before "From" is so common that some published books still contain the occasional ">From" in the text, where the ">" was inserted as authors exchanged drafts via electronic mail.

Although electronic mail systems these days include elaborate workarounds for such problems, so that a large binary file may be split into small pieces and encoded on the sending side and decoded and reassembled on the receiving side, the workarounds are cumbersome and error prone. Also, people may want to actively look for files, instead of waiting for someone to send them. Therefore, even when electronic mail is available, it's useful to have a method designed for transferring files on request.
Furthermore, you may not want to transfer files between machines; you may want to have a single copy of a file but use it on multiple machines. This is file sharing. File sharing protocols can be used as file transfer protocols (first you share the file, then you make a local copy of it), but they also allow you to use a file more or less as if it were a local file. File sharing is usually more convenient than file transfer for users, but because it provides more functionality, it is less efficient, less robust, and less secure.
Printing is often based on file sharing or file transfer protocols; this makes a certain amount of sense, since you have to transfer the data to the printer somehow.
2.4.1. File Transfer

File Transfer Protocol (FTP) is the Internet standard protocol for file transfers. Most web browsers will support FTP as well as HTTP and will automatically use FTP to access locations with names that begin "ftp:", so many people use FTP without ever being aware of it. In theory, allowing your users to bring in files is not an increase of risk over allowing electronic mail; in fact, some sites offer services allowing you to access FTP via electronic mail. FTP is also nearly interchangeable in risk with HTTP, yet another way of bringing in files. In practice, however, people do use FTP differently from the way they use HTTP and electronic mail, and may bring in more files and/or larger files.
What makes these files undesirable? The primary worry at most sites is that users will bring in Trojan horse software. Although this can happen, actually the larger concern is that users will bring in computer games, pirated software, and pornographic pictures. Although these are not a direct security problem, they present a number of other problems (including wasting time and disk space and introducing legal problems of various sorts), and they are often used as carriers for viruses. If you make sure to do the following, then you can consider inbound FTP to be a reasonably safe service that eases access to important Internet resources:
To get access to the files you've made available, users log into your system using FTP with a special login name (usually "anonymous" or "ftp"). Most sites request that users enter their own electronic mail address, in response to the password prompt, as a courtesy so that the site can track who is using the anonymous FTP server, but this requirement is rarely enforced (mostly because there is no easy way to verify the validity of an electronic mail address).
In setting up an anonymous FTP server, you'll need to ensure that people who use it can't get access to other areas or files on the system, and that they can't use FTP to get shell-level access to the system itself. Writable directories in the anonymous FTP area are a special concern, as we'll see in Chapter 17, "File Transfer, File Sharing, and Printing".
You'll also need to ensure that your users don't use the server inappropriately. It can be very tempting for people to put up files that they want specific people to read. Many times people don't realize that anybody on the Internet can read them, or they do realize this but believe in security through obscurity. Unfortunately for these innocents, a number of tools attempt to index anonymous FTP servers, and they succeed in removing most of the obscurity.
You may have heard of other file transfer protocols. Trivial File Transport Protocol (TFTP) is a simplified FTP protocol that diskless machines use to transfer information. It's extremely simple so that it can be built into hardware, and therefore supports no authentication. There's no reason to provide TFTP access outside of your network; ordinary users don't transfer files with TFTP.
Within a Unix site, you may want to use rcp to transfer files between systems. rcp (described in Chapter 18, "Remote Access to Hosts", with the rest of the so-called "Berkeley 'r' commands") is a file transfer program that behaves like an extended version of the Unix cp command. It is inappropriate for use across the Internet because it uses a trusted host authentication model. Rather than requiring user authentication on the remote machine, it looks at the IP address of the host the request is coming from. Unfortunately, you can't know that packets are really coming from that host. There is an rcp replacement called scp that provides considerably more security, including user authentication and encryption of the data that passes across the network; it is also discussed in Chapter 18, "Remote Access to Hosts", along with the ssh command on which it is based.
2.4.2. File Sharing

Several protocols are available for file sharing, which allow computers to use files that are physically located on disks attached to other computers. This is highly desirable, because it lets people use remote files without the overhead of transferring them back and forth and trying to keep multiple versions synchronized. However, file sharing is much more complicated to implement than file transfer. File sharing protocols need to provide transparency (the file appears to be local, you do not see the file sharing occurring) and rich access (you can do all the things to the remote file that you could do to a local file). These features are what make file sharing desirable for users, but the need to be transparent puts limits on the sort of security that can be implemented, and the need to provide rich access makes the protocols complex to implement. More complexity inevitably leads to more vulnerability.
The most commonly used file sharing protocols are the Network File System (NFS) under Unix, the Common Internet File System (CIFS) under Microsoft Windows, and AppleShare on the Macintosh. CIFS is part of a family of related protocols and has a complex heritage, involving Server Message Block (SMB), NetBIOS/NetBEUI, and LanManager. You will see all of these names, and some others, used to refer to file sharing protocols on Microsoft operating systems. Although there are differences between these protocols, sometimes with radical security implications, they are interrelated and, for the most part, interoperable, and at the highest level, their security implications are similar. In fact, at the highest level, all of the file sharing protocols have similar implications for firewalls; they are all insecure and difficult to use across the Internet.
NFS was designed for use in local area networks and assumes fast response, high reliability, time synchronization, and a high degree of trust between machines. There are some serious security problems with NFS. If you haven't properly configured NFS (which can be tricky), an attacker may be able to simply NFS-mount your filesystems. The way NFS works, client machines are allowed to read and change files stored on the server without having to log in to the server or enter a password. Because NFS doesn't log transactions, you might not even know that someone else has full access to your files.
NFS does provide a way for you to control which machines can access your files. A file called /etc/exports lets you specify which filesystems can be mounted and which machines can mount them. If you leave a filesystem out of /etc/exports, no machine can mount it. If you put it in /etc/exports, but don't specify what machines can mount it, you're allowing any machine to mount it.
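The exports-file rule above (a filesystem listed without a client restriction is mountable by any host) is easy to audit mechanically. The following script is an added example, not code from the book; it assumes the Linux exports(5) syntax "/path client(options) client2(options)", and the sample file, hosts and paths are constructed for illustration.

```python
"""Audit an /etc/exports file for NFS exports that any host can mount.

Added example, not from the book. Assumes the Linux exports(5) syntax
"/path client(options) client2(options)": an entry with no client list,
a client of "*", or an empty client before "(options)" (the classic
"host (rw)" stray-space typo) exports the filesystem to every host.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample file; all hosts and paths are made up.
SAMPLE_EXPORTS = """\
# exports: filesystems NFS clients may mount
/home        fileserver.example.com(rw,sync) ws1.example.com(ro)
/pub
/scratch     *(rw)
/srv/data    nas.example.com (rw)
/opt/tools   *.example.com(ro)
"""

# client name, then an optional "(options)" suffix; always matches
ENTRY_RE = re.compile(r"([^(]*)(?:\((.*?)\))?")


def parse_exports(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each exported path to its list of (client, options) entries."""
    exports: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        entries = []
        for token in rest.split():
            m = ENTRY_RE.match(token)
            entries.append((m.group(1), m.group(2) or ""))
        exports[path] = entries
    return exports


def world_mountable(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every export that any host may mount."""
    findings = []
    for path, entries in parse_exports(text).items():
        if not entries:
            findings.append((path, "no client list: any host may mount it"))
            continue
        for client, opts in entries:
            if client in ("", "*"):
                mode = "rw" if "rw" in opts.split(",") else "ro"
                label = client or "(empty, probably a stray space)"
                findings.append((path, f"wildcard client {label} mounts {mode}"))
    return findings
```

Running world_mountable over the real file (for example, by reading /etc/exports into text) lists the filesystems that the restriction in the paragraph above fails to protect.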
A number of subtler attacks on NFS are also possible. For example, NFS has very weak client authentication, and an attacker may be able to convince the NFS server that a request is coming from a client that's permitted in the exports file. There are also situations where an attacker can hijack an existing NFS mount.
These problems are mostly due to the fact that NFS uses host authentication, which is easily spoofed. Because NFS doesn't actually work well across the Internet in any case (it assumes a much faster connection between hosts), there isn't much point in allowing it between your site and the Internet. It creates a security problem without adding functionality.
CIFS and AppleShare both rely on user authentication instead of host authentication, which is a slight improvement in security. However, AppleShare is not capable of supporting flexible methods of user authentication with normal clients. You are limited to using reusable passwords, which means that attackers can simply capture passwords. CIFS can provide good authentication and good protection in recent versions. However, backward compatibility features in CIFS increase its vulnerability, as it attempts to support older clients that have much weaker security. Furthermore, CIFS actually provides an entire family of services, some of them even more vulnerable than file sharing. (For instance, it provides a general-purpose remote procedure call mechanism that can be used to allow arbitrary programs to communicate with each other.) Although it is possible for a firewall to understand CIFS and allow only some operations through (in order to allow CIFS file sharing but not other CIFS-based protocols), this is quite complex, and few firewalls are capable of it. It's also not clear how useful it would be, since file sharing and other services are intertwined; the commands for reading data from files and for reading data from other programs are the same.
There are file sharing protocols designed for use on networks like the Internet; for instance, the Andrew File System (AFS) uses Kerberos for authentication, and optionally encryption, and is designed to work across wide area networks, including the Internet. NFS, CIFS, and AppleShare are all shipped as part of popular operating systems, while AFS is a third-party product. Because of this, and because AFS and Kerberos require significant technical expertise to set up and maintain, AFS is not widely used outside of a small number of large sites. If you have a need to do secure, wide area network filesystems, it may be worth investigating AFS, but it is not covered here.
2.4.3. Printing Systems

Almost every operating system these days provides remote printing -- via lp or lpr on Unix machines, SMB printing on Windows machines, or AppleTalk print services on Macintoshes. Remote printing allows a computer to print to a printer that is physically connected to a different computer or directly to the network. Obviously, this is highly desirable in a local area network; you shouldn't need as many printers as you have machines. However, all of the remote printing options are insecure and inefficient as ways to transfer data across the Internet. There is no reason to allow them. If you have a need to print at a site across the Internet or to allow another site to use your printers, it's possible to set up special mail aliases that print the mail on receipt. This is the method many companies use even across in-house wide area networks because it's considerably more reliable.
Copyright © 2002 O'Reilly & Associates. All rights reserved.