A Windows XP help forum. PCbanter


Why not use NETBEUI on Windows XP ??

#1
November 27th 04, 06:52 PM
No_Name

I've been googling for several hours now on this subject and can't
find a thread that answers all my concerns in this area. NETBEUI
seems to be a good solution for small office or home networks that
want to share files/printers internally in addition to sharing an
internet connection. Here are the pros and cons as I see them.

PRO:

It seems to me that NETBEUI offers an additional level of security for
small networks connected to the internet, even those using a hardware
router/firewall. Most people seem to agree that a protocol other than
TCP/IP is recommended when all your computers have a separate external
IP address (no NAT translation). However, even if you do have a NAT
firewall, it seems to me that someone could format packets designed to
access your internal IP addresses. If they were successful, and you
are using TCP/IP for Microsoft Networking, they now have access to all
your network resources. However, if you are using NETBEUI (or some
other protocol) for Microsoft Networking, they have some additional
work to do in order to get to those same resources.

In addition, if you start messing with your firewall (opening ports,
etc. as many gamers, VPN users, etc. must do), it is difficult to know
exactly what security holes you have opened up. Again, if you're
using NETBEUI for internal file/printer sharing, it's simple: your
network resources are protected because Microsoft Networking is not
bound to TCP/IP. (NOTE: I realize that if you open up a big enough
hole in your firewall, someone could get onto one of your machines and
reconfigure MS Networking to do whatever they wanted. However, I
think most would agree this is more difficult than just getting past
the firewall.)

I also use a software firewall (NIS 2004) on my computers, especially
my laptop that is frequently connected directly to the internet away
from the house without any hardware router/firewall. In that program
(and most other simple software firewalls), I have to put my local
Microsoft Networked computers in a "Trusted Zone" to allow
file/printer sharing over TCP/IP. I'm not sure (and have never gotten
exact information from Symantec) what this does, but I have to assume
the worst: there are NO firewall limitations AT ALL on communications
between computers in the "Trusted Zone". This does not seem
acceptable to me, since it is easy to envision a scenario whereby my
daughter takes her laptop to school and picks up some malicious code
and returns to my network, or a friend comes over with his infected
wireless laptop and connects to my network to print something. In
either case, if all computers in my local subnet are in my "Trusted
Zone", the malicious code can spread throughout the network with no
restrictions. HOWEVER, if I use NETBEUI for internal file/print
sharing, I don't have to put ANYONE in the "Trusted Zone", and the
same scenario would result in my NIS firewall (hopefully) raising a
flag when the malicious code attempts to spread itself inside my home
network.

CON:

Microsoft no longer "supports" NETBEUI... SO WHAT??!! Microsoft
support has never been that great anyway for home users and
furthermore, WHAT's to support? Whenever I have used NETBEUI in the
past (since ~ 1996, when I began moving away from IPX/SPX), it has
worked. (read "it has worked period"). It's trivial to install
NETBEUI on XP from the Install Disk (or as someone pointed out, you
can use the NETBEUI files from a W2K installation).

So, please tell me why I shouldn't use NETBEUI to reduce my security
concerns in this day when security is the single biggest problem
computer users face??

Please be specific: I've already seen too many general answers like:

"too many protocols slows down your network" (I only want to use two)
"NETBEUI is not supported" (see above)
"NETBEUI causes problems, especially with XP" (Please give specific
example)

(Feel free to chime in here, Steve)

Thanx for any comments,
emmette
#2
November 27th 04, 07:19 PM
Lanwench [MVP - Exchange]

wrote:
> I've been googling for several hours now on this subject and can't
> find a thread that answers all my concerns in this area. NETBEUI
> seems to be a good solution for small office or home networks that
> want to share files/printers internally in addition to sharing an
> internet connection. Here are the pros and cons as I see them.
>
> PRO:
>
> It seems to me that NETBEUI offers an additional level of security for
> small networks connected to the internet, even those using a hardware
> router/firewall. Most people seem to agree that a protocol other than
> TCP/IP is recommended when all your computers have a separate external
> IP address (no NAT translation).


This would be a very bad network setup indeed and I wouldn't touch it. No
public IPs on the LAN at all - and use NAT.

> However, even if you do have a NAT
> firewall, it seems to me that someone could format packets designed to
> access your internal IP addresses.


Via what inbound ports? Don't open up ports you don't need - and don't open
up ports that are dangerous even if you think you need them. There is nearly
always a better, secure way to do what you want.

> If they were successful, and you
> are using TCP/IP for Microsoft Networking, they now have access to all
> your network resources. However, if you are using NETBEUI (or some
> other protocol) for Microsoft Networking, they have some additional
> work to do in order to get to those same resources.


Such as? The computers need IP addresses to access the Internet -


> In addition, if you start messing with your firewall (opening ports,
> etc. as many gamers, VPN users, etc. must do),


VPN isn't an issue - but if a game needs inbound access, don't use it.

> it is difficult to know
> exactly what security holes you have opened up. Again, if you're
> using NETBEUI for internal file/printer sharing, it's simple: your
> network resources are protected because Microsoft Networking is not
> bound to TCP/IP. (NOTE: I realize that if you open up a big enough
> hole in your firewall, someone could get onto one of your machines and
> reconfigure MS Networking to do whatever they wanted. However, I
> think most would agree this is more difficult than just getting past
> the firewall.)


Not really.

> I also use a software firewall (NIS 2004) on my computers, especially
> my laptop that is frequently connected directly to the internet away
> from the house without any hardware router/firewall. In that program
> (and most other simple software firewalls), I have to put my local
> Microsoft Networked computers in a "Trusted Zone" to allow
> file/printer sharing over TCP/IP. I'm not sure (and have never gotten
> exact information from Symantec) what this does, but I have to assume
> the worst: there are NO firewall limitations AT ALL on communications
> between computers in the "Trusted Zone". This does not seem
> acceptable to me, since it is easy to envision a scenario whereby my
> daughter takes her laptop to school and picks up some malicious code
> and returns to my network, or a friend comes over with his infected
> wireless laptop and connects to my network to print something.


This isn't a technical problem, though, is it? Don't let possibly infected
computers connect to your network until you've scanned them.

> In
> either case, if all computers in my local subnet are in my "Trusted
> Zone", the malicious code can spread throughout the network with no
> restrictions. HOWEVER, if I use NETBEUI for internal file/print
> sharing, I don't have to put ANYONE in the "Trusted Zone", and the
> same scenario would result in my NIS firewall (hopefully) raising a
> flag when the malicious code attempts to spread itself inside my home
> network.
>
> [rest of the original post snipped; see #1 above]


I'm sure you'll get other, perhaps more detailed replies, but I'll add that
you absolutely do not need NetBEUI. Protect your network at the perimeter,
don't open inbound ports that can cause problems, and possibly also use
software firewalls on the computers in question. Your suggestions don't
really provide you with any additional security, and TCP/IP when set up
should be all you need. If you're on a network, you need a NAT device
(ideally with a built-in firewall) and something acting as a DHCP server to
make client configuration easier. Use good antivirus software, updated
regularly, run Windows Update regularly. I have been setting up networks,
large and small, for quite some time - both home networks and corporate
networks, and I stopped using NetBEUI a gazillion years ago - and I make
sure the networks are protected, and the users practice safe hex. Haven't
had any problems to speak of. Just my $.02.


#3
November 27th 04, 07:39 PM
John John

Lanwench [MVP - Exchange] wrote:

> I'm sure you'll get other, perhaps more detailed replies...


No one can explain it as clearly and elegantly as you did, Lanwench, or at
least few can.

John
#4
November 27th 04, 07:41 PM
Steve Winograd [MVP]

In article ,
wrote:
> [the original post, quoted in full; see #1 above]


Your network setup sounds fine to me. You've done it right --
un-binding sharing from TCP/IP and installing the NetBEUI files from
the XP CD-ROM -- which can be hard for people with less technical
knowledge than you have.

What I've said repeatedly is that it's never necessary to use NetBEUI,
not that there's anything wrong with using it.

You make a good point about protecting LAN computers from an infected
machine that joins the local subnet. The Blaster worm and other
nasties can spread that way. Microsoft took that into account in
designing the Windows Firewall in XP Service Pack 2, where you can
enable selected exceptions in the firewall (e.g. File and Printer
Sharing) while blocking other types of communication (e.g. RPC) that
can spread worms.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
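Steve's last paragraph is the crux of the "Trusted Zone" worry: a host firewall that allows everything from the local subnet lets a worm's RPC probe through, while a scoped exception allows only the File and Printer Sharing ports from the subnet and drops the rest. The Python model below is an added illustration, not code from anyone in this thread, from Symantec or from Microsoft. The subnet 192.168.1.0/24, the addresses and the log-line format are constructed for the example; the port-to-service mapping (TCP 135 for the RPC endpoint mapper that Blaster abused, UDP 137/138 and TCP 139/445 for NetBIOS and SMB) is general Windows networking knowledge rather than something the thread states.

```python
"""Compare two host-firewall stances over constructed inbound-connection records.

"Trusted zone": any LAN source is allowed on any port (what the original
poster fears NIS 2004 does).  "Scoped exceptions": only File and Printer
Sharing ports, only from the local subnet; everything else, RPC included,
is dropped even when it comes from a LAN host.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet (constructed)

# General Windows networking facts, not taken from the thread:
# UDP 137/138 NetBIOS name/datagram, TCP 139 NetBIOS session, TCP 445 SMB.
FILE_AND_PRINT = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
RPC_ENDPOINT_MAPPER = ("tcp", 135)  # the port the Blaster worm used


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dport: int


Policy = Callable[[Flow], bool]


def trusted_zone(flow: Flow) -> bool:
    """Blanket 'Trusted Zone': any LAN source may reach any port."""
    return ipaddress.ip_address(flow.src) in LAN


def scoped_exceptions(flow: Flow) -> bool:
    """SP2-style scoped exception: File and Printer Sharing only, LAN only."""
    if ipaddress.ip_address(flow.src) not in LAN:
        return False
    return (flow.proto, flow.dport) in FILE_AND_PRINT


# Constructed log lines; the format is invented for this example, not NIS output.
SAMPLE_LOG = """\
2004-11-27 18:52:01 inbound tcp 192.168.1.23:3412 -> 192.168.1.10:445
2004-11-27 18:52:03 inbound udp 192.168.1.23:137 -> 192.168.1.10:137
2004-11-27 18:52:07 inbound tcp 192.168.1.23:3419 -> 192.168.1.10:135
2004-11-27 18:52:09 inbound tcp 203.0.113.7:51022 -> 192.168.1.10:445
2004-11-27 18:52:11 inbound tcp 203.0.113.7:51030 -> 192.168.1.10:135
"""

LOG_RE = re.compile(
    r"inbound (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


def parse_log(text: str) -> List[Flow]:
    """Extract (source, protocol, destination port) from each recognised line."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line.strip())
        if m is None:
            continue  # skip lines we do not understand rather than guessing
        flows.append(Flow(m["src"], m["proto"], int(m["dport"])))
    return flows


def evaluate(policy: Policy, flows: List[Flow]) -> Dict[Flow, str]:
    """Verdict of one policy for every flow."""
    return {f: ("ALLOW" if policy(f) else "DENY") for f in flows}


def compare(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Flows on which the two stances disagree: (flow, trusted, scoped)."""
    trusted = evaluate(trusted_zone, flows)
    scoped = evaluate(scoped_exceptions, flows)
    return [(f, trusted[f], scoped[f]) for f in flows if trusted[f] != scoped[f]]


if __name__ == "__main__":
    for f, t, s in compare(parse_log(SAMPLE_LOG)):
        print(f"{f.src} -> {f.proto}/{f.dport}: trusted zone {t}, scoped exception {s}")
```

Run as written, the only record the two policies disagree on is the LAN host probing TCP 135: the blanket Trusted Zone admits it, the scoped exception drops it while still passing the SMB and NetBIOS traffic that printing and file sharing need. Traffic from outside the subnet is denied under both, which is the part the perimeter NAT already handles.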
#5
November 28th 04, 04:31 AM
Jeff Cochran

On 27 Nov 2004 10:52:18 -0800, wrote:

> I've been googling for several hours now on this subject and can't
> find a thread that answers all my concerns in this area. NETBEUI
> seems to be a good solution for small office or home networks that
> want to share files/printers internally in addition to sharing an
> internet connection. Here are the pros and cons as I see them.
>
> PRO:
>
> It seems to me that NETBEUI offers an additional level of security for
> small networks connected to the internet, even those using a hardware
> router/firewall. Most people seem to agree that a protocol other than
> TCP/IP is recommended when all your computers have a separate external
> IP address (no NAT translation).


Okay, that's just dumb. You already have a full TCP/IP network if
each has their own IP address, NetBEUI offers no protection or
security. NetBEUI isn't routable, which is where this idea is coming
from, but NetBEUI has to be the *only* protocol on the systems, not
TCP/IP.

> However, even if you do have a NAT
> firewall, it seems to me that someone could format packets designed to
> access your internal IP addresses. If they were successful, and you
> are using TCP/IP for Microsoft Networking, they now have access to all
> your network resources. However, if you are using NETBEUI (or some
> other protocol) for Microsoft Networking, they have some additional
> work to do in order to get to those same resources.


True. Unless you use both.

> In addition, if you start messing with your firewall (opening ports,
> etc. as many gamers, VPN users, etc. must do), it is difficult to know
> exactly what security holes you have opened up. Again, if you're
> using NETBEUI for internal file/printer sharing, it's simple: your
> network resources are protected because Microsoft Networking is not
> bound to TCP/IP.


Only if you remove the bindings or don't use TCP/IP on internal
systems.

> (NOTE: I realize that if you open up a big enough
> hole in your firewall, someone could get onto one of your machines and
> reconfigure MS Networking to do whatever they wanted. However, I
> think most would agree this is more difficult than just getting past
> the firewall.)


I wouldn't, but it's not an actual issue. When you're compromised,
you're compromised.

> I also use a software firewall (NIS 2004) on my computers, especially
> my laptop that is frequently connected directly to the internet away
> from the house without any hardware router/firewall. In that program
> (and most other simple software firewalls), I have to put my local
> Microsoft Networked computers in a "Trusted Zone" to allow
> file/printer sharing over TCP/IP. I'm not sure (and have never gotten
> exact information from Symantec) what this does, but I have to assume
> the worst: there are NO firewall limitations AT ALL on communications
> between computers in the "Trusted Zone".


What is most disturbing is that you have configured the system
security without knowing what it does. The admin is far more often
the culprit than any software issue in any security breach.

> This does not seem
> acceptable to me, since it is easy to envision a scenario whereby my
> daughter takes her laptop to school and picks up some malicious code
> and returns to my network, or a friend comes over with his infected
> wireless laptop and connects to my network to print something. In
> either case, if all computers in my local subnet are in my "Trusted
> Zone", the malicious code can spread throughout the network with no
> restrictions.


Not even close to a valid assumption. Malicious code is simply code.
It doesn't actually "spread". That requires a mechanism of some sort,
such as a trojan, active virus, activated email link, or the code
being run. And firewalls don't block that.

> HOWEVER, if I use NETBEUI for internal file/print
> sharing, I don't have to put ANYONE in the "Trusted Zone", and the
> same scenario would result in my NIS firewall (hopefully) raising a
> flag when the malicious code attempts to spread itself inside my home
> network.


You don't have to put anyone in any "trusted zone" and never should
unless you actually trust that system.

> CON:
>
> Microsoft no longer "supports" NETBEUI... SO WHAT??!! Microsoft
> support has never been that great anyway for home users and
> furthermore, WHAT's to support? Whenever I have used NETBEUI in the
> past (since ~ 1996, when I began moving away from IPX/SPX), it has
> worked. (read "it has worked period"). It's trivial to install
> NETBEUI on XP from the Install Disk (or as someone pointed out, you
> can use the NETBEUI files from a W2K installation).
>
> So, please tell me why I shouldn't use NETBEUI to reduce my security
> concerns in this day when security is the single biggest problem
> computer users face??


Because you've drawn the conclusion that NetBEUI is a secure protocol,
and that NetBEUI will protect your network by virtue of being on it.
Any worm that travels by Windows networking will travel via any
protocol you have on the system. NetBEUI is a non-secure protocol.

> Please be specific: I've already seen too many general answers like:
>
> "too many protocols slows down your network" (I only want to use two)
> "NETBEUI is not supported" (see above)
> "NETBEUI causes problems, especially with XP" (Please give specific
> example)


NetBEUI is chatty and causes additional overhead on the network.
NetBEUI in addition to another protocol can disguise networking
problems, making troubleshooting harder. NetBEUI is inherently
insecure because you cannot block or modify any portion of it; it's
either on or off.

And mostly: NetBEUI is only a security asset when used correctly, as
the only protocol on an internal network which only faces threats from
an outside network, running through a router that can translate
between NetBEUI and TCP/IP.

Jeff
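Jeff's argument is that a worm travelling by Windows networking rides whatever transport the server service is bound to, so what matters on each machine is the binding, not whether NetBEUI happens to be installed. The Python model below is an added illustration of that reachability rule, not code from anyone in this thread; the host names, the protocol sets and the assumption that a host firewall filters only TCP/IP (consistent with Jeff's remark that NetBEUI is "either on or off") are constructed for the example.

```python
"""Transport-binding reachability model for Windows file sharing.

A host can reach another host's File and Printer Sharing service only over
a transport that both the client has installed and the server is bound to;
a host firewall can narrow the TCP/IP path but, by assumption, never sees
NetBEUI.  All hosts and configurations below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

TCPIP = "tcpip"
NETBEUI = "netbeui"


@dataclass(frozen=True)
class Host:
    name: str
    transports: FrozenSet[str]        # protocols installed on the adapter
    server_bindings: FrozenSet[str]   # transports File and Printer Sharing listens on
    fw_allows_lan_smb: bool = True    # host firewall lets LAN SMB through over TCP/IP


def reachable_transports(src: Host, dst: Host) -> FrozenSet[str]:
    """Transports over which src can talk to dst's file-sharing service."""
    shared = src.transports & dst.server_bindings
    if not dst.fw_allows_lan_smb:
        shared = shared - {TCPIP}  # assumed: the firewall filters IP only, not NetBEUI
    return frozenset(shared)


def exposed_to(infected: Host, lan: List[Host]) -> List[Tuple[str, FrozenSet[str]]]:
    """Hosts whose file-sharing service an infected host can reach, with the path."""
    out = []
    for h in lan:
        if h is infected:
            continue
        path = reachable_transports(infected, h)
        if path:
            out.append((h.name, path))
    return out


def original_posters_plan() -> Dict[str, List[Tuple[str, FrozenSet[str]]]]:
    """The thread's scenario: LAN members share only over NetBEUI, TCP/IP kept
    for internet access; a visiting laptop has TCP/IP only (all constructed)."""
    desktop = Host("desktop", frozenset({TCPIP, NETBEUI}), frozenset({NETBEUI}))
    laptop = Host("laptop", frozenset({TCPIP, NETBEUI}), frozenset({NETBEUI}))
    guest = Host("guest", frozenset({TCPIP}), frozenset({TCPIP}))
    lan = [desktop, laptop, guest]
    return {
        # an infected visitor with no NetBEUI cannot reach the NetBEUI-only shares
        "infected guest": exposed_to(guest, lan),
        # an infected LAN member still reaches the others over NetBEUI, and the
        # guest's TCP/IP share: the binding is what decides, not NetBEUI itself
        "infected laptop": exposed_to(laptop, lan),
    }


if __name__ == "__main__":
    for who, reach in original_posters_plan().items():
        print(who, "->", [(name, sorted(path)) for name, path in reach])
```

The two cases the thread argues over come out as the posters describe them: a TCP/IP-only visitor cannot reach shares bound solely to NetBEUI, but once a member of the NetBEUI LAN is the infected machine, every other member's share is reachable over NetBEUI and no IP firewall is in the way. A host that keeps TCP/IP bound and drops LAN SMB at the firewall (`fw_allows_lan_smb=False`) is the SP2-style alternative the thread's MVPs recommend.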
#6
November 28th 04, 06:39 AM
Gcorpuz

The NETBEUI protocol can still be installed on Windows XP, it's only a SYS
file....NETBEUI is not a routable protocol unlike TCP/IP...they can't be
propagated/advertised to MSFC/Core routers...

hope this helps..

"Jeff Cochran" wrote:

> [Jeff Cochran's reply, quoted in full; see #5 above]

#7
November 28th 04, 04:35 PM
No_Name

Thanx for all the comments I received on this issue. I was quite
surprised at the high quality of all the responses I got.

I still have a few questions:

(Jeff Cochran) wrote in message ...
> On 27 Nov 2004 10:52:18 -0800, wrote:

> > I've been googling for several hours now on this subject and can't
> > find a thread that answers all my concerns in this area. NETBEUI
> > seems to be a good solution for small office or home networks that
> > want to share files/printers internally in addition to sharing an
> > internet connection. Here are the pros and cons as I see them.
> >
> > PRO:
> >
> > It seems to me that NETBEUI offers an additional level of security for
> > small networks connected to the internet, even those using a hardware
> > router/firewall. Most people seem to agree that a protocol other than
> > TCP/IP is recommended when all your computers have a separate external
> > IP address (no NAT translation).


> Okay, that's just dumb. You already have a full TCP/IP network if
> each has their own IP address, NetBEUI offers no protection or
> security. NetBEUI isn't routable, which is where this idea is coming
> from, but NetBEUI has to be the *only* protocol on the systems, not
> TCP/IP.


I neglected to mention that I would (of course) unbind TCP/IP from the
Microsoft Networking components on my network. Does this help my
scenario in your opinion? If no, Why not?


> > However, even if you do have a NAT
> > firewall, it seems to me that someone could format packets designed to
> > access your internal IP addresses. If they were successful, and you
> > are using TCP/IP for Microsoft Networking, they now have access to all
> > your network resources. However, if you are using NETBEUI (or some
> > other protocol) for Microsoft Networking, they have some additional
> > work to do in order to get to those same resources.


> True. Unless you use both.


But I'm not using both internally. See above.


> > In addition, if you start messing with your firewall (opening ports,
> > etc. as many gamers, VPN users, etc. must do), it is difficult to know
> > exactly what security holes you have opened up. Again, if you're
> > using NETBEUI for internal file/printer sharing, it's simple: your
> > network resources are protected because Microsoft Networking is not
> > bound to TCP/IP.


> Only if you remove the bindings or don't use TCP/IP on internal
> systems.

> > (NOTE: I realize that if you open up a big enough
> > hole in your firewall, someone could get onto one of your machines and
> > reconfigure MS Networking to do whatever they wanted. However, I
> > think most would agree this is more difficult than just getting past
> > the firewall.)


> I wouldn't, but it's not an actual issue. When you're compromised,
> you're compromised.


I think we're all compromised to some extent. Like physical security,
if someone wants to bad enough, they WILL find a way into your system.
I'm just trying to put more locks on the door.


> > I also use a software firewall (NIS 2004) on my computers, especially
> > my laptop that is frequently connected directly to the internet away
> > from the house without any hardware router/firewall. In that program
> > (and most other simple software firewalls), I have to put my local
> > Microsoft Networked computers in a "Trusted Zone" to allow
> > file/printer sharing over TCP/IP. I'm not sure (and have never gotten
> > exact information from Symantec) what this does, but I have to assume
> > the worst: there are NO firewall limitations AT ALL on communications
> > between computers in the "Trusted Zone".


> What is most disturbing is that you have configured the system
> security without knowing what it does. The admin is far more often
> the culprit than any software issue in any security breach.


I have tried to find out what adding computers to the "Trusted Zone"
in Symantec's Norton Internet Security 2004 means, but have been
unable to locate that information. As I said, I believe (from reading
and testing) that it means "disable the firewall for any
communications between me and any computer in the Trusted Zone".


> > This does not seem
> > acceptable to me, since it is easy to envision a scenario whereby my
> > daughter takes her laptop to school and picks up some malicious code
> > and returns to my network, or a friend comes over with his infected
> > wireless laptop and connects to my network to print something. In
> > either case, if all computers in my local subnet are in my "Trusted
> > Zone", the malicious code can spread throughout the network with no
> > restrictions.


Not even close to a valid assumption. Malicious code is simply code.
It doesn't actually "spread". That requires a mechanism of some sort,
such as a trojan, active virus, activated email link, or the code
being run. And firewalls don't block that.


If the malicious code executes on an infected machine and tries to
replicate itself over my network via TCP/IP NETBIOS ports, it will
fail if TCP/IP is not bound to MS Networking. Is that not correct?


HOWEVER, if I use NETBEUI for internal file/print
sharing, I don't have to put ANYONE in the "Trusted Zone", and the
same scenario would result in my NIS firewall (hopefully) raising a
flag when the malicious code attempts to spread itself inside my home
network.


You don't have to put anyone in any "trusted zone" and never should
unless you actually trust that system.


OK, here's where I started worrying about all this:
Inside my home, I believe I am fairly secure behind a NAT
router/firewall, with strong admin passwords, users logged on to
non-admin accounts and an additional software firewall and antivirus
program on ALL machines (NIS 2004).
However, I am a VERY mobile user: two of the three machines on my
network are laptops and one of those spends more time connected away
from home than behind the hardware router. That one is made more
secure by not even installing File and Print sharing for MS Networks.
When I am connecting to the Internet outside my hardware firewall, I
am obviously relying heavily on NIS to protect me from the bad guys...

But here are the two scenarios I am most concerned with:
1. I want to be able to allow friends who come inside my house to
connect to my network, primarily to share my internet connection, but
also to use my printers if necessary and perhaps share files.
Obviously the internet connection does not require F&PS, but the
others do. Is there a way I can allow this safely?

2. More importantly, I want to be able to take my laptop to friends'
houses and do the same things. Even if I don't have F&PS installed on
my laptop (because I don't want to share MY stuff with them, just the
converse!), I do need Client for MS Networks installed and bound to
SOME protocol in order to access their files/printers. In addition,
if that protocol is TCP/IP, then I HAVE to either disable Norton's
firewall, OR put their machine in the "Trusted Zone" as I mentioned
before. Otherwise, NIS will prevent me from accessing any of their
shared resources. (I don't understand why I need to "trust" them if I
just want to use THEIR resources, but that's what Norton appears to
require. If anyone knows of another way to achieve this with NIS,
PLEASE LET ME KNOW!!!) However, if I bind NETBEUI (and ONLY NETBEUI)
to Client for MS Networks, then Norton ignores my MS Network traffic,
and I can keep it enabled monitoring the TCP/IP traffic to and from my
machine.

Can you tell me a way to do this WITHOUT using NETBEUI and still
maintaining my software firewall?? Please don't tell me to get better
software. NIS may not be the best solution, but most other products
behave in the same way from what I have seen. Even the XP firewall
(obviously not the best example) must be disabled in order to use
F&PS.


CON:


Microsoft no longer "supports" NETBEUI... SO WHAT??!! Microsoft
support has never been that great anyway for home users and
furthermore, WHAT's to support? Whenever I have used NETBEUI in the
past (since ~ 1996, when I began moving away from IPX/SPX), it has
worked. (read "it has worked period"). It's trivial to install
NETBEUI on XP from the Install Disk (or as someone pointed out, you
can use the NETBEUI files from a W2K installation).

So, please tell me why I shouldn't use NETBEUI to reduce my security
concerns in this day when security is the single biggest problem
computer users face??


Because you've drawn the conclusion that NetBEUI is a secure protocol,
and that NetBEUI will protect your network by virtue of being on it.
Any worm that travels by Windows networking will travel via any
protocol you have on the system. NetBEUI is a non-secure protocol.

Please be specific: I've already seen too many general answers like:

"too many protocols slows down your network" (I only want to use two)
"NETBEUI is not supported" (see above)
"NETBEUI causes problems, especially with XP" (Please give specific
example)


NetBEUI is chatty and causes additional overhead on the network.
NetBEUI in addition to another protocol can disguise networking
problems making troubleshooting harder. NetBEUI is inherently
insecure because you cannot block or modify any portion of it, it's
either on or off.

And mostly. NetBEUI is only a security asset when used correctly, as
the only protocol on an internal network which only faces threats from
an outside network, running through a router that can translate
between NetBEUI and TCP/IP.

Jeff


Thanx again, Jeff (and Lanwench and Steve) for your detailed comments.
It seems to me that what Jeff and Lanwench are implying is the
following:

Malicious code that replicates itself (whatever name you want to give
it: trojan, virus, etc.) typically does NOT use TCP/IP specific
networking (trying specific TCP ports, etc.) to perform the
replication. It will instead try to replicate via higher level
network services (i.e. MS Networking). If that is the case, it
doesn't matter what underlying protocol is bound to MS Networking,
since if ANY protocol is bound the connection will be successful.

Now, if the above assumption is true, then I agree my reliance on
NETBEUI to help protect my systems is foolish. But it also follows
that this has nothing to do with XP, and if it is true now, then it
was true back in the days of Win95, Win98 and ME. If that is the
case, then is Steve's article (I assume it is yours; if not, please
accept my apologies) at:

http://www.practicallynetworked.com/sharing/netbeui.htm

also invalid?? If not, what's the difference??

This article (and others like it) is where I first got the idea of
using different protocols for internal and external communications.
The subsequent comments I've seen regarding NETBEUI and WinXP focused
on Microsoft's removing "support" for NETBEUI and NOT on the validity
of the original concept promoted in the article.

Thanx in advance for any further responses,
emmette
#8  Steven L Umbach  -  November 28th 04, 07:53 PM

Trusted zones means that firewall rules will be bypassed for any or certain
[such as file and print sharing] traffic for computers in the trusted zone
by their IP address or subnet location depending on how you configure it.

I am not an expert on how viruses propagate via netbeui and it is true that
many worms use ping or scan IP ranges to find target computers BUT I would
not count on netbeui being a defense for such as long as smb connectivity
remains between computers as the worm could possibly spread by using
computer names or when a user connects to another computer share.

Windows XP SP2 does allow file and print sharing connectivity while the
firewall is activated for inbound initiated connections. You can now specify
exemptions and the scope of the exemptions such as allowed IP
addresses/subnets. XP SP2 also allows inbound rules based on application to
further fine tune access. Any XP computer with the firewall enabled without
exemptions can be allowed to access other computer shares while not allowing
other computers to access its shares. That is the nature of a firewall that
manages only inbound traffic. The XP and NIS are stateful firewalls in that
they dynamically open inbound ports that are responses to outbound traffic
that your computer initiated and the ports are closed again when the
connection is done. These sessions are tracked by a number of parameters
including sequence numbers so as not to allow an attacker to "sneak" in
while the connection is open.

You can also configure your NIS firewall to act in this way if you want to go
somewhere to access other shares but not allow access to yours. Instead of
trusted zone, create a rule that allows "outbound" traffic on ports 137, 138
UDP and 139, 445, TCP. That should allow you to access other computers
shares but not allow other computers to access your computer. Note that if
your firewall is blocking inbound traffic, that you will probably NOT see
other computers in My Network Places because that traffic is broadcast based
on smaller networks and blocked by your firewall. You can still access a
computer if you know its name or IP address. Using unc in the run box as in
\\computername\share is one way to do such. If you want to allow others to
access your computer while at home you can enable your trusted zone for only
while you are at home.

If you have not upgraded to XP SP2 yet, I highly recommend that you
consider it. It has some major improvements to protect your computer
including the way that RPC is handled. --- Steve

http://www.microsoft.com/technet/pro.../sp2chngs.mspx
-- XP SP2 improvements.

wrote in message
m...
Thanx for all the comments I received on this issue. I was quite
surprised at the high quality of all the responses I got.

I still have a few questions:

(Jeff Cochran) wrote in message
...
On 27 Nov 2004 10:52:18 -0800,
wrote:

I've been googling for several hours now on this subject and can't
find a thread that answers all my concerns in this area. NETBEUI
seems to be a good solution for small office or home networks that
want to share files/printers internally in addition to sharing an
internet connection. Here are the pros and cons as I see them.

PRO:

It seems to me that NETBEUI offers an additional level of security for
small networks connected to the internet, even those using a hardware
router/firewall. Most people seem to agree that a protocol other than
TCP/IP is recommended when all your computers have a separate external
IP address (no NAT translation).


Okay, that's just dumb. You already have a full TCP/IP network if
each has their own IP address, NetBEUI offers no protection or
security. NetBEUI isn't routable, which is where this idea is coming
from, but NetBEUI has to be the *only* protocol on the systems, not
TCP/IP.


I neglected to mention that I would (of course) unbind TCP/IP from the
Microsoft Networking components on my network. Does this help my
scenario in your opinion? If no, Why not?


However, even if you do have a NAT
firewall, it seems to me that someone could format packets designed to
access your internal IP addresses. If they were successful, and you
are using TCP/IP for Microsoft Networking, they now have access to all
your network resources. However, if you are using NETBEUI (or some
other protocol) for Microsoft Networking, they have some additional
work to do in order to get to those same resources.


True. Unless you use both.


But I'm not using both internally. See above.


In addition, if you start messing with your firewall (opening ports,
etc. as many gamers, VPN users, etc. must do), it is difficult to know
exactly what security holes you have opened up. Again, if you're
using NETBEUI for internal file/printer sharing, it's simple: your
network resources are protected because Microsoft Networking is not
bound to TCP/IP.



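As an added worked example (not commands from Steve's post, and not Symantec's or Microsoft's documentation), here is the "reach other people's shares while exposing none of mine" arrangement he describes, expressed with the XP SP2 `netsh firewall` context instead of a trusted zone. The home subnet 192.168.1.0/255.255.255.0 and the host name `friendpc` are assumed values; substitute your own.

```batch
@echo off
rem Added example, not from the thread. Run from an Administrator cmd prompt
rem on Windows XP SP2. "home" opens File and Printer Sharing inbound only to
rem the assumed home subnet; "away" closes it again; "check" shows the result.
rem Assumed values: 192.168.1.0/255.255.255.0 (home LAN), friendpc (a host).

if "%1"=="home"  goto home
if "%1"=="away"  goto away
if "%1"=="check" goto check
echo usage: %~nx0 home ^| away ^| check
goto :eof

:home
rem Scope the File and Printer Sharing exception (UDP 137/138, TCP 139/445)
rem to the local subnet. The firewall stays on; only those four ports are
rem reachable, and only from the listed address range.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.168.1.0/255.255.255.0 profile=ALL
goto check

:away
rem On someone else's network, remove the inbound exception entirely.
rem Outbound connections are not filtered by the XP firewall and their replies
rem are admitted statefully, so connecting to a share still works while no
rem host can open a session to this machine. Browsing (broadcast based)
rem will not show other computers; reach them by name instead, for example:
rem     net use Z: \\friendpc\share
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
goto check

:check
rem Confirm the firewall is enabled and list which services/ports are open
rem and to which scope, so a forgotten "home" exception is visible.
netsh firewall show state
netsh firewall show service
goto :eof
```

Running `check` before and after each switch is the point of the script: the scope line in `show service` is what distinguishes "shares open to my subnet" from "shares open to everyone", which a trusted-zone setting never makes visible.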

#9  Jeff Cochran  -  November 29th 04, 04:12 PM

OK, here's where I started worrying about all this:
Inside my home, I believe I am fairly secure behind a NAT
router/firewall, with strong admin passwords, users logged on to
non-admin accounts and an additional software firewall and antivirus
program on ALL machines (NIS 2004).
However, I am a VERY mobile user: two of the three machines on my
network are laptops and one of those spends more time connected away
from home than behind the hardware router. That one is made more
secure by not even installing File and Print sharing for MS Networks.
When I am connecting to the Internet outside my hardware firewall, I
am obviously relying heavily on NIS to protect me from the bad guys...


I'd suggest that's a major issue. Since there are many attacks that
can't be blocked by a firewall, relying on a firewall for *all* your
security isn't very healthy. You don't mention other security tools
you may or may not use, so I really don't have any specific comments.

But here's the two scenarios I am most concerned with:
1. I want to be able to allow friends who come inside my house to
connect to my network, primarily to share my internet connection, but
also to use my printers if necessary and perhaps share files.
Obviously the internet connection does not require F&PS, but the
others do. Is there a way I can allow this safely?


Depends a lot on how printers are "used" but basically, secure your
systems from attacks that don't come from an internet connection.
Firewalls can do this.

2. More importantly, I want to be able to take my laptop to friend's
houses and do the same things. Even if I don't have F&PS installed on
my laptop (because I don't want to share MY stuff with them, just the
converse!), I do need Client for MS Networks installed and bound to
SOME protocol in order to access their files/printers. In addition,
if that protocol is TCP/IP, then I HAVE to either disable Norton's
firewall, OR put their machine in the "Trusted Zone" as I mentioned
before.


Couldn't tell you. Norton's may not be as configurable as you need,
but you should be able to open specific ports to specific systems.

Otherwise, NIS will prevent me from accessing any of their
shared resources. (I don't understand why I need to "trust" them if I
just want to use THEIR resources, but that's what Norton appears to
require. If anyone knows of another way to achieve this with NIS,
PLEASE LET ME KNOW!!!) However, if I bind NETBEUI (and ONLY NETBEUI)
to Client for MS Networks, then Norton ignores my MS Network traffic,
and I can keep it enabled monitoring the TCP/IP traffic to and from my
machine.


So you use NetBEUI and allow Microsoft Networking across it, correct?
And a virus/trojan that replicates through network shares is now
blocked by..., well, it's not. You're now exposed and vulnerable.

Can you tell me a way to do this WITHOUT using NETBEUI and still
maintaining my software firewall?? Please don't tell me to get better
software. NIS may not be the best solution, but most other products
behave in the same way from what I have seen. Even the XP firewall
(obviously not the best example) must be disabled in order to use
F&PS.


File and printer sharing works perfectly well with both Norton's and
XP's firewalls running. You need to configure them correctly.

And if you intend to share files, you're open to one of the files
being infected. You're open to all the standard issues on any
networked system. You need to use a combination of security, NTFS
permissions, firewall settings, auditing changes and so on.

NetBEUI, as you're using it, provides a false sense of security.
Which is often worse than no security at all.

Malicious code that replicates itself (whatever name you want to give
it: trojan, virus, etc.) typically does NOT use TCP/IP specific
networking (trying specific TCP ports, etc.) to perform the
replication. It will instead try to replicate via higher level
network services (i.e. MS Networking). If that is the case, it
doesn't matter what underlying protocol is bound to MS Networking,
since if ANY protocol is bound the connection will be successful.


Quite true. Or it may not rely on any transport other than user
action.

Now, if the above assumption is true, then I agree my reliance on
NETBEUI to help protect my systems is foolish. But it also follows
that this has nothing to do with XP, and if it is true now, then it
was true back in the days of Win95, Win98 and ME. If that is the
case, then is Steve's article (I assume it is yours; if not, please
accept my apologies) at:

http://www.practicallynetworked.com/sharing/netbeui.htm

also invalid?? If not, what's the difference??


It's very valid. In one instance only. Let's say you have system A,
using TCP/IP, which is external to your control so it may become
compromised. System B connects to it via TCP/IP. System C connects
to system B via NetBEUI.

System C is protected from direct attacks by system A, since there is
no network path to reach it. System C cannot get to system A to share
resources either.

I've never put much stock in the binding/unbinding of protocols but
leaving them on the system, too much administration and too many
points where a misconfiguration destroys everything. And using
NetBEUI internally made sense years ago, when there were few automated
attacks and they exploited a relatively few access points. No longer
the case.

This article (and others like it) is where I first got the idea of
using different protocols for internal and external communications.
The subsequent comments I've seen regarding NETBEUI and WinXP focused
on Microsoft's removing "support" for NETBEUI and NOT on the validity
of the original concept promoted in the article.


The original articles have been overshadowed by developments over
time. While still possibly valid, they really aren't the best methods
available.

Similar is the suggestion that internet servers shouldn't advertise
their software versions in the headers (or FTP servers). The idea is
it makes a hacker's job easier if they know the software used, it's
referred to as security by obscurity. But an attack script doesn't
care. It tries a known exploit, if it doesn't work it moves to the
next system. The IP may be a vulnerable system, or it may be an IP
addressable coffee pot. Either way, it still gets attacked.

Jeff
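An added example, not taken from Jeff's post or any vendor documentation, of the "NTFS permissions plus firewall settings" layering he recommends: a single folder published read-only to a dedicated low-privilege account rather than to Everyone, on XP Professional. The folder C:\Shared, the share name Pub and the local account guestlan are assumed names.

```batch
@echo off
rem Added example, not from the thread. Run from an Administrator cmd prompt
rem on Windows XP Professional. Assumed names: folder C:\Shared, share Pub,
rem local account guestlan. Change them to suit.
set FOLDER=C:\Shared
set SHARE=Pub
set USER=guestlan

rem 1. Turn off Simple File Sharing (the ForceGuest setting). While it is on,
rem    every network logon is mapped to Guest and per-user permissions never
rem    apply, so steps 2 and 3 would be silently ignored.
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t REG_DWORD /d 0 /f

rem 2. A dedicated local account for visitors. "*" prompts for the password
rem    instead of leaving it on the command line and in the console history.
net user %USER% * /add /passwordchg:no

rem 3. NTFS permissions: replace the inherited ACL with Administrators and
rem    SYSTEM full control, then add the visitor account read-only. /T recurses
rem    and the piped Y answers the confirmation cacls asks for when replacing.
if not exist %FOLDER% mkdir %FOLDER%
echo Y| cacls %FOLDER% /T /G Administrators:F
echo Y| cacls %FOLDER% /T /E /G SYSTEM:F
echo Y| cacls %FOLDER% /T /E /G %USER%:R

rem 4. Publish the folder. Share-level permissions are set in the folder's
rem    Sharing tab; whatever the share permits, the NTFS ACL above caps the
rem    visitor at read-only, which is the layer that survives a misconfigured
rem    share or firewall exception.
net share %SHARE%=%FOLDER% /remark:"Visitor read-only share"

rem 5. Verify both layers before handing out the account.
net share %SHARE%
cacls %FOLDER%
```

The NTFS step is deliberately done before the share is created, so there is no window in which the folder is reachable with its inherited (usually far wider) permissions; the firewall scope decides who can reach port 445, and the ACL decides what they can do once there.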