I work for a Social Welfare Center, which consists of 5 institutions, located many kilometers away from each other.

4 of them are effectively connected to a LAN, but one has no access, and I am thinking of opening ports 445 and 139 on a specific server inside the LAN, to allow shared file access using its external IP.

Questions:
1) Is it even possible / reasonable to do that? Can I create a network share with its external IP?

2) Is it an extremely bad idea? If not, is there a way to restrict who can access those files without hard-coding IPs? Any security-related suggestions are welcome.

I have tried nothing so far, because our port-forwarding is managed by our ISP.
Thank you for your time.

  • It's an **EXTREMELY** bad idea. You very likely deal with highly sensitive data and need to do everything to protect it. Just opening a file share on the internet is completely unacceptable. – Sven May 22 '14 at 09:41

2 Answers

You should connect your locations over a VPN, either a LAN-to-LAN VPN or restricted access only to your file server. You can see exactly who is connecting to your LAN. And you can use normal SMB access rights on your server, from an Active Directory for example.

You can also use a WebDAV service, but VPN is recommended.

  • Thank you DjangoUnchained. I do understand that VPN is the best way to go. I actually asked for some help on that, earlier today, if you check my questions here on ServerFault. Although, judging from the use it is intended for, I think VPN is overkill. What do you think? – mavrosxristoforos May 22 '14 at 09:41
  • @mavrosxristoforos: No, it's not overkill but the standard solution for such a situation. – Sven May 22 '14 at 09:44
  • It's not overkill! It will save you a lot of headaches afterwards. There are a lot of tutorials available to realize that. Just google OpenVPN LAN to LAN or buy a small VPN appliance. Maybe your router offers VPN connections so you can set it up. – DjangoUnchained May 22 '14 at 09:58
  • I wish it did. I will return to the original idea, then. Thanks a lot. – mavrosxristoforos May 22 '14 at 10:09

Just following on from what DjangoUnchained said, SMB protocol versions 1.0 and 2.0 are not encrypted and are susceptible to man-in-the-middle attacks as well as eavesdropping.

SMB version 3.0 on Windows 2012 does provide end-to-end file sharing encryption; however, as DjangoUnchained said, a site-to-site VPN is your best option in this case.

Mbond65
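
The dialect and encryption settings discussed in this answer can be checked on the file server itself. The following is an added example, not part of the answer above, and assumes Windows Server 2012 or later with an elevated PowerShell session. It uses the built-in SmbShare and NetSecurity cmdlets and is meant to sit behind the site-to-site VPN, not replace it:

```powershell
# Added example: audit and harden SMB on the file server (Windows Server 2012+).

# 1. Server-wide settings: is SMB1 still on, is encryption required?
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EncryptData,
                  RejectUnencryptedAccess, RequireSecuritySignature

# 2. User-created shares that do not require encryption
#    (administrative shares such as C$ and IPC$ are marked Special).
Get-SmbShare |
    Where-Object { -not $_.Special -and -not $_.EncryptData } |
    Select-Object Name, Path, EncryptData

# 3. Dialect negotiated by each connected client.
#    Clients below 3.0 cannot use SMB encryption at all.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. Hardening: turn off SMB1, require encryption for every share,
#    and refuse clients that cannot encrypt. Check step 3 first:
#    with RejectUnencryptedAccess set, pre-3.0 clients are denied.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -EncryptData $true `
                           -RejectUnencryptedAccess $true -Force

# 5. Inbound firewall rules that allow TCP 445 or 139, with the
#    profiles and remote addresses they apply to. A rule on the
#    Public profile with RemoteAddress "Any" deserves a close look.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and
            ($port.LocalPort -contains '445' -or
             $port.LocalPort -contains '139')) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    }
```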