Tunnelling Windows services to remote secured hosts

Here is an interesting security problem I have been fighting with. It
involves Microsoft software and a firewall I don't control, and my efforts
to fashion a secure solution with and in spite of these things.

If anyone has suggested solutions, I would welcome them. If not, it would be
nice to identify specific improvements that would solve the problems.

The Problem: tunnelling Windows smb service.

A remote computer, behind a fairly restrictive firewall, needs to access a
local samba server. The samba server provides services on a local,
unrouted network by a host that also has server routed network addresses.

The file systems served have some sensitive files on them. The samba service
is jailed
such that a compromise should not threaten the server in a meaningful way.
But if the samba server itself has a bug, or the Microsoft smb authentication
is weak or sniffed, the files would be exposed, and I would like to avoid that.

Therefore, the files are served only on an unrouted local network, to hosts
with local addresses. An attacker would have to break into these hosts, and
then gain access to the server. This is certainly not impossible, but it is
quite a bit harder than a direct attack,
and there are intrusion detection systems that are likely
to detect the first break-in.
Placing the samba server on the external network would be an unacceptible risk,
opening it to a variety of attacks and probes.

SMB over ssh?

Bill Cheswick - Tunnelling Windows services

NEW DELHI -- Three months ago, Howard Staab learned that he suffered from a life-threatening heart condition and would have to undergo surgery at a cost of up to $200,000 -- an impossible sum for the 53-year-old carpenter from Durham, N.C., who has no health insurance.

So he outsourced the job to India.

Howard Staab, who had a life-threatening heart condition requiring surgery, went to India with his partner, Maggi Grace, in search of affordable care. (John Lancaster -- The Washington Post)

Taking his cue from cost-cutting U.S. businesses, Staab last month flew about 7,500 miles to the Indian capital, where doctors at the Escorts Heart Institute & Research Centre -- a sleek aluminum-colored building across the street from a bicycle-rickshaw stand -- replaced his balky heart valve with one harvested from a pig. Total bill: about $10,000, including round-trip airfare and a planned side trip to the Taj Mahal.

All your major, non-emergency-room healthcare is belong to India and Thailand. Check out Goa or Phuket while you're there.

Surgeries, Side Trips for 'Medical Tourists' (washingtonpost.com)

Innovating within the email server industry since 1998, Calacode develops @Mail, a robust integration of Open Source Technology, Unix, Strong Encryption, and industry-standard Groupware Features in a centralized messaging platform.

The software can be used as a WebMail interface to an existing mailserver, a complete Email Server platform, or an Exchange replacement.

WebMail Client / WebMail Server for Linux , Unix and Windows

If, however, the currency is more seriously damaged or mutilated, it must be sent to the BEP for examination and identification after which the claimant will be reimbursed for its face value by a U.S. Treasury check. The standards by which mutilated currency can be exchanged at face value are: (1) at least 51% of a currency note is present and identifiable; or (2) 50% or less of a currency note is present and the submitted evidence justifies the method of mutilation and the U.S. Treasury is satisfied that all missing portions of the currency note have been totally destroyed.

Bureau of Engraving and Printing

Zimbra™ Collaboration Suite Open Source Project Beta Launch

Zimbra is a community for building and maintaining next generation collaboration technology. Currently, this technology is available as a beta version. At Zimbra, our goal is to make e-mail, calendar, contacts and other communications technologies the best they can be. We believe that by opening the technology to the community we will ensure that we can maximize innovation, scale and the ability to co-exist with existing messaging systems.

CooooooooL!

Zimbra™ - Home

JasperReports is a powerful open source Java reporting tool that has the ability to deliver rich content onto the screen, to the printer or into PDF, HTML, XLS, CSV and XML files.

It is entirely written in Java and can be used in a variety of Java enabled applications, including J2EE or Web applications, to generate dynamic content.

Its main purpose is to help creating page oriented, ready to print documents in a simple and flexible manner.

JasperReports - Java Reporting Tool

What is the key benefit of Microsoft Domain Security?

In a word, single sign-on, or SSO for short. To many, this is the Holy Grail of MS Windows NT and beyond networking. SSO allows users in a well-designed network to log onto any workstation that is a member of the domain that contains their user account (or in a domain that has an appropriate trust relationship with the domain they are visiting) and they will be able to log onto the network and access resources (shares, files, and printers) as if they are sitting at their home (personal) workstation. This is a feature of the domain security protocols.

Samba HOWTO Chapter 4. Domain Control

Open-source Samba turns a Unix or Linux system into a file and print server for Microsoft Windows network clients. Tom Syroid dishes up a juicy tutorial that shows you how to configure Samba as the primary domain controller on an xSeries server.

Using Samba as a primary domain controller

This document describes how to setup Samba on a Debian GNU/Linux file server to act as a primary domain controller for Windows 2000 workstations.

The Golden Ear - Setting up Samba, as a primary domain controller with roaming profiles

Secure Shell (SSH) is open, free, fast, secure, and easy to setup (once you know how).

O'Reilly Network: Using SSH Tunneling