12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


Understanding access
Proxies

Examples of traffic that the CIFS proxy supports include:

■ External users trying to access internal SMB servers from home or the road to read mail, access databases, or access documents. For this type of access, you configure the security gateway to disable write access to the servers. These users connect non-transparently and use service redirection to let the CIFS proxy hide the details about the real SMB servers.
■ Internal users trying to access external SMB servers. These types of users only need to connect transparently to the server.

The CIFS proxy does not support authentication of the CIFS/SMB client except through Out of Band Authentication. Additionally, you can create rules that include CIFS just as is done with HTTP, FTP, Telnet, SMTP, NNTP, and other protocols. Table 4-3 lists the configurable options for CIFS.

Table 4-3 Configurable CIFS services

Service
    Description

File Reading Allowed
    Lets users read files or query attributes of files on an SMB server. This is useful for setting up public directories for download purposes only.

File Printing Allowed
    Lets users perform print operations or connect to print shares on an SMB server. (May not work for Windows 2000 clients)

File Renaming Allowed
    Lets users and applications rename or move files on an SMB server.

File Writing Allowed
    Lets users write or copy files, or create directories on an SMB server. This is useful in setting up public directories for upload purposes only.

File Deleting Allowed
    Lets users or applications delete files and directories from the SMB server.

File Access Allowed
    Lets users connect to file shares on an SMB server. (May not work for Windows 2000 clients)

File Permission Change Allowed
    Lets users and applications change modal attributes of any file on an SMB server.

File Generic Access Allowed
    Lets users connect to any shared resource not covered by:
    ■ File Printing Allowed
    ■ Pipe Use Allowed
    ■ File Access Allowed
    ■ COM Port Access Allowed
    Some CIFS clients use generic access to connect to CIFS servers for administrative purposes. In general, they connect to \\server-name\IPC$ with a target of “$$$$” (the generic device). The connection to the IPC$ share on the server lets the server validate the client as existing in the domain. If you want to prevent this type of traffic from passing through the security gateway, uncheck this option. However, if you disable this option, and the client and server are in different domains, file and print sharing between client and server will not work.

File Directory Access Allowed
    Lets users and applications obtain directory listings.

Pipe Use Allowed
    Lets applications use named pipes over an SMB connection. Named pipes are used for a variety of applications, such as remote management, network printer sharing, and SQL server (using default transport). If you uncheck Pipe Use Allowed, you cannot pass traffic from these applications through the security gateway. If you do not want your inside servers remotely managed from the outside, and you have CIFS enabled, uncheck this option.

COM Port Access Allowed
    Lets users connect to shared communication devices (such as serial ports).

SMB Operation Logged
    Causes the CIFS daemon to perform an audit log of all SMB operations attempted. This causes performance degradation under heavy loads, but lets you see what files are being read, modified, or deleted on each SMB server. This can be used to supplement the audit logs on Microsoft Windows server platforms. This option also increases the size of the security gateway log file.
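The guidance above can be applied as a review check on a CIFS rule. The following is an added example, not code from the Symantec guide: the option names are those in Table 4-3, while the dict layout and the `direction`, `redirected` and `cross_domain` keys are assumptions for illustration and are not the gateway's configuration format.

```python
# Option names come from Table 4-3. The dict layout and the "direction",
# "redirected" and "cross_domain" keys are assumptions made for this example,
# not the gateway's configuration format.
MODIFYING = (
    "File Writing Allowed",
    "File Renaming Allowed",
    "File Deleting Allowed",
    "File Permission Change Allowed",
)  # assumption: "write access" is read as every modifying operation


def audit_cifs_rule(rule):
    """Return (severity, message) findings for one CIFS rule."""
    opts = rule.get("options", {})

    def on(name):
        return bool(opts.get(name, False))

    findings = []
    if rule.get("direction") == "inbound":  # external client, internal server
        for name in MODIFYING:
            if on(name):
                findings.append(("high", f"{name} is enabled for external users"))
        if on("Pipe Use Allowed"):
            findings.append(("high", "named pipes allow remote management of inside servers"))
        if not rule.get("redirected", False):
            findings.append(("medium", "no service redirection, real SMB servers are not hidden"))
        if not on("SMB Operation Logged"):
            findings.append(("low", "no gateway audit log of files read, modified or deleted"))
    if rule.get("cross_domain", False) and not on("File Generic Access Allowed"):
        findings.append(("info", "generic access off across domains breaks file and print sharing"))
    return findings


# Constructed sample rules (not taken from a real gateway).
WEAK = {"direction": "inbound", "redirected": False, "options": {
    "File Reading Allowed": True, "File Writing Allowed": True,
    "File Deleting Allowed": True, "Pipe Use Allowed": True,
    "File Generic Access Allowed": True}}
HARDENED = {"direction": "inbound", "redirected": True, "options": {
    "File Reading Allowed": True, "File Access Allowed": True,
    "File Directory Access Allowed": True,
    "File Generic Access Allowed": True, "SMB Operation Logged": True}}

if __name__ == "__main__":
    for label, rule in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_cifs_rule(rule))
```

The severities are this example's own ranking; the guide itself only describes the effect of each option.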
