Planning the NetBIOS network

The IBM® Domino® network is compatible with NetBIOS, a set of IBM session-layer LAN services that has evolved into a standard interface that applications use to access transport-layer network protocols.

Domino supports the NetBIOS interface on Microsoft™ Windows™ systems over the following transport protocols: TCP/IP (on systems running TCP/IP) and NetBEUI (supplied with all Microsoft network products).

Note: Although you can add some NetBIOS services to Linux™ and UNIX™ systems, NRPC communication does not use them.

Deciding whether to use NetBIOS services

Including NetBIOS in the Domino network has both benefits and risks. The benefits are as follows:

  • NetBIOS has low overhead relative to other protocol suites. NetBIOS over NetBEUI has the least overhead, and NetBIOS over TCP/IP has the most.
  • Because it is not directly routable, NetBIOS over NetBEUI can provide a secure means to access your server for administration within a flat network. To access the server over a routed IP network, you can create a data-link switching (DLSw) tunnel to limit the administration access with NetBIOS over NetBEUI.
  • Because NetBIOS name-to-address resolution services offer dynamic registration by name broadcasts, you can use NetBIOS to build a remote Domino network for temporary or emergency use.

The risks of using NetBIOS involve the security of the file system on Domino servers. Depending on the access permissions of the operating system and on the transport protocol being used, NetBIOS name and file services might allow users to see or access the server's file system. When a server provides NRPC services, mitigate this risk by disabling the NetBIOS name and file services (SMB/CIFS) on the system so that the system's name cannot be seen over the network. Other IBM Notes® and Domino systems can still find the Domino server because Domino has its own NetBIOS name service to propagate and register the Domino server's NetBIOS name, but access is secure because it is controlled by the authentication and certification features in NRPC.

If the system on which you run Domino requires NetBIOS name or authentication services, mitigate the security risk by isolating the NetBIOS services. Install an additional NIC on the system for NetBIOS over a private administration network, and disable NetBIOS on the NIC that the Domino server uses.

How to tell if NetBIOS is active on a system

The following are indications that NetBIOS is active:

  • On Windows systems, you can see or access another Windows system's file system through the Network Neighborhood (indicates Server Message Block/NetBIOS).
  • You can register with an NT domain (indicates Server Message Block/NetBIOS).
  • On Windows 2000 or XP systems, NetBIOS over IP is selected in the system's TCP/IP protocol settings.

Note: On Linux and UNIX systems, the Samba server service (Windows file server) can offer Server Message Block/NetBIOS or Common Internet File System/IP access, or both.
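
For NetBIOS over TCP/IP on Windows, the indications above can also be confirmed from the system's listening sockets, per NIC address. The following is an added example, not part of the original IBM documentation: it parses Windows `netstat -an` output and reports which NetBIOS/SMB services are reachable on a given address. The sample output, the addresses, and the function names are constructed for illustration; NetBIOS over NetBEUI does not appear in `netstat` and is not covered.

```python
import re

# Well-known ports for NetBIOS over TCP/IP and direct-hosted SMB/CIFS.
NETBIOS_PORTS = {("UDP", 137): "NetBIOS name service",
                 ("UDP", 138): "NetBIOS datagram service",
                 ("TCP", 139): "NetBIOS session service (SMB)",
                 ("TCP", 445): "SMB/CIFS directly over TCP"}
WILDCARDS = {"0.0.0.0", "[::]"}  # bound on every interface (treated conservatively)

# Constructed sample of Windows `netstat -an` output (not from a real host).
# 192.0.2.10 = NIC used by Domino (1352 is the NRPC port); 10.10.10.5 = admin NIC.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1352        0.0.0.0:0              LISTENING
  TCP    10.10.10.5:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1352        192.0.2.77:50112       ESTABLISHED
  UDP    10.10.10.5:137         *:*
  UDP    10.10.10.5:138         *:*
"""
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$", re.I)

def netbios_listeners(netstat_text):
    """Map each local address to its sorted NetBIOS/SMB (proto, port) listeners."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.group(1).upper(), m.group(2), int(m.group(3)), m.group(4)
        if (proto, port) not in NETBIOS_PORTS:
            continue
        # TCP counts only when LISTENING; UDP lines carry no state column.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        found.setdefault(addr, set()).add((proto, port))
    return {addr: sorted(ports) for addr, ports in found.items()}

def exposed_on(netstat_text, nic_address):
    """NetBIOS/SMB services reachable through nic_address, wildcard binds included."""
    hits = set()
    for addr, ports in netbios_listeners(netstat_text).items():
        if addr == nic_address or addr in WILDCARDS:
            hits.update(ports)
    return sorted(hits)

if __name__ == "__main__":
    for nic in ("192.0.2.10", "10.10.10.5"):
        services = [NETBIOS_PORTS[s] for s in exposed_on(SAMPLE_NETSTAT, nic)]
        print(nic, "->", services or "no NetBIOS/SMB listeners")
```

An empty result for the Domino NIC's address, with listeners only on the private administration NIC, matches the isolation setup described earlier on this page.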