• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4811
  • Last Modified:

SMB Signing on NetApp

Hi,

We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilites using Nessus, and must resolve all medium or higher.

Unfortunately, we were presented with the following vul.: http://www.nessus.org/plugins/index.php?view=single&id=57608

We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client.

If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)

Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities...

Thanks for any feedback!

eS1
0
eSourceONE
Asked:
eSourceONE
1 Solution
 
slemmesmiCommented:
Dear eS1,

You are correct when you write "there is no way to force SMB signing on the NetApp side".

E.g. the "Data ONTAP 7.3 File Access and Protocols Management Guide" https://library.netapp.com/ecm/ecm_get_file/ECMM1278400, page 76 states "It is not possible to configure the storage system to require SMB signing  communications from clients, which is the equivalent of the Microsoft Network server policy "Digitally sign communications (always)."

This means you should enable SMB signing on both your clients and storage, in order to achieve that all SMB communication is signed.

In fact - if you enable it on the storage but not on all clients, you may run into the problem described in NetApp KB 2013300 "Common Internet File System protocol fails with SMB protocol signing" https://kb.netapp.com/support/index?page=content&id=2013300 i.e. you should enable it on both (on your client e.g. via GPO).

Beware of the significant performance impact though!

You can however enable required signing of SMB 2.0 (a.k.a. SMBv2) from storage side - please refer to pages 78 and 79 in the above mentioned "Common Internet File System protocol fails with SMB protocol signing".

I don't know if the Nessus identifies "SMB" and/or SMB 2.0 thus, so it may be that the combination of "options cifs.signing.enable on" and "options cifs.smb2.signing.required on" will not make it "happy".

I recommend you test the setup "outside business hours" to ensure the enabling does not cause any undesired negative impact.

Kind regards,
Soren
0
 
eSourceONEAuthor Commented:
That's what we were afraid of... Thanks for the feedback
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now