Solved

SMB Signing on NetApp

Posted on 2012-03-21
Last Modified: 2012-03-26
Hi,

We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilities using Nessus, and must resolve all medium or higher.

Unfortunately, we were presented with the following vul.: http://www.nessus.org/plugins/index.php?view=single&id=57608

We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client.

If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)

Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities...

Thanks for any feedback!

eS1
Question by:eSourceONE
Accepted Solution

by:
slemmesmi earned 500 total points
ID: 37762800
Dear eS1,

You are correct when you write "there is no way to force SMB signing on the NetApp side".

E.g. the "Data ONTAP 7.3 File Access and Protocols Management Guide" https://library.netapp.com/ecm/ecm_get_file/ECMM1278400, page 76 states "It is not possible to configure the storage system to require SMB signing communications from clients, which is the equivalent of the Microsoft Network server policy 'Digitally sign communications (always).'"

This means you should enable SMB signing on both your clients and storage, in order to achieve that all SMB communication is signed.

In fact - if you enable it on the storage but not on all clients, you may run into the problem described in NetApp KB 2013300 "Common Internet File System protocol fails with SMB protocol signing" https://kb.netapp.com/support/index?page=content&id=2013300 i.e. you should enable it on both (on your client e.g. via GPO).

Beware of the significant performance impact though!

You can however enable required signing of SMB 2.0 (a.k.a. SMBv2) from storage side - please refer to pages 78 and 79 in the above mentioned "Common Internet File System protocol fails with SMB protocol signing".

I don't know if the Nessus identifies "SMB" and/or SMB 2.0 thus, so it may be that the combination of "options cifs.signing.enable on" and "options cifs.smb2.signing.required on" will not make it "happy".

I recommend you test the setup "outside business hours" to ensure the enabling does not cause any undesired negative impact.

Kind regards,
Soren
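
The distinction this thread turns on, signing enabled versus signing required, is advertised by the server in the SecurityMode field of its negotiate response. As an added example that is not part of the original answer or of any NetApp or Nessus code, this Python code decodes that field for SMB1 and SMB 2.0; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Signing bits in the negotiate response SecurityMode field (MS-CIFS, MS-SMB2).
SMB1_ENABLED, SMB1_REQUIRED = 0x04, 0x08
SMB2_ENABLED, SMB2_REQUIRED = 0x0001, 0x0002


def signing_posture(msg: bytes) -> dict:
    """Decode signing flags from a negotiate response (transport header stripped)."""
    if msg[:4] == b"\xffSMB":
        # 32-byte header, WordCount (1), DialectIndex (2), SecurityMode (1).
        if len(msg) < 36 or msg[4] != 0x72:
            raise ValueError("not an SMB1 negotiate response")
        dialect, mode = "SMB1", msg[35]
        enabled, required = SMB1_ENABLED, SMB1_REQUIRED
    elif msg[:4] == b"\xfeSMB":
        # 64-byte header, StructureSize (2), SecurityMode (2, little-endian).
        if len(msg) < 68 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not an SMB2 negotiate response")
        dialect, mode = "SMB2", struct.unpack_from("<H", msg, 66)[0]
        enabled, required = SMB2_ENABLED, SMB2_REQUIRED
    else:
        raise ValueError("not an SMB message")
    return {"dialect": dialect,
            "enabled": bool(mode & enabled),
            "required": bool(mode & required)}


def smb1_sample(mode: int) -> bytes:
    """Constructed SMB1 negotiate response with the given SecurityMode byte."""
    return b"\xffSMB\x72" + bytes(27) + b"\x11\x00\x00" + bytes([mode])


def smb2_sample(mode: int) -> bytes:
    """Constructed SMB2 negotiate response with the given SecurityMode value."""
    return b"\xfeSMB" + struct.pack("<H", 64) + bytes(58) + struct.pack("<HH", 65, mode)


if __name__ == "__main__":
    # Constructed inputs: SMB1 with signing enabled only, SMB2 with signing required.
    for sample in (smb1_sample(0x07), smb2_sample(0x03)):
        p = signing_posture(sample)
        verdict = "enforced" if p["required"] else "optional: client policy decides"
        print(p["dialect"], "signing", verdict)
```

A server that reports `enabled` without `required` signs only when the client asks for it, which is why the client-side policy still matters in that case.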
Author Closing Comment

by:eSourceONE
ID: 37765451
That's what we were afraid of... Thanks for the feedback