Solved

SMB Signing on NetApp

Posted on 2012-03-21
2
4,351 Views
Last Modified: 2012-03-26
Hi,

We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilities using Nessus, and must resolve all medium or higher.

Unfortunately, we were presented with the following vul.: http://www.nessus.org/plugins/index.php?view=single&id=57608

We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client.

If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)

Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities...

Thanks for any feedback!

eS1
0
Question by:eSourceONE
2 Comments
LVL 11

Accepted Solution

by:
slemmesmi earned 500 total points
Dear eS1,

You are correct when you write "there is no way to force SMB signing on the NetApp side".

E.g. the "Data ONTAP 7.3 File Access and Protocols Management Guide" https://library.netapp.com/ecm/ecm_get_file/ECMM1278400, page 76 states "It is not possible to configure the storage system to require SMB signing communications from clients, which is the equivalent of the Microsoft Network server policy "Digitally sign communications (always).""

This means you should enable SMB signing on both your clients and storage, in order to achieve that all SMB communication is signed.

In fact - if you enable it on the storage but not on all clients, you may run into the problem described in NetApp KB 2013300 "Common Internet File System protocol fails with SMB protocol signing" https://kb.netapp.com/support/index?page=content&id=2013300 i.e. you should enable it on both (on your client e.g. via GPO).

Beware of the significant performance impact though!

You can however enable required signing of SMB 2.0 (a.k.a. SMBv2) from storage side - please refer to pages 78 and 79 in the above mentioned "Common Internet File System protocol fails with SMB protocol signing".

I don't know if Nessus identifies "SMB" and/or SMB 2.0 thus, so it may be that the combination of "options cifs.signing.enable on" and "options cifs.smb2.signing.required on" will not make it "happy".

I recommend you test the setup "outside business hours" to ensure the enabling does not cause any undesired negative impact.

Kind regards,
Soren
0
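The distinction the answer draws (signing merely permitted versus required, and SMB1 versus SMB 2.0 handled separately) is exactly what a scanner reads out of the server's NEGOTIATE response. The following is an added example, not code from the thread or from NetApp or Tenable: it parses the SecurityMode field of constructed SMB1 and SMB2 negotiate responses and reports the same "signing enabled but not required" condition the Nessus finding describes, so the posture can be confirmed from a capture before and after changing the options. Field offsets follow MS-CIFS and MS-SMB2; the sample packets are constructed here with zeroed header fields and are not captures from a filer.

```python
"""Classify SMB signing posture from NEGOTIATE responses (constructed samples)."""
import struct

# SMB1 NEGOTIATE response SecurityMode bits (MS-CIFS, NT LM 0.12 dialect)
SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08

# SMB2 NEGOTIATE response SecurityMode flags (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

SMB1_HEADER_LEN = 32
SMB2_HEADER_LEN = 64


def classify(signing_enabled: bool, signing_required: bool) -> str:
    """Map the two flags onto the three postures a scanner distinguishes."""
    if signing_required:
        return "required"
    if signing_enabled:
        return "enabled-not-required"  # the condition the Nessus finding reports
    return "disabled"


def parse_smb1_negotiate(packet: bytes) -> dict:
    """SMB1: 32-byte header, then WordCount (1), DialectIndex (2), SecurityMode (1)."""
    if packet[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    word_count, dialect_index, security_mode = struct.unpack_from("<BHB", packet, SMB1_HEADER_LEN)
    if word_count != 17:
        raise ValueError("not an NT LM 0.12 NEGOTIATE response")
    enabled = bool(security_mode & SMB1_SIGNING_ENABLED)
    required = bool(security_mode & SMB1_SIGNING_REQUIRED)
    return {"protocol": "SMB1", "dialect": dialect_index, "signing_enabled": enabled,
            "signing_required": required, "posture": classify(enabled, required)}


def parse_smb2_negotiate(packet: bytes) -> dict:
    """SMB2: 64-byte header, then StructureSize (2), SecurityMode (2), DialectRevision (2)."""
    if packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", packet, SMB2_HEADER_LEN)
    if structure_size != 0x41:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    enabled = bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)
    required = bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    return {"protocol": "SMB2", "dialect": dialect, "signing_enabled": enabled,
            "signing_required": required, "posture": classify(enabled, required)}


def parse_negotiate(packet: bytes) -> dict:
    """Dispatch on the protocol id byte: 0xFF for SMB1, 0xFE for SMB2."""
    return parse_smb2_negotiate(packet) if packet[:1] == b"\xfe" else parse_smb1_negotiate(packet)


def audit(packets) -> list:
    """Return one finding per response whose signing posture is weaker than 'required'."""
    findings = []
    for packet in packets:
        info = parse_negotiate(packet)
        if info["posture"] != "required":
            findings.append(f"{info['protocol']} dialect 0x{info['dialect']:04x}: signing {info['posture']}")
    return findings


# --- constructed sample packets (header fields zeroed; only the parsed fields are meaningful) ---
def build_smb1_negotiate_response(security_mode: int) -> bytes:
    header = b"\xffSMB" + bytes(SMB1_HEADER_LEN - 4)
    body = struct.pack("<BHB", 17, 0, security_mode)          # WordCount, DialectIndex, SecurityMode
    body += struct.pack("<HHIIIIqbBH", 50, 1, 0x10000, 0x10000, 0, 0, 0, 0, 8, 0)  # remaining fixed words
    return header + body


def build_smb2_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    header = b"\xfeSMB" + bytes(SMB2_HEADER_LEN - 4)
    body = struct.pack("<HHHH", 0x41, security_mode, dialect, 0)  # StructureSize, SecurityMode, Dialect, Reserved
    body += bytes(16)                                             # ServerGuid
    body += struct.pack("<IIII", 0, 0x100000, 0x100000, 0x100000) # Capabilities, MaxTransact/Read/Write
    body += struct.pack("<QQ", 0, 0)                              # SystemTime, ServerStartTime
    body += struct.pack("<HHI", 0x80, 0, 0)                       # SecurityBufferOffset/Length, ContextOffset
    return header + body


SAMPLES = {
    "smb1_disabled": build_smb1_negotiate_response(0x03),        # user mode + encrypted passwords only
    "smb1_enabled_only": build_smb1_negotiate_response(0x07),    # signing enabled, not required
    "smb2_enabled_only": build_smb2_negotiate_response(0x0001),  # models cifs.signing.enable on
    "smb2_required": build_smb2_negotiate_response(0x0003),      # models cifs.smb2.signing.required on
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, parse_negotiate(packet)["posture"])
    for finding in audit(SAMPLES.values()):
        print("FINDING:", finding)
```

Run against the constructed set, only the SMB2 response with the "required" flag passes; the SMB1 responses and the SMB2 response with signing merely enabled are each reported, which matches the answer's point that enabling signing on the filer alone leaves the finding open and that SMB1 cannot be made to require it from the storage side.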

Author Closing Comment

by:eSourceONE
That's what we were afraid of... Thanks for the feedback
0
