Solved

SMB Signing on NetApp

Posted on 2012-03-21
Last Modified: 2012-03-26
Hi,

We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilities using Nessus, and must resolve all medium or higher.

Unfortunately, we were presented with the following vul.: http://www.nessus.org/plugins/index.php?view=single&id=57608

We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client.

If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)

Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities...

Thanks for any feedback!

eS1
Question by:eSourceONE

Accepted Solution

by:
slemmesmi earned 2000 total points
ID: 37762800
Dear eS1,

You are correct when you write "there is no way to force SMB signing on the NetApp side".

E.g. the "Data ONTAP 7.3 File Access and Protocols Management Guide" https://library.netapp.com/ecm/ecm_get_file/ECMM1278400, page 76 states: "It is not possible to configure the storage system to require SMB signing communications from clients, which is the equivalent of the Microsoft Network server policy 'Digitally sign communications (always).'"

This means you should enable SMB signing on both your clients and storage, in order to achieve that all SMB communication is signed.

In fact - if you enable it on the storage but not on all clients, you may run into the problem described in NetApp KB 2013300 "Common Internet File System protocol fails with SMB protocol signing" https://kb.netapp.com/support/index?page=content&id=2013300 i.e. you should enable it on both (on your client e.g. via GPO).

Beware of the significant performance impact though!

You can however enable required signing of SMB 2.0 (a.k.a. SMBv2) from storage side - please refer to pages 78 and 79 in the above mentioned "Common Internet File System protocol fails with SMB protocol signing".

I don't know if the Nessus identifies "SMB" and/or SMB 2.0 thus, so it may be that the combination of "options cifs.signing.enable on" and "options cifs.smb2.signing.required on" will not make it "happy".

I recommend you test the setup "outside business hours" to ensure the enabling does not cause any undesired negative impact.

Kind regards,
Soren
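
The distinction this thread turns on, signing merely enabled versus signing required, is visible in the SecurityMode field of the server's negotiate response. The following is an added example, not part of the original posts or of NetApp's documentation: it classifies an SMB1 or SMB2 negotiate response (the SMB message without the 4-byte transport header) by those bits. The function names and the sample messages are constructed for illustration and were not captured from a filer.

```python
import struct

# SecurityMode bits as defined in the SMB specifications (MS-CIFS, MS-SMB2).
SMB1_ENABLED, SMB1_REQUIRED = 0x04, 0x08
SMB2_ENABLED, SMB2_REQUIRED = 0x0001, 0x0002


def signing_state(msg):
    """Return (family, state) for a negotiate response without transport header.

    state is 'required', 'enabled-only' (the client decides) or 'disabled'.
    """
    if msg[:4] == b"\xffSMB":
        # 32-byte header, WordCount (1), DialectIndex (2), SecurityMode (1).
        if len(msg) < 36 or msg[4] != 0x72 or msg[32] != 17:
            raise ValueError("not an NT LM 0.12 negotiate response")
        family, mode = "SMB1", msg[35]
        enabled, required = SMB1_ENABLED, SMB1_REQUIRED
    elif msg[:4] == b"\xfeSMB":
        # 64-byte header (Command at offset 12), StructureSize (2), SecurityMode (2).
        if len(msg) < 68 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not an SMB2 negotiate response")
        family, mode = "SMB2", struct.unpack_from("<H", msg, 66)[0]
        enabled, required = SMB2_ENABLED, SMB2_REQUIRED
    else:
        raise ValueError("not an SMB message")
    if mode & required:
        return family, "required"
    return family, ("enabled-only" if mode & enabled else "disabled")


def smb1_sample(mode):
    """Constructed SMB1 negotiate response carrying the given SecurityMode byte."""
    header = b"\xffSMB" + b"\x72" + bytes(27)
    return header + bytes([17]) + struct.pack("<H", 0) + bytes([mode]) + bytes(31)


def smb2_sample(mode):
    """Constructed SMB2 negotiate response carrying the given SecurityMode word."""
    header = b"\xfeSMB" + struct.pack("<H", 64) + bytes(6) + struct.pack("<H", 0) + bytes(50)
    return header + struct.pack("<HH", 65, mode)


if __name__ == "__main__":
    # Constructed values mirroring the two cases discussed in the thread.
    print(signing_state(smb1_sample(0x07)))    # signing offered, not forced
    print(signing_state(smb2_sample(0x0003)))  # signing forced by the server
```

A server that reports "enabled-only" leaves the decision to each client, which is why the client-side GPO setting is needed to guarantee signed sessions.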

Author Closing Comment

by:eSourceONE
ID: 37765451
That's what we were afraid of... Thanks for the feedback