Solved

SMB Signing on NetApp

Posted on 2012-03-21
Last Modified: 2012-03-26
Hi,

We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilities using Nessus, and must resolve all medium or higher.

Unfortunately, we were presented with the following vulnerability: http://www.nessus.org/plugins/index.php?view=single&id=57608

We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client.

If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)

Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities...

Thanks for any feedback!

eS1
Question by:eSourceONE

Accepted Solution

by:
slemmesmi earned 500 total points
ID: 37762800
Dear eS1,

You are correct when you write "there is no way to force SMB signing on the NetApp side".

E.g. the "Data ONTAP 7.3 File Access and Protocols Management Guide" https://library.netapp.com/ecm/ecm_get_file/ECMM1278400, page 76 states: "It is not possible to configure the storage system to require SMB signing communications from clients, which is the equivalent of the Microsoft Network server policy 'Digitally sign communications (always).'"

This means you should enable SMB signing on both your clients and storage, in order to achieve that all SMB communication is signed.

In fact - if you enable it on the storage but not on all clients, you may run into the problem described in NetApp KB 2013300 "Common Internet File System protocol fails with SMB protocol signing" https://kb.netapp.com/support/index?page=content&id=2013300 i.e. you should enable it on both (on your client e.g. via GPO).

Beware of the significant performance impact though!

You can however enable required signing of SMB 2.0 (a.k.a. SMBv2) from storage side - please refer to pages 78 and 79 in the above mentioned "Common Internet File System protocol fails with SMB protocol signing".

I don't know if the Nessus identifies "SMB" and/or SMB 2.0 thus, so it may be that the combination of "options cifs.signing.enable on" and "options cifs.smb2.signing.required on" will not make it "happy".

I recommend you test the setup "outside business hours" to ensure the enabling does not cause any undesired negative impact.

Kind regards,
Soren
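
The distinction this thread turns on, signing that is permitted versus signing that is required, is advertised by the server in the SecurityMode field of its NEGOTIATE response, separately for SMB1 and SMB 2.0. The following is an added example, not part of the answer above and not NetApp or Nessus code; the sample messages are constructed, and the mapping of the two `options` settings to these values is an assumption based on how the thread describes them.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_NEGOTIATE, SMB2_NEGOTIATE = 0x72, 0x0000

def signing_posture(msg: bytes) -> str:
    """Classify a server NEGOTIATE response: 'required', 'enabled' or 'disabled'.

    msg is the SMB message itself, without the 4-byte transport length prefix.
    """
    if msg[:4] == SMB2_MAGIC:
        if len(msg) < 68 or struct.unpack_from("<H", msg, 12)[0] != SMB2_NEGOTIATE:
            raise ValueError("not a complete SMB2 NEGOTIATE response")
        # 64-byte header, StructureSize (2 bytes), then SecurityMode (2 bytes)
        mode = struct.unpack_from("<H", msg, 66)[0]
        enabled, required = mode & 0x0001, mode & 0x0002
    elif msg[:4] == SMB1_MAGIC:
        # 32-byte header, then WordCount; NT LM 0.12 responses carry 17 words
        if len(msg) < 36 or msg[4] != SMB1_NEGOTIATE or msg[32] != 17:
            raise ValueError("not a complete NT LM 0.12 NEGOTIATE response")
        # DialectIndex (2 bytes) follows WordCount, then SecurityMode (1 byte)
        mode = msg[35]
        enabled, required = mode & 0x04, mode & 0x08
    else:
        raise ValueError("not an SMB message")
    if required:
        return "required"
    return "enabled" if enabled else "disabled"

# Constructed sample responses (not captured from a filer); only the fields
# read above are populated, everything else is zero.
def smb1_sample(mode: int) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + bytes(27)
    return header + bytes([17]) + struct.pack("<HB", 0, mode)

def smb2_sample(mode: int) -> bytes:
    header = SMB2_MAGIC + struct.pack("<H", 64) + bytes(58)
    return header + struct.pack("<HHH", 65, mode, 0x0202)

if __name__ == "__main__":
    # Assumed mapping to the thread: signing permitted but not forced on SMB1,
    # signing required on SMB 2.0.
    print("SMB1:", signing_posture(smb1_sample(0x07)))    # enabled
    print("SMB2:", signing_posture(smb2_sample(0x0003)))  # required
```

Running the classifier on both dialects of a captured negotiation shows which protocol version still advertises signing as optional, which is the case a scanner can report separately for each dialect.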

Author Closing Comment

by:eSourceONE
ID: 37765451
That's what we were afraid of... Thanks for the feedback