EMC® VNX® Series Security Configuration Guide for VNX

SMB encryption and signing

VNX for file/unified systems support SMB 3.0 and Windows 2012, which includes encryption of CIFS traffic on the network. This encryption of data in transit provides end-to-end encryption of all SMB data and requests exchanged between the CIFS server and the client system, and protects these exchanges from eavesdropping or snooping attacks on the network.

SMB encryption can be configured per share or for each CIFS server or Virtual Data Mover (VDM) CIFS server. Once a share is defined as encrypted, any SMB3 client must encrypt all of its requests related to that share; otherwise, access to the share is denied.

NOTE: Use of SMB encryption impacts performance and CPU utilization on both client and server.

To enable SMB encryption, you either set the encryption through the server_export command or set it through the registry of the CIFS server. No setting is required on the SMB client.

A new type option, Encrypted, has been added to the server_export command. Setting this option indicates that the server requires encrypted messages for access to the CIFS share. For example, to create a share "share10" that is accessible only through encrypted SMB messages, type:

server_export vdm1 -P cifs -name share10 -o type=Encrypted /fs42/protected_dir1

To encrypt all shares at the CIFS server or VDM CIFS server level, two new values, EncryptData and RejectUnencryptedAccess, have been added to the CIFS server registry (under HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > LanmanServer > Parameters).

Table 1. SMB encryption registry values

EncryptData (DWORD, default 0 = disabled)
  If enabled, all sessions established from any SMB3 client to the CIFS server must be encrypted.

RejectUnencryptedAccess (DWORD, default 1 = enabled)
  If enabled, the SMB3 client must encrypt its messages. If the client sends an unencrypted message instead, the server returns an ACCESS_DENIED error. Also, SMB1, SMB2.0, and SMB2.1 clients cannot access an encrypted share or a CIFS server that requires encrypted sessions.

NOTE: For more information about setting SMB encryption, refer to the VNX Command Line Interface Reference for File, and the Configuring and Managing CIFS on VNX technical module.

Incoming traffic and outgoing traffic are encrypted using two different secret keys. Both are computed once the user has been authenticated successfully. The 16-byte encryption and decryption keys are generated using the Key Derivation Function (KDF) algorithm in Counter Mode. SMB messages on the network are encrypted between the client and server using the AES128-CCM cryptographic algorithm. Any SMB2 message can be encrypted, except SMB2_NEGOTIATE and SMB2_SESSION_SETUP.

SMB also provides data integrity validation (signing). This mechanism ensures that packets have not been intercepted, changed, or replayed. SMB signing adds a signature to every packet and guarantees that a third party has not changed the packets. When signing is in use, each SMB2 message carries a 16-byte signature in its SMB2_HEADER that guarantees the integrity of the message. If SMB3 is negotiated, the sender must compute a 16-byte hash using the AES128-CCM cryptographic algorithm over the entire message, beginning with the SMB2 header and using the signing key. The signing key is generated using the KDF algorithm in Counter Mode. The Pseudo Random Function (PRF) used in the key derivation must be HMAC-SHA256. The SMB signing policy can be changed through Global Policy Objects (GPOs) or Windows Registry settings.
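The two paragraphs above describe how the per-session encryption, decryption and signing keys are derived from the authenticated session key with the KDF in Counter Mode and HMAC-SHA256 as the PRF. The following added example (not code from this guide or from the VNX product) implements that derivation with the Python standard library only. The label and context strings are the SMB 3.0 constants from the MS-SMB2 specification (section 3.1.4.2); it is an assumption that the VNX implementation uses the same constants, and the session key is a constructed sample value.

```python
"""Added example: SMB 3.0 session key derivation with the SP 800-108 KDF in
Counter Mode (PRF = HMAC-SHA256). Standard library only; the session key
below is a constructed sample, not a captured value."""
import hashlib
import hmac
import struct

# Label/context strings are the MS-SMB2 3.1.4.2 values for SMB 3.0
# (assumption: the VNX implementation uses the same constants).
ENC_LABEL = b"SMB2AESCCM\x00"        # AES-128-CCM encryption keys
CTX_SERVER_IN = b"ServerIn \x00"     # client -> server direction
CTX_SERVER_OUT = b"ServerOut\x00"    # server -> client direction
SIGN_LABEL = b"SMB2AESCMAC\x00"      # MS-SMB2 label for the SMB 3.0 signing key
CTX_SIGN = b"SmbSign\x00"


def kdf_fixed_input(label: bytes, context: bytes, counter: int, length_bits: int) -> bytes:
    """Fixed input for one KDF iteration: [i]_4 || Label || 0x00 || Context || [L]_4."""
    return (struct.pack(">I", counter) + label + b"\x00" + context
            + struct.pack(">I", length_bits))


def kdf_counter_mode(key: bytes, label: bytes, context: bytes, length_bits: int = 128) -> bytes:
    """SP 800-108 KDF in Counter Mode with HMAC-SHA256 as the PRF.

    K(i) = HMAC-SHA256(key, [i]_4 || Label || 0x00 || Context || [L]_4), i = 1, 2, ...
    The K(i) blocks are concatenated and truncated to L bits (128 bits -> 16 bytes).
    """
    if length_bits <= 0 or length_bits % 8:
        raise ValueError("length_bits must be a positive multiple of 8")
    n_bytes = length_bits // 8
    out = b""
    counter = 1
    while len(out) < n_bytes:
        fixed = kdf_fixed_input(label, context, counter, length_bits)
        out += hmac.new(key, fixed, hashlib.sha256).digest()
        counter += 1
    return out[:n_bytes]


def derive_smb3_keys(session_key: bytes) -> dict:
    """Derive the per-session keys once authentication has produced session_key.

    Incoming and outgoing traffic use different keys: the key the client
    encrypts with ("ServerIn ") is the key the server decrypts with, and the
    key the server encrypts with ("ServerOut") is the client's decryption key.
    Both sides derive the same signing key.
    """
    server_in = kdf_counter_mode(session_key, ENC_LABEL, CTX_SERVER_IN)
    server_out = kdf_counter_mode(session_key, ENC_LABEL, CTX_SERVER_OUT)
    return {
        "client_encryption_key": server_in,
        "client_decryption_key": server_out,
        "server_encryption_key": server_out,
        "server_decryption_key": server_in,
        "signing_key": kdf_counter_mode(session_key, SIGN_LABEL, CTX_SIGN),
    }


# Constructed sample session key (not a real captured value).
SAMPLE_SESSION_KEY = bytes(range(16))

if __name__ == "__main__":
    for name, key in derive_smb3_keys(SAMPLE_SESSION_KEY).items():
        print(f"{name:24s} {key.hex()}")
```

Because the directional context strings differ, the two 16-byte encryption keys are different values derived from the same session key, which is why a client that has not authenticated (and so has no session key) cannot produce encrypted requests that the server accepts; the SMB2_NEGOTIATE and SMB2_SESSION_SETUP messages that establish that key are the only ones exempt from encryption.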

NOTE: For more information about configuring SMB signing, refer to the Configuring and Managing CIFS on VNX technical module and the Parameters Guide for VNX for File.
