
SMB3 Encryption

I am doing some checking on OneFS 8.2 SMB3 encryption. Currently at the global and per-access-zone level I can:

  • Reject Unencrypted Access
  • Support SMB3 Encryption

At the Access Zone level I can set defaults for new shares:

  • Smb3 Encryption Enabled

On any share I can set:

  • Smb3 Encryption Enabled

What I am finding is that with 'Reject Unencrypted Access' set globally, the setting on an Access Zone overrides this (which is expected). If I have this set to 'Yes' on the Access Zone, attempts to connect to a share from a Windows Server 2008 R2 client (which is not capable of SMB3 encryption) are rejected, regardless of whether the share has 'Smb3 Encryption Enabled' set to Yes or No.

If I have 'Reject Unencrypted Access' set to No on the Access Zone, the Windows Server 2008 R2 client can connect to the share, regardless of whether the share has 'Smb3 Encryption Enabled' set to Yes or No.

As it happens I can also see from tcpdump that when I use a client that does support SMB3 encryption, the data packets are SMB3 encrypted regardless of whether the share has 'Smb3 Encryption Enabled' set to Yes or No.  I guess that in the negotiation both end points agree that they are capable of SMB3 encryption.

This is not very intuitive. It means that if I want to guarantee that access to a share is encrypted, it must be in an Access Zone with 'Reject Unencrypted Access' set to Yes. It also means that on any Access Zone with 'Reject Unencrypted Access' set to No, it makes little difference whether the share has 'Smb3 Encryption Enabled' set to Yes or No; the data will be encrypted if the client is capable, and unencrypted access is permitted if the client does not support SMB3 encryption.

This blog post by trimbm does not say different:

https://community.emc.com/community/products/isilon/blog/2018/08/02/smb3-encryption

Basically it says that the older OS can only access unencrypted shares if the cluster (or Access Zone) permits it.  What it doesn't say is that if the cluster permits unencrypted connections, it permits unencrypted access to shares that have 'Smb3 Encryption Enabled'.  What seems seriously missing is a share-level 'Reject Unencrypted Access'.


William

Moderator

Re: SMB3 Encryption

Hello William,

Here is the link to Isilon OneFS 8.2.2 CLI Administration Guide & if you look on page 215 it explains a little more how the restrictions work at the different levels. https://dell.to/37ZutGi

Please let us know if you have any other questions.

DELL-Sam L
Dell | Social Outreach Services - Enterprise


Re: SMB3 Encryption

I agree that the document is factually correct, I just think that it is perhaps missing a couple of warnings. It describes the available settings accurately but it doesn't say anything about the effects.

In the section 'Enforce SMBv3 encryption' it could be clearer that unless --reject-unencrypted-access is set to Yes on the Access Zone, then access to a share may or may not use encryption, regardless of the settings of --support-smb3-encryption.

It could also make clearer that setting --reject-unencrypted-access globally to Yes is not effective in an Access Zone unless the setting for the Access Zone is also changed from the default 'No' to 'Yes', as the Access Zone setting (whether explicit or defaulted) overrides the global setting.
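One way to model the behaviour described in the original post and in this reply, as an added example that is not part of the thread or of OneFS itself: the zone-level 'Reject Unencrypted Access' value (explicit or defaulted) decides whether a client without SMB3 encryption gets in at all, the share-level flag changes nothing, and an audit lists shares whose encryption flag is set in a zone that still permits unencrypted access. Setting names follow the thread; the zones and shares below are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Share:
    name: str
    smb3_encryption_enabled: bool  # the per-share 'Smb3 Encryption Enabled' flag

@dataclass
class Zone:
    name: str
    # Per-zone 'Reject Unencrypted Access'; None means unset, which defaults to No.
    reject_unencrypted_access: Optional[bool] = None
    shares: List[Share] = field(default_factory=list)

def zone_rejects_unencrypted(zone: Zone) -> bool:
    # The zone value (explicit or defaulted) overrides the global value, so the
    # global setting is deliberately not an input: a global 'Yes' cannot be relied on.
    return bool(zone.reject_unencrypted_access)

def connection_outcome(zone: Zone, share: Share, client_supports_smb3_encryption: bool) -> str:
    """Return 'rejected', 'encrypted' or 'unencrypted' for a client opening `share`.

    `share` is taken as a parameter only to make the observed behaviour explicit:
    its encryption flag does not change the outcome in either zone mode.
    """
    if client_supports_smb3_encryption:
        return "encrypted"    # both ends negotiate encryption whatever the share flag says
    if zone_rejects_unencrypted(zone):
        return "rejected"     # e.g. a Windows Server 2008 R2 client is turned away
    return "unencrypted"      # client lacks SMB3 encryption and the zone permits it

def audit_false_sense_of_security(zones: List[Zone]) -> List[str]:
    """'zone/share' names where the share flag says encrypted but unencrypted access is allowed."""
    findings = []
    for zone in zones:
        if zone_rejects_unencrypted(zone):
            continue
        findings += [f"{zone.name}/{s.name}" for s in zone.shares if s.smb3_encryption_enabled]
    return findings

# Constructed sample configuration (not taken from a real cluster).
SAMPLE_ZONES = [
    Zone("System", None, [Share("finance", True), Share("public", False)]),
    Zone("secure", True, [Share("hr", True), Share("legacy", False)]),
]

if __name__ == "__main__":
    for zone in SAMPLE_ZONES:
        for share in zone.shares:
            print(zone.name, share.name, connection_outcome(zone, share, False))
    print("shares needing a reject-unencrypted zone:", audit_false_sense_of_security(SAMPLE_ZONES))
```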


Re: SMB3 Encryption

@WilliamDLB

NL400 can only go to OneFS 8.1.2 and it has SMB3 encryption support.

https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h17463-wp-dell-emc-isilo... page 37.


2.4 SMB encryption

2.4.1 Feature introduction

OneFS 8.1.1 and above provide SMB encryption to secure access to data over untrusted networks by providing over the wire encryption between the client and PowerScale cluster. It is an on-wire data encryption which prevents an attacker from tampering with any data packet in transit without needing an extra infrastructure.

SMB encryption can be used by any clients which support SMB3 encryption from Windows Server 2012, 2012R2, 2016, Windows Client 8, and Windows 10 and does not require any extra infrastructure management. PowerScale can also be configured to allow accepting or rejecting the old clients that lack the SMB encryption support access.
