DELL-Sam L
Moderator
•
7.8K Posts
0
November 30th, 2020 17:00
Hello CendresMetaux,
Here is the link to the Security Configuration Guide.
https://dell.to/3obYXwp
CendresMetaux
1 Rookie
•
62 Posts
0
November 30th, 2020 23:00
Hi DELL-Sam L
Thanks for your reply. I already read the Security Best Practices document and unfortunately it does not help wrt my question.
What I need is a way to completely "hide" some shares that a device/user has access rights to (wrt ACL and share permissions) from within the same subnet while having other shares being visible from within the same subnet.
Sort of what one would do with separating shares to two fileservers: one fileserver in the same subnet where access from the client/user is "direct" (with no firewall with content inspection in between) and the other fileserver in a different subnet (with a firewall with content inspection in between).
Example use case: One SMB share on user/device VLAN for %homedir%, one SMB fileshare on DMZ VLAN for data exchange between security zones where all traffic passes a firewall with deep SMB inspection. Neither share should be available in any form in the "other" security zones / VLANs.
In a classic file server scenario I would simply run two separate fileservers; one in each VLAN with one SMB share respectively.
In an Isilon file server scenario, I would simply partition my Isilon cluster into multiple access zones and "link" the shares to the correct access zone, right? With "smart" use of SC Zone/DNS delegation (in case of above scenario something in the likes of "sc-lan.isilon.mydomain" and "sc-dmz.isilon.mydomain") and IP pool + access zone linking, the "same" Isilon would be visible and accessible by clients as if it were separate fileserver entities...? And hereby effectively prevent access to shares which reside on the "other" (access zone) entity since every share is bound to one single access zone only.
I hope it is somehow possible to interpret what I am trying to explain.
DELL-Josh Cr
Moderator
•
9.5K Posts
0
December 1st, 2020 10:00
Your plan sounds fine and should work.