Release notes
Configure and enable CIFS SMB signing and sealing
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
You can configure and enable SMB signing that protects the security of the data fabric by making sure that traffic between storage systems and clients is not compromised by replay or man-in-the-middle attacks. SMB signing protects by verifying that SMB messages have valid signatures.
A common threat vector for file systems and architectures lies in the SMB protocol. To address this vector, the ONTAP 9 solution uses industry-standard SMB signing and sealing. SMB signing protects the security of the data fabric by making sure that traffic between storage systems and clients is not compromised by replay or man-in-the-middle attacks. It does so by verifying that SMB messages have valid signatures.
Although SMB signing is disabled by default in the interest of performance, NetApp highly recommends that you enable it. In addition, the ONTAP solution supports SMB encryption, which is also known as sealing. This approach enables the secure transport of data on a share-by-share basis. By default, SMB encryption is disabled. However, NetApp recommends that you enable SMB encryption.
LDAP signing and sealing are now supported in SMB 2.0 and later. Signing (protection against tampering) and sealing (encryption) enable secure communication between SVMs and Active Directory servers. Accelerated AES new instructions (Intel AES NI) encryption is now supported in SMB 3.0 and later. Intel AES NI improves on the AES algorithm and accelerates data encryption with supported processor families.
-
To configure and enable SMB signing, use the
vserver cifs security modifycommand and verify that the-is-signing-requiredparameter is set totrue. See the following example configuration:cluster1::> vserver cifs security modify -vserver vs1 -kerberos-clock-skew 3 -kerberos-ticket-age 8 -is-signing-required true
-
To configure and enable SMB sealing and encryption, use the
vserver cifs security modifycommand and verify that the-is-smb-encryption-requiredparameter is set totrue. See the following example configuration:cluster1::> vserver cifs security modify -vserver vs1 -is-smb-encryption-required true cluster1::> vserver cifs security show -vserver vs1 -fields is-smb-encryption-required vserver is-smb-encryption-required -------- ------------------------- vs1 true