Unsolved
This post is more than 5 years old
7 Posts
0
2410
August 15th, 2012 08:00
CIFS signature and CIFS acceleration
We are using Windows XP Client and 2003 Server. Our ISP tested the CIFS acceleration feature using Windows XP SP2 client and Windows Server 2003 SP1 using NTFS. They say, In order to benefit from CIFS acceleration, all Windows platforms must be configured in NetBIOS over TCP/IP enabled, and CIFS signatures MUST be disabled.
As per them, CIFS acceleration feature was designed for CIFs v1 protocol, and transferring files by cut & paste, drag & drop or explorer browsing. The CIFS acceleration also works together with the WANcompress (on the fly file compression) feature.
I have no experience with CIFS acceleration or CIFS signature (which I think is SMB signature since CIFS is a Microsoft version of SMB). After a bit of research I found that CIFS/SMB signature is enabled by default on the DM. Please see below output from the VNX VG8 celerra we have.
[nasadmin@ITNASA4 ~]$ server_param server_2 -facility cifs -info smbsigning
server_2 :
name = smbsigning
facility_name = cifs
default_value = 1
current_value = 1
configured_value =
user_action = restart Service
change_effective = restart Service
range = (0,1)
description = Controls SMB signing on the data mover
Now as per the ISP, for the CIFS acceleration feature to work we would need to disable CIFS signature on the particular CIFS server. As per my understanding CIFS signature can be enabled or disabled on the DM level.
I would like to know would disabling it is going to affect normal user access to CIFS shares or affect normal working of the Celerra? I found the below note in the document "Configuring and Managing CIFS on Celerra; P/N 300-007-526; REV A04" pg 134 (first line)
"Note: The default value of the cifs.smbSigning parameter should not be changed."
Please advise what is going to be the affect of disabling CIFS signature and whether we should go for the CIFS acceleration feature to be enabled?
ashish3004
7 Posts
0
August 21st, 2012 08:00
I haven't received any response to this yet. Still waiting if someone has more information on this.
Rainer_EMC
4 Operator
•
8.6K Posts
0
August 23rd, 2012 00:00
Which „CIFS accleration“ specifically ?
I would NOT disable SMB signing – I believe newer Windows clients would refuse to connect to it
ashish3004
7 Posts
0
August 24th, 2012 00:00
CIFS accelerator device is from "OneAccess Networks." They are UDgateway CSO for the Data Centre and RSO for the remote. Both are running the latest software version – 5.3.10. They are configured in VPN only mode so all data is encrypted over the WAN link – the DC unit is located behind the customer’s own firewall.
More information about the technology is available from their website here: http://www.udcast.com/products/udcast_udgateway_technology.htm
A corporate firewall would be located between the DC side unit and the internet. There is a satellite connection on the remote side – hence the need to mitigate against the high latency that creates.
nas_version we are using is 6.0.41-4 which uses SMB2 signing whereas clients Win 2003/XP uses SMB sigining. SMB signing is disabled on the client side.
However, one of the EMC tech raised a security or "man in the middle attack" concern but that shouldn't be a concern here since as written above acceleration devices are configured in VPN only mode and all data is encrypted over WAN.
EMC tech also mentioned SMB signing is set to "NOT REQUIRED" by default on all CIFS servers on the datamover. To verify this, I checked the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\, set requiresecuritysignature was set to 0 (disabled), which is default, for all the cifs servers on datamover.
If the above holds true then what the ISP BT required for CIFS signing to be disabled for CIFS acceleration is already in place? Please advise.