We've had a request to consider providing encrypted access to a CIFS filer. From the quick search I've done so far it appears that SMB itself doesn't provide any encryption options so instead we'd need to use IPSec at the filer and workstation ends. I've found NetApp man entries for the commands to manage this.
Before I dig too deep into this, I'm hoping to get a feeling of whether anyone is using this in the real world. If so, how hard is it to set up? Is there a significant performance overhead? Any other gotchas?
Hope to hear from you,
rrue
If you are still on 7G, here is step by step example how to configure IPsec between Windows and filer: https://kb.netapp.com/support/index?page=content&id=1011748
As of now IPsec is not supported for 8.x.
I have not used it myself so cannot comment on overhead. ________________________________________ From: toasters-bounces@teaparty.net [toasters-bounces@teaparty.net] On Behalf Of Randy Rue [rrue@fhcrc.org] Sent: Wednesday, May 23, 2012 20:41 To: toasters@teaparty.net Subject: encrypted SMB traffic?
We've had a request to consider providing encrypted access to a CIFS filer. From the quick search I've done so far it appears that SMB itself doesn't provide any encryption options so instead we'd need to use IPSec at the filer and workstation ends. I've found NetApp man entries for the commands to manage this.
Before I dig too deep into this, I'm hoping to get a feeling of whether anyone is using this in the real world. If so, how hard is it to set up? Is there a significant performance overhead? Any other gotchas?
Hope to hear from you,
rrue _______________________________________________ Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
We've been using IPsec on our FAS3020 running 7.3.4p4 for a few years. One thing we learned early on was that encrypting traffic incurred too much overhead. So we use it for authentication only (AH), which provides us with the security improvement for NFS that our environment requires (NFS clients in unsupervised labs with accessable network jacks).
Almost certainly a newer/faster filer, or a accelerator card would allow encryption, without a noticable performance hit.
Re:
From: Randy Rue rrue@fhcrc.org Date: Wed, 23 May 2012 09:41:41 -0700 (PDT) Subject: encrypted SMB traffic? To: toasters@teaparty.net
We've had a request to consider providing encrypted access to a CIFS filer. From the quick search I've done so far it appears that SMB itself doesn't provide any encryption options so instead we'd need to use IPSec at the filer and workstation ends. I've found NetApp man entries for the commands to manage this.
Before I dig too deep into this, I'm hoping to get a feeling of whether anyone is using this in the real world. If so, how hard is it to set up? Is there a significant performance overhead? Any other gotchas?
Hope to hear from you,
rrue _______________________________________________ Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
-
Borzenkov, Andrey -
Brian Parent -
Randy Rue