exacqVision’s default method for archiving recorded data uses the SMB protocol. Using an exacqVision S-Series storage system makes configuring archiving simple. Users may also archive to SMB shares configured on their own third-party systems, but installing and configuring Samba or SMB shares on systems not built by Exacq is outside the scope of Exacq Support.
There have been several iterations of SMB since the protocol was first introduced. Devices wishing to communicate via SMB must first perform a negotiation to determine which version they will use. The version and dialect of SMB chosen will determine what features are used.
Versions
Discussing versions quickly becomes a tangled web, which we will try to unravel here.
When you capture the network traffic between two devices with an application such as Wireshark, the protocol is listed as SMB2. SMB2 supports many dialects, including 2.1, 3.0 and 3.1, which causes confusion because many people refer to dialects as versions. We use the term dialect here.
Introduced in 2015, dialect 3.1.1 is the latest release of SMB at the time of writing. SMB is the protocol; on Linux systems it is implemented by an application named Samba. Samba supports SMB as well as other protocols and therefore has its own version numbering, separate from SMB. Samba has supported SMB dialect 3.1.1 since Samba 4.3.
How to check the version of Samba installed on your S-Series or other Linux system:
- Open a Terminal window by pressing CTRL+ALT+T.
- Type `samba --version` and press Enter.
Server Signing
Server signing is a security method used by SMB. When signing is enabled, each SMB message is signed with a signing key, and a hash of the entire message is placed in the message header.
How does signing help protect data? In addition to verifying the identities of the sending and receiving devices, the nature of hashing means that if an attacker changes the message between the NVR and the archive share, the hash will no longer match.
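The integrity property described above, as an added illustration that is not part of the Exacq article and does not reproduce the real SMB header layout: a keyed hash (HMAC-SHA256, the algorithm the article names for SMB 2.x) is computed over the whole message, and a receiver that recomputes it detects any change to the message in transit. The session key and the sample write request below are constructed values.

```python
import hmac
import hashlib

# Constructed 32-byte key standing in for the signing key both peers derive
# during session setup. A real signing key is never sent on the wire.
SESSION_KEY = bytes(range(32))


def sign(message: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Return the keyed hash (HMAC-SHA256) over the entire message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, signature: bytes, key: bytes = SESSION_KEY) -> bool:
    """Recompute the hash and compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def tamper_is_detected() -> bool:
    """Flip one bit of a signed message in transit; the receiver must reject it."""
    # Constructed sample request from an NVR to the archive share.
    original = b"WRITE archive/cam01/2024-01-01.ps offset=0 length=65536"
    sig = sign(original)
    altered = bytearray(original)
    altered[-1] ^= 0x01  # single-bit change to the length field
    return verify(original, sig) and not verify(bytes(altered), sig)


def wrong_key_is_rejected() -> bool:
    """A signature produced with any other key does not verify."""
    msg = b"DELETE archive/cam01"
    other_key = b"\x00" * 32  # constructed, deliberately wrong key
    return not verify(msg, sign(msg, other_key))


if __name__ == "__main__":
    print("tamper detected:", tamper_is_detected())
    print("wrong key rejected:", wrong_key_is_rejected())
```

The check uses `hmac.compare_digest` rather than `==` so that the comparison time does not depend on where the first mismatching byte lies.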
Encryption
SMB 2.0 introduced encryption based on HMAC-SHA256. SMB 3.0 updated the encryption to AES-CMAC and AES-CCM. SMB 3.1.1 then added support for AES-128-GCM and AES-128-CCM, along with other security enhancements.

| SMB Dialect | Encryption Method |
|---|---|
| 2.0 | HMAC-SHA256 |
| 3.0 | AES-CMAC and AES-CCM |
| 3.1.1 | AES-128-GCM and AES-128-CCM |
Manual Enforcement
As mentioned above, when two devices attempt to communicate using SMB they first negotiate the connection to determine the version and dialect they will use.
The client first advertises to the server which versions and dialects it supports. The server replies with the highest dialect from that list that it supports, and both sides then use it. In the case of exacqVision’s Archiving, the client is the recording NVR system and the server is the S-Series system.
IMPORTANT: Because the protocol automatically selects the highest version both devices support, and because SMB signing and encryption are mature technologies, there is usually no need to manually configure settings. It is recommended only in situations where specific network requirements must be enforced to function properly.
To manually configure SMB:
1. On the S-Series server, open a Terminal window by pressing CTRL+ALT+T.
2. Use `sudo` permissions to edit `/etc/samba/smb.conf`.
3. Locate the `[global]` settings section.
4. Beneath the `[global]` tag, add the following lines:
   server signing = mandatory
   server min protocol = SMB3_11
   server max protocol = SMB3_11
5. Save your changes, then exit the file.
6. Restart Samba by entering `sudo /etc/init.d/samba restart`.
The entries given in Step 4 above enforce server signing as well as SMB dialect 3.1.1; attempts to connect with anything else will fail. The possible options for these three entries are listed below.
server signing = [default, auto, mandatory, disabled]
server min protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]
server max protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]
Note: ‘server min protocol’ should be the same as or lower than ‘server max protocol’. If the two values differ, the client and server must support a dialect between them. If they are the same value, the client must support that specific dialect.
IMPORTANT: Without editing the configuration at all, the default behavior when these fields are absent from the smb.conf file is the same as entering the following:
server signing = auto
server min protocol = SMB2_02
server max protocol = SMB3
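The following is an added example, not code from Exacq or the Samba project, that ties together the negotiation described under Manual Enforcement and the three smb.conf settings above. It reads the `[global]` section of an smb.conf, applies the defaults the article states for absent keys, checks that `server min protocol` is not newer than `server max protocol`, and models the negotiate exchange: the server answers with the highest dialect it accepts from those the client offered, or the connection fails. The two configurations are constructed samples (the `[archive]` share and its path are invented). Mapping the bare names `SMB2` and `SMB3` to the newest dialect of each family (SMB2_10 and SMB3_11) is my reading of the Samba manual page and should be verified against your Samba release.

```python
import re
from typing import Dict, List, Optional

# SMB2/SMB3 protocol names in ascending dialect order, from the option
# lists in the article. A higher index means a newer dialect.
DIALECTS: List[str] = ["SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]

# ASSUMPTION: the bare family names are aliases for the newest dialect in
# that family. Confirm against smb.conf(5) for your Samba version.
ALIASES: Dict[str, str] = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}

# Effective values when the keys are absent, as stated in the article.
DEFAULTS: Dict[str, str] = {
    "server signing": "auto",
    "server min protocol": "SMB2_02",
    "server max protocol": "SMB3",
}


def parse_global(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [global] section with normalised keys.

    Like Samba, only whole-line comments ('#' or ';' first) are ignored;
    share sections such as [archive] are skipped.
    """
    values: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            values[" ".join(key.lower().split())] = val.strip()
    return values


def canonical(name: str) -> str:
    """Resolve an alias such as SMB3 to its concrete dialect name."""
    name = name.upper()
    return ALIASES.get(name, name)


def allowed_dialects(cfg: Dict[str, str]) -> List[str]:
    """Dialects the server accepts under the effective min/max settings."""
    lo = canonical(cfg.get("server min protocol", DEFAULTS["server min protocol"]))
    hi = canonical(cfg.get("server max protocol", DEFAULTS["server max protocol"]))
    if lo not in DIALECTS or hi not in DIALECTS:
        raise ValueError(f"unknown protocol name: {lo!r} or {hi!r}")
    i, j = DIALECTS.index(lo), DIALECTS.index(hi)
    if i > j:
        raise ValueError(f"server min protocol {lo} is newer than max {hi}")
    return DIALECTS[i:j + 1]


def negotiate(client_dialects: List[str], cfg: Dict[str, str]) -> Optional[str]:
    """Highest dialect both the client offered and the server accepts, else None."""
    server_ok = set(allowed_dialects(cfg))
    offered = {canonical(d) for d in client_dialects}
    common = [d for d in DIALECTS if d in server_ok and d in offered]
    return common[-1] if common else None


def signing_enforced(cfg: Dict[str, str]) -> bool:
    """True only when 'server signing = mandatory' is in effect."""
    return cfg.get("server signing", DEFAULTS["server signing"]).lower() == "mandatory"


# Constructed sample: the hardened [global] from the article plus one share.
HARDENED = """
[global]
   workgroup = WORKGROUP
   server signing = mandatory
   server min protocol = SMB3_11
   server max protocol = SMB3_11

[archive]
   path = /srv/archive
   read only = no
"""

# Constructed sample with none of the three keys, so the defaults apply.
DEFAULT_ONLY = "[global]\n   workgroup = WORKGROUP\n"

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("defaults", DEFAULT_ONLY)):
        cfg = parse_global(text)
        print(label, allowed_dialects(cfg), "signing enforced:", signing_enforced(cfg))
        print("  client offering SMB2_10+SMB3_02 gets:",
              negotiate(["SMB2_10", "SMB3_02"], cfg))
```

With the hardened configuration a client that offers only 2.1 and 3.0.2 is refused, which is the behaviour the article describes; with the defaults the same client is granted SMB3_02.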