Tag: S-Series
exacqVision’s default method for archiving recorded data uses the SMB protocol. Using an exacqVision S-Series storage system makes configuring archiving simple. Users may also archive to SMB shares configured on their own third-party systems, but installing and configuring Samba or SMB Shares on non-Exacq built systems is outside the scope of Exacq Support.
There have been several iterations of SMB since the protocol was first introduced. Devices wishing to communicate via SMB must first perform a negotiation to determine which version they will use. The version and dialect of SMB chosen will determine what features are used.
Versions
Discussing versions quickly becomes a tangled web, which we will try to unravel here.
When capturing the network traffic between two devices using applications such as Wireshark, the protocol will be listed as SMB2, which supports many dialects, including 2.1, 3.0, and 3.1. This can cause some confusion, as many people refer to dialects as versions. We will use the term dialect for these here.
Introduced in 2015, dialect 3.1.1 is the latest release of SMB at the moment. While SMB is the protocol used, SMB is implemented on Linux systems using an application named Samba. Samba provides support for SMB as well as other protocols, so it has its own version numbering, separate from SMB. Samba has supported SMB dialect 3.1.1 since Samba 4.3.
How to check the version of Samba installed on your S-series or other Linux system:
- Open a Terminal window, by pressing CTRL+ALT+T
- Type samba --version, and press Enter.
Server Signing
Server signing is a security method used by SMB. When signing is enabled, every SMB message includes a signature key, and a hash of the entire message is included in the message header.
How does signing help protect data? In addition to verifying the identities of the sending and receiving devices, the nature of hashing means that if an attacker changes the message between the NVR and the archive share, the hash will no longer match.
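A simplified model of the tamper check described above, as an added example that is not Exacq or Samba code: it signs a constructed message the way the SMB 2.x dialects do (HMAC-SHA256 over the whole message with the header's 16-byte Signature field zeroed, truncated to 16 bytes) and shows a one-bit change failing verification. The key and payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

FLAGS_OFFSET = 16                # Flags field in the 64-byte SMB2 header
SMB2_FLAGS_SIGNED = 0x00000008
SIG_OFFSET, SIG_LEN = 48, 16     # Signature field: last 16 bytes of the header

KEY = bytes(range(16))           # constructed session key, for illustration only

def build_message(payload):
    """Constructed minimal message: 64-byte SMB2-style header plus payload."""
    header = bytearray(64)
    header[0:4] = b"\xfeSMB"                                   # ProtocolId
    struct.pack_into("<H", header, 4, 64)                      # StructureSize
    struct.pack_into("<I", header, FLAGS_OFFSET, SMB2_FLAGS_SIGNED)
    return bytes(header) + payload

def compute_signature(key, message):
    """HMAC-SHA256 over the message with the Signature field zeroed, cut to 16 bytes."""
    zeroed = message[:SIG_OFFSET] + bytes(SIG_LEN) + message[SIG_OFFSET + SIG_LEN:]
    return hmac.new(key, zeroed, hashlib.sha256).digest()[:SIG_LEN]

def sign(key, message):
    """Return the message with its Signature field filled in."""
    sig = compute_signature(key, message)
    return message[:SIG_OFFSET] + sig + message[SIG_OFFSET + SIG_LEN:]

def verify(key, message):
    """True only if the signed flag is set and the signature matches."""
    if len(message) < 64:
        return False
    (flags,) = struct.unpack_from("<I", message, FLAGS_OFFSET)
    if not flags & SMB2_FLAGS_SIGNED:
        return False
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, compute_signature(key, message))

if __name__ == "__main__":
    signed = sign(KEY, build_message(b"archive block 0001"))
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])   # flip one payload bit
    print(verify(KEY, signed), verify(KEY, tampered))
```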
Encryption
SMB version 2.0 provides encryption, but uses HMAC-SHA256 encryption. SMB 3.0 updated the encryption used to AES-CMAC and AES-CCM. SMB 3.1.1 then updated to support AES-128-GCM and AES-128-CCM, as well as other security enhancements.
SMB Dialect | Encryption Method |
---|---|
2.0 | HMAC-SHA256 |
3.0 | AES-CMAC and AES-CCM |
3.1.1 | AES-128-GCM and AES-128-CCM |
Manual Enforcement
As mentioned above, when two devices attempt to communicate using SMB they first negotiate the connection to determine the version and dialect they will use.
The client first advertises to the server which versions and dialects it supports. The server replies with the highest version and dialect it supports so they can agree. In the case of exacqVision’s Archiving, the client is the recording NVR system and the server is the S-Series system.
IMPORTANT: Because the protocol automatically selects the highest version both devices support, and because SMB signing and encryption are mature technologies, there is usually no need to manually configure settings. It is recommended only in situations where specific network requirements must be enforced to function properly.
To manually configure SMB:
- On the S-Series server, open a Terminal window by pressing CTRL+ALT+T
- Use sudo permissions to edit /etc/samba/smb.conf
- Locate the [global] settings section.
- Beneath the [global] tag, add the following lines:
  server signing = mandatory
  server min protocol = SMB3_11
  server max protocol = SMB3_11
- Save your changes, then exit the file.
- Restart Samba by entering sudo /etc/init.d/samba restart
The entries given for Step 4 above enforce server signing as well as SMB dialect 3.1.1. Attempts to connect with anything else would fail. A list of possible options for these three entries is given below.
server signing = [default, auto, mandatory, disabled]
server min protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]
server max protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]
Note: ‘server min protocol’ should be the same or lower than ‘server max protocol’. If these are different values the client and server must support a dialect in between these values. If these are the same value, they must support that specific dialect.
IMPORTANT: Without editing the configuration at all, the default behavior when these fields are excluded from the smb.conf file is the same as entering the following:
server signing = auto
server min protocol = SMB2_02
server max protocol = SMB3
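To see what a given configuration will accept before restarting Samba, the following added example (not Exacq or Samba code) reads the three settings from the [global] section, applies the defaults stated above when a field is absent, and predicts which dialect a client offering a given list would end up with. The sample smb.conf text, the [archive] share and the SMB2/SMB3 alias mapping are assumptions labelled in the code.

```python
import re
# Explicit dialects, lowest to highest.
ORDER = ["SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# Assumption: aliases as in current smb.conf(5); older Samba may differ.
ALIAS = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Defaults the article gives for when the fields are absent from smb.conf.
DEFAULTS = {"server signing": "auto", "server min protocol": "SMB2_02",
            "server max protocol": "SMB3"}

# Constructed sample: the Step 4 lines inside an otherwise made-up smb.conf.
HARDENED = """
[global]
   server signing = mandatory
   server min protocol = SMB3_11
   server max protocol = SMB3_11
[archive]
   path = /mnt/archive
"""

def global_settings(conf_text):
    """Return the three settings from [global], falling back to DEFAULTS."""
    found, section = dict(DEFAULTS), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            if key in DEFAULTS:
                found[key] = value.strip()
    return found

def rank(name):
    return ORDER.index(ALIAS.get(name.upper(), name.upper()))  # ValueError if unknown

def negotiate(settings, client_dialects):
    """Highest client dialect inside the server's min..max window, or None."""
    lo, hi = rank(settings["server min protocol"]), rank(settings["server max protocol"])
    if lo > hi:
        raise ValueError("server min protocol is above server max protocol")
    usable = [rank(d) for d in client_dialects if lo <= rank(d) <= hi]
    return ORDER[max(usable)] if usable else None

if __name__ == "__main__":
    cfg = global_settings(HARDENED)
    print(cfg, negotiate(cfg, ["SMB2_10", "SMB3_00"]), negotiate(cfg, ["SMB3_11"]))
```

A result of None means the connection would be refused, which is the expected outcome for an NVR that cannot speak 3.1.1 once the Step 4 lines are in place.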
The S-Series comes defaulted for Archiving. This article will walk you through the steps of preparing the S-Series for Extended Storage and assumes you have already configured the IP address of the S-Series for your network.
Extended Storage relies upon an iSCSI connection to the S-Series device. If using an exacqVision Server and exacqVision S-Series storage device, the iSCSI initiation is handled automatically. If using third-party hardware, you will need to create the iSCSI initiation manually.
Steps
- Within the exacqVision Client, add the S-Series connection. Navigate to the Add Systems page.
- Click on the New button (A) and enter the IP address (B) of the S-Series unit, as well as the Username and Password (default admin/admin256). Click Apply.
- With the S-Series unit now added to the navigation tree on the left, expand your options under this server name and go to the S-Series Storage settings page.
- On the Network tab is a list of the Storage Volumes contained in the S-Series. The Type will be defaulted to None. The volumes in an S-Series may be of mixed types to achieve your desired storage configuration, so some volumes may be Archiving while others are Extended.
- To change existing volumes to Extended, first change the Type column on your desired volumes to None and press Apply. Give the system a few minutes to complete the change.
  Warning: Changing volume types will erase any existing data on the storage volume.
- Change the Type of the desired volumes to Extended Storage (A). In the column labeled Server Address, enter the IP address of the exacqVision recording server (B). Press Apply. It may take a few minutes for the Status to cycle through the steps needed and finally display ‘OK’. There should now be an IQN listed in the Address column (C).
- Return to the recording server’s Storage page and select the Extended tab.
- Under the Portals section, enter the IP address of the S-Series system. Leave the port as 3260 and click the Add button.
- The S-Series will be scanned and a list of Targets will appear.
- Place a check mark in the Enabled column for each Target. If using an exacqVision S-Series, you will not need to enter a Username or Password. Press the Apply button.
  * Username and Password are required for use with third-party iSCSI hosts. Exacq support cannot provide assistance in setup or troubleshooting third-party iSCSI hosts or devices.
- After pressing Apply, each of the Targets will be prepared. As they finish preparing they will appear in the Partitions panel below.
- Once the Status in the Partitions panel is ‘OK’, a Mount point will also be displayed. This indicates the Target on the S-Series is now being seen on the local recording server as if it were a local drive.
- Return to the Drive tab on the recording server and your new Extended Storage drives should now appear in the Drive list.
  * The above image is an example from a Linux/Ubuntu system. On a Windows system, the Drive names will appear as letters (e.g., C, D, E, F, etc.)
If an exacqVision S-Series Enterprise system is configured for Samba (SMB) shares, and then the number of partitions on the drive is changed, configuring a Samba share on the new partitions could fail.
As a workaround, first configure the new partitions for extended storage to ensure that partitions are properly formatted.
In April 2014 a Security Advisory was issued by the OpenSSL project notifying the public of a serious vulnerability in the encryption software used by a large number of companies. (For detailed information, visit http://heartbleed.com/.) Exacq Technologies took immediate action to assess how its products might be affected by this vulnerability.
The exacqVision S-Series uses Ubuntu 12.04 with the version of OpenSSL that could be affected. However, the vulnerability exists only if you have installed the exacqVision Web Service on your S-Series system and you are using SSL connections on the exacqVision web server, which is not the default configuration. If you have manually set up that configuration, complete the following procedure to ensure you do not have any issues. (If you are not using SSL in the web server, this procedure is optional.)
Affected Versions
All exacqVision S-Series Servers manufactured before Apr 10, 2014 (including S-Series Version A, S-Series Version B-1, B-2)
Files affected: openssl, libssl1.0.0
S-Series Version B-1 and B-2 with a Desktop
- Visit https://exacq.com/files.
  Username: evsupport
  Password: evsupport
- Click on the Heartbleed folder and download the two files to the Desktop. Alternately, you can download them to a portable drive and save them to the server.
- Double-click each file to install.
- If you see a message stating that a newer repository is available, click OK to continue the installation.
- After the installations are complete, delete the files from the Desktop.
If you have configured SSH connections to the computer, the next time you connect you will get a Security Warning message. This is expected, and the script will update the server’s SSH keys.
In April 2014 a Security Advisory was issued by the OpenSSL project notifying the public of a serious vulnerability in the encryption software used by a large number of companies. (For detailed information, visit http://heartbleed.com/.) Exacq Technologies took immediate action to assess how this affects its products.
exacqVision uses OpenSSL for a few functions, but the version affected is used only in a small number of exacqVision products:
exacqVision Server and Client 6.0 for Windows
OpenSSL 1.0.1e is used in exacqVision 6.0, released in March 2014. However, the use of this product is not subject to the Heartbleed vulnerability. You can optionally upgrade to the latest version that includes updated OpenSSL at https://exacq.com/support/downloads.php.
exacqVision S-Series
exacqVision S-Series systems use Ubuntu 12.04, which includes the affected version of OpenSSL. However, only specific non-default configurations expose the system to the Heartbleed vulnerability. See https://exacq.com/kb/?crc=61212 for details.
The exacqVision Server version 5.10 Linux installer requires additional library packages (libnspr4-0d and libnss3-1d) that are not included on S-Series systems manufactured before December 2013. To avoid a failure when upgrading to version 5.10, complete the following steps.
NOTE: These steps are required ONLY for exacqVision S-Series systems.
Systems with Internet Access
Install the required libraries directly from the repository:
sudo apt-get install libnspr4-0d
sudo apt-get install libnss3-1d
Systems without Internet Access
Download the following packages to a USB flash drive using a separate computer:
http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3_3.15.3-0ubuntu0.12.04.1_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.15.3-0ubuntu0.12.04.1_i386.deb
http://security.ubuntu.com/ubuntu/pool/universe/n/nspr/libnspr4-0d_4.9.5-0ubuntu0.12.04.1_i386.deb
Connect the USB flash drive to the S-Series system and install the packages in the following order:
sudo dpkg -i libnss3_3.15.3-0ubuntu0.12.04.1_i386.deb
sudo dpkg -i libnss3-1d_3.15.3-0ubuntu0.12.04.1_i386.deb
sudo dpkg -i libnspr4-0d_4.9.5-0ubuntu0.12.04.1_i386.deb
After this is complete, you can update to exacqVision Server 5.10.