
SMB/CIFS versus WAF/WebDAV

Hello dear forum community,

the following setup:

Test 1: SMB/CIFS

PC (Win10) => LAN => FW1 => FW2 (SG230) > NAT to NAS server

Test 2: WAF/WEBDAV

PC (Win10) => LAN => FW1 => FW2 (SG230) > WAF to NAS server

When I open a file (Word / Excel / PDF / TXT) via test case 1, it takes a very long time from opening until it is fully displayed (400 KB, over 10 sec).

The same file via test case 2 (Web Application Firewall and WebDAV), on the other hand, takes approx. 2 seconds.

In other words, private cloud access to the same NAS server is very fast, whereas via SMB/CIFS it is very slow.

I had switched IPS off, but that made no difference.

Does anyone have an idea how I can track down this problem?

Many thanks in advance

Best regards, TBC



  • Hello,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    If you read #1 in Rulz, you will see that disabling Intrusion Prevention has no effect on Anti-UDP Flooding. I bet Doug's answer is what you needed though.

    Best regards - Bob (Please continue in German.)

  • Hello Douglas and Bob,

    Thanks for the reply!

    I checked some more things and figured out that one more SMB parameter is the problem.

    We have had the following parameter in smb.conf for about a year:

    [code]
    nt pipe support=no
    [/code]

    After removing the parameter, the speed is normal.

    We are using SMB Vers. 2 as minimum and Vers. 3 with encryption as maximum.

    So the problem was on the NAS server side with this parameter, but what I don't know is: do I still need this parameter, or can I remove it?

    Thank you very much

    wrbrgds

    TBC

  • With your parameter question, you have moved from a question about how UTM works to how your SMB Emulation works. This should be addressed to SAMBA support.

    General Considerations:

    You imply that you want to support both upload and download to your server from clients on the internet. If this is the case:

    • You should implement 2-factor-authentication for all users. This is a PCI DSS requirement and a practical necessity because of password guessing attacks.

    • You need to have a log review process to detect attacks against this target. This requires a Syslog-parsing tool such as Splunk, or custom SQL database tools such as the ones that I have posted in the Management and Reporting topic area.

    • I have only a rudimentary understanding of WebDAV, but somewhere I acquired the impression that it was not very secure and therefore not appropriate for use on the Internet. I believe the main issue is that it is designed for changing website code, and therefore too powerful when the goal is simply to upload a reference document. I suggest researching this issue to see if my perception is out of date. Obviously, the risk will depend on the version of the protocol and the particulars of the implementation on your server.

    • If you use SMB, you should ensure encryption for both password exchange and data movement, which you imply is only handled if the protocol is SMBv3. You still need to worry about two-factor authentication, which is not easily implemented for SMB logins. Because of that, SMB really needs to be inside an SSL VPN connection.

    • Once you have it working, you have the ongoing challenge of ensuring that the uploaded content, whether files or URLs, does not deliver malware.
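
Added example, not part of any post in this thread: a small Python audit of the smb.conf `[global]` settings discussed above (minimum protocol, SMB encryption, `nt pipe support`). The sample file is constructed from the values named in the thread, and `parse_global` and `audit` are names chosen for this example.

```python
import re

# Constructed sample from the settings named in the thread; helper names are this example's own.
SAMPLE_SMB_CONF = """\
[global]
    server min protocol = SMB2
    server max protocol = SMB3
    smb encrypt = desired
    nt pipe support = no
"""

def parse_global(text):
    """Return [global] parameters; Samba ignores case and spaces in parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Return findings for the global SMB settings discussed in the thread."""
    g, findings = parse_global(text), []
    # "min protocol" is a synonym for "server min protocol".
    min_proto = g.get("serverminprotocol", g.get("minprotocol", "")).upper()
    if not min_proto:
        findings.append("min protocol unset: default depends on the Samba version")
    elif not min_proto.startswith(("SMB2", "SMB3")):
        findings.append(f"min protocol {min_proto} permits pre-SMB2 dialects")
    # Only required/mandatory make the server refuse unencrypted sessions.
    encrypt = g.get("serversmbencrypt", g.get("smbencrypt", "default")).lower()
    if encrypt not in {"required", "mandatory"}:
        findings.append(f"smb encrypt = {encrypt}: unencrypted sessions still accepted")
    # Samba's default is yes; "no" is the setting the thread tied to slow file opens.
    if g.get("ntpipesupport", "yes").lower() in {"no", "false", "0", "off"}:
        findings.append("nt pipe support disabled: non-default, blocks IPC$ named pipes")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SMB_CONF)))
```

On a live server, `testparm -s` prints the effective configuration, which can be fed to the same check.
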
  • Thank you very much Douglas,

    The access that I described is not an Internet connection. It's a unidirectional connection from the production LAN to the safety test LAN, with AD authentication for both SMB with encryption and WebDAV.

    Our WebDAV is more like a private cloud access without any access from the Internet. From my side, I like WebDAV for access to files and data.

    The server is a Synology, and both our Sophos FW and the NAS server have virus scanning active.

    Indeed you are right with all your points about security issues, and I will do my very best to get a little bit better every day :-).

    So thank you very much for your help!

    With best regards

    TBC