Date: Thu, 19 Oct 2017 15:37:40 +0200 From: "WhiteWinterWolf (Simon)" <freebsd.lists@whitewinterwolf.com> To: Walter Parker <walterp@gmail.com>, freebsd-security@freebsd.org Subject: Re: freebsd-security Digest, Vol 634, Issue 3 Message-ID: <26ffd1eb-d8c2-0fdd-da38-b9e3790144ad@whitewinterwolf.com> In-Reply-To: <CAMPTd_Cbniobvr_oyDYhGKibY%2B0MBuBkFaMA6QgrhF1crCV45g@mail.gmail.com> References: <mailman.37.1508328001.71205.freebsd-security@freebsd.org> <CAMPTd_Cbniobvr_oyDYhGKibY%2B0MBuBkFaMA6QgrhF1crCV45g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Walter, Le 18/10/2017 à 22:52, Walter Parker a écrit : > SMB has supported authentication signing for a long time (more than a > decade). That can be used for basic security. > SMB3 supports encryption. To work with SMB3 encryption you will need > at least Windows 8. > The Samba project supports SMB3 and many of the security features in > it, but not share level encryption. Password authentication works with > signing and encryption. Until Samba supports the new share encryption > in SMB3, you will need to use something like stunnel (or an encrypted > VPN) to enable the privacy features that come with encryption. > > What that means is that the newest versions of Samba can talk to newer > Windows boxes with the authentication pieces (the username/password > exchange) done with encryption to make exploitation much harder. I agree with you. However, puts it in the context: the current thread is a malicious user acting as man-in-the-middle between a user and a server storing potentially sensitive files (as I said in my previous answers, for non-sensitive files such as media files a read-only SMB/NFS/whatever is perfectly fine). The threat here is not someone attempting to login to the file server. In this case, end-to-end encryption seems required to me (I don't want the content of personal or business-related documents to fall in wrong hands). As a side note, it may worth to highlight that Samba actually offered SMB encryption *before* Microsoft, but Microsoft preferred to create its own solution that Samba must now copy. All details can be found in my answer to Benjamin in the the same thread. In this case, for a low-tech people, I would tend to suggest using SFTP (a password-based access is enough) instead of a stunneled SMB share as I personally find it is easier to setup and more efficient. > Encryption on NFS appears to be by using stunnel or SSH to encrypt the > data (or using a VPN). Regarding NFS, Benjamin and Gary rightly highlighted that NFSv4 supports end-to-end authentication and encryption and is suitable for use over untrusted networks. However, I don't know if end-users' (and in particular Ronald's) NAS offers any easy-to-use NFSv4 feature. If this is the case, this is indeed a very interesting choice based purely on open standards, but I fear that there is no such feature which leaves us again with SFTP. Regards, Simon. -- WhiteWinterWolf https://www.whitewinterwolf.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?26ffd1eb-d8c2-0fdd-da38-b9e3790144ad>