White Paper - File Sharing Security

1 Introduction

One of the most important aspects of serving data to clients over a network is the security mechanisms employed

by the server to protect the data from accidental or malicious tampering. The HP NetStorage 6000 is a (NAS)

Network Attached Storage Device with capabilities to serve files to Windows clients and UNIX/Linux clients

using the native file serving protocol of each client. The HP NetStorage 6000 server has extensive security

features built-in that leverage or extend the security mechanisms detailed in the specifications of each of these file

serving protocols. In addition, the HP NetStorage 6000 is capable of mapping the security features of one

protocol to the other. This feature allows files to be safely accessed through both protocols.

On a network of UNIX clients, the HP NetStorage 6000 provides a native interface to the files on the NAS

device through the Network File System (NFS). The NFS protocol is the native file serving protocol of UNIX

networks and integrates seamlessly with the established features of UNIX security and file locking. The HP

NetStorage 6000 is capable of serving files via NFS to a variety of UNIX and Linux clients.

On a network of Windows clients, the HP NetStorage 6000 provides a native interface to the data on the server

through the Common Internet File System (CIFS). This protocol is also commonly known as Server Message Block

(SMB). The HP NetStorage 6000 offers a mature and robust implementation of the CIFS protocol, complete with

the security mechanisms normally found on Windows servers. The HP NetStorage 6000 is capable of securing

file access to Windows clients in a variety of ways, depending on the security requirements of the network.

The HP NetStorage 6000 is capable of serving the same files over either the NFS or CIFS protocol. File servers

that can serve multiple protocols are commonly referred to as “Heterogeneous File Servers”. This capability adds

a new dimension to the security issue in the nature of mapping the security parameters from one file system

protocol to another. Although NFS and CIFS are both designed to serve files over a network, the methods by

which they protect their data from unauthorized access are very different. The HP NetStorage 6000 addresses

this issue by mapping the access information as needed, to determine the appropriate access to grant the user.

This document describes the general security aspects of the NFS and CIFS file serving protocols, including

special considerations on how they are implemented on the HP NetStorage 6000. In addition, the security

issues involved with offering files through both protocols on a server are covered in detail. Finally, the solutions

implemented on the HP NetStorage 6000 to address the multi-protocol security problems are presented.

2 Security on UNIX Networks

2.1 General Overview

UNIX users gain access to remote resources on a network by mounting remote file systems (using the ‘mount’

command). Accessing remote file systems is accomplished over the network via the Network File System (NFS)

protocol. Remote file systems attach themselves to the directory tree of the local file system at a specified

location. The user interacts with the remote file system in the same way as the local file system.

There are two methods for restricting access to remote file systems on UNIX Networks. The first method involves

restricting access to individual resources (files and directories) to specific users or groups of users on the network.

The second method involves restricting resources to specific hosts (computers) or groups of hosts on the network.