configuring safenet storagesecure in a cifs domain n.
Skip this Video
Loading SlideShow in 5 Seconds..
Configuring SafeNet StorageSecure in a CIFS Domain PowerPoint Presentation
Download Presentation
Configuring SafeNet StorageSecure in a CIFS Domain

Loading in 2 Seconds...

play fullscreen
1 / 43

Configuring SafeNet StorageSecure in a CIFS Domain - PowerPoint PPT Presentation

  • Uploaded on

Configuring SafeNet StorageSecure in a CIFS Domain. Module 2: Lesson 2 SafeNet StorageSecure Storage Security Course. Lesson Objectives. By the end of this lesson, you should be able to: Add CIFS domain, server, and shares Secure CIFS data using encryption

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Configuring SafeNet StorageSecure in a CIFS Domain' - agrata

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
configuring safenet storagesecure in a cifs domain

Configuring SafeNet StorageSecure in a CIFS Domain

Module 2: Lesson 2

SafeNet StorageSecure Storage Security Course

lesson objectives
Lesson Objectives
  • By the end of this lesson, you should be able to:
    • Add CIFS domain, server, and shares
    • Secure CIFS data using encryption
    • Use StorageSecure Access Control Lists (ACLs)
    • Configure SafeNet StorageSecure Security Settings
typical nas deployment
Typical NAS Deployment

Virtual Host

StorageSecure appliances are deployed in a NAS environment between the hosts and the storage appliance.

StorageSecure has two interfaces: one client interface where all clients connect, and a Storage interface where the actual Storage connect.

Clients are required to send their I/O requests to the StorageSecure client interface. The actual shares accessible from the file-server interface are virtualized on the client interface.

adding domain server share securing data
Adding Domain, Server & Share & Securing Data
  • To add SafeNet StorageSecure to a CIFS Environment:
    • Create a “Domain Access User” on the domain.
    • Add a CIFS domain
    • Add a CIFS file server
    • Add a virtual server (VIP)
    • Add a share
    • Virtualize the share to the VIP
    • Create a Storage Vault
domain access user
Domain Access User
  • The Domain Access User is a special user account in the SafeNet StorageSecure Management Console for accessing Windows or LDAP domains
    • In a Windows domain:
      • Discovers servers and shares
      • Syncs users and groups with domain controller
    • In an LDAP domain:
      • Syncs users and groups with LDAP server
  • Domain Access User cannot access data through the SafeNet StorageSecure Management Console
  • Can be any user in a Windows domain
adding a cifs domain access user
Adding a CIFS Domain – Access User

Enter a Domain Access user credentials.

The account will need full access control for all shares to be encrypted.

virtualizing shares
Virtualizing Shares

Virtual server – Vhost1

adding a storage vault
Adding a Storage Vault

Cross Mapping of share1

storage vault access through cifs
Storage Vault Access through CIFS

Real Share

Virtual Share – accessed via StorageSecure

additional notes and the storage vault
Additional Notes and the Storage Vault
  • StorageSecure can have up to 1500 Storage Vaults.
  • Nested Storage Vaults are not supported.
  • On Storage Vault creation a hidden system “.decru” file is written to the Storage Vault.
      • .decru file contains metadata relating to the key used for encryption.
      • Lost or deleted .decru file will leave data accessible until StorageSecure is rebooted.
      • Re-creation of .decru file is possible.
  • Each Storage Vault has an associated Storage Vault Key
  • Files within the Storage Vault have:
      • 512 bytes of metadata added to the file header.
      • Are associated with a unique R-Key.
        • R-Key processes the file before and after encryption to ensure that cipher text is different across files sharing the same content.
  • Storage Vaults can be multi-protocol - CIFS and NFS.
storage vault menu options
Storage Vault Menu Options
  • Access Control
  • IP Restriction
  • Rekey
  • Export Trustee Keys
  • Delete
safenet storagesecure and user or group memberships
SafeNet StorageSecure and User or Group Memberships
  • When adding a Storage vault, the share’s ACL is synchronized with StorageSecure
  • If there is a conflict between the SafeNet StorageSecure ACL and the Windows ACL, the more restrictive ACL applies.
user or group import
User or Group Import
  • SafeNet StorageSecure automatically imports user and group information from the Windows domain for:
    • Users who have initial access to shares
    • Users who are added to the ACL of a Storage Vault
    • Users who are members of a group added to the ACL of Storage Vault
    • Users who access a Storage Vault with the Everyone group in its ACL
    • Users who register with SafeNet StorageSecure
  • StorageSecure queries the domain controller every 30 minutes to check for changes
acl import
ACL Import
  • ACLs should be set on the share before creating a Storage Vault
    • SafeNet StorageSecure syncs the ACL with the file server when the Storage Vault is created
    • The ACL is then modified at the file server or SafeNet StorageSecure
  • Security settings affect the behavior of ACL
    • If the Local ACL option is disabled, only the storage server’s ACL is honored
    • If the Local ACL option is enabled, then the most restrictive permissions are used
local acls and safenet storagesecure
Local ACLs and SafeNet StorageSecure
  • CIFS ACLs are synchronized when a Storage Vault is created
  • Changes to an ACL at the direct share must be manually synchronized
  • ACLs at the StorageSecure appliance are always in effect for NFS exports
authentication process
Authentication Process
  • Authentication process when using CIFS and AD as the user repository
    • Client connects to a Storage Vault.
    • If Local ACL is enabled, the StorageSecure checks if the user has access to the StorageVault in its local ACL.
    • The StorageSecure will prompt the user for credentials or check if the user has a valid Kerberos ticket given by the Active Directory.
    • The StorageSecure checks if the user has permissions on the file server by using the users credentials / Kerberos ticket. If so, it will provide the user access to the Storage Vault.
storagesecure user registration for storage vault owners
StorageSecure User Registration for Storage Vault Owners
  • Use the WebUI to register:


  • Storage Vault owners must set up a SafeNet StorageSecure account.
management security settings
Management Security Settings

Security  Management Security

group review
Group Review
  • Allows the SafeNet StorageSecure administrator to review new group members
    • New members of Windows or UNIX® groups can be accepted or rejected
    • Users cannot be accepted or rejected individually
    • The Local ACL feature protects against attacks on the file server
    • The Group Review feature protects against attacks on the domain controller
user registration
User Registration
  • If User Registration is enabled
    • Storage vault owners can use the WebUI to manage their Storage vaults
    • End users must register once at the WebUI Login page before they can access a Storage vault
  • If StorageSecure Password is enabled
    • Users need a SafeNet StorageSecure-specific password (separate from Windows password) to register
    • When the Windows password is changed, the user must also change the StorageSecure password
    • Users can change their StorageSecure password at any time
webui storage vault management
WebUI Storage Vault Management
  • End users can log in to the SafeNet StorageSecure WebUI to view and manage the Storage Vaults they own.
configure ip restrictions
Configure IP Restrictions
  • Storage Vault access can be restricted to clients within a specified range of IP addresses
    • For example set IP Range of “”
end user access
End-User Access
  • Mounted as an ordinary share
  • ACL authentication allows immediate access
  • Use real server name for virtual server for invisible client-side mounting

HTTP Access

  • SafeNet StorageSecure supports storing and accessing data through the WebUI (HTTP), this includes WebDAV extensions (Future Version)
    • Web access and WebDAV are automatically enabled on all VIP addresses with virtual shares (Future Version)
    • Users can access only data for which their CIFS or NFS credentials are valid
    • Access data using a Web browser
    • Internet Explorer® 6.0 or later
    • Mozilla 1.4 or later
  • Secure Web Access to Storage Vaults is enabled (HTTPS://) (Future Version); WebDAV and FTP - (Future Version)
lesson summary
Lesson Summary
  • In this lesson, you should have learned to:
    • Add CIFS domain, server, and shares
    • Secure CIFS data using encryption
    • Use SafeNet StorageSecure ACLs
    • Configure SafeNet StorageSecure security settings
hands on exercise complete 04 configuring safenet storagesecure in a cifs domain
Hands on Exercise:Complete:04 Configuring SafeNetStorageSecure in a CIFS Domain