About SMB signing
When sharing files, Windows provides the ability to sign CIFS messages to prevent man-in-the-middle attacks. Each CIFS message has a unique signature that prevents tampering. This security feature is called Server Message Block (SMB) signing.
With secure traffic optimization enabled on a server-side appliance, SteelHead alleviates latency in file access while maintaining message security signatures. The appliance provides bandwidth optimizations (SDR and LZ), TCP optimizations, and latency optimizations, even when CIFS messages are signed.
SMB signing prevents the SteelHead from applying full optimization on CIFS connections and significantly reduces performance gains. Because many enterprises already take additional security precautions (such as firewalls, internal-only reachable servers, and so on), SMB signing adds minimal additional security at a significant performance cost.
Enable secure traffic optimization if Windows clients or servers use any of these settings:
SMB2/SMB3 signing set to required.
SMB3 secure dialect negotiation is enabled.
SMB3 encryption is enabled.
The secure traffic optimization works with Windows domain security and is fully compliant with the Microsoft SMB signing versions 1 through 3 protocols. Domain security in both native and mixed modes is supported. The server-side appliance in the path of the signed CIFS traffic becomes part of the Windows trust domain. The Windows domain is either the same as the domain of the user or has a trust relationship with the domain of the user. The trust relationship can be either a parent-child relationship or an unrelated trust relationship.
SteelHead accelerates signed CIFS traffic even when the logged-in user or client machine and the target server belong to different domains, provided these domains have a trust relationship with the domain the server-side appliance has joined. The trust relationships include:
A basic parent and child domain relationship. Users from the child domain access CIFS/MAPI servers in the parent domain. For example, users in ENG.RVBD.COM access servers in RVBD.COM.
A grandparent and child domain relationship. Users from the grandparent domain access resources in the child domain. For example, users from RVBD.COM access resources in DEV.ENG.RVBD.COM.
A sibling domain relationship. For example, users from ENG.RVBD.COM access resources in MARKETING.RVBD.COM.
SMB-signed traffic is only signed, not encrypted. For maximum security, we recommend that you configure the SteelHeads as SSL peers. As SSL peers, the appliances use a secure inner channel to send encrypted, signed CIFS traffic between them over the WAN.
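The per-message signature described at the top of this page, and the "signed, not encrypted" property noted above, shown for the SMB 2.0.2/2.1 dialects (HMAC-SHA256 over the message with the Signature field zeroed, truncated to 16 bytes). This is an added example, not code from the original page or the product; SMB 3.x dialects use AES-based MACs with a derived signing key instead. The session key, payload and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SMB2_FLAGS_SIGNED = 0x00000008          # Flags bit that marks a signed message
FLAGS_OFF, SIG_OFF, SIG_LEN, HDR_LEN = 16, 48, 16, 64   # SMB2 header offsets

def build_message(command: int, message_id: int, payload: bytes) -> bytes:
    """Build a minimal 64-byte SMB2 header followed by a payload."""
    hdr = bytearray(HDR_LEN)
    hdr[0:4] = b"\xfeSMB"                         # ProtocolId
    struct.pack_into("<H", hdr, 4, 64)            # StructureSize
    struct.pack_into("<H", hdr, 12, command)      # Command
    struct.pack_into("<Q", hdr, 24, message_id)   # MessageId
    return bytes(hdr) + payload

def _mac(session_key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 over the message with Signature zeroed, first 16 bytes."""
    zeroed = bytearray(msg)
    zeroed[SIG_OFF:SIG_OFF + SIG_LEN] = bytes(SIG_LEN)
    return hmac.new(session_key, bytes(zeroed), hashlib.sha256).digest()[:SIG_LEN]

def sign(session_key: bytes, msg: bytes) -> bytes:
    """Set the SIGNED flag, then write the signature into the header."""
    signed = bytearray(msg)
    (flags,) = struct.unpack_from("<I", signed, FLAGS_OFF)
    struct.pack_into("<I", signed, FLAGS_OFF, flags | SMB2_FLAGS_SIGNED)
    signed[SIG_OFF:SIG_OFF + SIG_LEN] = _mac(session_key, bytes(signed))
    return bytes(signed)

def verify(session_key: bytes, msg: bytes) -> bool:
    """Reject unsigned, malformed, or modified messages."""
    if len(msg) < HDR_LEN or msg[:4] != b"\xfeSMB":
        return False
    (flags,) = struct.unpack_from("<I", msg, FLAGS_OFF)
    if not flags & SMB2_FLAGS_SIGNED:
        return False
    return hmac.compare_digest(_mac(session_key, msg), msg[SIG_OFF:SIG_OFF + SIG_LEN])

if __name__ == "__main__":
    key = bytes(range(16))                        # constructed session key
    msg = sign(key, build_message(0x0009, 7, b"constructed file data"))
    print("valid:", verify(key, msg))             # receiver holding the key
    print("payload on the wire:", msg[HDR_LEN:])  # still readable: signed, not encrypted
    tampered = bytearray(msg)
    tampered[-1] ^= 0x01                          # one bit changed in transit
    print("tampered valid:", verify(key, bytes(tampered)))
    print("without session key:", verify(bytes(16), msg))
```

Only a party holding the session key can produce or check the signature, which is why the server-side appliance has to join the Windows trust domain before it can handle signed traffic.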
SMB signing requires that the Windows domain functionality is at the Windows 2003 level or higher. If replication users are configured to use password replication policy (PRP), the domain functional level must be Windows 2008 or higher.