Dan McDonald writes:
> > We have changes for the OpenSolaris CIFS client that implement SMB
> > "signing". For an Overview of SMB signing, see:
> > http://support.microsoft.com/kb/887429
>
> You really should also put this on security-discuss. In fact, I think I'll
> do that now!

[Added author back into cc-list.]

> I won't even begin to discuss the merits of how secure CIFS signing may or
> may not be, but given the deployment environment out there, I think you're
> approaching this the right way.

One of the things I mentioned in looking at this posting was that it'd be
good to have something in the documentation that we supply to customers that
provides some information about the relative security that this feature
provides.

Is it as good as running 256-bit AES and IPsec everywhere? Probably not. Is
it better than rot13? Likely so. I don't know where it falls in that
spectrum, though, and customers will need to know what to do with it.

We probably don't need to tell customers not to deploy it, or run down MSFT's
work here, but we will likely need to be able to say something like, "this
provides only integrity protection, and with modern machines, and a small
sample of protected traffic, it'd be trivial to brute-force the keys in a
short period of time, so make sure you have firewalls and other guards in
place, more so than you would for SSL, Kerberos, ssh, or IPsec."

(Assuming some of that is true ... I have no idea whether it is.)

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W    Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N    Fax +1 781 442 1677
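The "integrity protection only" point raised above can be made concrete. The following is an added illustration, not code from the OpenSolaris CIFS project or from anyone in this thread; it implements the SMB1 message-signing scheme as specified in MS-CIFS (MAC key = session key || NTLM response; signature = first 8 bytes of MD5(MAC key || message) with the 32-bit sequence number written into the SecuritySignature header field before hashing). The session key, NTLM response and the READ_ANDX-style message below are constructed sample values, not captured traffic.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): a 16-byte NTLM user
# session key and a 24-byte NTLM response, as negotiated at session setup.
SESSION_KEY = bytes(range(0x10, 0x20))
NTLM_RESPONSE = bytes(range(0x40, 0x58))

# SMB1 MAC key per MS-CIFS: session key followed by the NTLM response.
MAC_KEY = SESSION_KEY + NTLM_RESPONSE

SIG_OFFSET = 14  # SecuritySignature field lives at offset 14 of the 32-byte SMB1 header
SIG_LEN = 8


def build_sample_message(filename: bytes) -> bytes:
    """Constructed SMB1 header (32 bytes) plus a toy payload naming a file."""
    header = (
        b"\xffSMB"          # protocol id
        + b"\x2e"           # command: SMB_COM_READ_ANDX
        + b"\x00" * 4       # status
        + b"\x08"           # flags
        + b"\x01\xc8"       # flags2 (long names, security signatures enabled, unicode)
        + b"\x00" * 2       # PIDHigh
        + b"\x00" * SIG_LEN # SecuritySignature, filled in by sign()
        + b"\x00" * 2       # reserved
        + b"\x01\x00"       # TID
        + b"\x02\x00"       # PID
        + b"\x03\x00"       # UID
        + b"\x04\x00"       # MID
    )
    assert len(header) == 32
    return header + b"\x00\x00" + filename


def _with_sequence(message: bytes, seq: int) -> bytes:
    # Sender and receiver both replace the signature field with the little-endian
    # sequence number followed by four zero bytes before hashing.
    return (message[:SIG_OFFSET]
            + struct.pack("<I", seq) + b"\x00" * 4
            + message[SIG_OFFSET + SIG_LEN:])


def sign(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """Return the message with the 8-byte SMB1 signature filled in."""
    mac = hashlib.md5(mac_key + _with_sequence(message, seq)).digest()[:SIG_LEN]
    return message[:SIG_OFFSET] + mac + message[SIG_OFFSET + SIG_LEN:]


def verify(mac_key: bytes, signed: bytes, seq: int) -> bool:
    """Recompute the signature for the expected sequence number and compare."""
    expected = hashlib.md5(mac_key + _with_sequence(signed, seq)).digest()[:SIG_LEN]
    return hmac.compare_digest(expected, signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN])


def demo_round_trip() -> bool:
    msg = build_sample_message(b"payroll.xls")
    return verify(MAC_KEY, sign(MAC_KEY, msg, seq=2), seq=2)


def demo_tamper() -> bool:
    # Flip one bit of the payload after signing: the receiver's check must fail.
    signed = sign(MAC_KEY, build_sample_message(b"payroll.xls"), seq=2)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return verify(MAC_KEY, tampered, seq=2)


def demo_replay() -> bool:
    # Replaying a signed message under a different sequence number also fails,
    # which is what the sequence counter buys on top of the keyed hash.
    signed = sign(MAC_KEY, build_sample_message(b"payroll.xls"), seq=2)
    return verify(MAC_KEY, signed, seq=4)


def demo_plaintext_visible() -> bool:
    # Signing adds integrity only: the file name is still readable on the wire.
    signed = sign(MAC_KEY, build_sample_message(b"payroll.xls"), seq=2)
    return b"payroll.xls" in signed


if __name__ == "__main__":
    print("round trip verifies:", demo_round_trip())
    print("tampered message verifies:", demo_tamper())
    print("replayed message verifies:", demo_replay())
    print("payload still visible:", demo_plaintext_visible())
```

The last function is the one that matters for the documentation question: a passive observer on the path still reads every file name and every byte of data, and an attacker who recovers the MAC key can forge signatures, so signing is a complement to network-level controls rather than a substitute for encryption.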