SMB Most Important Features
SMB 3: What is SMB?
SMB, or Server Message Block, is one of the pillars of mass data transfer across networks. In the age of data centers and virtualized servers, this is the protocol doing the heavy lifting: moving, copying and modifying terabytes of user data while keeping it secure and encrypted against attackers and ransomware.
The protocol has evolved rapidly since its early days, and the latest Microsoft version, SMB 3.1.1, is aimed at speed, flexibility and strong security.
For virtualized data centers, the SMB 3.x family of dialects is the de facto standard for high performance, offering a rich set of functions that were not available earlier.
💡 For an extensive introduction to the SMB protocol and what IT decision-makers need to know, see What is SMB? by David Dynamicnet.
How SMB works
Everyone knows how easy it is to map a network drive on one’s own device and then access its files and folders as if they were stored locally. What makes this possible in the background is the SMB protocol. SMB is a protocol, just like the HTTP protocol we use to browse the web: a set of rules that defines how data access takes place.
When two devices want to share data over a network, they do so with the help of network redirectors. All connection and access requests are handled and completed by redirectors, and they are exchanged as “data packets”.
SMB Network details: What port does SMB use?
SMB data packets come in three types: session control packets, file access packets and general message packets. SMB works at Layer 7, the application layer, and runs over TCP/IP on port 445 (note: prior to Windows 2000, SMB used port 139).
SMB Servers, SMB Clients, and SMB shares
There are three basic components in SMB communication:
- SMB server: the machine that hosts the SMB shares.
- SMB client: the machine that accesses shares on an SMB server.
- SMB share (file share): a shared resource, most often a directory or group of directories, that SMB clients access on SMB servers.
The SMB versions: SMB1, SMB2, and SMB3
SMB1, also known as SMBv1, is the original implementation of SMB. It was created at IBM in the 1980s to enable network access to local DOS (Disk Operating System) file systems. SMB1 used 16-bit packet sizes and small (by today’s standards) data buffers, which limited performance.
SMB1 is often associated with CIFS (Common Internet File System), a popular Microsoft SMB dialect from 1996 that brought SMB to many networks.
“💡 Pro-tip: SMBv1 has no encryption at all, which is why it is so insecure and should not be used today. The protocol is highly susceptible to MITM (man-in-the-middle) attacks, and SMBv1 is the protocol exploited by ransomware like WannaCry and NotPetya. Additionally, SMB1 is inefficient and creates a lot of network “chatter” compared to newer SMB versions.”
SMB2, a.k.a. SMBv2 or SMB 2.0, was released by Microsoft in 2006 with Windows Vista. This SMB2 implementation improved performance and security compared to SMB1. For example, SMB2 increased packet sizes to 32-bit (and even 128-bit for file handles), a significant improvement over SMB1’s 16 bits. The number of subcommands was reduced from over 100 in SMB1 to fewer than 20 in SMB2, which cut the “chattiness” (network noise and bandwidth consumption) SMB1 was known for. Features such as caching and durable connections were also added in SMB2 to further improve performance.
With Server 2008 R2 and Windows 7, Microsoft introduced SMB 2.1. This newer implementation improved how opportunistic locking (oplocks) works and further improved performance.
The original name for SMB3 (a.k.a. SMB v3) was SMB 2.2. The initial release of SMB3 is now known as SMB 3.0, and Server 2012 and Windows 8 were the first Microsoft operating systems to support it. SMB v3 adds further performance and security enhancements to the protocol; for example, SMB multichannel and end-to-end encryption were introduced in SMB3.
SMB 3.1.1, the latest version of Windows SMB, was released along with Server 2016 and Windows 10. It includes security enhancements such as enforcing secure connections with newer (SMB2 and later) clients and stronger encryption protocols.
Key SMB features
With the basics of SMB out of the way, we can now take a technical deep dive into the key SMB features:
- Authentication
- Secured Data Transfer
- Performance
- Durability and Reliability
1. Authentication
Like many other protocols, authentication is vital to SMB security. There are two aspects of SMB authentication:
- User-level authentication: requires clients to provide a username and password. Once a client (such as a Windows 10 SMB client) successfully authenticates to access a share on a server (such as a Server 2019 SMB file server), the client gains access to all shares on that server that are not restricted by additional “share-level” security.
- Share-level authentication: requires a share-specific password (no username) assigned to the share.
2. Secured Data Transfer
In addition to authentication, ensuring data integrity and encryption in transit are important parts of SMB security. In this section, we’ll look at the SMB features that enable secure data transfer.
SMB allows data packets to be digitally signed, so recipients can be assured of a packet’s origin and authenticity. Signing was introduced to prevent man-in-the-middle attacks and tampering.
SMB signing can be enabled on all supported Windows versions and is on by default for domain controllers, so all users download authentic Group Policy from them.
A new keyed-hash algorithm, HMAC-SHA256, makes SMB 2.0 more secure than the earlier dialects. SMB 3.0 strengthened signing further with the AES-CMAC algorithm, and Windows 10 introduced AES-128-GCM. The newer algorithms also improve performance, especially over WANs.
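As an added example (not code from the article), the SMB 2.x signing rule described above, worked in Python: the signature is HMAC-SHA256 over the whole message with the 16-byte Signature field zeroed, truncated to 16 bytes, and a verifier that recomputes it catches any modification in transit. The session key and the message contents are constructed here; SMB 3.x keeps the same header layout but signs with AES-CMAC (or GMAC) under a derived key, which is not shown.

```python
import hashlib
import hmac
import struct

# SMB2 header (MS-SMB2 2.2.1): 64 bytes, Signature at offset 48, SIGNED flag bit 0x8.
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_SIG_OFFSET = 48
SMB2_FLAGS_SIGNED = 0x00000008


def build_smb2_message(command: int, message_id: int, session_id: int, body: bytes) -> bytes:
    """Sync SMB2 header with the SIGNED flag set and a zeroed signature, plus a body."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,   # ProtocolId, StructureSize, CreditCharge, Status
        command, 1,                         # Command, CreditRequest
        SMB2_FLAGS_SIGNED, 0,               # Flags, NextCommand
        message_id, 0, 1,                   # MessageId, Reserved, TreeId
        session_id, b"\x00" * 16,           # SessionId, Signature (zeroed before signing)
    )
    return header + body


def smb2_sign(session_key: bytes, message: bytes) -> bytes:
    """SMB 2.0.2/2.1 signing (MS-SMB2 3.1.4.1): HMAC-SHA256 over the message with the
    Signature field zeroed; the first 16 bytes of the MAC become the signature.
    The signing key is the first 16 bytes of the session key."""
    zeroed = message[:SMB2_SIG_OFFSET] + b"\x00" * 16 + message[SMB2_SIG_OFFSET + 16:]
    mac = hmac.new(session_key[:16], zeroed, hashlib.sha256).digest()
    return message[:SMB2_SIG_OFFSET] + mac[:16] + message[SMB2_SIG_OFFSET + 16:]


def smb2_verify(session_key: bytes, message: bytes) -> bool:
    """Recompute the signature and compare in constant time; unsigned messages fail."""
    if len(message) < SMB2_HEADER_LEN or message[:4] != SMB2_MAGIC:
        return False
    flags = struct.unpack_from("<I", message, 16)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return False
    expected = smb2_sign(session_key, message)[SMB2_SIG_OFFSET:SMB2_SIG_OFFSET + 16]
    return hmac.compare_digest(expected, message[SMB2_SIG_OFFSET:SMB2_SIG_OFFSET + 16])


# Constructed sample: a 16-byte session key and a CREATE (0x0005) request with a dummy body.
SAMPLE_KEY = bytes(range(16))
SAMPLE_MSG = smb2_sign(SAMPLE_KEY, build_smb2_message(0x0005, 7, 0x1234, b"\x39\x00" + b"\x00" * 55))


def tamper_detected() -> bool:
    """The intact message verifies; flipping one body bit after signing must not."""
    tampered = bytearray(SAMPLE_MSG)
    tampered[-1] ^= 0x01
    return smb2_verify(SAMPLE_KEY, SAMPLE_MSG) and not smb2_verify(SAMPLE_KEY, bytes(tampered))
```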
Abandoning the older SMB versions for the more secure SMB 3.0 is a major advance in network security. Although alternatives such as IPsec exist, high security at lower cost can be achieved by simply using the SMB 3.x protocol, where enabling it is a matter of checking a box.
Encryption was introduced to protect data in transit from ransomware and other attacks. The SMB 3.x protocols allow encryption to be enabled on individual shares or on whole file servers, as needed.
From SMB3 onwards it is possible to detect man-in-the-middle attacks and simply disconnect. The feature can be enabled using the File Server Manager or via PowerShell.
SMB encryption is of great importance for mobile workers on untrusted networks and is valuable for protecting sensitive corporate data in transfer. The feature requires both the client and the server to use SMB 3.x.
SMB 3.0 uses the AES-CCM algorithm for encryption, and data integrity validation is done with the AES-CMAC algorithm; the HMAC-SHA256 used by SMB 2 is no longer in use. The new algorithms run fast on modern CPUs with AES instruction support.
In SMB 3.1.1, data confidentiality was further strengthened with the addition of AES-128-GCM in Windows 10 and Windows Server 2016, which also brings a performance increase of up to two times. Protection against tampering and eavesdropping is stronger still thanks to cipher negotiation when a connection is established.
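To make the negotiation concrete, here is an added example (not code from the article or from any product) that parses an SMB2 NEGOTIATE response and reports what a defender would want to audit: the dialect the server settled on, whether signing is merely enabled or actually required, the capability flags (large MTU, multichannel, encryption), and the cipher chosen via the SMB 3.1.1 encryption-capabilities negotiate context. The response bytes are constructed for the example, not captured from a real server.

```python
import struct

DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
CAPABILITIES = {0x01: "DFS", 0x02: "LEASING", 0x04: "LARGE_MTU", 0x08: "MULTI_CHANNEL",
                0x10: "PERSISTENT_HANDLES", 0x20: "DIRECTORY_LEASING", 0x40: "ENCRYPTION"}
CIPHERS = {0x0001: "AES-128-CCM", 0x0002: "AES-128-GCM", 0x0003: "AES-256-CCM", 0x0004: "AES-256-GCM"}
CTX_ENCRYPTION_CAPABILITIES = 0x0002


def parse_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (MS-SMB2 2.2.4) that follows a 64-byte SMB2 header."""
    body = msg[64:]
    (struct_size, sec_mode, dialect, ctx_count, _guid,
     caps, _max_trans, max_read, _max_write) = struct.unpack_from("<HHHH16sIIII", body, 0)
    if struct_size != 65:
        raise ValueError("not a NEGOTIATE response")
    ctx_offset = struct.unpack_from("<I", body, 60)[0]  # measured from the header start
    info = {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SIGNING_REQUIRED),
        "capabilities": [name for bit, name in CAPABILITIES.items() if caps & bit],
        "max_read": max_read,
        "ciphers": [],
    }
    # SMB 3.1.1 carries the selected cipher in a negotiate context; contexts are 8-byte aligned.
    off = ctx_offset
    for _ in range(ctx_count):
        ctx_type, data_len = struct.unpack_from("<HH", msg, off)
        data = msg[off + 8: off + 8 + data_len]
        if ctx_type == CTX_ENCRYPTION_CAPABILITIES:
            count = struct.unpack_from("<H", data, 0)[0]
            info["ciphers"] = [CIPHERS.get(c, hex(c)) for c in struct.unpack_from("<%dH" % count, data, 2)]
        off += (8 + data_len + 7) & ~7
    return info


def build_sample_response() -> bytes:
    """Constructed SMB 3.1.1 response: signing required, large MTU, multichannel and
    encryption capable, AES-128-GCM selected. Not a real capture."""
    header = b"\xfeSMB" + b"\x00" * 60
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 0x0003, 0x0311, 1, b"\x11" * 16,
                       0x4F, 8388608, 8388608, 8388608, 0, 0, 128, 0, 128)
    enc_ctx = struct.pack("<HHIHH", CTX_ENCRYPTION_CAPABILITIES, 4, 0, 1, 0x0002)
    return header + body + enc_ctx
```

Run against a live server's response, the same parser shows at a glance whether a host still offers a pre-3.0 dialect or leaves signing optional.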
3. Performance
SMB performance has improved significantly since SMB v1 and CIFS. In addition to reducing the “chattiness” of SMB v1, later SMB versions include many features that increase throughput and take advantage of modern high-speed network connections. In this section, we’ll look at the performance-enhancing features of SMB.
Users often work together and may need simultaneous access to files stored on servers. SMB allows files to be locked as well as accessed concurrently.
When a user wants access to a file that could be shared, the lock feature comes into play. A lock allows the client to perform some actions on a shared file locally without notifying the server. It can also notify the server when only one client is present, or when only read access is being performed on a shared file.
Concurrent operation lets a user request specific access, such as read-only or write-only. The SMB server keeps track of all such requests.
Maximum Transmission Unit
Microsoft has introduced new features to increase performance on large networks such as 10 Gigabit Ethernet. In SMB 2.1, better network speed is obtained with large, multi-credit operations, also called the Maximum Transmission Unit, or MTU. The MTU is the size of the largest data unit that can be sent across the protocol on a network.
By increasing the MTU, the maximum data unit can be 1 MB, which allows faster file transfer and reduces the number of packets sent. Large MTU was introduced with Windows Server 2008 R2 and Windows 7.
Large MTU improves data performance for workloads such as querying an SQL Server database, copying virtual hard disks (Hyper-V), and backing up and restoring data.
Much faster file transfers are possible with the multichannel feature of SMB 3.x. It works by combining several NICs, and all it takes is plugging them into the network.
Multichannel combines the bandwidth of several network cards and lets CPU cores split the data streams for faster transfers. For example, a client with several 1 Gigabit cards can connect faster to a server with one large 10 Gigabit card, or vice versa. Both the client and server can be equipped with large NIC adapters and thus utilize their CPU cores to the maximum.
Advantages of SMB multi-channel feature:
- Increased network performance outside Windows clustering
- Multiple data paths available
- Higher throughput and network fault tolerance
- Automatic configuration (dynamic addition of connections discovered automatically)
Multichannel is available only with SMB 3.x; older dialects can use only one SMB connection.
With the 2016 update of Windows 10, SMB multichannel is much easier to use, as there is no need to add machine names and IP addresses.
SMB Direct and Remote Direct Memory Access (RDMA) make for a faster and more efficient clustered storage environment. RDMA allows quick memory-to-memory transfer of data. All it takes is linking the servers with networking hardware such as InfiniBand, iWARP or RoCE.
In a typical SOFS (Scale-Out File Server) system, as described later, several Windows file servers are grouped together to serve files to workload servers. The failure of one server is handled by quickly restoring the connection using transparent failover. The bottleneck that can constrict speed lies in how the storage devices connect to the servers.
Ethernet networks, even at 10 Gbps, are not fast enough for enterprise data management requirements. Storage devices (SAN, FC, iSCSI) are commonly grouped into pools, from which virtual disks are created for use by Hyper-V clusters or, in the case of SQL servers, as file shares for accessing the database. These workload hosts connect to SOFS servers via the SMB 3.x protocols.
With the RDMA feature of SMB 3.x, a high-speed data network can be set up. Such networks are also called high-performance computing (HPC) environments and are often found in systems for processing financial or scientific data. With remote direct memory access, CPU load is minimized, as is network latency.
With RDMA, a network file server can thus act as local storage when using Microsoft Hyper-V or SQL Server 2012. This feature is available only from SMB 3.0 onwards.
4. Durability and Reliability
Availability, scalability, and fault tolerance are important aspects of file and resource sharing on modern networks. In this section, we’ll explore the key features that make SMB robust and reliable.
- Windows Server 2012 with at least two nodes in a failover cluster
- Servers, storage and network that pass the Validate Configuration wizard
- File server role available on all nodes of the cluster
- Cluster file server configured for file shares with the continuously available property
- A new VSS provider (File Share Shadow Copy Provider)
- A new VSS requestor (File Share Shadow Copy Agent)
- A new RPC (remote procedure call) protocol (File Server Remote VSS Protocol)