SMB over QUIC – Adoption Challenges
We have already listed the challenges QUIC faces for adoption. But one of the significant challenges in adopting SMB over QUIC right now is neither technical nor political. It is the lack of client operating systems that support it. At the time of writing, only Windows 11 and Windows Server 2022 Datacenter: Azure Edition support SMB over QUIC. The latter only runs on Azure or Azure Stack HCI. Azure Files will support SMB over QUIC soon, but that does not fix the limited number of clients that support it.
While some organizations are upgrading fast to Windows 11, most of the world still runs Windows 10 and will do so for some time. While Microsoft might backport SMB over QUIC to Windows 10, they have announced no such plans for now. Also, remember that servers are often an SMB client themselves, but even Windows Server 2022 does not support it, let alone Windows Server 2019.
However, Samba will undoubtedly support SMB over QUIC, both client and server. So that will offer a solution to a part of the Linux world when it becomes available.
That still leaves a significant void in the world of mobile clients and non-Linux operating systems. Many of these devices run either Apple iOS or Android. Imagine the number of potential use cases and customers you gain by developing an SMB over QUIC client for mobile devices. In that context, the Ignite demo makes a lot of sense. Android represents many business users and applications using either smartphones or tablets. That is precisely the audience Visuality Systems is targeting. You will be able to leverage their JNQ™ library for this.
While REST APIs and object storage show tremendous opportunity and adoption, file systems are far from dead. Quite the contrary: Azure’s ongoing investment in its Azure Files PaaS offering proves this. We also see SMB3 improving release after release.
QUIC has a bright future and is growing steadily. SMB over QUIC is precisely what the file system needs to keep delivering value in the cloud era.
Mobile applications and embedded systems are everywhere, and IoT is showing explosive growth in nearly every market segment across the globe. Cloud subscription-based solutions are growing and will only increase with the continued rollout of better internet connectivity via 5G. From manufacturing, monitoring, supply chain, robotics, and logistics to gaming, e-health, and autonomous systems for driving and flying, they will all benefit from ever better internet connectivity. Those ecosystems are enormous and growing. Secure and easy access to file shares without needing a VPN is of significant importance in this market, and that is what SMB over QUIC delivers. Visuality Systems opens up the ability to use SMB over QUIC from any device or OS.
Let’s take a look at the offerings of Visuality Systems. While doing so, we will also show you some screenshots from our lab work with a CLI-based file manager demo Java app!
YNQ™ is Visuality Systems’ embedded SMB brand name. This library provides SMB server and SMB client connectivity for non-Windows embedded systems, giving them interoperability with Windows-based machines. Both the YNQ™ client and the server will have SMB over QUIC support available. Now, “embedded systems” is something you should interpret liberally. It also supports Apple iOS for its iPad tablets and iPhone smartphones. So this library allows developing client applications with SMB over QUIC that run on iOS. It also provides a system driver for non-Windows operating systems.
YNQ™ is designed with the flexibility to integrate into virtually any environment, be it an operating system, a CPU, or a compiler. YNQ™ file sharing enables multiple embedded devices to browse each other’s SMB shared folders remotely and to read, write, edit, copy, delete and update each other’s files. These operations do not require transferring the entire file to/from the device’s local disk or memory, which is highly efficient.
Several systems running in my lab do not support SMB over QUIC natively. For example, even the most recent versions of operating systems like Windows Server 2022 and 2019, Windows 10, and Ubuntu 20.04 and 21.04 have no SMB over QUIC support. Yet, thanks to a demo application Visuality Systems has built for demo purposes, I can access Windows file shares on Windows Server Datacenter: Azure Edition via SMB over QUIC from those client systems.
The demo application leverages its Java SMB client (the JNQ™ SMB client library). You can use this library with all major Java implementations, such as Oracle’s Java, OpenJDK, and IBM’s Java. In addition, JNQ™ provides SMB file and data sharing client functionality to any Java application (Java 1.5 or higher).
Take a look at the screenshots below. You can see me using file shares on a Windows Server 2022 Datacenter: Azure Edition via SMB over QUIC from Linux and Windows operating systems that do not have native support for SMB over QUIC.
The screenshot below shows a test app built with the JNQ™ SMB client library running on Ubuntu 21.04 Desktop edition. I can create files and folders, read and write files, and navigate to folders. I used Ubuntu in the lab, but it works with any Linux distro.
We have the same application running on Windows 10, allowing us to access the file share over SMB over QUIC. It would also run on Windows 7, Windows 8, or Windows 11, for that matter. The application uses the Visuality Systems library and is not dependent on the capabilities of the SMB client in the operating system.
Applications that leverage the SMB libraries from Visuality Systems open up many more operating systems and platforms to the benefits of secure file share access over the internet via SMB over QUIC. As a final example, let’s look at Android. Below you see screenshots from Visuality Systems’ File Manager. You can find the app yourself in the Google Play Store.
It works both with TCP and QUIC. That’s right; we have SMB over QUIC from Android phones or tablets. You can either use the system’s DNS or specify custom DNS settings.
Linux system driver
What if you could get an SMB client as a system driver?
One you can install on any Linux system, for example. What if that driver supports SMB over QUIC? Well, that would mean you could install it on a Linux host and access a file share via SMB over QUIC straight from your Ubuntu Nautilus file manager. Guess what? Visuality Systems are working on SMB over QUIC support for their driver. Imagine the possibilities!
NTLMv2 and Kerberos
Visuality Systems’ libraries support both NTLMv2 and Kerberos. In an Active Directory environment, like on a corporate network, when a domain controller is reachable, Kerberos is available, so that’s what the client uses to authenticate to the file server when accessing the file share. That is the preferred and safest way. When a domain controller and Kerberos are not available, NTLMv2 will be tried and used when possible (if not blocked/disabled).
For example, when a client on the internet has no line of sight to a domain controller, it leverages NTLMv2. That entire exchange runs inside the QUIC tunnel, which is encrypted with TLS 1.3 (AES-128/256). So it is safe from harvesting on the wire.
Tip: An easy way to see where and when NTLM comes into play is to audit it via group policy. It lets you see when NTLM authentication occurs, and from which client, in the Microsoft-Windows-NTLM/Operational event log on your domain controllers.
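As an added example (not from the post or from Visuality Systems), the script below summarises what that audit log recorded on a domain controller over the last 24 hours, so you can spot which clients still fall back to NTLM. It assumes the NTLM audit policy is already applied and that you have rights to read the log; the field names it groups on are discovered from the events themselves rather than hard-coded.

```powershell
# Added example: summarise NTLM audit events on a domain controller.
# Assumes the "Restrict NTLM: Audit NTLM authentication in this domain"
# policy is enabled and the caller can read the operational log.
param(
    [int]$Hours = 24,
    [string]$LogName = 'Microsoft-Windows-NTLM/Operational'
)

$since = (Get-Date).AddHours(-$Hours)

# A filter hashtable is evaluated by the event log service, which is far
# faster than reading everything and filtering with Where-Object.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events in $LogName since $since. Is the audit policy applied and the log enabled?"
    return
}

# Flatten each event's payload (EventData or UserData, whichever the event
# uses) into a PSCustomObject so any field can be grouped on by name.
$flat = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $row = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    foreach ($n in @($xml.Event.UserData.ChildNodes)) {
        foreach ($c in $n.ChildNodes) { $row[$c.LocalName] = $c.InnerText }
    }
    [pscustomobject]$row
}

# 1) How many events of each ID were logged in the window.
$flat | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventId'; e = { $_.Name } } | Format-Table -AutoSize

# 2) Which clients (or users) are still authenticating with NTLM. The column
#    name varies per event ID, so pick the first field that looks like one.
$fields = ($flat | Get-Member -MemberType NoteProperty).Name
$clientField = $fields | Where-Object { $_ -match 'Workstation|Client|User' } | Select-Object -First 1
if ($clientField) {
    $flat | Group-Object $clientField | Sort-Object Count -Descending |
        Select-Object Count, @{ n = $clientField; e = { $_.Name } } | Format-Table -AutoSize
} else {
    Write-Warning 'No client or user field found; inspect one event with: $flat | Select-Object -First 1 | Format-List'
}
```

Run it as `.\Summarize-NtlmAudit.ps1 -Hours 72` on each domain controller (or remotely via `Invoke-Command`) to get a per-client picture before deciding where NTLMv2 can be switched off.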
Kerberos support & KDC Proxy Server Support
If you want to complicate a security discussion in a meeting with a Chief Information Security Officer, you should mention your solution requires NTLMv2. I’m sure many organizations still have it enabled in their environment, out of necessity. The sky won’t fall on your head when you set it up correctly. But from a technology debt perspective and in organizations that continuously raise the security bar, it is not a message that will make a CISO smile. As a result, many are working on reducing or, when possible, removing NTLMv2 in their environments. For SMB over QUIC to succeed in these environments, it needs to address this. Hence SMB over QUIC can leverage Kerberos not just on the corporate network when it has a line of sight to a domain controller. No, sir, it can use Kerberos over the internet when you leverage a KDC proxy. You can access that KDC proxy over HTTPS/443.
In Windows, you can configure a client to try and use a KDC proxy when it cannot find a domain controller. Additionally, custom-written applications leveraging a library from Visuality Systems can leverage a KDC proxy in the future, as they are working on implementing support for this. Awesome right? Secure SMB file share access over the internet thanks to QUIC, and you get to leverage Kerberos as well.
The future looks bright
An interesting thing to note is that Azure Files also supports Kerberos authentication. When you can provide a KDC proxy yourself, either on-premises or as IaaS in Azure, it allows you to leverage Kerberos over the internet when accessing file shares in such use cases. When Azure Files supports SMB over QUIC in the future, you are ready to roll! As long as the device is supported, let’s see what becomes possible in the future. But with the tools we have right now, we can expose file shares via SMB over QUIC to any SMB client application that supports it. For this to work, the device needs to be domain-joined. That is possible with Linux. But even when your device is not AD DS domain-joined, you may still be able to leverage AD credentials for authentication, provided your machine has a line of sight to a domain controller or a KDC proxy server is in place, and the client supports Kerberos.
When looking into the future, we should not forget what is possible already. SMB over QUIC in Windows Server 2022 Datacenter: Azure Edition can be combined with Azure Files and Azure File Sync to expose all your data in Azure Files via SMB over QUIC. You can do the same on-premises when running Windows Server 2022 Datacenter: Azure Edition on Azure Stack HCI. It also allows for creative hybrid solutions. Via Azure File Sync, you can have all your on-premises file data stored and protected in Azure Files. By having Azure File Sync set up for Windows Server 2022 Datacenter: Azure Edition in Azure IaaS, you can expose all that file data, previously only available to on-premises clients over a VPN, safely over the internet via SMB over QUIC today. Look at the image below. In such a hybrid design, solutions built with Visuality Systems’ JNQ™ and YNQ™ libraries can access file data via SMB over QUIC from nearly any device!
On-premises, hybrid, or public cloud in Azure, Visuality Systems will add many more options for users, applications, and systems to consume file data via SMB over QUIC. As a result, just about any industry, from pharmaceutical to banking and insurance, over IoT and robotics in manufacturing and logistics, to autonomous systems, services/daemons, and end-users, can benefit from these solutions.
SMB over QUIC potential
There is a vast market and much potential for SMB over QUIC. However, developing and growing that market would be easier and faster if more SMB over QUIC clients were available. We need more clients within the Windows OS world and other platforms, especially mobile ones. That is precisely what Visuality Systems is offering. By doing so, they enable anyone to leverage SMB over QUIC in their applications and help grow that market. The only limit here is your imagination.
Just think about the possibilities for users and applications to access Azure file shares or file shares on Windows Server 2022 Datacenter: Azure Edition securely over the internet using SMB over QUIC. As we stated before, file shares are not dead. On the contrary, they are essential to many existing and new applications and solutions. For example, even containers, the development world’s current favorite poster child, leverage SMB file shares for access to the storage needed to persist data. Opening up that data via SMB over QUIC, securely but more conveniently, is precisely the aim and purpose of Visuality Systems’ products. In that sense, this is totally in line with Microsoft’s vision for SMB over QUIC. But even better, they are opening up SMB over QUIC beyond the limited number of supported Microsoft clients. They are the pioneers, blazing a path for others to use and create applications.