SAN/NAS UPDATE

Kerberos and its place in NAS authentication


Christopher Poelker
08.02.2006

NAS security tip: NAS environments can benefit from the use of Kerberos.

Kerberos security has been around since the 1980s, but many people are still unfamiliar with how Kerberos works, where it's used and how it may help improve security for users of network attached storage (NAS) resources.

Kerberos, named after the three-headed dog that guarded the gates to Hades in Greek mythology, was developed as a security project at MIT during the 1980s to help improve network security. Early password authentication and access control lists helped provide security for data within a machine, but sending passwords over a network as clear text to access remote resources was not secure, since they could be "sniffed" or "hacked" by malicious users.

Kerberos authentication:

  • Provides "single sign on" for network resources.
  • Provides strong authentication services for client/server applications by using key-based authentication services rather than passing clear or encrypted passwords over the network.
  • Provides a centralized security mechanism for network access.

Kerberos is used only for network-level security, and does NOT provide a mechanism to protect the actual stored files. Operating system level permissions are still required to control access to files. When a user logs onto a network that uses Kerberos security, that user is understood to be a trusted user, and uses that login credential to access all resources the user was granted. Kerberos is now the default network security mechanism used for Windows 2000 and 2003 Active Directory running in native mode. Traditional NTLM security (which is less secure) is used for "mixed-mode" security to support legacy Windows NT servers.

When using Kerberos security, passwords are never transmitted over the network. Instead, users contact the Active Directory, a Kerberos server or the Kerberos Key Distribution Center (KDC) service, which stores and retrieves all information about security. Clients requesting access to services on another computer, such as a NAS share, contact the KDC directly to obtain their session credentials -- or "ticket" -- to gain access permissions to the network resource.

Windows CIFS-based NAS Resources

If you are using Windows XP to access a NAS share on a Windows server that is using native-mode Active Directory security, then you are probably using Kerberos without even knowing about it. If your network uses "mixed mode" security to provide backward compatibility for Windows NT networks, then you may be using the older and less secure CHAP protocol. If your NAS storage provider allows native Active Directory integration for security, then they should provide Kerberos security by default.

Unix-based NFS NAS resources

Unix NFS-based NAS resources are a different story. Unless your NAS provider uses NFSv4, it may not be integrated with Kerberos security. Although NFS versions 2 and 3 support Kerberos (version 2 supports Kerberos version 4, while NFSv3 and NFSv4 support Kerberos version 5), they must be integrated with an existing Kerberos server. Also, you need to make sure that your Unix clients (Linux, Solaris, HP-UX, AIX, Tru64, etc.) also support integrated Kerberos security. Contact your NAS provider to find out which Unix clients they support using Kerberos security.
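On a Linux client, one way to check whether NFS shares are actually mounted with Kerberos is to read the `sec=` mount option from the mount table. The following is an added example, not part of the original tip; the sample lines are constructed in the `/proc/mounts` format, and the filer names and paths are hypothetical.

```python
# Constructed sample in /proc/mounts format (device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS = """\
filer01:/export/home /mnt/home nfs4 rw,relatime,vers=4.1,sec=krb5p,proto=tcp 0 0
filer01:/export/scratch /mnt/scratch nfs rw,vers=3,sec=sys,proto=tcp 0 0
filer02:/export/archive /mnt/archive nfs4 ro,vers=4.0,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

# NFS security flavors that use Kerberos 5.
KRB_FLAVORS = {
    "krb5": "Kerberos authentication",
    "krb5i": "Kerberos authentication with integrity checking",
    "krb5p": "Kerberos authentication with integrity and encryption",
}

def audit_nfs_mounts(mounts_text):
    """Return one finding per NFS mount; 'kerberos' is True only when the
    mount line explicitly shows a krb5* security flavor."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue                          # skip malformed lines and non-NFS filesystems
        # "vers=4.1" -> ("vers", "4.1"); a bare flag such as "rw" -> ("rw", "")
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        sec = opts.get("sec", "unspecified")
        findings.append({
            "mountpoint": fields[1],
            "vers": opts.get("vers", "?"),
            "sec": sec,
            "kerberos": sec in KRB_FLAVORS,
        })
    return findings

if __name__ == "__main__":
    for f in audit_nfs_mounts(SAMPLE_MOUNTS):
        status = KRB_FLAVORS.get(f["sec"], "NOT Kerberos-protected")
        print(f'{f["mountpoint"]:14} vers={f["vers"]:4} sec={f["sec"]:12} {status}')
```

To audit a live client, pass the contents of `/proc/mounts` to `audit_nfs_mounts` instead of the sample text.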

Integrating Kerberos security for access to NAS resources provides an added layer of protection that assures users accessing the network are trusted. Since Kerberos uses keys rather than passwords, network resources are more secure. Kerberos may already be in place for Windows CIFS shares using native-mode Active Directory security. NFS NAS shares need to be integrated with a Unix-based Kerberos server. For more information, visit this MIT Web site about Kerberos.


About the author: Christopher Poelker is the co-author of SAN for Dummies.

