Kerberos security has been around since the 1980s, but many people are still unfamiliar with how Kerberos works, where it's used and how it may help improve security for users of network attached storage
- Provides "single sign on" for network resources.
- Provides strong authentication services for client/server applications by using key based authentication services rather than passing clear or encrypted passwords over the network.
- Provides a centralized security mechanism for network access.
Kerberos is used only for network-level security, and does NOT provide a mechanism to protect the actual stored files. Operating system level permissions are still required to control access to files. When a user logs onto a network that uses Kerberos security, that user is understood to be a trusted user, and uses that login credential to access all resources the user was granted. Kerberos is now the default network security mechanism used for Windows 2000 and 2003 active directory running in native mode. Traditional NTLM security (which is less secure) is used for "mixed-mode" security to support legacy Windows NT servers.
When using Kerberos security, passwords are never transmitted over the network. Instead, users contact the Active Directory, a Kerberos server or the Kerberos Key Distribution Center (KDC) service, which stores and retrieves all information about security. Clients requesting access to services on another computer, such as a NAS share, contact the KDC directly to obtain their session credentials -- or "ticket" -- to gain access permissions to the network resource.
Windows CIFS-based NAS Resources
If you are using Windows XP to access a NAS share on a Windows server that is using native mode active directory security, then you are probably using Kerberos without even knowing about it. If your network uses "mixed mode" security to provide backward compatibility for Windows NT networks, then you may be using the older and less secure CHAP protocol. If your NAS storage provider allows native active directory integration for security, then they should provide Kerberos security by default.
Unix-based NFS NAS resources
Unix NFS-based NAS resources are a different story. Unless your NAS provider uses NFSV4, it may not be integrated with Kerberos security. Although NFS versions 2 and 3 support Kerberos (version 2 supports Kerberos version 4, while NFSV3 and NFSV4 support Kerberos version 5), they must be integrated with an existing Kerberos server. Also, you need to make sure that your Unix clients (Linux, Solaris, HP-UX, AIX, Tru64, etc.) also support integrated Kerberos security. Contact your NAS provider to find out which Unix clients they support using Kerberos security.
Integrating Kerberos security for access to NAS resources provides an added layer of protection that assures users accessing the network are trusted. Since Kerberos uses keys rather than passwords, network resources are more secure. Kerberos may already be in place for Windows CIFS shares using native mode active directory security. NFS NAS shares need to be integrated with a Unix-based Kerberos server. For more information, visit this MIT Web site about Kerberos.
Do you know...
About the author: Christopher Poelker is the co-author of SAN for Dummies.
This was first published in August 2006