Is SMB safer than iSCSI for connection to a NAS?
Recently one of our customers undertook an IT network audit from another (third party) IT audit firm. The results were generally good, although they pointed out that we had used iSCSI client on Windows Server as a means of connecting to the NAS, instead of creating an SMB share on the NAS. They suggested this was a bad idea:
"There is [also] a security risk with iSCSI and Ransomware attacks, where illicit encryption can be undertaken to the iSCSI disk leaving data unreadable. From a security perspective it is advised to retire this method of data sharing and adopt a share approach."
What do they mean by this? Is it referring to the fact that iSCSI operates on a lower OSI layer (session) than SMB does (application), and an iSCSI disk presents to the application layer the same way as a locally attached disk does, therefore easier to compromise?
If so, is that correct?
I am not an security forensics expert, although our work is often forensic in nature. My understanding is that ransomware is just as likely to attack data on an SMB share accessible to a given Win machine as it would be to attack an iSCSI disk.
Is my understanding correct, or have I missed something?
Additional context to the question
-
CHAP password is set on the iSCSI server, so I would presume the point they are making is related to a compromise of the Win Server that has the iSCSI client installed.
-
Only one iSCSI client is ever connected, and very strong "cyber hygiene" is adopted to ensure this password is not at any point entered into any other server or machine on or off the network.
-
Generally, our preference is to stick with iSCSI for making NAS disks available to the Windows Server We have found that when Windows takes care of the file system, we don't have any problems with advanced access control entries (ACEs) within the DACL. For example QNAP's implementation has in the past been buggy in relation to ACE ordering which can be problematic. We also found a bug with setting CONTAINER_INHERIT_ACE on child objects (communicated to QNAP, but to this day never resolved). This point is not strictly relevant to this question, but provides some context for why we prefer iSCSI.
-
Contrary to my above point, in the case of this particular customer, the iSCSI attached disk in question is formatted with ReFS, because it's used as a Veeam backup store. Although not technically required, Veeam recommends the use of ReFS over NTFS for performance reasons so we tend to prefer this option. (Here is a good article explaining ReFS vs NTFS for backup.) These gains are only possible if we use iSCSI, not if we moved the NAS to SMB.
-
I have read around this subject already a little bit, and have not been able to find any supporting evidence that iSCSI is more subject to ransomware than connecting over a network share, however I remain open-minded.
Any online writable disk can be corrupted by a malicious software or user. Underestimating them by assuming they cannot find a file share is a mistake.
Last line of defense for important data is always tested, cold offline backups. And in this case, the important data may include backups themselves! Think about the possible ways to make backup archives impossible to change. Removable media (tape), immutable cloud storage with credentials only used for backup, dedicate the NAS to backup and don't connect anything else, firewall everything but the backup software ports, disable file sharing.
Another control is allow listing software, significantly restricting running unknown things.
Context you provided indicates you have thought about this, explaining your use of the protocol is good. Think a bit higher level than this question and include in the response what protections exist in the business continuity plan.
- When was the last backup restore test, did it meet the recovery point and recovery time objectives?
- Has anyone proven the cold backups are not online and vulnerable, such as through a red team exercise?
- When was the last time you had problems with ransomware, and what was done to improve technical or process controls?
Leaving the question of iSCSI vulnerability when using it without a clustered file system but with multiple initiators aside, I can hardly find any clear reason why file sharing protocol would be more secure in terms of ransomware comparing to iSCSI. You get CHAP to strengthen authentication and IPSec to secure data transfer over the network. Here is a good overall reading of why iSCSI: https://www.starwindsoftware.com/blog/complete-an-infrastructure-project-for-your-organization-with-iscsi-san
Otherwise, it is more a question of backup server overall security like having it separated from your main production environment, outside the domain and with a separate account (not domain admin) and so on. Anyway, if you manage to get ransomware to the backup server, it won’t matter much if you are using, for example, SMB share as a backup repository (https://helpcenter.veeam.com/docs/backup/vsphere/smb_share.html?ver=100) or an iSCSI storage.