Is SMB safer than iSCSI for connection to a NAS?

Solution 1:

Any online writable disk can be corrupted by malicious software or a malicious user. Underestimating them by assuming they cannot find a file share is a mistake.

The last line of defense for important data is always tested, cold, offline backups. And in this case, the important data may include the backups themselves! Think about the possible ways to make backup archives impossible to change: removable media (tape); immutable cloud storage with credentials used only for backup; dedicating the NAS to backup and connecting nothing else to it; firewalling everything but the backup software ports; disabling file sharing.

Another control is allow-listing software, which significantly restricts running unknown things.

The context you provided indicates you have thought about this; explaining your use of the protocol is good. Think at a slightly higher level than this question and include in the response what protections exist in the business continuity plan.

  • When was the last backup restore test, did it meet the recovery point and recovery time objectives?
  • Has anyone proven the cold backups are not online and vulnerable, such as through a red team exercise?
  • When was the last time you had problems with ransomware, and what was done to improve technical or process controls?

Solution 2:

Leaving aside the question of iSCSI vulnerability when using it without a clustered file system but with multiple initiators, I can hardly find any clear reason why a file sharing protocol would be more secure in terms of ransomware compared to iSCSI. You get CHAP to strengthen authentication and IPsec to secure data transfer over the network. Here is a good overall read on why iSCSI: https://www.starwindsoftware.com/blog/complete-an-infrastructure-project-for-your-organization-with-iscsi-san

Otherwise, it is more a question of the backup server's overall security: having it separated from your main production environment, outside the domain, with a separate account (not domain admin), and so on. Anyway, if you manage to get ransomware onto the backup server, it won't matter much whether you are using, for example, an SMB share as a backup repository (https://helpcenter.veeam.com/docs/backup/vsphere/smb_share.html?ver=100) or iSCSI storage.
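The answer above points at CHAP as the authentication control iSCSI gives you. Whether it is actually turned on for a given initiator is a config question, so here is a small audit of an open-iscsi initiator configuration (iscsid.conf). This is an added example, not code from the answer's author or from StarWind or Veeam. It assumes open-iscsi's key names (discovery.sendtargets.auth.* and node.session.auth.*, with the *_in variants for mutual CHAP); both sample configs embedded below are constructed for the example, not taken from a real host, and the 12-byte minimum secret length is taken from RFC 3720's 96-bit recommendation. It checks CHAP only; whether the traffic is additionally wrapped in IPsec is not visible in this file.

```python
"""Audit an open-iscsi iscsid.conf for CHAP settings (added example)."""
from __future__ import annotations

# Constructed weak sample: discovery CHAP is left commented out (so it is
# effectively off), session CHAP is one-way only and uses a short secret.
WEAK_ISCSID_CONF = """\
# iscsid.conf (constructed sample, not from a real host)
iscsid.startup = /bin/systemctl start iscsid.socket
node.startup = automatic
#discovery.sendtargets.auth.authmethod = CHAP
node.session.auth.authmethod = CHAP
node.session.auth.username = backup01
node.session.auth.password = shortpw
node.conn[0].timeo.login_timeout = 15
"""

# Constructed hardened sample: CHAP for discovery and session, mutual
# (target also proves itself to the initiator), secrets of 16 characters.
HARDENED_ISCSID_CONF = """\
# iscsid.conf (constructed sample, not from a real host)
node.startup = automatic
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = backup01
discovery.sendtargets.auth.password = k3Vx9qLp2sRt7wZa
discovery.sendtargets.auth.username_in = nas-target
discovery.sendtargets.auth.password_in = Hf8nB4yT1cQm6dWe
node.session.auth.authmethod = CHAP
node.session.auth.username = backup01
node.session.auth.password = k3Vx9qLp2sRt7wZa
node.session.auth.username_in = nas-target
node.session.auth.password_in = Hf8nB4yT1cQm6dWe
"""


def parse_iscsid_conf(text: str) -> dict[str, str]:
    """Return key -> value for active (uncommented) 'key = value' lines."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_chap(settings: dict[str, str], min_secret_len: int = 12) -> list[str]:
    """Return a list of findings; an empty list means CHAP looks complete.

    Checks both the discovery (SendTargets) and the normal session login,
    because an initiator can have CHAP on one and not the other.
    """
    findings: list[str] = []
    scopes = (
        ("discovery", "discovery.sendtargets.auth"),
        ("session", "node.session.auth"),
    )
    for scope, prefix in scopes:
        # open-iscsi treats a missing authmethod as no authentication.
        method = settings.get(f"{prefix}.authmethod", "None")
        if method.upper() != "CHAP":
            findings.append(f"{scope}: authmethod is {method}; enable CHAP")
            continue
        # One-way CHAP: the initiator proves itself to the target.
        for suffix in ("username", "password"):
            if not settings.get(f"{prefix}.{suffix}"):
                findings.append(f"{scope}: CHAP enabled but {suffix} is missing")
        # Mutual CHAP: the target must also prove itself to the initiator.
        if not (settings.get(f"{prefix}.username_in")
                and settings.get(f"{prefix}.password_in")):
            findings.append(
                f"{scope}: one-way CHAP only; set username_in/password_in "
                "for mutual CHAP")
        secret = settings.get(f"{prefix}.password", "")
        if secret and len(secret) < min_secret_len:
            findings.append(
                f"{scope}: CHAP secret is {len(secret)} chars; "
                f"use at least {min_secret_len}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_ISCSID_CONF), ("hardened", HARDENED_ISCSID_CONF)):
        result = audit_chap(parse_iscsid_conf(conf))
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it against a real /etc/iscsi/iscsid.conf by reading the file into parse_iscsid_conf; per-node overrides under /etc/iscsi/nodes/ use the same key syntax and can be fed through the same parser. CHAP only authenticates the login and does not encrypt the data path, which is why the answer pairs it with IPsec.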


Solution 3:

Yes, any file-level network data access protocol is SAFER compared to a block one (iSCSI, FC, FCoE etc.) due to the inability to damage the volume through the "network redirector", which is super-easy to do with an improperly configured clustered file system or any local file system (EXT3/4, ReFS, XFS etc.). The whole story is covered well here:

https://forums.starwindsoftware.com/viewtopic.php?f=5&t=1392