Network Attached Storage​

HNAS 13.9 introduced SMB-client-barring, a list where clients are automatically added if they generated enough unauthenticated requests to HNAS. Why is this functionality needed?

Other NAS products out there do not seem to have a need of similar blocking in place.
 

------------------------------
Abhishek Saxena
Systems Engineer
S&P Global Market Intelligence
------------------------------

Hi

I have the same question. Why is this really needed ? ( security ? , performance ?... maybe some sites
have so much bad pw activity that it consumes resources and saps performance ? )

Last month I wasted a day battling a "mystery problem" where all users on an important host
( a large Terminal server ) were un-able to access the NAS.

The cause of the "mystery problem" ( partial service outage ) was the new on-by-default "auto barring" feature.

Most of the auto-bars I have seen have been legit ( broken clients ...etc ) ;however,
it appears that multi-user terminal servers are frequent accidental ( not legit ) auto-bars.

Currently, I believe that the trigger for barring is:
"If , from a given IP Address, there are 21 bad logon attempts within 2 seconds,
THEN, that IP Address will be barred. "

The thresholds of this can be tuned ; however, this can be problematic since
de-sensitizing "auto-barring" to prevent non-legit auto-bars also
prevents legit "auto-bars".

The "auto-bar" feature needs a "do not bar" list .
It should be possible to add the following to the "do not bar" list
- IP Addresses
-IP Address ranges ( 142.205.0.0/16 .... etc )
- host names

The "auto-bar" feature also needs an auto-clear feature so that when the client-side issue is
resolved the bar is removed after N hours. ( the NAS admin should not have to babysit
this feature and be forced to manually remove the "bars" )

There may be an actual good reason for implementing this feature; however,
having it active-by-default was probably not a good idea since it results
in , partial, service outages. As currently implemented the feature causes some disruption
and causes some extra work for NAS admins.

Thanks

Andy






>
Original Message-----
> From: Abhishek Saxena via Hitachi Vantara <mail@connectedcommunity.org>
>

> HNAS 13.9 introduced SMB-client-barring, a list where clients are automatically added if they generated enough unauthenticated
> requests to HNAS. Why is this functionality needed?
>
> Other NAS products out there do not seem to have a need of similar blocking in place.
>
>

Also HNAS seems to be the only NAS solution out there implementing this. We have several DELL EMC NAS, along with few NetApps and Nasuni NAS. None of them seems to have this feature.
I understand there could be technical reasons behind this implementation with HNAS, but other systems seem to be handing this with a better implementation. Not sure how though?

------------------------------
Abhishek Saxena
Systems Engineer
S&P Global Market Intelligence
------------------------------

Original Message:
Sent: 05-16-2023 16:36
From: Andrew Romero
Subject: Why does HNAS need SMB-Client-Barring whereas other products in Market do not seem to have a need of the same functionality?

Hi

I have the same question. Why is this really needed ? ( security ? , performance ?... maybe some sites
have so much bad pw activity that it consumes resources and saps performance ? )

Last month I wasted a day battling a "mystery problem" where all users on an important host
( a large Terminal server ) were un-able to access the NAS.

The cause of the "mystery problem" ( partial service outage ) was the new on-by-default "auto barring" feature.

Most of the auto-bars I have seen have been legit ( broken clients ...etc ) ;however,
it appears that multi-user terminal servers are frequent accidental ( not legit ) auto-bars.

Currently, I believe that the trigger for barring is:
"If , from a given IP Address, there are 21 bad logon attempts within 2 seconds,
THEN, that IP Address will be barred. "

The thresholds of this can be tuned ; however, this can be problematic since
de-sensitizing "auto-barring" to prevent non-legit auto-bars also
prevents legit "auto-bars".

The "auto-bar" feature needs a "do not bar" list .
It should be possible to add the following to the "do not bar" list
- IP Addresses
-IP Address ranges ( 142.205.0.0/16 .... etc )
- host names

The "auto-bar" feature also needs an auto-clear feature so that when the client-side issue is
resolved the bar is removed after N hours. ( the NAS admin should not have to babysit
this feature and be forced to manually remove the "bars" )

There may be an actual good reason for implementing this feature; however,
having it active-by-default was probably not a good idea since it results
in , partial, service outages. As currently implemented the feature causes some disruption
and causes some extra work for NAS admins.

Thanks

Andy






>
Original Message-----
> From: Abhishek Saxena via Hitachi Vantara <mail@connectedcommunity.org>
>

> HNAS 13.9 introduced SMB-client-barring, a list where clients are automatically added if they generated enough unauthenticated
> requests to HNAS. Why is this functionality needed?
>
> Other NAS products out there do not seem to have a need of similar blocking in place.
>
>