Securely Optimize SMB Traffic with the Riverbed WinSec Controller

Server Message Block (SMB) traffic is a very common type of network traffic in most organizations, and it’s one of the most common types optimized by Riverbed’s application acceleration technology. For years we’ve been able to ensure optimal delivery of SMB traffic using our SteelHead WAN Optimization solution. However, dealing with SMB in a Windows domain poses some problems.

A security and administrative problem

SMB optimization requires the server-side SteelHead to interact with the domain controller as a Tier 0 device. Many domain admins consider this a security and operational concern.

The Microsoft Active Directory Administrative Tier Model (recently renamed the Enterprise Access Model) is used to organize domain elements. The framework is made up of three tiers:

• Tier 0 is made up of the most valued and secure elements of a Windows domain. Normally these are domain controllers, ADFS, and the organization’s PKI.
• Tier 1 devices are domain-joined servers and domain admin accounts with reduced privileges. These could be application and database servers, but they could also be a variety of cloud services as well.
• Tier 2 is comprised of the remaining domain-joined elements such as workstations and user accounts. Tier 2 elements are considered the least secure and by extension the least valuable in the operation of the domain.

For SMB optimization to function, the SteelHead appliance needs to interact with the domain controller as a Tier 0 device right alongside domain controllers.

SMB optimization also requires the SteelHead to use the replication user account to communicate with the domain controller. The replication user account has elevated privileges within a Windows domain compared to standard user and computer accounts or mundane utility accounts. It’s not best practice for a network device to use this type of account, especially when that device isn’t managed by domain administrators.

This leads to our second problem.

A SteelHead appliance is normally managed by the network operations team, not domain administrators.

This poses a problem for the overall IT operational workflow. Normally, Tier 0 devices are managed by domain administrators.

The solution

Riverbed solves these problems by introducing a proxy in between the domain controller and SteelHead appliance.

The WinSec Controller is a completely dedicated, non-network appliance that interacts with the domain controller as a Tier 0 entity. It isn’t used for unrelated daily network operations tasks, and it’s meant to be managed by a domain administrator.

To optimize SMB, the SteelHead intercepts the authorization request the client computer makes to the file server. Then the SteelHead interacts with the domain controller as a Tier 0 device using the replication user account to retrieve the server key from the file server. With the server key, the SteelHead can decrypt the user session key, the SMB flow, and ultimately optimize the traffic.

Sitting between the SteelHead appliance and the domain controller, the WinSec Controller proxies requests and responses between the server-side SteelHead and the domain controller. And, to secure communication between server-side SteelHead and the WinSec Controller, we use a standard IPsec tunnel.

Currently, the WinSec Controller has a physical form factor only, though there are plans to develop a virtual deployment option with complete feature parity.

SteelHead WAN Optimization appliances are the cornerstone of SMB traffic optimization. However, maintaining proper operational, administrative, and security workflows is also extremely important. The WinSec Controller gives us the opportunity to accommodate our Windows, systems, and security teams while at the same time providing the same level of optimization we’ve benefited from for years.

Watch the video below to learn more about Riverbed’s WinSec Controller solution.