H17856
Technical White Paper
Dell EMC Isilon: SMB 3 Encryption in Healthcare
Abstract
This document evaluates the performance of SMB 3 encryption and network-attached Dell EMC™ Isilon™ storage in healthcare environments.
July 2019
Revisions
Date Description
July 2019 Initial release
Acknowledgements
Author: James Fleming
The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this
publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its
subsidiaries. Other trademarks may be trademarks of their respective owners. [7/11/2019] [Technical White Paper] [H17856]
Table of contents
Revisions
Acknowledgements
Table of contents
Executive summary
1 Solution overview
2 Encryption configuration
2.1.1 Encryption of all shares
2.1.2 Encryption of a single share
2.1.3 Validate encryption
3 Testing
4 Results
A Technical support and resources
Executive summary
Securing patient information is a top requirement for every healthcare entity. Most healthcare technology
solution vendors seek to leverage secure, reliable methods of transferring data from server-to-server or
server-to-client. SMB 3.0 provides a solution which encrypts data between devices to directly address this
concern.
This document evaluates the performance of SMB 3 encryption and network-attached Dell EMC™ Isilon™
storage. It validates that encryption on shared storage has minimal impact on performance and availability. It
also includes test results with SMB 3.0 technology and a discussion of the increased overhead it can add to
data transfers.
The comprehensive testing of the SMB 3 encryption and Isilon configuration shows that this solution is ready
and future-proofed for high-volume production environments operated by healthcare providers. The tests
show acceptable performance and utilization results for the additional security that SMB 3 encryption offers.
With the results of these tests, healthcare technology partners can recognize the enhanced security of clinical
content that moves through Dell EMC solutions.
1 Solution overview
In this document, SMB 3.0 testing was performed on a single host running VMware® ESXi™ 6.5. The host is
a 4-socket server using Intel® Xeon® E7 4870, 2.40GHz, 10-core CPUs with 150 GB of RAM. This server is
connected to the network through a single 10 GB link.
Two servers were created on the host with the same specifications. One server hosted Microsoft® Windows
Server® 2012 and the other hosted Windows Server 2016. Both servers were configured with 8 vCPUs and
32 GB of RAM. Both OS versions were loaded on the same datastore using 300 GB of capacity.
The dataset was designed to represent a normal image load for a healthcare environment. The dataset was a
single directory with 100,000 files, with a file size of 127 K. This testing was not used to measure the
performance of each Isilon system, but tested the additional time required when using SMB 3 encryption.
Details for the Isilon systems are as follows:
• H500: 4U-Single-128GB-1x1GE-2x10GE SFP+-30TB-1638GB SSD
  - 4 nodes
  - OneFS v8.1.2
• H400: 4U-Single-64GB-1x1GE-2x10GE SFP+-30TB-1638GB SSD
  - 4 nodes
  - OneFS v8.1.2
• A200: 4U-Single-16GB-2x1GE-2x10GE SFP+-30TB-400GB SSD
  - 4 nodes
  - OneFS v8.1.2
• A2000: 4U-Single-16GB-2x1GE-2x10GE SFP+-200TB-800GB SSD
  - 4 nodes
  - OneFS v8.1.2
[Figure: test topology. A VMware v6.5 host running the Windows Server 2012 and Windows Server 2016 servers (8 vCPU/32 GB each), connected over 10Gb to the H400, H500, A200 and A2000 systems.]
Each Isilon system was configured with two SMB shares for each server. One share was for encrypted data
and the other share was for unencrypted data. Each share was then shared between the Isilon cluster and the
server, and the encrypted share was configured on the Isilon system. Isilon clusters were left in their default
configurations; there were no modifications done to the Isilon clusters for this testing.
2 Encryption configuration
Isilon storage supports encryption of all SMB shares or a single SMB share. For the testing performed,
encryption of a single share was used. This section covers configuration steps for both types of encryption.
2.1.1 Encryption of all shares
To apply encryption to all shares, perform the following:
isi smb settings shares modify --smb3-encryption-enabled=yes
To check that encryption is set to all shares, use the following command:
isi smb settings shares view
Verify that Smb3 Encryption Enabled is set to Yes. When encryption is set on a single share only, this setting remains No. The output is as follows:
ilab-isilon05-1# isi smb settings shares view
Access Based Enumeration: No
Access Based Enumeration Root Only: No
Allow Delete Readonly: No
Allow Execute Always: No
Ca Timeout: 120
Strict Ca Lockout: Yes
Ca Write Integrity: write-read-coherent
Change Notify: norecurse
Create Permissions: default acl
Directory Create Mask: 0700
Directory Create Mode: 0000
File Create Mask: 0700
File Create Mode: 0100
File Filtering Enabled: No
File Filter Extensions: -
File Filter Type: deny
Hide Dot Files: No
Host ACL: -
Impersonate Guest: never
Impersonate User: -
Mangle Byte Start: 0XED00
Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1
Ntfs ACL Support: Yes
Oplocks: Yes
Smb3 Encryption Enabled: Yes
Strict Flush: Yes
Strict Locking: No
2.1.2 Encryption of a single share
Under Protocols in OneFS, create an SMB share, then enable encryption on it with the following command. In this example, the share name is smb.
isi smb shares modify smb --smb3-encryption-enabled=true
To confirm, use the following command:
isi smb shares view smb
Verify SMB3 encryption enabled is set to Yes. The output is as follows:
ilab-isilon05-1# isi smb shares view smb
Share Name: smb
Path: /ifs/data/smb
Description:
Client-side Caching Policy: manual
Automatically expand user names or domain names: False
Automatically create home directories for users: False
Browsable: True
Permissions:
Account   Type       Run as Root  Permission Type  Permission
----------------------------------------------------------------
jim       user       False        allow            full
Everyone  wellknown  False        allow            read
----------------------------------------------------------------
Total: 2
Access Based Enumeration: No
Access Based Enumeration Root Only: No
Allow Delete Readonly: No
Allow Execute Always: No
Ca Timeout: 120
Continuously Available: No
Strict Ca Lockout: Yes
Ca Write Integrity: write-read-coherent
Change Notify: norecurse
Create Permissions: default acl
Directory Create Mask: 0700
Directory Create Mode: 0000
File Create Mask: 0700
File Create Mode: 0100
File Filtering Enabled: No
File Filter Extensions: -
File Filter Type: deny
Hide Dot Files: No
Host ACL: -
Impersonate Guest: never
Impersonate User: -
Mangle Byte Start: 0XED00
Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1
Ntfs ACL Support: Yes
Oplocks: Yes
Smb3 Encryption Enabled: Yes
Strict Flush: Yes
Strict Locking: No
2.1.3 Validate encryption
After setting up the share on the server, verify that the share is encrypted by running the following PowerShell command on the server. Locate the share that was created in the list and then verify encryption is set to yes.
Get-SmbConnection | Select-Object -Property *
This command lists every share the server is connected to. Verify that Encrypted is set to True for all encrypted shares. The output is as follows:
SmbInstance           : Default
ContinuouslyAvailable : False
Credential            : ILAB-WIN2K12-01\jim
Dialect               : 3.02
Encrypted             : True
NumOpens              : 1
Redirected            : False
ServerName            : ilab-isilon05.hc.ilab.lab.emc.com
ShareName             : smb
UserName              : ILAB-WIN2K12-01\Administrator
PSComputerName        :
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties
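A scripted form of the validation step above, as an added example that is not part of the original white paper: it evaluates objects shaped like Get-SmbConnection output and marks any connection that negotiated a dialect below 3.0 or is not encrypted. The function name Test-SmbConnectionEncryption and the second and third sample connections are constructed for illustration.

```powershell
# Added example (not from the white paper). Evaluates objects shaped like
# Get-SmbConnection output: ServerName, ShareName, Dialect, Encrypted.
function Test-SmbConnectionEncryption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Connection
    )
    process {
        # Dialect is a string such as "2.1" or "3.02"; [version] compares it numerically.
        $dialect = [version]$Connection.Dialect
        $reason = if ($dialect -lt [version]'3.0') {
            'Dialect below 3.0: SMB 3 encryption cannot be negotiated'
        } elseif (-not $Connection.Encrypted) {
            'SMB 3 negotiated but the connection is not encrypted'
        } else {
            $null
        }
        [pscustomobject]@{
            ServerName = $Connection.ServerName
            ShareName  = $Connection.ShareName
            Dialect    = $Connection.Dialect
            Encrypted  = [bool]$Connection.Encrypted
            Compliant  = ($null -eq $reason)
            Reason     = $reason
        }
    }
}

# Constructed sample input: the first entry mirrors the output shown above,
# the other two are invented for illustration.
$sample = @(
    [pscustomobject]@{ ServerName = 'ilab-isilon05.hc.ilab.lab.emc.com'; ShareName = 'smb'; Dialect = '3.02'; Encrypted = $true }
    [pscustomobject]@{ ServerName = 'ilab-isilon05.hc.ilab.lab.emc.com'; ShareName = 'smb-unencrypted'; Dialect = '3.02'; Encrypted = $false }
    [pscustomobject]@{ ServerName = 'nas.example.test'; ShareName = 'legacy'; Dialect = '2.1'; Encrypted = $false }
)
$sample | Test-SmbConnectionEncryption | Format-Table -AutoSize

# On a live client, feed the real cmdlet into the same function:
# Get-SmbConnection | Test-SmbConnectionEncryption | Where-Object { -not $_.Compliant }
```

Checking the negotiated Dialect alongside Encrypted matters because the share setting on the Isilon side only takes effect for clients that actually negotiate SMB 3.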
3 Testing
The same testing was performed from each server, separately, and no other tests were running on the
servers or Isilon systems involved. The testing was designed to log into each Isilon system using SSH and
clear the cache. When the cache was cleared, 100,000 files were transferred from the server to the Isilon
system and deleted from the local server. When the transfer was complete, the cache was cleared again, and
the same files transferred back to the server and deleted from the Isilon system. This was completed on both
the encrypted and unencrypted shares mounted on the Isilon system. This was performed on each Isilon
system and repeated five times to calculate an average.
Testing was performed on both Windows Server 2012 and Windows Server 2016 to show the improvements
at the operating system as well as the SMB stack. The testing has proved SMB 3 encryption has less
overhead when used with Windows Server 2016.
The following script was used:
# Run the full test cycle five times so the results can be averaged.
$i=0
while($i -lt 5)
{
    cd c:\scripts\cloudpools
    # Lab placeholder credential; -AcceptKey accepts each host key without prompting.
    $user = "root"
    $pass = ConvertTo-SecureString -String "password" -AsPlainText -Force
    $creds = new-object -typename System.Management.Automation.PSCredential -argumentlist $user,$pass
    # One SSH session per Isilon system; the sessions are addressed below as index 0-3.
    New-SSHSession -ComputerName 10.228.92.85 -Credential $creds -acceptkey:$true # H400
    New-SSHSession -ComputerName 10.228.93.17 -Credential $creds -acceptkey:$true # H500
    New-SSHSession -ComputerName 10.228.93.22 -Credential $creds -acceptkey:$true # A200
    New-SSHSession -ComputerName 10.228.92.20 -Credential $creds -acceptkey:$true # a2000

    # For each mapped share: flush the cache, copy the dataset to the share and delete
    # the local copy, then flush again, copy it back and delete it from the share.
    # H400
    Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r y:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy y:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item y:\121r -recurse
    Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r z:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy z:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item z:\121r -recurse

    # H500
    Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r w:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy w:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item w:\121r -recurse
    Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r x:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy x:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item x:\121r -recurse

    # A200
    Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r u:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy u:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item u:\121r -recurse
    Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r v:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy v:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item v:\121r -recurse

    # A2000
    Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r s:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy s:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item s:\121r -recurse
    Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy E:\121r t:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item e:\121r -recurse
    Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
    robocopy t:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
    Remove-Item t:\121r -recurse

    # Close the SSH sessions before the next iteration reopens them.
    Remove-SSHSession -Index 0
    Remove-SSHSession -Index 1
    Remove-SSHSession -Index 2
    Remove-SSHSession -Index 3
    $i++
}
4 Results
This section includes the results of testing on both Windows Server 2012 and Windows Server 2016.
When reading these results, keep in mind that this is the additional time required to handle the encryption.
As an example, if it takes 3.0 seconds to write 100,000 images on an Isilon H500 cluster, with SMB
encryption it would take 3.39 seconds. If it was an Isilon A200 cluster, the same data may take 5.0 seconds,
and with encryption it would take 5.4 seconds.
The testing also proved the advantages of protecting healthcare information by using SMB encryption with
Windows Server 2016 and the reduced overhead associated with encryption. For customers looking to
implement SMB 3 encryption, the efficiencies found in Windows Server 2016 are yet another compelling
reason to upgrade.
SMB3 encryption overhead on Windows Server 2012 and 2016 (percentage)

               100K files to Isilon (Write)     100K files from Isilon (Read)
               H400   H500   A200   A2000       H400   H500   A200   A2000
Windows 2012   22%    32%    13%    13%         31%    28%    25%    23%
Windows 2016   12%    13%    8%     8%          23%    19%    17%    17%
A Technical support and resources
Dell.com/support is focused on meeting customer needs with proven services and support.
Storage technical documents and videos provide expertise that helps to ensure customer success on Dell
EMC storage platforms.