Dell EMC Isilon: SMB 3 Encryption in Healthcare

H17856

Technical White Paper

Abstract: This document evaluates the performance of SMB 3 encryption and network-attached Dell EMC™ Isilon™ storage in healthcare environments.

July 2019

Revisions

Date Description

July 2019 Initial release

Acknowledgements

Author: James Fleming

The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any software described in this publication requires an applicable software license.

Copyright © 2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [7/11/2019] [Technical White Paper] [H17856]

Table of contents

Revisions
Acknowledgements
Table of contents
Executive summary
1 Solution overview
2 Encryption configuration
2.1.1 Encryption of all shares
2.1.2 Encryption of a single share
2.1.3 Validate encryption
3 Testing
4 Results
A Technical support and resources

Executive summary

Securing patient information is a top requirement for every healthcare entity. Most healthcare technology solution vendors seek to leverage secure, reliable methods of transferring data from server-to-server or server-to-client. SMB 3.0 provides a solution which encrypts data between devices to directly address this concern.

This document evaluates the performance of SMB 3 encryption and network-attached Dell EMC™ Isilon™ storage. It validates that encryption on shared storage has minimal impact on performance and availability. It also includes test results with SMB 3.0 technology and a discussion of the increased overhead it can add to data transfers.

The comprehensive testing of the SMB 3 encryption and Isilon configuration shows that this solution is ready and future-proofed for high-volume production environments operated by healthcare providers. The tests show acceptable performance and utilization results for the additional security that SMB 3 encryption offers. With the results of these tests, healthcare technology partners can recognize the enhanced security of clinical content that moves through Dell EMC solutions.

1 Solution overview

In this document, SMB 3.0 testing was performed on a single host running VMware® ESXi™ 6.5. The host is a 4-socket server using Intel® Xeon® E7 4870, 2.40GHz, 10-core CPUs with 150 GB of RAM. This server is connected to the network through a single 10 GB link.

Two servers were created on the host with the same specifications. One server hosted Microsoft® Windows Server® 2012 and the other hosted Windows Server 2016. Both servers were configured with 8 vCPUs and 32 GB of RAM. Both OS versions were loaded on the same datastore using 300 GB of capacity.

The dataset was designed to represent a normal image load for a healthcare environment. The dataset was a single directory with 100,000 files, with a file size of 127 K. This testing was not used to measure the performance of each Isilon system, but tested the additional time required when using SMB 3 encryption.

Details for the Isilon systems are as follows:

• H500: 4U-Single-128GB-1x1GE-2x10GE SFP+-30TB-1638GB SSD
  - 4 nodes
  - OneFS v8.1.2

• H400: 4U-Single-64GB-1x1GE-2x10GE SFP+-30TB-1638GB SSD
  - 4 nodes
  - OneFS v8.1.2

• A200: 4U-Single-16GB-2x1GE-2x10GE SFP+-30TB-400GB SSD
  - 4 nodes
  - OneFS v8.1.2

• A2000: 4U-Single-16GB-2x1GE-2x10GE SFP+-200TB-800GB SSD
  - 4 nodes
  - OneFS v8.1.2

[Figure: test environment. A VMware v6.5 host (Intel Xeon E7 4870, 2.40 GHz) runs Microsoft Windows Server 2012 (8 vCPU/32 GB) and Microsoft Windows Server 2016 (8 vCPU/32 GB), connected over 10Gb to the H400, H500, A200 and A2000 systems.]

Each Isilon system was configured with two SMB shares for each server. One share was for encrypted data and the other share was for unencrypted data. Each share was then shared between the Isilon cluster and the server, and the encrypted share was configured on the Isilon system. Isilon clusters were left in their default configurations; there were no modifications done to the Isilon clusters for this testing.

2 Encryption configuration

Isilon storage supports encryption of all SMB shares or a single SMB share. For the testing performed, encryption of a single share was used. This section covers configuration steps for both types of encryption.

2.1.1 Encryption of all shares

To apply encryption to all shares, perform the following:

    isi smb settings shares modify --smb3-encryption-enabled=yes

To check that encryption is set to all shares, use the following command:

    isi smb settings shares view

Verify that Smb3 Encryption Enabled is set to Yes. When encryption is set only on a single share, this global setting remains No. The output is as follows:

    ilab-isilon05-1# isi smb settings shares view
    Access Based Enumeration: No
    Access Based Enumeration Root Only: No
    Allow Delete Readonly: No
    Allow Execute Always: No
    Ca Timeout: 120
    Strict Ca Lockout: Yes
    Ca Write Integrity: write-read-coherent
    Change Notify: norecurse
    Create Permissions: default acl
    Directory Create Mask: 0700
    Directory Create Mode: 0000
    File Create Mask: 0700
    File Create Mode: 0100
    File Filtering Enabled: No
    File Filter Extensions: -
    File Filter Type: deny
    Hide Dot Files: No
    Host ACL: -
    Impersonate Guest: never
    Impersonate User: -
    Mangle Byte Start: 0XED00
    Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1
    Ntfs ACL Support: Yes
    Oplocks: Yes
    Smb3 Encryption Enabled: Yes
    Strict Flush: Yes
    Strict Locking: No

2.1.2 Encryption of a single share

Under Protocols in OneFS, create an SMB share, then run the following command to enable encryption on it. In this example, the share name is smb.

    isi smb shares modify smb --smb3-encryption-enabled=true

To confirm, use the following command:

    isi smb shares view smb

Verify that Smb3 Encryption Enabled is set to Yes. The output is as follows:

    ilab-isilon05-1# isi smb shares view smb
    Share Name: smb
    Path: /ifs/data/smb
    Description:
    Client-side Caching Policy: manual
    Automatically expand user names or domain names: False
    Automatically create home directories for users: False
    Browsable: True
    Permissions:
    Account   Type       Run as Root  Permission Type  Permission
    ----------------------------------------------------------------
    jim       user       False        allow            full
    Everyone  wellknown  False        allow            read
    ----------------------------------------------------------------
    Total: 2
    Access Based Enumeration: No
    Access Based Enumeration Root Only: No
    Allow Delete Readonly: No
    Allow Execute Always: No
    Ca Timeout: 120
    Continuously Available: No
    Strict Ca Lockout: Yes
    Ca Write Integrity: write-read-coherent
    Change Notify: norecurse
    Create Permissions: default acl
    Directory Create Mask: 0700
    Directory Create Mode: 0000
    File Create Mask: 0700
    File Create Mode: 0100
    File Filtering Enabled: No
    File Filter Extensions: -
    File Filter Type: deny
    Hide Dot Files: No
    Host ACL: -
    Impersonate Guest: never
    Impersonate User: -
    Mangle Byte Start: 0XED00
    Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1
    Ntfs ACL Support: Yes
    Oplocks: Yes
    Smb3 Encryption Enabled: Yes
    Strict Flush: Yes
    Strict Locking: No

2.1.3 Validate encryption

After setting up the share on the server, verify that the share is encrypted by running the following PowerShell command on the server. Locate the share that was created in the list and then verify encryption is set to yes.

    Get-SmbConnection | Select-Object -Property *

This command will list all shares. Verify that Encrypted is set to True for all encrypted shares. The output is as follows:

    SmbInstance           : Default
    ContinuouslyAvailable : False
    Credential            : ILAB-WIN2K12-01\jim
    Dialect               : 3.02
    Encrypted             : True
    NumOpens              : 1
    Redirected            : False
    ServerName            : ilab-isilon05.hc.ilab.lab.emc.com
    ShareName             : smb
    UserName              : ILAB-WIN2K12-01\Administrator
    PSComputerName        :
    CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
    CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
    CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties
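The server-side confirmation in section 2.1.2 and the client-side check in section 2.1.3 can be combined into a single pass/fail test, so a share that is configured for encryption but mounted in cleartext does not go unnoticed. The following PowerShell is an added example, not part of the original white paper; the function names, the smb-plain share and the sample input are constructed for illustration, modeled on the output shown above.

```powershell
# Added example, not from the white paper. Function names are hypothetical.

# Parse the "Key: Value" rows printed by `isi smb shares view <share>`.
function ConvertFrom-IsiShareView {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]] $Line)
    $settings = @{}
    foreach ($l in $Line) {
        # The lazy key match stops at the first colon, so the Mangle Map value
        # (which contains colons) stays whole. The prompt line, permission
        # table rows and dashed separators have no "Key:" prefix and are skipped.
        if ($l -match '^\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$') {
            $settings[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $settings
}

# Compare what OneFS is configured to do with what the client negotiated.
function Test-SmbShareEncryption {
    param(
        [Parameter(Mandatory)][hashtable] $ShareSettings,                          # parsed share view
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]] $Connection,      # Get-SmbConnection objects
        [Parameter(Mandatory)][string] $ServerName                                 # wildcard pattern
    )
    $share      = $ShareSettings['Share Name']
    $configured = $ShareSettings['Smb3 Encryption Enabled'] -eq 'Yes'
    $sessions   = @($Connection | Where-Object {
            $_.ServerName -like $ServerName -and $_.ShareName -eq $share })
    $cleartext  = @($sessions | Where-Object { -not $_.Encrypted })
    [pscustomobject]@{
        ShareName         = $share
        ConfiguredOnOneFS = $configured
        Sessions          = $sessions.Count
        Unencrypted       = $cleartext.Count
        # Pass only when the share is set to encrypt, at least one session
        # exists to prove it, and no session to that share is in cleartext.
        Pass              = $configured -and ($sessions.Count -gt 0) -and ($cleartext.Count -eq 0)
    }
}

# Constructed sample input. On a live system, $view holds the output lines of
# `isi smb shares view smb` and $conns is @(Get-SmbConnection).
$view = @(
    'ilab-isilon05-1# isi smb shares view smb',
    'Share Name: smb',
    'Path: /ifs/data/smb',
    'Mangle Map: 0x01-0x1F:-1, 0x22:-1',
    'Smb3 Encryption Enabled: Yes'
)
$server = 'ilab-isilon05.hc.ilab.lab.emc.com'
$conns = @(
    [pscustomobject]@{ ServerName = $server; ShareName = 'smb'; Dialect = '3.02'; Encrypted = $true },
    # Hypothetical unencrypted share on the same cluster; ignored when checking 'smb'.
    [pscustomobject]@{ ServerName = $server; ShareName = 'smb-plain'; Dialect = '3.02'; Encrypted = $false }
)
Test-SmbShareEncryption -ShareSettings (ConvertFrom-IsiShareView -Line $view) `
    -Connection $conns -ServerName 'ilab-isilon05*'
```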

3 Testing

The same testing was performed from each server, separately, and no other tests were running on the servers or Isilon systems involved. The testing was designed to log into each Isilon system using SSH and clear the cache. When the cache was cleared, 100,000 files were transferred from the server to the Isilon system and deleted from the local server. When the transfer was complete, the cache was cleared again, and the same files were transferred back to the server and deleted from the Isilon system. This was completed on both the encrypted and unencrypted shares mounted on the Isilon system. This was performed on each Isilon system and repeated five times to calculate an average.

Testing was performed on both Windows Server 2012 and Windows Server 2016 to show the improvements in the operating system as well as the SMB stack. The testing has proved SMB 3 encryption has less overhead when used with Windows Server 2016.

The following script was used:

    # New-SSHSession, Invoke-SSHCommand and Remove-SSHSession come from the Posh-SSH module.
    Import-Module Posh-SSH

    $i=0
    while($i -lt 5)
    {
        cd c:\scripts\cloudpools
        # The root credential is hard-coded in the script as published.
        $user = "root"
        $pass = ConvertTo-SecureString -String "password" -AsPlainText -Force
        $creds = new-object -typename System.Management.Automation.PSCredential -argumentlist $user,$pass
        # -acceptkey:$true accepts each cluster's SSH host key without prompting.
        New-SSHSession -ComputerName 10.228.92.85 -Credential $creds -acceptkey:$true # H400
        New-SSHSession -ComputerName 10.228.93.17 -Credential $creds -acceptkey:$true # H500
        New-SSHSession -ComputerName 10.228.93.22 -Credential $creds -acceptkey:$true # A200
        New-SSHSession -ComputerName 10.228.92.20 -Credential $creds -acceptkey:$true # a2000

        # Each block below: flush the cluster cache, copy the dataset to a share,
        # delete the source, flush again, copy it back, delete it from the share.

        # H400
        Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r y:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy y:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item y:\121r -recurse
        Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r z:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 0 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy z:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item z:\121r -recurse

        # H500
        Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r w:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy w:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item w:\121r -recurse
        Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r x:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 1 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy x:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item x:\121r -recurse

        # A200
        Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r u:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy u:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item u:\121r -recurse
        Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r v:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 2 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy v:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item v:\121r -recurse

        # A2000
        Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r s:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy s:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item s:\121r -recurse
        Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy E:\121r t:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item e:\121r -recurse
        Invoke-SSHCommand -Index 3 -TimeOut 300 -Command "isi_for_array isi_flush" >>time.txt
        robocopy t:\121r e:\121r /MT:8 /e /NDL /NS /NC /NFL /log+:ECS_to_Isilon_SMB3_Robo_2.txt
        Remove-Item t:\121r -recurse

        # Close the four SSH sessions before the next iteration.
        Remove-SSHSession -Index 0
        Remove-SSHSession -Index 1
        Remove-SSHSession -Index 2
        Remove-SSHSession -Index 3
        $i++
    }

4 Results

This section includes the results of testing on both Windows Server 2012 and Windows Server 2016.

When reading these results, keep in mind that each percentage is the additional time required to handle the encryption. As an example, if it takes 3.0 seconds to write 100,000 images on an Isilon H500 cluster, with SMB encryption it would take 3.39 seconds. If it was an Isilon A200 cluster, the same data may take 5.0 seconds, and with encryption it would take 5.4 seconds.

The testing also proved the advantages of protecting healthcare information by using SMB encryption with Windows Server 2016 and the reduced overhead associated with encryption. For customers looking to implement SMB 3 encryption, the efficiencies found in Windows Server 2016 are yet another compelling reason to upgrade.

Figure: SMB3 encryption overhead on Windows Server 2012 and 2016 (percentage)

100K files to Isilon (Write)

                H400   H500   A200   A2000
Windows 2012    22%    32%    13%    13%
Windows 2016    12%    13%    8%     8%

100K files from Isilon (Read)

                H400   H500   A200   A2000
Windows 2012    31%    28%    25%    23%
Windows 2016    23%    19%    17%    17%

A Technical support and resources

Dell.com/support is focused on meeting customer needs with proven services and support.

Storage technical documents and videos provide expertise that helps to ensure customer success on Dell EMC storage platforms.