[jcifs] [OT] Can jCIFS be used to work over a secure tunnel?
Giampaolo at Tomassoni.biz
Wed Apr 13 11:37:24 MDT 2011
> From: jcifs-bounces at lists.samba.org [mailto:jcifs-
> Thanks Giampaolo, for the reply.
> I personally do not have much experience with the IPSec, I'm just a
> Java programmer. I was asked to find out if jCIFS can be used over a
> secure channel. I read somewhere that IPSec could the trick (because
> it works at the lower layers of the TCP stack, rather than the
> application layer), but I'm not aware of what setup it requires on the
> server and the clients.
> My little research on the Internet revealed
> that the Client system and Server system require some configuration
> changes for IPSec to work. Is this correct?
Ok. This is really OT here, since how to establish a secure channel at
packet level has nothing to do with jCIFS. Really.
But anyway, the short response is that it depends on where you put the IPSec
borders. If you configure two routers to have a secure channel between them,
in example, you may have to change absolutely nothing at the client and
If you mean instead you want to use the IPSec implementation offered by
Microsoft and Linux systems, well, you do have to configure something in the
two nodes involved in the communication (besides, IPSec is a peer-to-peer
protocol, not a client/server one) and you may have a lot of
interoperability problems if the two nodes are not homogeneous (either MS/MS
> I also read some posts on
> the Internet where some people were using SSH tunnels. I think this
> also requires special configuration/apps on server and client systems.
This is not different from the IPSec case (except ssh is a client/server
protocol and often easier to setup).
> At this point, I'm trying to determine if any one has successfully
> used jCIFS over IPSec or any other secure channel. Eventually, I will
> have to try this out, but if some one already tried this, I'm curious
> to know the results.
I used IPSec over CIFS (samba and MS) and didn't find any problem, apart the
fact that latency increases and transfer rate and such decreases...
The only thing you may care of is that IPSec and ssh tunnels are generally
used to securely transfer packets between different networks (say
192.168.x.0/24 <--> 192.168.y.0/24), so you can't rely on netbeui or other
broadcast-based means to "discover" the peer's IP address by name. You'd
better use wins or dns instead.
> Any feedback is greatly appreciated.
> Sai Pullabhotla
More information about the jCIFS