In a world of API’s don’t forget WebDav

WebDav is often a forgotten protocol in the world of REST API’s that we live in but it still has a lot to offer and should not be forgotten.

About WebDav:

WebDav is an acronym for Web Distributed Authoring and Versioning and can also be referred to as just plain old DAV.

WebDav is an extension of the HTTP protocol that was originally designed by Jim Whitehead from the University of California at Santa Cruz in 1996 when he was working at the World Wide Web consortium and it later became an Internet Engineering Task Force (IETF) standard.

WebDav was built as an interoperable standard to support remote collaborative authoring of Web sites and individual documents, as well as remote access to document based systems.

Today it It is the most popular network file-system protocol for use across the Internet, and although it has been integrated as a interoperable layer into many existing product implementations it is also notably missing as an interoperable API standard from many, such as DropBox, Google Drive, Amazon S3 and more.

The Storage Made Easy WebDav Gateway:

SME provide a way to access any mapped storage cloud by secure WebDav irrespective of whether the underlying Cloud Supports the WebDav protocol natively. As WebDav is so well supported in many desktop and mobile Apps this means that Cloud Data can easily be integrated and accessible without having to move the data to access the features of a particular Application that is WebDav enabled.

Connecting to WebDav Servers and Windows Shares:

Storage Made Easy can also be configured to connect to servers that support the WebDav protocol. This use of WebDav from a SME perspective is using WebDav as a back end cloud to store data rather than exposing existing clouds to be accessible using the WebDav protocol.

Many existing NAS or SAN devices such as those as the NetGear ReadyNAS and the Synology devices range already provide WebDav as an access protocol to access data. Also existing web servers such as Apache can also be configured to use WebDav using the Mod Dav extension.

Many users of SME want to expose windows file shares and make them directly available through the SME service to all devices. The most appropriate and secure way to do this is not to expose such shares directly but to configure Microsoft Internet Information Server (or another WebDav compliant Server) to expose these shares over WebDav.

 

Advantage of WebDav for Windows File Sharing:

WebDav for Windows file sharing has the following advantages:

  • Seamless integration with the IIS Manager.
  • A secondary protocol provides a security DMZ with regards to direct access to windows shares.
  • IIS WebDAV can be enabled at the site level, allowing IT administrators to restrict WebDAV access to specific sites on a server.
  • IIS WebDAV supports per-URL authoring rules, allowing administrators to specify custom WebDAV security settings on a per-URL basis. This fine-grained control gives administrators the ability to maintain one set of security settings for normal HTTP requests and a separate set of security settings for WebDAV.
  • IIS WebDAV supports both shared and exclusive locks to prevent lost updates due to overwrites.
  • WebDAV supports secure connection as well. By enabling HTTPS over all WebDAV connections, security is fortified. SSL certificates can also be installed to increases security measures.

Why WebDav as a Cloud Connector ?

WebDAV is an optimized protocol for document access over http. It is proven as being latency independent and is efficient over wide area networks especially in contrast to file protocols such as NFS and CIFS.

Using secure WebDAV ensures the data is encrypted during transmission and due to the optimizations that data is stored efficiently and quickly .

Why not the Common Internet File System (CIFS) ?

CIFS is the standard way that windows users share files across corporate intranets and the Internet with a secure VPN connection.

To expose such shares directly to the internet or to other none windows PC’s it is needed to use a bridging technology. Samba is often used as such as technology. With Samba, the ports 139/tcp and 445/tcp are exposed over a public IP Address. Once this is done such shares are accessible.

The drawbacks of this are:

– The CIFS protocol used by Windows file sharing does not provide data encryption

  • The protocol itself is quite chatty.
  • No level of security indirection

CIFS is an optimized protocol for access to data over a network that has been extended by VPN and has been used in this context by many companies for a long time. The disadvantage of this is that all devices have to support, be setup, and work with the VPN. preventing access by some devices and Apps and making Adhoc ‘on the fly’ access difficult.

Securing WebDav Servers:

It is beyond the scope of this post to go into great detail on the steps required to secure WebDav servers but Microsoft has a very good guide on how to secure the IIS WebDav Service. This can be accessed at:

http://technet.microsoft.com/en-us/library/cc778809%28v=ws.10%29.aspx

In addition to this you should note the following best practices:

Folder Permissions: Use non-anonymous authentication. Modify the NTFS permissions on the folder to only allow the access necessary to the users who require such access

Prevent File Execution: If you are only using WebDAV as a file store and not using it to display web pages, then execute permissions should be removed from that site or folder.

Apache WebDav servers can be configured to use LDAP authentication and also two factor authentication and any deployments should consider implementing these.

This post can be downloaded as a whitepaper at:

http://jiml.me/T2G1kz

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s