SAN design reference guide Vol. 1-5 785350-001

Hardware requirements
SME requires a minimum of one MDS 9222i switch or one MSM-18/4 module in each cluster.
The SME engines on the switch or module provide transparent encryption and compression to hosts
and storage devices. A smart card reader is required to take advantage of all of the standard and
advanced security levels.
Software requirements
Table 193 (page 376) lists the software requirements for switches and modules in the SME cluster.
Table 193 SME software requirements

Software version                    Component
Fabric Manager 3.2(3) (or later)    Fabric Manager web client
SAN-OS 3.2(3) (or later)            MDS switches attached to tape devices
                                    MDS 9222i switches and switches that include the MSM-18/4 module

C-series SAN-OS security
This section describes the C-series SAN-OS security features.
Simple Network Management Protocol
SNMP is an application-layer protocol that facilitates the exchange of management information
between network devices. C-series switches support the following SNMP versions:
• SNMP v1 and SNMP v2c—Use a community-string match for user authentication.
• SNMP v3—Provides secure access to devices by using the following:
    • Message integrity—Ensures that a packet has not been tampered with while in transit
    • Authentication—Confirms that the message comes from a valid source
    • Encryption—Scrambles the packet contents, which prevents unauthorized viewing
Remote Authentication Dial-In User Service
RADIUS is a distributed client-server protocol that protects networks against unauthorized access.
RADIUS clients run on C-series switches and send authentication requests to a central RADIUS
server, which contains all user authentication and network service information.
Terminal Access Controller Access Control System
TACACS+ is a client-server protocol that uses TCP for transport. All C-series switches provide
centralized authentication using TACACS+, which provides:
• Independent, modular AAA facilities
• Reliable transfers by using TCP to send data between the AAA client and server
• Encryption of all data between the switch and AAA server, which ensures data confidentiality (RADIUS encrypts passwords only)
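The difference in coverage noted above (TACACS+ protects the whole body, RADIUS only the password) can be seen by building both on-the-wire forms. This is an added example, not code from the guide or from the switch software; it follows the mechanisms specified in RFC 2865 section 5.2 and RFC 8907 section 4.5, and all function names, credentials, secrets and the simplified TACACS+ body are constructed for illustration.

```python
import hashlib
import struct

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: hide the User-Password value in 16-byte MD5-keyed blocks."""
    size = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev                                 # next block is keyed on this one
    return hidden

def radius_access_request(user: bytes, password: bytes, secret: bytes,
                          authenticator: bytes, ident: int = 1) -> bytes:
    """Build a minimal Access-Request: only attribute 2 (User-Password) is hidden."""
    def attr(kind: int, value: bytes) -> bytes:
        return bytes([kind, len(value) + 2]) + value
    attrs = attr(1, user) + attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 sec. 4.5: XOR the entire packet body with an MD5-derived pad.
    The operation is its own inverse, so the same call recovers the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

# Constructed sample values (hypothetical, not from any real deployment).
USER, PASSWORD = b"admin", b"s3cret-example"
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    pkt = radius_access_request(USER, PASSWORD, SECRET, AUTHENTICATOR)
    print("RADIUS user name visible on the wire:", USER in pkt)
    print("RADIUS password visible on the wire: ", PASSWORD in pkt)
    body = USER + b"\x00" + PASSWORD      # simplified stand-in for a TACACS+ body
    wire = tacacs_obfuscate(body, SECRET, session_id=0x1234ABCD)
    print("TACACS+ user name visible on the wire:", USER in wire)
```

Both mechanisms derive their keystream from MD5 and a shared secret, and RFC 8907 itself describes the TACACS+ mechanism as obfuscation, so the strength of the shared secret and the isolation of the management network still matter.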
FC-SP and Diffie-Hellman CHAP
FC-SP provides switch-to-switch and host-to-switch authentication, which addresses the security challenges of large SAN fabrics. DHCHAP provides authentication between C-series switches and other devices.
376 Storage security