HP StorageWorks 1510i Modular Smart Array iSCSI concepts and deployment guide (431338-002, July 2008)
6 Security
Several types of security should be considered when establishing any system. The lack of any one level of
security could lead to a failure in the data security of the system.
Types of security include:
• Physical security
• Network security
• System security
• Data security
Each type of security should be used when establishing the network topology of the MSA1510i. For
example, use physically separate networks where possible, use VLANs to separate out management and
storage/data traffic that share ports on the MSA1510i, and use separate IP subnets for all interfaces
to further segment the traffic.
Physical security
Physical security is the most obvious type of system security. Access to the physical devices must be limited
to protect against unauthorized or unintentional physical changes or sabotage.
Network security
Network security involves the separation of the various network segments to prevent intrusion by a variety
of potential attacks. Network segmentation can take many forms which include:
• Physically separate LANs — The separation of the MSA1510i management and storage functions onto
separate physical networks (separate from the rest of the infrastructure) is one of the primary ways of
protecting the MSA from intrusion. HP recommends creating separate VLANs for both storage and
management. The VLANs can then be linked to separate switches on the storage and management
networks. In addition, servers accessing the MSA1510i should have separate network interface cards:
one for accessing the management network and one for accessing the storage network.
• Switch-based separate VLANs — While physically separate networks provide the most secure method
for blocking access between various segments of the network, most environments and configurations
do not allow for separate physical networks. VLANs provide a method of creating virtual LANs off
of a single switch. Traffic destined for one VLAN may not enter any other VLAN. All participants,
including the switch, must identify the packets that are being sent as part of a particular VLAN. For
more information on VLANs, see Virtual LANs (VLANs).
• Separate IP subnets — Separate IP subnets can help separate the various networks. This is the
weakest approach to securing the network, but does provide for separation of the traffic.
• Routing across LANs — Because of the potential for latency and security compromises, routing iSCSI traffic
across a wide area network is not advised. Where traffic must cross a wide area network, HP recommends
using external IPsec encryption. Enabling header and data digests during login negotiation is also
recommended, so that corrupted or altered PDUs are detected by the CRC32C checks rather than silently accepted.
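The three separation rules above (one role per VLAN, non-overlapping management and storage subnets, and a dedicated server NIC per role) are easy to state and easy to get wrong in practice. The following script is an added example, not HP code or MSA1510i output: it runs the three checks over a constructed interface inventory in which one server (srv-2) deliberately puts its storage port on the management VLAN and subnet through the same NIC. Host names, interface names, VLAN ids and addresses are all illustrative assumptions.

```python
"""Segmentation checks for an iSCSI deployment (added example, not HP code).

Assumes a constructed inventory of interfaces, each with a role, an 802.1Q
VLAN id and an IP/prefix. Names and values are illustrative only.
"""
from dataclasses import dataclass
from ipaddress import ip_interface
from itertools import combinations


@dataclass(frozen=True)
class Iface:
    host: str   # device the interface belongs to (constructed name)
    name: str   # interface name on that device (constructed)
    role: str   # "management" or "storage"
    vlan: int   # 802.1Q VLAN id carried on this interface
    addr: str   # address in CIDR form, e.g. "10.10.1.5/24"


# Constructed sample inventory: the array, one correctly wired server, and
# one server (srv-2) that shares a single NIC and the management VLAN/subnet
# for its storage traffic, which violates all three rules at once.
INVENTORY = [
    Iface("msa-a", "mgmt0", "management", 100, "10.10.1.5/24"),
    Iface("msa-a", "iscsi0", "storage", 200, "10.20.1.5/24"),
    Iface("srv-1", "eth0", "management", 100, "10.10.1.21/24"),
    Iface("srv-1", "eth1", "storage", 200, "10.20.1.21/24"),
    Iface("srv-2", "eth0", "management", 100, "10.10.1.22/24"),
    Iface("srv-2", "eth0", "storage", 100, "10.10.1.23/24"),
]


def check_segmentation(ifaces):
    """Return a list of human-readable findings; an empty list means the
    inventory satisfies the three separation rules."""
    findings = []

    # Rule 1: a VLAN id must carry traffic for exactly one role.
    roles_by_vlan = {}
    for i in ifaces:
        roles_by_vlan.setdefault(i.vlan, set()).add(i.role)
    for vlan, roles in sorted(roles_by_vlan.items()):
        if len(roles) > 1:
            findings.append(
                f"VLAN {vlan} carries both {' and '.join(sorted(roles))} traffic")

    # Rule 2: management and storage subnets must not overlap.
    nets_by_role = {}
    for i in ifaces:
        nets_by_role.setdefault(i.role, set()).add(ip_interface(i.addr).network)
    pairs = sorted((r, n) for r, nets in nets_by_role.items() for n in nets)
    for (ra, na), (rb, nb) in combinations(pairs, 2):
        if ra != rb and na.overlaps(nb):
            findings.append(f"{ra} subnet {na} overlaps {rb} subnet {nb}")

    # Rule 3: a server NIC must not be shared between roles.
    roles_by_nic = {}
    for i in ifaces:
        roles_by_nic.setdefault((i.host, i.name), set()).add(i.role)
    for (host, nic), roles in sorted(roles_by_nic.items()):
        if len(roles) > 1:
            findings.append(
                f"{host} {nic} is shared by {' and '.join(sorted(roles))}; "
                "use a separate NIC per role")

    return findings


if __name__ == "__main__":
    for finding in check_segmentation(INVENTORY) or ["no findings"]:
        print(finding)
```

The checks are intentionally static: they audit the intended design rather than the live switch state, so run them against the inventory you configure from, and treat any finding as a reason to re-examine the topology before attaching initiators.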
System security
The primary method of protecting access to the MSA is to assign and periodically change management
username and password settings. Rotate these settings on a monthly basis to ensure the proper
confidentiality of the account information. In addition, to keep account information encrypted when
communicating with the unit over the network, always use the secure port for web traffic and
SSH for the command line interface.