McDATA® 4Gb SAN Switch for HP p-Class BladeSystem Installation Guide (AA-RW1XA-TE, June 2005)
• Embedded GUI — provides access to the McDATA Web Server. The web server enables you to point an
internet browser at a switch and run the switch management application through the browser. The default
is enabled.
• Simple Network Management Protocol (SNMP) — provides for the management of the switch through
third-party applications that use the Simple Network Management Protocol (SNMP). Security consists
of a read community string and a write community string that serve as passwords controlling read and
write access to the switch. These strings are set at the factory to well-known defaults and should be
changed if SNMP is to be enabled; otherwise, you risk unwanted access to the switch. The default is
enabled.
• Network Time Protocol (NTP) — provides for the synchronizing of switch and workstation dates and
times with an external NTP server. This helps to prevent invalid SSL certificates and timestamp confusion
in the event log. The default is disabled.
• Common Information Model (CIM) — provides for the management of the switch through third-party
applications that use CIM. The default is enabled.
• File Transfer Protocol (FTP) — provides for transferring files rapidly between the workstation and the
switch. The default is enabled.
• Management Server (MS) — enables or disables the management of the switch through third-party
applications that are compliant with the FC GS-3 Management Server Specification. The default is
disabled.
Fabric security
An effective security profile begins with a security policy that states the requirements. A threat analysis is
needed to define the plan of action, followed by an implementation that meets the security policy
requirements. Internet portals, such as remote access and e-mail, usually present the greatest threats. Fabric
security should also be considered in defining the security policy.
Most fabrics are located at a single site and are protected by physical security, such as key-code locked
computer rooms. For these cases, security methods such as user passwords for equipment and zoning for
controlling device access are satisfactory.
Fabric security is needed when security policy requirements are more demanding: for example, when
fabrics span multiple locations and traditional physical protection is insufficient to protect the IT
infrastructure. Another benefit of fabric security is that it creates a structure that helps prevent unintended
changes to the fabric.
Fabric security consists of the following:
• Connection security, page 23
• Device security, page 24
• User account security, page 24
Connection security
Connection security provides an encrypted data path for switch management methods. The switch supports
the Secure Shell (SSH) protocol for the Command Line Interface and the Secure Socket Layer (SSL) protocol
for management applications such as McDATA Web Server and Common Information Model (CIM).
The SSL handshake process between the workstation and the switch involves the exchanging of certificates.
These certificates contain the public and private keys that define the encryption. When the SSL service is
enabled, a certificate is automatically created on the switch. The workstation validates the switch certificate
by comparing the workstation date and time to the switch certificate creation date and time. For this
reason, it is important to synchronize the workstation and switch with the same date, time, and time zone.
The switch certificate is valid 24 hours before its creation date and 365 days after its creation date. If the
certificate should become invalid, refer to the Create command in the McDATA 4Gb SAN Switch for HP
p-Class BladeSystem user guide for information about creating a certificate.
Consider your requirements for connection security: for the Command Line Interface (SSH), management
applications such as McDATA Web Server (SSL), or both. If SSL connection security is required, also
consider using the Network Time Protocol (NTP) to synchronize workstations and switches.
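The following is an added example, not part of the McDATA guide: it models the certificate validity window the guide describes (valid from 24 hours before creation until 365 days after) and shows how an unsynchronized workstation clock, rather than a different time zone, makes the switch certificate fail validation. All timestamps are constructed; the function names are the example's own.

```python
# Added example (not from the McDATA guide): the switch certificate validity
# window described above, checked the way a workstation would check it.
# Sample timestamps below are constructed for illustration.
from datetime import datetime, timedelta, timezone

NOT_BEFORE_GRACE = timedelta(hours=24)   # guide: valid 24 hours before creation
VALIDITY_PERIOD = timedelta(days=365)    # guide: valid 365 days after creation


def validity_window(created: datetime):
    """Return (not_before, not_after) for a certificate created at `created`."""
    return created - NOT_BEFORE_GRACE, created + VALIDITY_PERIOD


def certificate_status(created: datetime, workstation_now: datetime) -> str:
    """Classify the certificate as the workstation would, using its own clock.

    Both values must be timezone-aware: comparing naive local times from hosts
    in different zones is the confusion the guide's NTP advice is meant to avoid.
    """
    if created.tzinfo is None or workstation_now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes (sync date, time and zone)")
    not_before, not_after = validity_window(created)
    if workstation_now < not_before:
        return "not_yet_valid"   # workstation clock is behind the switch clock
    if workstation_now > not_after:
        return "expired"         # aged out; recreate it with the Create command
    return "valid"


def clock_skew_ok(switch_now: datetime, workstation_now: datetime) -> bool:
    """True when the two clocks differ by no more than the 24-hour grace period."""
    return abs(switch_now - workstation_now) <= NOT_BEFORE_GRACE


def evaluate_samples() -> dict:
    """Constructed scenarios; returns {name: result} so outcomes can be checked."""
    created = datetime(2005, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed
    pacific = timezone(timedelta(hours=-7))                      # UTC-7, constructed
    synced = datetime(2005, 6, 1, 2, 5, tzinfo=pacific)          # 02:05 UTC-7 == 09:05 UTC
    behind = datetime(2005, 5, 30, 9, 0, tzinfo=timezone.utc)    # two days behind switch
    late = datetime(2006, 6, 2, 9, 1, tzinfo=timezone.utc)       # past the 365-day period
    return {
        "synced_other_zone": certificate_status(created, synced),  # valid
        "clock_behind": certificate_status(created, behind),       # not_yet_valid
        "aged_out": certificate_status(created, late),             # expired
        "skew_within_grace": clock_skew_ok(created, synced),       # True
        "skew_too_large": clock_skew_ok(created, behind),          # False
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```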