Manualshelf

McDATA® 4Gb SAN Switch for HP p-Class BladeSystem Installation Guide (AA-RW1XC-TE, November 2006)

ManualsBrandsHP ManualsStorageMcDATA 4Gb SAN Switch
21222324252627282930
24 Planning
Fabric security
An effective security profile begins with a security policy that states the requirements. A threat analysis is
needed to define the plan of action, followed by an implementation that meets the security policy
requirements. Internet portals, such as remote access and e-mail, usually present the greatest threats. Fabric
security should also be considered when defining the security policy.
Most fabrics are located at a single site and are protected by physical security, such as key-code locked
computer rooms. For these cases, security methods such as user passwords for equipment and zoning for
controlling device access are satisfactory.
Fabric security is important when security policy requirements are demanding–for example, when fabrics
span multiple locations and traditional physical protection is insufficient to protect the IT infrastructure.
Another benefit of fabric security is that it creates a structure that helps prevent unintended changes to the
fabric.
Fabric security consists of the following:
Connection security, page 24
Switch and port binding, page 25
Device security, page 25
User account security, page 26
Connection security
IMPORTANT: The SSL and SSH services are available only with the McDATA SANtegrity™ Enhanced PFE
key. SeeInstalling Product Features Enablement keys” on page 35 for more information about installing a
PFE key. To obtain the McDATA 4Gb SAN Switch serial number and PFE key, follow the step-by-step
instructions on the firmware feature entitlement request certificate for the PFE key. You can obtain a PFE key
from the web at: www.webkey.external.hp.com
.
Connection security provides an encrypted data path for switch management methods. The switch supports
the SSH protocol for the Command Line Interface (CLI) and the SSL protocol for management applications
such as McDATA Web Server, Element Manager, and CIM.
The SSL handshake process between the workstation and the switch involves the exchanging of certificates.
These certificates contain the public and private keys that define the encryption. When the SSL service is
enabled, a certificate is automatically created on the switch. The workstation validates the switch certificate
by comparing the workstation date and time to the switch certificate creation date and time. For this
reason, it is important to synchronize the workstation and switch with the same date, time, and time zone.
The switch certificate is valid 24 hours before its creation date and 365 days after its creation date. If the
certificate should become invalid, see the Create command in the McDATA 4Gb SAN Switch for HP
p-Class BladeSystem command line interface guide for information about creating a certificate.
Consider your connection security requirements for the CLI, and management applications such as
McDATA Web Server. If SSL connection security is required, also consider using NTP to synchronize
workstations and switches.
See the Set Setup System command in the McDATA 4Gb SAN Switch for HP p-Class BladeSystem
command line interface guide for information about enabling the NTP client on the switch and
configuring the NTP server.
See the Set Timezone command in the McDATA 4Gb SAN Switch for HP p-Class BladeSystem
command line interface guide for information about setting the time zone.