Fabric Security; Connection Security - HP McDATA 4Gb SAN Switch Installation Manual

For HP p-Class BladeSystem

Fabric security

An effective security profile begins with a security policy that states the requirements. A threat analysis is needed to define the plan of action followed by an implementation that meets the security policy requirements. Internet portals, such as remote access and E-mail, usually present the greatest threats. Fabric security should also be considered in defining the security policy.

Most fabrics are located at a single site and are protected by physical security, such as key-code locked computer rooms. For these cases, security methods such as user passwords for equipment and zoning for controlling device access are satisfactory.

Fabric security is needed when security policy requirements are more demanding: for example, when fabrics span multiple locations and traditional physical protection is insufficient to protect the IT infrastructure. Another benefit of fabric security is that it creates a structure that helps prevent unintended changes to the fabric.

Fabric security consists of the following:
• Connection security
• Device security
• User account security

Connection security

Connection security provides an encrypted data path for switch management methods. The switch supports the SSH protocol for the CLI and the SSL protocol for management applications such as McDATA Web Server, McDATA Element Manager, and CIM.

The SSL handshake process between the workstation and the switch involves an exchange of certificates. These certificates contain the public and private keys that define the encryption. When the SSL service is enabled, a certificate is automatically created on the switch. The workstation validates the switch certificate by comparing the workstation date and time to the switch certificate creation date and time. For this reason, it is important to synchronize the workstation and switch with the same date, time, and time zone. The switch certificate is valid 24 hours before its creation date and 365 days after its creation date. If the certificate should become invalid, see the Create command in the McDATA 4Gb SAN Switch for HP p-Class BladeSystem user guide for information about creating a certificate.

Consider your connection security requirements for the CLI and for management applications such as McDATA Web Server. If SSL connection security is required, also consider using NTP to synchronize workstations and switches.

See the System operand of the Set Setup command in the McDATA 4Gb SAN Switch for HP p-Class BladeSystem user guide for information about enabling the NTP client on the switch and configuring the NTP server.

See the Set command in the McDATA 4Gb SAN Switch for HP p-Class BladeSystem user guide for information about setting the time zone.
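
The certificate validity window described above (24 hours before creation until 365 days after), as an added example that is not part of the HP/McDATA manual: it classifies a workstation clock against a switch certificate's creation time. The function names, the 30-day renewal threshold, and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Window stated in the manual: valid from 24 hours before creation
# until 365 days after creation.
BACKDATE = timedelta(hours=24)
LIFETIME = timedelta(days=365)

def validity_window(created):
    """Return (not_before, not_after) in UTC for a certificate created at `created`."""
    if created.tzinfo is None:
        raise ValueError("creation time needs an explicit time zone")
    created = created.astimezone(timezone.utc)
    return created - BACKDATE, created + LIFETIME

def check_clock(created, workstation_now, renew_within=timedelta(days=30)):
    """Classify the workstation clock against the switch certificate window.

    Returns (status, delta): how far outside the window the clock is, or the
    time remaining before expiry. renew_within is an assumed planning threshold.
    """
    if workstation_now.tzinfo is None:
        raise ValueError("workstation time needs an explicit time zone")
    not_before, not_after = validity_window(created)
    now = workstation_now.astimezone(timezone.utc)
    if now < not_before:
        return "not-yet-valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    remaining = not_after - now
    return ("renew-soon" if remaining <= renew_within else "valid"), remaining

# Constructed sample data (not taken from a real switch).
CREATED = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
CASES = {
    "same instant, workstation in UTC-6":
        datetime(2024, 3, 1, 6, 0, tzinfo=timezone(timedelta(hours=-6))),
    "workstation clock two days behind":
        datetime(2024, 2, 28, 12, 0, tzinfo=timezone.utc),
    "fifteen days before expiry": CREATED + timedelta(days=350),
    "one day past expiry": CREATED + timedelta(days=366),
}

if __name__ == "__main__":
    for label, now in CASES.items():
        status, delta = check_clock(CREATED, now)
        print(f"{label}: {status} ({delta})")
```

Timestamps without a time zone are rejected rather than guessed, because an unstated zone is the same date, time, and time zone mismatch the section says to avoid.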