Ensuring Network Security - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

The security protocols are designed with the four main usage cases described in
Table 18 Main security scenarios
Fabric
Nonsecure
Nonsecure
Secure
Secure

Ensuring network security

To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in v4.1.x and later. SSH
encrypts all messages, including the client's transmission of password during login. The SSH package
contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption
algorithms, such as Blowfish-CBC and AES.
NOTE: To maintain a secure network, you should avoid using telnet (you can use secTelnet if you are
using FOS 2.6 or later, or 3.1 or later) or any other unprotected application when you are working on the
switch. For example, if you use telnet to connect to a machine, and then start an SSH or secure telnet
session from that machine to the switch, the communication to the switch is in clear text and therefore is not
secure.
The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are
in clear text. This includes the remote FTP server's login and password. This limitation affects the following
commands: saveCore, configUpload, configDownload, and firmwareDownload.
Commands that require a secure login channel must be issued from an original SSH session. If you start an
SSH session, and then use the login command to start a nested SSH session, commands that require a
secure channel will be rejected.
90 Configuring standard security features
Management Comments
interfaces
Nonsecure No special setup is needed to use telnet or HTTP.
An HP switch certificate must be installed if
sectelnet is used.
Secure Secure protocols may be used. An SSL switch
certificate must be installed if SSH/HTTPS is used.
Secure Secure protocols are supported on Fabric OS
4.4.0 (and later) switches. Switches running
earlier Fabric OS versions can be part of the
secure fabric, but they do not support secure
management.
Secure management protocols must be configured
for each participating switch. Nonsecure protocols
may be disabled on nonparticipating switches.
If SSL is used, then certificates must be installed.
Nonsecure You must use sectelnet because telnet is not
allowed in secure mode.
Nonsecure management protocols are necessary
under these circumstances:
•
•
•
The fabric contains switches running
Fabric OS 3.2.0.
The presence of software tools that do not
support Secure protocols: for example, Fabric
Manager 4.0.0.
The fabric contains switches running Fabric OS
versions earlier than 4.4.0. Nonsecure
management is enabled by default.
Table 18.