C-Series IP SAN Security - HP StorageWorks 4000/6000/8000 - Enterprise Virtual Arrays Reference Manual

Simple Network Management Protocol
SNMP is an application-layer protocol that facilitates the exchange of management information
between network devices. C-series switches support the following SNMP versions:
SNMP v1 and SNMP v2c—Use a community-string match for user authentication. The community string is sent in cleartext and these versions provide no message integrity or encryption, so anyone who can capture management traffic can read and replay it; restrict them to read-only access on an isolated management network, or use SNMP v3.
SNMP v3—Provides secure access to devices by using the following:
Message integrity—Ensures that a packet has not been tampered with while in transit
Authentication—Confirms that the message comes from a valid source
Encryption—Scrambles the packet contents, which prevents unauthorized viewing
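The following is an added example, not code from the HP guide. It models the authentication part of the SNMP v3 User-based Security Model as specified in RFC 3414: the user's password is expanded and hashed into a key, that key is localized to one agent's snmpEngineID, and a truncated HMAC over the message provides the integrity and source-authentication properties listed above. Privacy (DES/AES encryption of the scoped PDU) is not modelled, the message layout is a stand-in for the real BER encoding, the second engine ID and the payload are constructed sample values, and the "maplesyrup" password with engine ID 00...02 is the test vector from RFC 3414 appendix A.3.

```python
"""SNMPv3 USM authentication, modelled on RFC 3414 (added example, not from the HP guide)."""
import hashlib
import hmac

EXPANDED_LEN = 1048576   # RFC 3414 A.2: the password is repeated to 1 MiB before hashing
AUTH_PARAM_LEN = 12      # HMAC-MD5-96 and HMAC-SHA-96 keep the first 12 bytes of the HMAC


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated to fill 1,048,576 bytes) (RFC 3414 A.2.1 / A.2.2)."""
    if len(password) < 8:
        raise ValueError("RFC 3414 section 11.2 calls for passwords of at least 8 characters")
    repeats = EXPANDED_LEN // len(password) + 1
    return hashlib.new(hash_name, (password * repeats)[:EXPANDED_LEN]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password yields a different key on every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def authenticate(message: bytes, kul: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the message with that field zeroed, truncated to 12 bytes.

    In this stand-in layout the field is the last 12 bytes of the message.
    """
    zeroed = message[:-AUTH_PARAM_LEN] + b"\x00" * AUTH_PARAM_LEN
    return hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAM_LEN]


def build_message(payload: bytes, kul: bytes, hash_name: str = "md5") -> bytes:
    """Sender side: append the authentication parameters to the payload."""
    return payload + authenticate(payload + b"\x00" * AUTH_PARAM_LEN, kul, hash_name)


def verify(message: bytes, kul: bytes, hash_name: str = "md5") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = authenticate(message, kul, hash_name)
    return hmac.compare_digest(message[-AUTH_PARAM_LEN:], expected)


def demo() -> dict:
    """Returns the properties a reviewer would check; values other than engine_a are constructed."""
    engine_a = bytes.fromhex("000000000000000000000002")   # engine ID used in RFC 3414 A.3
    engine_b = bytes.fromhex("800000090300aabbccddeeff")   # constructed second agent
    kul_a = localized_key(b"maplesyrup", engine_a)
    kul_b = localized_key(b"maplesyrup", engine_b)
    msg = build_message(b"get sysDescr.0", kul_a)          # constructed payload stand-in
    tampered = bytes([msg[0] ^ 0x01]) + msg[1:]             # one flipped bit in transit
    return {
        "kul_a": kul_a.hex(),
        "same_password_different_agents": kul_a != kul_b,
        "valid_message_accepted": verify(msg, kul_a),
        "tampered_message_rejected": not verify(tampered, kul_a),
        "key_for_other_agent_rejected": not verify(msg, kul_b),
    }
```

Key localization is the operational point: a localized key lifted from one switch's configuration cannot be used against another switch, and a captured message cannot be altered without the receiver noticing. None of this protects the contents from being read; that requires the privacy (encryption) option as well.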
Remote Authentication Dial-In User Service
RADIUS is a distributed client-server protocol that protects networks against unauthorized access.
RADIUS clients run on C-series switches and send authentication requests to a central RADIUS server,
which contains all user authentication and network service information.
Terminal Access Controller Access-Control System Plus
TACACS+ is a client-server AAA protocol that uses TCP for transport. All C-series switches provide centralized
authentication using TACACS+, which provides:
Independent, modular AAA facilities (authentication, authorization, and accounting can be handled separately)
Reliable transfers by using TCP to send data between the AAA client and server
Encryption of the entire packet body between the switch and the AAA server, which protects credentials
and authorization data in transit (RADIUS encrypts the user password only). The body cipher is a
keystream derived from the shared secret with MD5 and applied with XOR, and the 12-byte header is
sent in the clear; it provides no integrity check, so the strength of the shared secret and the
protection of the management network still matter.
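The following is an added example, not code from the HP guide, comparing the two mechanisms the text contrasts. RADIUS hides only the User-Password attribute (RFC 2865 section 5.2); TACACS+ hides the whole packet body while the header stays in cleartext (RFC 8907 sections 4.1 and 4.5). Both derive an MD5 keystream from the shared secret and XOR it with the plaintext. The shared secret, Request Authenticator, session ID and body contents are constructed sample values.

```python
"""How RADIUS and TACACS+ hide data on the wire (added example, not from the HP guide)."""
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16 with NULs
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; strips the NUL padding."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


TAC_PLUS_VERSION = 0xC0          # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01 # set only when the body is deliberately sent in the clear


def tacacs_header(seq_no: int, session_id: int, body_len: int, flags: int = 0) -> bytes:
    """12-byte header, always sent in cleartext (RFC 8907 4.1)."""
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, body_len)


def tacacs_pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no); MD5_n also chains MD5_{n-1}."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([TAC_PLUS_VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, seq_no, len(body)))


def demo() -> dict:
    """Constructed sample values; returns the properties a reviewer would check."""
    secret = b"s3cret-shared-with-aaa"                   # constructed shared secret
    ra = bytes(range(16))                                # constructed Request Authenticator
    hidden = radius_hide_password(b"hunter2", secret, ra)
    body = b"user=admin\x00pass=hunter2"                 # constructed stand-in for a TACACS+ body
    sid, seq = 0x1F2E3D4C, 1
    wire = tacacs_header(seq, sid, len(body)) + tacacs_obfuscate(body, secret, sid, seq)
    ciphertext = wire[12:]
    # Flip one ciphertext bit: an XOR keystream has no integrity check, so the receiver
    # decrypts a body that differs in exactly that bit and has no way to notice.
    flipped = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    return {
        "radius_round_trip": radius_reveal_password(hidden, secret, ra) == b"hunter2",
        "radius_wrong_secret": radius_reveal_password(hidden, b"other", ra) == b"hunter2",
        "tacacs_round_trip": tacacs_obfuscate(ciphertext, secret, sid, seq) == body,
        "tacacs_header_cleartext": wire[4:8] == struct.pack("!I", sid),
        "tacacs_bit_flip_undetected":
            tacacs_obfuscate(flipped, secret, sid, seq) == bytes([body[0] ^ 0x01]) + body[1:],
    }
```

The practical reading: TACACS+ does keep user names, commands and authorization replies off the wire where RADIUS exposes them, but both schemes are keyed with a static shared secret and neither authenticates the ciphertext, so a long random secret per switch and a segregated management network are still required.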
FC-SP and Diffie-Hellman CHAP
FC-SP (Fibre Channel Security Protocol) provides switch-to-switch and host-to-switch authentication, which
addresses the security challenges of large SAN fabrics. DH-CHAP, a challenge-response protocol in which each
side proves knowledge of a shared secret without sending it, optionally strengthened by a Diffie-Hellman
exchange, provides authentication between C-series switches and other devices.
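The following is an added example, not code from the HP guide and not the FC-SP wire format: a simplified model of the DH-CHAP pattern. Each side answers a fresh challenge with a hash over the pair's shared secret, so the secret never crosses the link and a captured answer is useless against the next challenge. With the optional Diffie-Hellman step the answer also covers a session value g^xy that a passive eavesdropper cannot compute, which is what stops offline guessing of a weak secret from a captured exchange. The hash function, field order and the deliberately small DH group are assumptions for illustration.

```python
"""Mutual challenge-response in the pattern of DH-CHAP (added example, not the FC-SP format)."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional, Tuple

# Toy DH group, far too small for real use; FC-SP specifies standard MODP groups.
P = 2**127 - 1
G = 3


def dh_keypair() -> Tuple[int, int]:
    x = secrets.randbelow(P - 2) + 1            # private exponent in [1, P-2]
    return x, pow(G, x, P)


def response(shared_secret: bytes, challenge: bytes, dh_shared: Optional[int]) -> bytes:
    """Answer to a challenge; with DH the session value g^xy is mixed in."""
    h = hashlib.sha256(shared_secret)
    if dh_shared is not None:
        h.update(dh_shared.to_bytes(16, "big"))
    h.update(challenge)
    return h.digest()


def run_exchange(initiator_secret: bytes, responder_secret: bytes,
                 use_dh: bool) -> Tuple[bool, bool, Dict[str, Any]]:
    """Two-way authentication; returns (initiator accepts, responder accepts, what an eavesdropper sees)."""
    wire: Dict[str, Any] = {}
    # Initiator -> Responder: challenge C_i and, if DH is used, g^x
    c_i = secrets.token_bytes(16)
    x, gx = dh_keypair() if use_dh else (None, None)
    wire.update(challenge_i=c_i, dh_i=gx)
    # Responder: derives K = (g^x)^y, answers C_i, sends its own challenge C_r and g^y
    c_r = secrets.token_bytes(16)
    y, gy = dh_keypair() if use_dh else (None, None)
    k_r = pow(gx, y, P) if use_dh else None
    r_r = response(responder_secret, c_i, k_r)
    wire.update(challenge_r=c_r, dh_r=gy, response_r=r_r)
    # Initiator: derives K = (g^y)^x, checks the responder's answer, answers C_r
    k_i = pow(gy, x, P) if use_dh else None
    initiator_ok = hmac.compare_digest(r_r, response(initiator_secret, c_i, k_i))
    r_i = response(initiator_secret, c_r, k_i)
    wire["response_i"] = r_i
    # Responder: checks the initiator's answer
    responder_ok = hmac.compare_digest(r_i, response(responder_secret, c_r, k_r))
    return initiator_ok, responder_ok, wire


def offline_guess(wire: Dict[str, Any], wordlist) -> Optional[bytes]:
    """Passive attacker: hash each candidate secret over the captured challenge and compare.

    Without DH this recovers a weak secret from one captured exchange. With DH the
    attacker sees g^x and g^y but not g^xy, so no candidate reproduces the response.
    """
    for candidate in wordlist:
        if response(candidate, wire["challenge_i"], None) == wire["response_r"]:
            return candidate
    return None
```

The model shows why the shared secret still matters even with DH: the Diffie-Hellman step defeats a passive eavesdropper, but a peer that can complete the exchange (an active attacker on the ISL) can still mount a guessing attack against a short secret, so secrets should be long and random and distinct per switch pair.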
Port security
C-series port security features prevent unauthorized access to a switch port by:
Rejecting login requests from unauthorized Fibre Channel devices or switches
Reporting all intrusion attempts to the SAN administrator through system messages
Using the CFS (Cisco Fabric Services) infrastructure to distribute the configuration, restricted to CFS-enabled switches
Fabric binding
C-series switches in a fabric binding configuration ensure that ISLs are enabled between authorized
switches only. This feature prevents unauthorized switches from disrupting traffic or joining the fabric.
The EFMD (Exchange Fabric Membership Data) protocol compares the list of authorized switches on each switch in the fabric.

C-series IP SAN security

This section describes the C-series IP SAN security features.
IPsec
C-series IPsec features ensure secure transmissions at the network layer. IPsec protects and authenticates
IP packets between participating devices (peers) over unprotected networks. IPsec provides the following
security services:
SAN Design Reference Guide
409
