New Features; Ensuring a Secure Operating System; Secure Shell (SSH) - HP StorageWorks MSA 2/8 - SAN Switch User Manual

HP StorageWorks Fabric OS Procedures v3.1.x/4.1.x User Guide (AA-RS23C-TE, June 2003)

New Features

Ensuring a Secure Operating System

Fabric OS v4.1 uses Linux as the operating system in the switch. Therefore,
securing the switch includes securing the underlying operating system as well.
Fabric OS uses the Berkeley r-commands facility (rsh, rlogin, rcp) to transfer
data between the control processors (CPs) in the Core Switch 2/64 platform. The
primary security concern is the use of the .rhosts file. All hosts listed in the
.rhosts file are trusted, meaning they can log in to the switch without any
authentication such as a password. The .rhosts file on the switch contains the
IP addresses 10.0.0.5 and 10.0.0.6, which are the IP addresses of the two CPs in
a Core Switch 2/64 chassis. To prevent the use of these facilities except from
the internal network, an iptables firewall has been implemented. This firewall
isolates the external network from the internal network and does not allow
execution of r-commands on the switch from external hosts. However, if you are
logged in to one CP of the switch as root, you can issue r-commands to the
other CP; the firewall does not protect the CPs from each other, so root access
on either CP extends to both.
In addition, various proprietary protocols are also used over the internal CP-to-CP
Ethernet. The internal Ethernet interface is considered a "trusted" interface over
which arbitrary communications may occur. To address these security concerns,
the internal Ethernet interfaces were disconnected from the public Ethernet
interfaces.
A packet filter is used to isolate the internal Ethernet interface. The packet filter:

Prevents routing of packets to and from the internal network.
Protects against spoofing of internal network addresses: it blocks all incoming packets from the external side whose source address lies in the range 10.0.0.0 to 10.0.0.255 (the internal 10.0.0.0/24 network).
Closes network services intended only for the internal network, without changing the source code of those services.

Secure Shell (SSH)

SSH (Secure Shell) is used to provide encrypted login sessions to the switch in
place of Telnet (DES encryption is not supported). The default out-of-band Telnet
mechanism for managing switches was deemed insecure because passwords are sent
over the wire in clear text. It is relatively easy for any network-connected
system to sniff and reap these passwords for use in subsequent intrusions. In a
complex enterprise network that aggregates device management into a backbone, it
is difficult to
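The following is an added example, not code from the manual or from Fabric OS. It models the CP isolation described above: the .rhosts trust decision (a listed host logs in with no password) together with the three packet-filter goals, and it prints an iptables rule set that would implement the same policy. The internal network 10.0.0.0/24 and the CP addresses 10.0.0.5 and 10.0.0.6 come from the text; the interface names eth0/eth1, the r-command ports 512/513/514, the Packet representation and the iptables rules themselves are assumptions made for this example, not the switch's actual configuration.

```python
"""Model of the CP isolation described above (added example, not code from the
manual or from Fabric OS). The 10.0.0.0/24 internal network, the CP addresses
10.0.0.5/10.0.0.6 and the three packet-filter goals come from the text; the
interface names, the r-command ports and the packet representation are
assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # internal CP-to-CP network (from the manual)
PUBLIC_IF, INTERNAL_IF = "eth0", "eth1"              # assumed interface names
R_COMMAND_PORTS = {512, 513, 514}                    # rexec, rlogin, rsh (standard ports; assumed)
RHOSTS = "10.0.0.5\n10.0.0.6\n"                      # .rhosts contents as described in the manual


@dataclass(frozen=True)
class Packet:
    in_iface: str             # interface the packet arrived on
    src: str                  # source IP address
    dst: str                  # destination IP address
    dport: int                # destination TCP port
    forwarded: bool = False   # True if the packet would be routed out another interface


def filter_packet(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for one packet, mirroring the three bullets above."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # 1. Anti-spoofing: an internal source address is only legitimate on the internal link,
    #    so every packet from 10.0.0.0-10.0.0.255 arriving anywhere else is dropped.
    if pkt.in_iface != INTERNAL_IF and src in INTERNAL_NET:
        return "DROP"
    # 2. No routing: nothing is forwarded into or out of the internal network.
    if pkt.forwarded and (src in INTERNAL_NET or dst in INTERNAL_NET):
        return "DROP"
    # 3. Internal-only services (the r-commands) are closed to the outside world.
    if pkt.in_iface != INTERNAL_IF and pkt.dport in R_COMMAND_PORTS:
        return "DROP"
    return "ACCEPT"


def rhosts_trusts(rhosts_text: str, client_ip: str) -> bool:
    """The r-command trust decision: a host listed in .rhosts logs in with no password."""
    trusted = set()
    for line in rhosts_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            trusted.add(fields[0])   # entries are "host [user]"; only the host is checked here
    return str(ipaddress.ip_address(client_ip)) in trusted


def login_decision(pkt: Packet, rhosts_text: str = RHOSTS) -> str:
    """Combine filter and .rhosts: 'DROP', 'TRUSTED' (no password asked) or 'AUTH_REQUIRED'."""
    if filter_packet(pkt) == "DROP":
        return "DROP"
    return "TRUSTED" if rhosts_trusts(rhosts_text, pkt.src) else "AUTH_REQUIRED"


def iptables_rules() -> list:
    """An iptables rule set equivalent to filter_packet (assumed; not the switch's own rules)."""
    net = str(INTERNAL_NET)
    ports = ",".join(str(p) for p in sorted(R_COMMAND_PORTS))
    return [
        f"iptables -A INPUT ! -i {INTERNAL_IF} -s {net} -j DROP",
        f"iptables -A FORWARD -s {net} -j DROP",
        f"iptables -A FORWARD -d {net} -j DROP",
        f"iptables -A INPUT ! -i {INTERNAL_IF} -p tcp -m multiport --dports {ports} -j DROP",
    ]


if __name__ == "__main__":
    # Constructed sample traffic: the peer CP, an external spoofer and an external admin host.
    samples = [
        Packet(INTERNAL_IF, "10.0.0.5", "10.0.0.6", 514),                 # genuine CP-to-CP rsh
        Packet(PUBLIC_IF, "10.0.0.5", "10.0.0.6", 514),                   # spoofed CP address from outside
        Packet(PUBLIC_IF, "192.0.2.10", "192.0.2.20", 514),               # rsh attempt from an external host
        Packet(PUBLIC_IF, "192.0.2.10", "192.0.2.20", 23),                # telnet from an external host
        Packet(PUBLIC_IF, "192.0.2.10", "10.0.0.6", 22, forwarded=True),  # routed toward the internal net
    ]
    for p in samples:
        print(p, "->", login_decision(p))
    print("\n".join(iptables_rules()))
```

The spoofed packet in the sample set is the case the filter exists for: without rule 1, an external host claiming 10.0.0.5 would reach the rsh port and be granted a password-less login by .rhosts. Rule 1 drops it before any trust decision is made; the genuine CP-to-CP packet on the internal interface still passes and is trusted, which is the residual risk noted above.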
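To make the Telnet concern concrete, the following added example (not code from the manual) shows how trivially a login is recovered from captured Telnet traffic: it strips the RFC 854 option negotiation and then pairs the server's login and password prompts with the bytes the client types. The capture is constructed for this example, as an ordered list of (direction, payload) TCP segments; the banner, user name and password in it are invented.

```python
"""Recovering a Telnet login from captured traffic (added example, not from the
manual). CAPTURE is constructed for this example: (direction, payload) TCP
segments in order, 'S>C' for switch-to-client and 'C>S' for client-to-switch.
"""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0            # Telnet command bytes (RFC 854)
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}       # WILL, WONT, DO, DONT: each followed by one option byte

PROMPT_RE = re.compile(rb"(login|username|password)\s*:\s*$", re.IGNORECASE)


def strip_telnet_options(data: bytes) -> bytes:
    """Remove Telnet option negotiation so only the bytes typed or displayed remain."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                         # dangling IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                         # IAC IAC escapes a literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:                        # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif cmd in NEGOTIATE:                 # IAC <WILL|WONT|DO|DONT> <option>
            i += 3
        else:                                  # any other two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def reap_telnet_credentials(segments):
    """Return [(user, password), ...] found in an ordered list of (direction, payload) segments.

    The server's prompt says what the client is about to type; client keystrokes are
    accumulated until end of line because a Telnet client may send one character per segment.
    """
    creds, expecting, user, typed = [], None, None, bytearray()
    for direction, payload in segments:
        text = strip_telnet_options(payload)
        if direction == "S>C":
            m = PROMPT_RE.search(text)
            if m:
                expecting = m.group(1).lower()
                typed.clear()
            continue
        if expecting is None:                  # client bytes outside a login prompt: ignore
            continue
        typed += text
        if b"\r" not in typed and b"\n" not in typed:
            continue                           # line not complete yet
        line = typed.split(b"\r")[0].split(b"\n")[0].decode("latin-1")
        typed.clear()
        if expecting == "password":
            creds.append((user, line))
            user = None
        else:
            user = line
        expecting = None
    return creds


# Constructed capture of one login, including option negotiation and a subnegotiation.
CAPTURE = [
    ("S>C", bytes([IAC, 0xFB, 0x01, IAC, 0xFB, 0x03]) + b"\r\nSwitch console (example)\r\n\r\nlogin: "),
    ("C>S", bytes([IAC, 0xFD, 0x01, IAC, SB, 0x18, 0x00, IAC, SE]) + b"a"),   # first keystroke
    ("C>S", b"dmin\r\n"),
    ("S>C", b"admin\r\nPassword: "),          # the server echoes the user name, never the password
    ("C>S", b"fabric1\r\n"),
    ("S>C", b"\r\nswitch:admin> "),
]

if __name__ == "__main__":
    print(reap_telnet_credentials(CAPTURE))   # [('admin', 'fabric1')]
```

Nothing here requires breaking anything: the password is simply present in the client-to-server bytes, which is why any host that can see management traffic (a mirrored port, a compromised host on the management backbone) can collect it. With SSH the same bytes are encrypted, so the capture yields nothing usable.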
