Security; User Account Security; Ip Security; Port Binding - HP StorageWorks SN6000 Installation And Reference Manual

Security

Security is available at the following levels:
• User account
• IP security, page 30
• Port binding, page 30
• Connection
• Device security, page 31

User account security

User account security consists of the administration of account names, passwords, expiration date, and
authority level. If an account has Admin authority, all management tasks can be performed by that account
in the CLI, QuickTools, and Simple SAN Connection Manager. Otherwise only monitoring tasks are
available. The default account name, Admin, is the only account that can create or add account names
and change passwords of other accounts. All users can change their own passwords. Account names and
passwords are always required when connecting to a switch.
Authentication of the user account and password can be performed locally using the switch's user account
database or it can be done remotely using a RADIUS server such as Microsoft RADIUS. Authenticating user
logins on a RADIUS server requires a secure management connection to the switch. For information about
securing the management connection, see
be used to authenticate devices and other switches as described in
Consider your management needs and determine the number of user accounts, their authority needs, and
expiration dates. Also consider the advantages of centralizing user administration and authentication on a
RADIUS server. Use the CLI to configure RADIUS servers. For more information about RADIUS server
configuration, see the HP StorageWorks SN6000 Fibre Channel Switch Command Line Interface Guide.
NOTE: If the same user account exists on a switch and its RADIUS server, that user can login with either
password, but the authority and account expiration will always come from the switch database.

IP security

IP Security provides encryption-based security for IP version 4 and IP version 6 communications through the
use of security policies and associations. Policies can define security for host-to-host, host-to-gateway, and
gateway-to-gateway connections; one policy for each direction. For example, to secure the connection
between two hosts, you need two policies: one for outbound traffic from the source to the destination, and
another for inbound traffic to the source from the destination.
A security association defines which encryption algorithm and encryption key to apply when called by a
security policy. A security policy may call several associations at different times, but each association is
related to only one policy. When planning IP security, consider the connections to be secured and the
encryption methods to be used.

Port binding

Port binding provides authorization for a list of up to 32 switch and device WWNs that are permitted to
log in to a particular switch port. Switches or devices that are not among the 32 are refused access to the
port. Consider what ports to secure and the set of switches and devices that are permitted to log in to those
ports. Use the CLI to configure port binding. For more information about port binding configuration, see
the HP StorageWorks SN6000 Fibre Channel Switch Command Line Interface Guide.

Connection security

Connection security provides an encrypted data path for switch management methods. The switch supports
the Secure Shell (SSH) protocol for the command line interface and the Secure Socket Layer (SSL) protocol
for management applications such as QuickTools and SMI-S. Use the CLI to configure SSH and SSL. For
more information about SSH and SSL configuration, see the HP StorageWorks SN6000 Fibre Channel
Switch Command Line Interface Guide.
30
security, page 30
security, page 30
"Connection security" on page 30. A RADIUS server can also
"Device security" on page 31.