HP StorageWorks 2/24 FW 07.00.00/HAFM SW 08.06.00 McDATA Products in a SAN Env - Page 222
SANtegrity Authentication, Password safety, Management server CHAP authentication
Physical Planning Considerations 5

SANtegrity Authentication

System administrators can use the SAN management application to assign remote workstation access to directors and switches. Remote sessions are allowed for anyone on a customer intranet, disallowed completely, or restricted to specific workstations. Remote users must log into the SAN management application with a user name and password, just as when logging in to the local management server. Passwords are encrypted when sent across the network. By entering workstation IP addresses at the SAN management application, administrators can allow access from all user workstations or from only specific workstations.

For access through the SANpilot interface, the system administrator provides IP addresses of products to authorized users, assigns access usernames, and controls associated passwords.

SANtegrity Authentication enhances SAN security by providing a set of user-configurable, software-enforced features that restrict access to Fibre Channel fabric elements. Features protect against accidental or intentional attacks to fabric elements by not allowing connection of devices or management interfaces that cannot be identified. Security features are independent from one another and may be individually enabled or disabled by an administrator. SANtegrity Authentication features include:

• Password safety - When accessing a director or fabric switch for the first time through the command line interface (CLI) or SANpilot interface, the password must be changed. When accessing a director or switch for the first time through the maintenance port (enhanced serial authentication enabled), the password must be changed. Upon user login, the password is checked against the original default password. If the password and default password match, the user must change the password. This functionality addresses a common security defect where the default password is never changed.

• Management server CHAP authentication - Enhanced login security between a fabric element (director, fabric switch, or SAN router) and the management server is provided through challenge handshake authentication protocol (CHAP). A fabric element uses CHAP to authenticate any management server that attempts a connection.

5-16 McDATA Products in a SAN Environment - Planning Manual
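Added example, not taken from the HP/McDATA manual: a generic CHAP exchange as defined in RFC 1994, with the fabric element as authenticator and the management server as the peer being authenticated. It shows that the shared secret never crosses the link and that each challenge is single-use. The class and function names and the sample secret are hypothetical, and the product's actual message format is not described on this page.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class FabricElementAuthenticator:
    """Hypothetical authenticator role (the fabric element in the text above)."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._next_id = 0
        self._pending = {}  # identifier -> outstanding challenge

    def issue_challenge(self):
        # Fresh random challenge per attempt, so a captured response cannot be reused.
        identifier = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        # pop() makes each challenge single-use: a replayed response finds nothing.
        challenge = self._pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    secret = b"constructed-sample-secret"  # constructed value, not from the manual
    element = FabricElementAuthenticator(secret)

    ident, chal = element.issue_challenge()
    good = chap_response(ident, secret, chal)  # computed on the management server
    accepted = element.verify(ident, good)
    replayed = element.verify(ident, good)     # same response sent a second time

    ident2, chal2 = element.issue_challenge()
    wrong = element.verify(ident2, chap_response(ident2, b"wrong-secret", chal2))
    return accepted, replayed, wrong


if __name__ == "__main__":
    print(demo())
```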