HP A7533A HP StorageWorks Fabric OS 6.x administrator guide (5697-0015, May 20 - Page 86
Ensuring network security
UPC - 829160830858
View all HP A7533A manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 86 highlights
The security protocols are designed with the four main usage cases described in Table 17. Table 17 Main security scenarios Fabric Management interfaces Comments Nonsecure Nonsecure No special setup is needed to use Telnet or HTTP. Nonsecure Secure Secure Secure Secure protocols may be used. An SSL switch certificate must be installed if HTTPS is used. Secure protocols are supported on Fabric OS v4.1.0 and later switches. Switches running earlier Fabric OS versions can be part of the secure fabric, but they do not support secure management. Secure management protocols must be configured for each participating switch. Nonsecure protocols may be disabled on nonparticipating switches. If SSL is used, then certificates must be installed. Secure Nonsecure You must use SSH because Telnet is not allowed with some features, such as RADIUS. Nonsecure management protocols are necessary under these circumstances: The fabric contains switches running Fabric OS v3.2.0. The presence of software tools that do not support secure protocols: for example, Fabric Manager v4.0.0. The fabric contains switches running Fabric OS versions earlier than v4.4.0. Nonsecure management is enabled by default. Ensuring network security To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in 4.1.x and later. SSH encrypts all messages, including the client's transmission of password during login. The SSH package contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption algorithms, such as Blowfish-CBC and AES. NOTE: To maintain a secure network, you should avoid using Telnet or any other unprotected application when you are working on the switch. The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are in clear text. This includes the remote FTP server's login and password. This limitation affects the following commands: saveCore, configUpload, configDownload, and firmwareDownload. Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected. Fabric OS 4.1.0 and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, refer to the SSH IETF website: http://www.ietf.org/ids.by.wg/secsh.html For more information, refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman. 86 Configuring standard security features