HP StorageWorks 64 FW 07.00.00/HAFM SW 08.06.00 McDATA Products in a SAN Envir - Page 236
Security Best Practices, SANtegrity Authentication
Physical Planning Considerations
Security Best Practices

• Each server HBA is explicitly bound to a storage volume or LUN, and access is explicitly authorized (access is blocked by default).
• The process is compatible with OSI standards. The following are transparently supported:
  - Different operating systems and applications.
  - Different storage volume managers and file systems.
  - Different fabric devices, including disk drives, tape drives, and tape libraries.
• If the server is rebooted, the server-to-storage connection is automatically re-established.
• The connection is bound to a storage port WWN. If the fiber-optic cable is disconnected from the storage port, the server-to-storage connection is automatically re-established when the port cable is reconnected. The connection is automatically re-established if the storage port is cabled through a different director or switch port.

Access control can also be implemented at the storage device as an addition or enhancement to redundant array of independent disks (RAID) controller software. Data access is controlled within the storage device, and server HBA access to each LUN is explicitly limited (access is blocked by default). Storage-level access control:

• Provides control at the storage port and LUN level and does not require configuration at the server.
• Supports a heterogeneous server environment and multiple server paths to the storage device.
• Is typically proprietary and protects only a specific vendor's storage devices. Storage-level access control may not be available for many legacy devices.

When implementing an enterprise data security policy, establish a set of best practice conventions using methods described in this section in the following order of precedence (most restrictive listed first):

1. SANtegrity Authentication - The SANtegrity Authentication feature is recommended for high-security SANs to provide user-configurable, software-enforced password protection and encrypted authentication for the management server, directors, and fabric switches. These features significantly restrict access to Fibre Channel fabric elements.

5-30 McDATA Products in a SAN Environment - Planning Manual
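
The default-deny HBA-to-LUN binding described above can be modeled as a small access table. This is an added example, not code from the manual or from any HP or McDATA product; the class and function names, the WWN values, and the switch port labels are all constructed for illustration.

```python
import re

def norm_wwn(wwn):
    """Return a 64-bit WWN as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:\-\s]", "", str(wwn)).lower()
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))

class LunAccessTable:
    """Explicit HBA-to-LUN bindings; anything not bound is denied."""

    def __init__(self):
        self._bindings = set()

    def bind(self, hba_wwn, storage_port_wwn, lun):
        self._bindings.add((norm_wwn(hba_wwn), norm_wwn(storage_port_wwn), int(lun)))

    def is_allowed(self, hba_wwn, storage_port_wwn, lun, switch_port=None):
        # switch_port is accepted but deliberately ignored: the binding is to the
        # storage port WWN, so recabling through another switch port changes nothing.
        try:
            key = (norm_wwn(hba_wwn), norm_wwn(storage_port_wwn), int(lun))
        except (ValueError, TypeError):
            return False  # malformed identifiers fall through to default deny
        return key in self._bindings

    def unauthorized(self, observed):
        """Return the observed (hba, storage_port, lun, switch_port) tuples with no binding."""
        return [o for o in observed if not self.is_allowed(*o)]

# Constructed sample identifiers (not real device WWNs).
HBA_A = "10:00:00:00:00:00:00:0A"
HBA_B = "10-00-00-00-00-00-00-0b"
STORAGE_PORT = "50:00:00:00:00:00:00:01"

def demo():
    table = LunAccessTable()
    table.bind(HBA_A, STORAGE_PORT, 0)
    observed = [
        (HBA_A, STORAGE_PORT, 0, "switch1/port4"),        # bound: allowed
        (HBA_A, STORAGE_PORT, 0, "switch2/port9"),        # recabled: still allowed
        (HBA_A, STORAGE_PORT, 1, "switch1/port4"),        # LUN never bound
        (HBA_B, STORAGE_PORT, 0, "switch1/port7"),        # HBA never bound
        ("not-a-wwn", STORAGE_PORT, 0, "switch1/port8"),  # malformed identifier
    ]
    return table.unauthorized(observed)

if __name__ == "__main__":
    for entry in demo():
        print("DENY", entry)
```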