HP StorageWorks 8/20q HP StorageWorks 8/20q Fibre Channel Switch Installation - Page 26

Security Security is available at the following levels: • User account security, page 26 • IP security, page 26 • Port binding, page 26 • Connection security, page 26 • Device security, page 27 User account security User account security consists of the administration of account names, passwords, expiration date, and authority level. If an account has Admin authority, all management tasks can be performed by that account in the CLI, QuickTools, and Simple SAN Connection Manager. Otherwise only monitoring tasks are available. The default account name, Admin, is the only account that can create or add account names and change passwords of other accounts. All users can change their own passwords. Account names and passwords are always required when connecting to a switch. Authentication of the user account and password can be performed locally using the switch's user account database or it can be done remotely using a RADIUS server such as Microsoft RADIUS. Authenticating user logins on a RADIUS server requires a secure management connection to the switch. For information about securing the management connection, see "Connection security" on page 26. A RADIUS server can also be used to authenticate devices and other switches as described in "Device security" on page 27. Consider your management needs and determine the number of user accounts, their authority needs, and expiration dates. Also consider the advantages of centralizing user administration and authentication on a RADIUS server. Use the CLI to configure RADIUS servers. For more information about RADIUS server configuration, see the HP StorageWorks 8/20q Fibre Channel Switch Command Line Interface Guide. NOTE: If the same user account exists on a switch and its RADIUS server, that user can login with either password, but the authority and account expiration will always come from the switch database. IP security IP Security provides encryption-based security for IP version 4 and IP version 6 communications through the use of security policies and associations. Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections; one policy for each direction. For example, to secure the connection between two hosts, you need two policies: one for outbound traffic from the source to the destination, and another for inbound traffic to the source from the destination. A security association defines which encryption algorithm and encryption key to apply when called by a security policy. A security policy may call several associations at different times, but each association is related to only one policy. When planning IP security, consider the connections to be secured and the encryption methods to be used. Port binding Port binding provides authorization for a list of up to 32 switch and device WWNs that are permitted to log in to a particular switch port. Switches or devices that are not among the 32 are refused access to the port. Consider what ports to secure and the set of switches and devices that are permitted to log in to those ports. Use the CLI to configure port binding. For more information about port binding configuration, see the HP StorageWorks 8/20q Fibre Channel Switch Command Line Interface Guide. Connection security Connection security provides an encrypted data path for switch management methods. The switch supports the Secure Shell (SSH) protocol for the command line interface and the Secure Socket Layer (SSL) protocol for management applications such as QuickTools and SMI-S. Use the CLI to configure SSH and SSL. For more information about SSH and SSL configuration, see the HP StorageWorks 8/20q Fibre Channel Switch Command Line Interface Guide. 26