Sun Datacenter InfiniBand Switch 36 Security Guide

Store spare replaceable components in a locked cabinet. Allow access to the
locked cabinet by authorized personnel only.

Record serial numbers

Security-mark all significant items including replaceable components. Use
special ultraviolet pens or embossed labels.

Keep a serial number record of all your hardware.

Keep copies of invoices, purchasing records, and licenses in a secure location
that is easily accessible to the system manager during system emergencies.
These printed documents might be the only proof of ownership.

Software Security

Most hardware security is implemented through software measures.

Refer to the switch documentation for additional guidelines to implement security
features within the firmware.

Implement port security to limit access based upon MAC addresses. Disable
auto-trunking on all ports.

Manage the switch out-of-band on a separate dedicated network. This
management network is separate from data traffic and the general network.

If out-of-band management is not feasible, then dedicate a unique VLAN number
solely for in-band management.

Change all default passwords when installing a new switch. The switch has four
default user accounts and respective passwords:

ilom-admin – The ilom-admin user has administrator privileges for the CLI, web, and IPMI interfaces. The default password is ilom-admin. Change the password with the Oracle ILOM set /SP/users/ilom-admin password command.

ilom-operator – The ilom-operator user has read-only privileges for the CLI and web interfaces. The default password is ilom-operator. Change the password with the Oracle ILOM set /SP/users/ilom-operator password command.

root – The root user has superuser privileges. The default password is changeme. Change the password with the passwd command.

nm2user – The nm2user has read-only privileges for the CLI interface. The default password is changeme. Change the password with the passwd command.

Schedule and regularly change every password on the switch, especially when
configured with additional user accounts.
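
One way to check the rotation schedule for the accounts that are changed with passwd, as an added example that is not part of the guide or Oracle's tooling. It assumes root, nm2user, and any additional accounts are recorded in a standard shadow(5)-format file; the fabricmon account, the 90-day policy, and the sample lines are constructed for illustration, and the Oracle ILOM accounts are not covered.

```shell
#!/bin/sh
# Added example (not from the guide): password-age audit for the switch's
# Linux accounts, using shadow(5) fields name:hash:lastchg:... where lastchg
# is the day of the last password change, counted from 1970-01-01.

# audit_rotation FILE TODAY MAX_AGE -> one "user status age" line per account
# that can log in with a password. TODAY and MAX_AGE are in days.
audit_rotation() {
    awk -F: -v today="$2" -v max="$3" '
        $2 ~ /^[!*]/ { next }                 # locked or no-login account
        $2 == ""     { print $1, "NO_PASSWORD", "-"; next }
        $3 == ""     { print $1, "NO_DATE", "-"; next }
        {
            age = today - $3
            print $1, (age > max ? "OVERDUE" : "OK"), age
        }
    ' "$1"
}

# Constructed sample; the hashes are placeholders, not real password hashes.
# "fabricmon" is a hypothetical additional account.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder$constructed:19790:0:99999:7:::
nm2user:$6$placeholder$constructed:19500:0:99999:7:::
fabricmon:$6$placeholder$constructed::0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
}

# Demo run: day 19800, 90-day rotation policy (policy value is an assumption).
tmp=$(mktemp)
sample_shadow > "$tmp"
audit_rotation "$tmp" 19800 90
rm -f "$tmp"
```

On a live system, run it as root against /etc/shadow and pass `$(( $(date +%s) / 86400 ))` as the current day.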

Summary of Contents for Sun Datacenter InfiniBand Switch 36

Page 1: ...Sun Datacenter InfiniBand Switch 36 Hardware Security Guide Part No E26701 02 March 2013 ...

Page 3: ...1 Planning a Secure Environment 2 Hardware Security 2 Software Security 3 Oracle ILOM Firmware 4 VLAN Security 4 Infiniband Security 4 User Accounts 5 System Logs 5 Maintaining a Secure Environment 5 Asset Tracking 5 Updates for Software and Firmware 6 Network Access 6 Data Protection 6 Log Security 7 ...

Page 5: ...otect your hardware or data from intrusion For hardware access limits usually mean physical access limits For software access is limited through both physical and virtual means Firmware cannot be changed except through the Oracle update process Authentication Set up the authentication features such as a password system in your switch to ensure that users are who they say they are Ensure that your ...

Page 6: ...stallation and configuration of the switch Hardware Security on page 2 Software Security on page 3 Oracle ILOM Firmware on page 4 VLAN Security on page 4 Infiniband Security on page 4 User Accounts on page 5 System Logs on page 5 Hardware Security Physical hardware can be secured simply by limiting access to the hardware and recording serial numbers Restrict access Install the switch in a locked r...

Page 8: ...a unique native VLAN number to trunk ports Limit the VLANs that can be transported over a trunk to only those that are strictly required Disable VLAN Trunking Protocol VTP if possible Otherwise set the following for VTP management domain password and pruning Then set VTP into transparent mode Infiniband Security Keep Infiniband hosts and switches secure An Infiniband fabric is only as secure as it...

Page 9: ...authorized access is prohibited System Logs Enable logging and send logs to a dedicated secure log host Configure logging to include accurate time information using NTP and timestamps Maintaining a Secure Environment After the initial installation and setup use Oracle hardware and software security features to continue controlling hardware and tracking system assets Asset Tracking on page 5 Update...

Page 10: ...g SSH instead of Telnet Telnet passes user names and passwords in clear text potentially allowing everyone on the LAN segment to see login credentials Set a strong password for SSH Configure and use version 3 v3 of SNMP to provide secure transmissions Versions v1 and v2c of SNMP are not secure and transmit authentication data in unencrypted text Change the default SNMP community string PUBLIC to a...

Page 11: ...to a system hard drive When replacing an old management controller physically destroy the controller or completely erase all the data in the controller s filesystem Use disk wiping software to completely erase all data on the filesystem Log Security Inspect and maintain your log files on a regular schedule Review both system and Oracle ILOM logs for possible incidents and archive them in accordanc...
