84
Configuring standard security features
The security protocols are designed with the four main usage cases described in Table 18.
Ensuring network security
To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in v4.1.x and later. SSH encrypts all messages, including the client's transmission of the password during login. The SSH package contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption algorithms, such as Blowfish-CBC and AES.
NOTE:
To maintain a secure network, you should avoid using telnet (you can use secTelnet if you are
using FOS 2.6 or later, or 3.1 or later) or any other unprotected application when you are working on the
switch. For example, if you use telnet to connect to a machine, and then start an SSH or secure telnet
session from that machine to the switch, the communication to the switch is in clear text and therefore is not
secure.
The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are in clear text. This includes the remote FTP server's login and password. This limitation affects the following commands: saveCore, configUpload, configDownload, and firmwareDownload.
Commands that require a secure login channel must be issued from an original SSH session. If you start an
SSH session, and then use the login command to start a nested SSH session, commands that require a
secure channel will be rejected.
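The two pitfalls above (clear-text telnet/FTP/HTTP reaching a switch, and an SSH session to the switch launched from a host that was itself reached over telnet) can be checked from flow records. The following audit is an added example, not part of the guide or of Fabric OS: the flow format, the switch address 192.168.10.20 and the ten-minute hop window are constructed assumptions.

```python
from collections import namedtuple

# Port classes as the guide describes them: clear-text vs encrypted management.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
SECURE_PORTS = {22: "ssh", 443: "https"}
Flow = namedtuple("Flow", "t src dst dport")   # t = epoch seconds

def parse_flows(lines):
    """Parse constructed 'epoch src dst dport' records; '#' starts a comment."""
    flows = []
    for line in lines:
        fields = line.split("#")[0].split()
        if fields:
            t, src, dst, dport = fields
            flows.append(Flow(int(t), src, dst, int(dport)))
    return flows

def audit(flows, switches, hop_window=600):
    """Return (kind, detail) findings for management traffic to/from switches."""
    findings, telnet_into = [], {}   # telnet_into: host -> last telnet login time
    for f in sorted(flows, key=lambda x: x.t):
        if f.dport == 23:
            telnet_into[f.dst] = f.t
        if f.src not in switches and f.dst not in switches:
            continue
        if f.dport in CLEARTEXT_PORTS:
            # telnet/HTTP to the switch, or the switch's own FTP transfer
            # (configUpload, configDownload, firmwareDownload, saveCore)
            findings.append(("cleartext", f"{CLEARTEXT_PORTS[f.dport]} {f.src}->{f.dst}"))
        elif f.dport in SECURE_PORTS and f.dst in switches:
            # nested case from the NOTE: SSH to the switch from a host that was
            # itself reached over telnet shortly before, so the first hop leaks
            last = telnet_into.get(f.src)
            if last is not None and f.t - last <= hop_window:
                findings.append(("nested_via_telnet", f"{f.src}->{f.dst} after telnet into {f.src}"))
    return findings

# Constructed flow records; 192.168.10.20 plays the switch management address.
SAMPLE = """
1700000000 10.0.0.5      192.168.10.20 22  # admin SSH straight to the switch
1700000100 10.0.0.9      10.0.0.7      23  # telnet into a jump host
1700000160 10.0.0.7      192.168.10.20 22  # SSH from that jump host within 10 min
1700000300 192.168.10.20 10.0.0.50     21  # switch pushes a config to an FTP server
1700000400 10.0.0.9      192.168.10.20 80  # HTTP to the switch
1700005000 10.0.0.7      192.168.10.20 22  # SSH from jump host much later: not flagged
"""

def run_sample():
    return audit(parse_flows(SAMPLE.splitlines()), {"192.168.10.20"})
```

Running `run_sample()` on the constructed records yields one nested-via-telnet finding and two clear-text findings (the FTP transfer and the HTTP session); the direct SSH logins are not reported.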
Table 18 Main security scenarios

Fabric: Nonsecure. Management interfaces: Nonsecure.
Comments: No special setup is needed to use telnet or HTTP. An HP switch certificate must be installed if sectelnet is used.

Fabric: Nonsecure. Management interfaces: Secure.
Comments: Secure protocols may be used. An SSL switch certificate must be installed if SSH/HTTPS is used.

Fabric: Secure. Management interfaces: Secure.
Comments: Secure protocols are supported on Fabric OS 4.4.0 (and later) switches. Switches running earlier Fabric OS versions can be part of the secure fabric, but they do not support secure management. Secure management protocols must be configured for each participating switch. Nonsecure protocols may be disabled on nonparticipating switches. If SSL is used, then certificates must be installed.

Fabric: Secure. Management interfaces: Nonsecure.
Comments: You must use sectelnet because telnet is not allowed in secure mode. Nonsecure management protocols are necessary under these circumstances:
• The fabric contains switches running Fabric OS 3.2.0.
• The presence of software tools that do not support secure protocols: for example, Fabric Manager 4.0.0.
• The fabric contains switches running Fabric OS versions earlier than 4.4.0. Nonsecure management is enabled by default.
Source: HP StorageWorks Fabric OS 5.2.x administrator guide (AE370A - Brocade 4Gb SAN Switch 4/12), part number 5697-0014, fifth edition, May 2009.