Administrators Guide (Supporting Fabric OS v7.3.0) Manual

DH group choices are 1 (modp768), 2 (modp1024), 14 (modp2048), and 18 (modp8192). Each successive group provides a stronger key exchange by using a larger modulus (768, 1024, 2048, and 8192 bits). Groups 1 and 2 (768- and 1024-bit moduli) are no longer considered adequate against a well-resourced attacker; choose group 14 or higher wherever the peer supports it.
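The following is an added example, not code from the guide or from the Brocade product, showing what the group choice above means in practice: a Diffie-Hellman exchange carried out over the 768-, 1024- and 2048-bit MODP groups, using the published group primes from RFC 2409 (groups 1 and 2) and RFC 3526 (group 14) with generator 2. Group 18 is left out only to keep the constants short. The function and variable names are this example's own; the peer-value validation and the SHA-256 step standing in for the IKE PRF are illustrative assumptions, not the switch's implementation.

```python
"""Diffie-Hellman over the IKE MODP groups (added example, stdlib only)."""
import hashlib
import secrets


def _hex_to_int(text: str) -> int:
    """Parse a whitespace-separated hex constant as printed in the RFCs."""
    return int("".join(text.split()), 16)


# Published group moduli; the generator is 2 for all of them.
MODP_GROUPS = {
    # RFC 2409 section 6.1, "First Oakley Default Group" (768 bits)
    1: _hex_to_int("""
        FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
        29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
        EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
        E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"""),
    # RFC 2409 section 6.2, "Second Oakley Group" (1024 bits)
    2: _hex_to_int("""
        FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
        29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
        EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
        E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
        EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
        FFFFFFFF FFFFFFFF"""),
    # RFC 3526 section 3, 2048-bit MODP group
    14: _hex_to_int("""
        FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
        29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
        EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
        E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
        EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
        C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
        83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
        670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
        E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
        DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
        15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"""),
}
GENERATOR = 2


def is_probable_prime(n: int, rounds: int = 12) -> bool:
    """Miller-Rabin with random bases; enough to sanity-check a group constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """True if p and (p-1)/2 are both prime, as the MODP groups are designed to be."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def peer_value_is_valid(y: int, p: int) -> bool:
    """Reject a peer's public value if it would let the peer dictate the secret.

    Values 0, 1 and p-1 force the shared secret to 0, 1 or +-1; values outside
    the order-(p-1)/2 subgroup generated by 2 leak a bit of the private exponent.
    """
    if not 2 <= y <= p - 2:
        return False
    return pow(y, (p - 1) // 2, p) == 1


def dh_exchange(group: int) -> dict:
    """Run both sides of one exchange in the given group and report the result."""
    p = MODP_GROUPS[group]
    # Private exponents chosen uniformly from [2, p-2]; IKE requires them to be
    # at least as long as the strength the group is meant to provide.
    a = 2 + secrets.randbelow(p - 3)
    b = 2 + secrets.randbelow(p - 3)
    ya = pow(GENERATOR, a, p)  # initiator's KE payload
    yb = pow(GENERATOR, b, p)  # responder's KE payload
    if not (peer_value_is_valid(ya, p) and peer_value_is_valid(yb, p)):
        raise ValueError("invalid Diffie-Hellman public value")
    ka = pow(yb, a, p)
    kb = pow(ya, b, p)
    size = (p.bit_length() + 7) // 8
    return {
        "group": group,
        "modulus_bits": p.bit_length(),
        "agreed": ka == kb,
        # IKE feeds g^xy, fixed-width big-endian, into its PRF; SHA-256 stands in here.
        "secret_digest": hashlib.sha256(ka.to_bytes(size, "big")).hexdigest(),
    }


if __name__ == "__main__":
    for g, p in MODP_GROUPS.items():
        r = dh_exchange(g)
        print(f"group {g:2d}: {r['modulus_bits']} bits, safe prime={is_safe_prime(p)}, "
              f"agreed={r['agreed']}, secret sha256={r['secret_digest'][:16]}...")
```

Running the block prints one line per group; the timing difference between group 2 and group 14 is the cost of the larger modulus, which is the price of the extra security margin. The subgroup check in `peer_value_is_valid` is the step most ad hoc implementations omit; it is cheap and closes the small-subgroup and trivial-value cases.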
Authentication methods
The methods used to authenticate the IKE peer are preshared key (psk), DSS digital signature (dss),
and RSA digital signature (rsasig):
A preshared key (PSK) is a secret that both parties obtain over a secure channel before it is used.
Typically, the PSK is a password or passphrase. PSKs are created on the end systems used by the two
parties. Several tools are available to help select a strong key that works with various operating
systems. When choosing a tool and creating a PSK, keep in mind that the cryptographic strength of a
key generally increases with its length and randomness; a short or guessable PSK undermines the
exchange regardless of the DH group selected.
The Digital Signature Standard (DSS) uses a private key to generate a digital signature. Each user
possesses a private and public key pair. Only the holder of the user's private key can generate a
signature. The digital signature is sent to the intended verifier in a message, and the verifier
checks the signature by using the sender's public key.
The RSA digital signature process applies the private key to a message digest (hash) of the data,
not to the data itself. The result is the digital signature and is attached to the original data. To
verify digitally signed data, the recipient generates a new message digest from the data that was
received, applies the originator's public key to the signature to recover the digest it was made
over, and compares the two digests. If they match, the integrity of the message is verified and the
identity of the originator is confirmed, because a signature that verifies under the public key can
only have been produced with the corresponding private key. Although this step is often described
as "encrypting the digest with the private key", signing uses its own padding and is not
interchangeable with RSA encryption.
IPsec over management ports
IPsec can be applied to the management port on a switch or a CP blade to establish a secure
connection between a PC or workstation and Web Tools. The connection can be used as a virtual
private network (VPN) interface to Web Tools.
At a high level, the steps to take are:
1. Access the Ethernet IPsec Policies dialog box.
2. Enable IPsec.
3. Create an IKE policy for authentication.
4. Create a security association (SA).
5. Create an SA proposal.
6. Add an IPsec Transform policy, referencing the IKE policy and the SA proposal.
7. Add an IPsec selector, which applies a Transform policy to a specific IP flow.
Enabling the Ethernet IPsec policies
To access the Ethernet IPsec Policies dialog box, perform the following steps.
1. Open the Switch Administration window.
2. Select Show Advanced Mode.
3. Select the Security Policies tab.
4. Under Security Policies, select Ethernet IPsec.
228 Web Tools Administrator's Guide
53-1003169-01