User Manual

Fabric OS 5.0.0 procedures user guide 39
3 Configuring standard security features
This chapter provides information and procedures for standard Fabric OS security features. Standard
Fabric OS features include account and password management. Additional security is available when
secure mode is enabled. For information about licensed security features available in Secure Fabric OS,
refer to the HP StorageWorks Secure Fabric OS user guide.
This chapter contains the following sections:
Ensuring network security, page 39
Configuring the telnet interface, page 40
Blocking listeners, page 41
Accessing switches and fabrics, page 42
Creating and maintaining user-defined accounts, page 43
Changing an account password, page 45
Setting up RADIUS AAA service, page 46
Configuring for the SSL protocol, page 54
Configuring for SNMP, page 60
Configuring secure file copy, page 69
Setting the boot PROM password, page 70
Recovering forgotten passwords, page 73
Ensuring network security
To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions. SSH encrypts all messages,
including the client's transmission of the password during login. The SSH package contains a daemon (sshd),
which runs on the switch. The daemon supports a wide variety of encryption algorithms, such as
Blowfish-CBC and AES.
NOTE: To maintain a secure network, you should avoid using telnet or any other unprotected
application when you are working on the switch. For example, if you use telnet to connect to a machine
and then start an SSH or secure telnet session from that machine to the switch, the telnet leg of the path to
the switch is in clear text, and therefore the communication is not secure.
The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are
in clear text. This includes the remote FTP server's login and password. This limitation affects the following
commands: savecore, configupload, configdownload, and firmwaredownload.
Commands that require a secure login channel must be issued from an original SSH session. If you start
an SSH session and then use the login command to start a nested SSH session, commands that require a
secure channel are rejected.