Part 5 Storage Security Best Practices and Support Information HP SAN Design Reference Guide 785355-001

Port security
C-series port security features prevent unauthorized access to a switch port by:
• Rejecting login requests from unauthorized Fibre Channel devices or switches
• Reporting all intrusion attempts to the SAN administrator through system messages
• Using the CFS infrastructure for configuration distribution, restricted to CFS-enabled switches
Fabric binding
C-series switches in a fabric binding configuration ensure that ISLs are enabled between authorized
switches only. This feature prevents unauthorized switches from disrupting traffic or joining the
fabric. The EFMD protocol compares the list of authorized switches on each switch in the fabric.
C-series IP SAN security
This section describes the C-series IP SAN security features.
IPsec
C-series IPsec features ensure secure transmissions at the network layer. IPsec protects and authenticates IP packets between participating devices (peers) over unprotected networks. IPsec provides the following security services:
• Data confidentiality—Packets are encrypted by the sending device before transmitting them over the network.
• Data integrity—Packets are authenticated by the receiving device to ensure that data has not been altered during transmission.
• Data-origin authentication—The packet source can be authenticated by the receiving device.
• Anti-replay protection—Replayed packets can be detected and rejected by the IPsec receiver.
CHAP authentication
C-series IP modules support CHAP, which uses a three-way handshake to ensure the validity of remote clients. C-series CHAP requires that you configure a password, which the switch presents to the iSCSI initiator. This password is used to calculate a CHAP response to a CHAP challenge sent to the IP port by the initiator.
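As an added illustration of the three-way handshake described above (not code from the guide or from any C-series product), the Python below implements CHAP with the MD5 algorithm as specified in RFC 1994 and used by iSCSI: the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator compares that with its own computation. The roles follow the page's scenario, where the initiator challenges the IP port; the class names, the 16-byte challenge length and the sample secrets are assumptions made for the example.

```python
import hashlib
import hmac
import os

# RFC 1994, section 4.1: Response = MD5(Identifier || Secret || Challenge).
# MD5 is mandated by the CHAP algorithm iSCSI uses (CHAP_A=5), hence usedforsecurity=False.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the CHAP response for one challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge,
                       usedforsecurity=False).digest()


class Authenticator:
    """The side that issues the challenge and verifies the response.

    In the page's scenario this is the iSCSI initiator checking the IP port."""

    def __init__(self, secret: bytes, challenge_len: int = 16):
        self.secret = secret
        self.challenge_len = challenge_len
        self._pending = {}  # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        # Step 1: a fresh random challenge, so a captured response cannot be replayed.
        chal = os.urandom(self.challenge_len)
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, response: bytes) -> bool:
        # Step 3: each challenge is usable exactly once.
        chal = self._pending.pop(identifier, None)
        if chal is None:
            return False
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """The side that proves knowledge of the configured password
    (the C-series IP port in the page's scenario)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        # Step 2: the secret itself never leaves the peer, only the hash.
        return chap_response(identifier, self.secret, challenge)


def run_handshake(auth_secret: bytes, peer_secret: bytes, identifier: int = 1) -> bool:
    """Run the full three-way exchange and return the authenticator's verdict."""
    auth = Authenticator(auth_secret)
    peer = Peer(peer_secret)
    chal = auth.challenge(identifier)           # 1. Challenge
    resp = peer.respond(identifier, chal)       # 2. Response
    return auth.verify(identifier, resp)        # 3. Success or Failure


if __name__ == "__main__":
    # Constructed sample secrets, not values from the page.
    print(run_handshake(b"sample-secret", b"sample-secret"))  # True
    print(run_handshake(b"sample-secret", b"wrong-secret"))   # False
```

Both sides must hold the same secret, which is why the guide has you configure the password on the switch and on the initiator; the challenge is random and single-use, so a response captured on the wire is useless against a later challenge.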
B-series Encryption Switch and Encryption FC Blade security
This section describes the security features for the B-series Encryption Switch and Encryption FC
Blade. For switch models and fabric rules, see “B-series switches and fabric rules” (page 91).
The B-series Encryption Switch is a high-performance, 32-port autosensing 8 Gb/s Fibre Channel
switch with data encryption/decryption and data compression capabilities. The switch is a
network-based solution that secures data-at-rest for tape and disk array LUNs using IEEE standard
AES 256-bit algorithms. Encryption and decryption engines provide in-line encryption services with
up to 96 Gb/s throughput for disk I/O (mix of ciphertext and cleartext traffic).
For more information about the B-series Encryption Switch, including deployment scenarios, see the Fabric OS Encryption Administrator's Guide, available at http://h18006.www1.hp.com/storage/saninfrastructure/switches/encrypt_sanswitch.html.
Features
• High-performance, scalable fabric-based encryption to enforce data confidentiality and privacy requirements
• Unparalleled encryption processing at up to 96 Gb/s to support heterogeneous enterprise data centers
HP storage security solutions 377