Part 5 Storage Security Best Practices and Support Information HP SAN Design Reference Guide 785355-001

Fabric OS uses RBAC to determine which commands are supported for each user.
Secure Shell
Fabric OS supports SSH encrypted sessions to ensure security. SSH encrypts all messages, including
client transmission of passwords during login. SSH includes a daemon (sshd), which runs on the
switch and supports many encryption algorithms, such as Blowfish-CBC and AES.
Commands that require a secure login channel must be issued from an original SSH session. Nested
SSH sessions will reject commands that require a secure channel.
NOTE: Fabric OS 4.1.0 (or later) supports SSH V2.0 (ssh2).
To ensure a secure network, avoid using Telnet or any other unprotected applications to communicate
with switches.
Hypertext Transfer Protocol over SSL
B-series WebTools support the use of HTTPS.
The SSL protocol provides secure access to a fabric through web-based management tools like
B-series WebTools. Switches configured for SSL grant access to the management tools through
HTTPS links. SSL uses PKI encryption to protect data. PKI is based on digital certificates obtained
from an Internet CA, which acts as the trusted agent. These certificates are based on the switch IP
address or fully qualified domain names.
NOTE: If you change the switch IP address or domain name after activating its digital certificate,
you may need to obtain and install a new certificate.
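The certificate note above has a concrete consequence: an HTTPS certificate is bound to the switch's IP address or fully qualified name, and once either changes the certificate no longer identifies the switch. The following is an added example, not code from the HP guide or from Fabric OS, of the name-matching check a browser or management tool performs. The certificate is a constructed dictionary in the shape Python's ssl.SSLSocket.getpeercert() returns; the switch name san-sw01.example.net and the address 192.0.2.10 are hypothetical.

```python
"""Check whether a switch's HTTPS certificate still matches the address used to reach it.

Added example for this section; not code from the HP guide or from Fabric OS.
The certificate below is a constructed dictionary in the shape that Python's
ssl.SSLSocket.getpeercert() returns, and the switch names and addresses are
hypothetical.
"""
import ipaddress

# Constructed certificate: one DNS name and one IP address in subjectAltName,
# plus a commonName, as a switch certificate issued for both identities would carry.
SWITCH_CERT = {
    "subject": ((("commonName", "san-sw01.example.net"),),),
    "subjectAltName": (
        ("DNS", "san-sw01.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def cert_identities(cert):
    """Return (dns_names, ip_addresses) the certificate was issued for.

    subjectAltName is authoritative; the commonName is consulted only when the
    certificate carries no SAN at all, which is how current browsers treat it.
    """
    dns_names, ip_addrs = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ip_addrs.append(ipaddress.ip_address(value))
    if not dns_names and not ip_addrs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    try:
                        ip_addrs.append(ipaddress.ip_address(value))
                    except ValueError:
                        dns_names.append(value.lower().rstrip("."))
    return dns_names, ip_addrs


def dns_name_matches(pattern, hostname):
    """Exact match, or a wildcard whose single '*' label covers exactly one label."""
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.net"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return False


def cert_matches_address(cert, address):
    """True if `address` (an IP literal or a fully qualified name) is an identity in the cert."""
    dns_names, ip_addrs = cert_identities(cert)
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        host = address.lower().rstrip(".")
        return any(dns_name_matches(p, host) for p in dns_names)
    # An IP literal is compared only against IP identities: a certificate issued
    # for the old address fails here once the switch is renumbered.
    return ip in ip_addrs


def needs_new_certificate(cert, new_address):
    """The check behind the guide's note: a changed IP or domain name means re-enrolment."""
    return not cert_matches_address(cert, new_address)
```

Running needs_new_certificate(SWITCH_CERT, "192.0.2.11") after a renumbering returns True, which is the situation the note describes; a certificate that lists both the name and the address survives a change to either one only if the management tools keep using the identity that is still valid.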
Browser and Java support
Fabric OS 4.4.0 (or later) supports the following browsers for SSL connections:
• Internet Explorer (Microsoft Windows)
• Mozilla (Oracle Solaris and Red Hat Linux)
NOTE: In countries that allow the use of 128-bit encryption, use the current version of the browser.
Upgrade to the Java 1.5.0_06 plug-in on the management station.
SNMP
B-series switches have an SNMP agent and MIB, which allow the administrator to program tools
to set up switch variables and enterprise-level management processes. The SNMP ACL allows the
administrator to restrict SNMP get and set operations to particular hosts and IP addresses, which
provides enhanced security for the SAN.
NOTE: B-series switches support SNMP v3 and SNMP v1.
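To make the SNMP ACL concrete, here is an added example, not Fabric OS code and not from the HP guide, of how such an access list is evaluated: each entry names a host or subnet and states separately whether get and set are permitted, entries are checked in order, and a source matching no entry is denied. The rule structure, the subnets 192.0.2.0/24 and 198.51.100.7/32, and the sample requests are all constructed for illustration; a real switch keeps its ACL in its own configuration.

```python
"""Evaluate an SNMP access list of the kind the guide describes: which hosts may
issue get and set operations against a switch.

Added example, not Fabric OS code: the rule structure, the permitted hosts and
the sample requests are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    network: object        # an ipaddress.IPv4Network or IPv6Network
    allow_get: bool
    allow_set: bool
    label: str = ""


# Constructed ACL: a monitoring subnet may only read, one management host may
# also write, and everything else falls through to default deny.
SNMP_ACL = [
    AclRule(ipaddress.ip_network("192.0.2.0/24"), allow_get=True, allow_set=False, label="NMS pollers"),
    AclRule(ipaddress.ip_network("198.51.100.7/32"), allow_get=True, allow_set=True, label="config host"),
]


def evaluate_snmp_request(acl, source, operation):
    """Return (allowed, reason) for an SNMP `get` or `set` from `source`.

    Rules are checked in order and the first rule whose network contains the
    source decides; a source matching no rule is denied (default deny).
    """
    if operation not in ("get", "set"):
        raise ValueError(f"unknown SNMP operation {operation!r}")
    addr = ipaddress.ip_address(source)
    for rule in acl:
        if addr in rule.network:
            permitted = rule.allow_set if operation == "set" else rule.allow_get
            verdict = "allowed" if permitted else "denied"
            return permitted, f"{verdict} by rule '{rule.label}' ({rule.network})"
    return False, "denied: source matches no ACL entry"


def audit_requests(acl, requests):
    """Run a batch of (source, operation) pairs and return the ones the ACL denies."""
    denied = []
    for source, operation in requests:
        allowed, reason = evaluate_snmp_request(acl, source, operation)
        if not allowed:
            denied.append((source, operation, reason))
    return denied


# Constructed sample traffic: a poller reading, the same poller attempting a
# write, the config host writing, and an unknown host reading.
SAMPLE_REQUESTS = [
    ("192.0.2.15", "get"),
    ("192.0.2.15", "set"),
    ("198.51.100.7", "set"),
    ("203.0.113.4", "get"),
]

if __name__ == "__main__":
    for entry in audit_requests(SNMP_ACL, SAMPLE_REQUESTS):
        print(entry)
```

Keeping set rights on a separate, narrow entry is the point of the ACL: a compromised or misconfigured poller on the monitoring subnet can still read switch variables but cannot change them. Note that the ACL limits who may talk to the agent, not how; with SNMP v1 the community string still crosses the network in clear text, so v3 with authentication and privacy remains the stronger choice where the management station supports it.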
Secure Copy
SCP uses SSH to securely transfer files between systems. The administrator can use the Fabric OS
configure command to select SCP for uploads and downloads.
NOTE: FTP is not a secure protocol. File contents are in clear text during transfer, including remote
login information. This limitation affects the following commands: saveCore, configUpload,
configDownload, and firmwareDownload.
HP storage security solutions 379