Part 5 Storage Security Best Practices and Support Information HP SAN Design Reference Guide 785355-001

IPFilter policy
The B-series IPFilter policy applies a set of rules to IP management interfaces as a packet filtering
firewall. The firewall permits or denies traffic through the IP management interfaces according to
policy rules.
Consider the following when setting IPFilter policies:
Fabric OS supports multiple IPFilter policies, which can be defined at the same time. Each
policy is identified by name and has an associated IPFilter type (IPv4 or IPv6). Do not mix
IPFilter and IP address types. You can have up to six IPFilter policies defined, but only one
IPFilter policy for each IPFilter type can be activated on the management IP interface.
Audit messages are generated for changes to the IPFilter policies.
The IPFilter policy rules are examined one by one in a list until the end of the list is reached.
To ensure optimal performance, the most important rules should be listed first.
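The policy constraints and in-order rule evaluation described above, modelled in Python as an added example (not HP or Brocade code): the policy name, the sample addresses and ports are constructed, and the action taken when no rule matches is an assumption the page does not settle.

```python
import ipaddress
from dataclasses import dataclass, field
MAX_POLICIES = 6  # the page allows up to six IPFilter policies to be defined

@dataclass
class Rule:
    source: str    # host address or CIDR block the rule matches on (constructed values below)
    dst_port: int  # destination port on the management interface, e.g. 22 for SSH
    protocol: str  # "tcp" or "udp"
    action: str    # "permit" or "deny"

@dataclass
class Policy:
    ip_type: int   # 4 or 6; a policy carries exactly one IPFilter type
    rules: list = field(default_factory=list)

class IPFilter:
    def __init__(self):
        self.policies = {}
        self.active = {4: None, 6: None}   # only one activated policy per IPFilter type
    def create(self, name, ip_type):
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("at most six IPFilter policies may be defined")
        self.policies[name] = Policy(ip_type)
    def add_rule(self, name, rule):
        pol = self.policies[name]
        net = ipaddress.ip_network(rule.source, strict=False)
        if net.version != pol.ip_type:   # never mix IPFilter type and IP address type
            raise ValueError(f"IPv{net.version} address in IPv{pol.ip_type} policy {name}")
        pol.rules.append(rule)
    def activate(self, name):
        pol = self.policies[name]
        self.active[pol.ip_type] = pol   # replaces the previously active policy of that type
    def check(self, src_ip, dst_port, protocol, default="deny"):
        ip = ipaddress.ip_address(src_ip)
        pol = self.active[ip.version]
        for rule in (pol.rules if pol else []):   # examined one by one; first match decides
            if (ip in ipaddress.ip_network(rule.source, strict=False)
                    and rule.dst_port == dst_port and rule.protocol == protocol):
                return rule.action
        return default   # assumption: the page does not state what happens with no match

def build_sample_filter():
    """Constructed sample: permit SSH from one admin subnet, then deny SSH from everywhere."""
    f = IPFilter()
    f.create("mgmt_v4", 4)
    f.add_rule("mgmt_v4", Rule("10.0.0.0/24", 22, "tcp", "permit"))  # most important rule first
    f.add_rule("mgmt_v4", Rule("0.0.0.0/0", 22, "tcp", "deny"))
    f.activate("mgmt_v4")
    return f
```

Because evaluation stops at the first match, the broad deny rule only takes effect for sources the earlier permit rule did not cover, which is why ordering matters.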
Data protection
This section describes features for data protection with B-series Fabric OS.
Fibre Channel ACLs
B-series Fabric OS uses ACLs to restrict access to data resources based on defined policies.
Fabric OS provides the following policies:
FCS policy—Determines which switches can change fabric configurations
DCC policies—Determine which Fibre Channel device ports can connect to which switch ports
SCC policy—Determines which switches can join with another switch
IPFilter policy—Filters traffic based on IP addresses
Each supported policy is identified by name; only one policy of each type can exist (except for
DCC policies).
Table 194 (page 380) describes the methods for identifying policy numbers.
Table 194 Methods for identifying policy numbers
Switch name   Domain ID   Switch port WWN   Device port WWN   Policy
Yes           Yes         Yes               No                FCS_POLICY
Yes           Yes         Yes               Yes               DCC_POLICY_nnn
Yes           Yes         Yes               No                SCC_POLICY
Authentication policy
By default, Fabric OS uses DHCHAP or FCAP for switch authentication. These protocols use shared
secrets and digital certificates, based on switch WWN and PKI technology. Authentication
automatically defaults to FCAP if both switches are configured for FCAP.
Consider the following when configuring authentication with Fabric OS:
Fabric OS 5.3.0 (or later) is required for DHCHAP.
DHCHAP requires the definition of a pair of shared secrets, known as a secret key pair. Each
switch can share a secret key pair with any other switch or host in the fabric.
PKI certificates must be installed on both switches to use FCAP.
DHCHAP and FCAP are not compatible with SLAP, which is the only protocol supported in
Fabric OS 3.1 and 4.2.
Fabric OS 5.3.0 switch-to-switch authentication is backward compatible with 3.2, 4.2, 4.4,
5.0, 5.1, and 5.2.
380 Storage security