Part 5 Storage Security Best Practices and Support Information HP SAN Design Reference Guide 785355-001

Zoning
This section describes configuration recommendations for:
• “Zoning enforcement” (page 387)
• “Zoning guidelines” (page 387)
• “EBS zoning” (page 389)
• “Zone naming” (page 389)
Zoning enforcement
To protect against unauthorized access, Fibre Channel switches provide three types of zoning
enforcement (listed here in order of enforcement):
Access authorization
Access authorization provides frame-level access control in hardware and verifies the SID-DID
(source ID to destination ID) combination of each frame. The frame is delivered to the destination
only if that combination is specified as valid in the zone definition. This method offers a high
level of security and is classified as hard zoning because it requires hardware resources at the
ASIC level.
Discovery authentication
Discovery authentication occurs during access to the Name Server (NS) directory. The fabric
presents only a partial list of authorized devices from the NS directory. This method may be
enforced by software or hardware, depending on the switch model. When enforced by software,
this method is susceptible to security threats from unauthorized devices that violate Fibre
Channel protocols.
Soft-plus zoning by login authentication
In addition to discovery authentication, some switches enforce authentication at the Fibre
Channel protocol login frame level. For example, if a host sends a PLOGI frame to a device
that is not a member of its zone, the frame is dropped. Login authentication provides more
protection than discovery authentication but is not as secure as access authorization.
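The following model, added here as an illustration and not part of the HP guide, shows the three enforcement types above applied to a constructed two-zone fabric. It assumes a simplified fabric in which the Name Server reply is filtered under every type, access authorization checks the SID-DID pair of every frame, and login authentication checks only PLOGI frames; a device that skips the Name Server query or the PLOGI is therefore only stopped by access authorization.

```python
from dataclasses import dataclass
from enum import Enum

class Enforcement(Enum):
    ACCESS_AUTHORIZATION = 1      # hard zoning: SID-DID pair of every frame checked in hardware
    LOGIN_AUTHENTICATION = 2      # soft-plus: PLOGI to a port outside the zone is dropped
    DISCOVERY_AUTHENTICATION = 3  # soft: only the Name Server (NS) reply is filtered

NAME_SERVER = "0xFFFFFC"  # well-known address of the fabric Name Server, never zoned

@dataclass(frozen=True)
class Frame:
    sid: str   # 24-bit source fabric address (hex string)
    did: str   # 24-bit destination fabric address
    kind: str  # "NS_QUERY", "PLOGI" or "DATA"

# Constructed zone set (assumed addresses): host A <-> storage port T1, host B <-> storage port T2.
ZONES = {
    "zone_hostA_T1": {"0x010100", "0x020100"},
    "zone_hostB_T2": {"0x010200", "0x020200"},
}

class Fabric:
    def __init__(self, zones, enforcement):
        self.zones, self.enforcement = zones, enforcement

    def same_zone(self, a, b):
        return any(a in members and b in members for members in self.zones.values())

    def name_server_view(self, requester):
        """Under all three types, the NS reply lists only devices zoned with the requester."""
        visible = {p for members in self.zones.values() if requester in members for p in members}
        return sorted(visible - {requester})

    def deliver(self, frame):
        """Return True if the fabric forwards the frame to its destination port."""
        if frame.did == NAME_SERVER:
            return True  # fabric services are reachable from every port
        if self.enforcement is Enforcement.ACCESS_AUTHORIZATION:
            return self.same_zone(frame.sid, frame.did)  # checked for every frame
        if self.enforcement is Enforcement.LOGIN_AUTHENTICATION and frame.kind == "PLOGI":
            return self.same_zone(frame.sid, frame.did)  # checked at login only
        # Discovery authentication filters nothing beyond the NS reply, and login authentication
        # nothing beyond PLOGI: a device that ignores those protocol steps is not stopped here.
        return True

def outcomes(frame):
    """Map each enforcement type to whether the constructed fabric forwards the frame."""
    return {e.name: Fabric(ZONES, e).deliver(frame) for e in Enforcement}
```

Running `outcomes` on a frame from host B addressed to T1 (outside B's zone) shows why the guide ranks access authorization above login authentication, and login authentication above discovery authentication.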
The zone configuration and the switch model determine the type of zoning enforcement you can
implement in your SAN fabric. For information about the relationship of zone configuration with
zoning enforcement, see the following tables:
• Table 36 (page 121) (B-series)
• Table 50 (page 138) (C-series)
• Table 58 (page 150) (H-series)
Some system restrictions affect the movement of devices within the fabric, regardless of zoning
type. For example, some operating systems, such as HP-UX, create device file names based on the
24-bit fabric address and do not allow moving the device to a different port. A change in the
address causes the device to be treated as a different device.
Zoning guidelines
Use one of the following zoning methods:
• Operating system (minimum level required)
• HBA
• HBA port
• NPIV port
• 3PAR persistent ports
Zoning 387