Part 5 Storage Security Best Practices and Support Information HP SAN Design Reference Guide 785355-001

5. To ensure the validity of the peer, the server sends challenge messages at random intervals
and changes the CHAP identifiers frequently.
IPsec
IPsec is an open-standards framework that protects data transmission over IP networks using
cryptographic security services.
IPsec supports:
• Network-level peer authentication
• Data-origin authentication
• Data integrity
• Data encryption
• Replay protection
Microsoft bases its IPsec implementation on the standards developed by the IETF IPsec working
group.
Fibre Channel SAN security technologies
Fibre Channel SAN security is achieved through the FC-SP.
FC-SP
FC-SP protects data in transit; it does not protect data stored on the Fibre Channel network. FC-SP
is a project of the Technical Committee T11, within the International Committee for Information
Technology Standards, which is responsible for developing Fibre Channel interfaces (see
http://www.t11.org).
FC-SP uses:
• Authentication of Fibre Channel devices (device-to-device authentication)
• Cryptographically secure key exchange
• Cryptographically secure communication between Fibre Channel devices
Encryption security technologies
Encryption security is achieved through DES, AES, and key management.
Data Encryption Standard
DES is a symmetric block cipher that encrypts data in 64-bit blocks with an effective key length of
56 bits. The key itself is 64 bits long, but every eighth bit is ignored by the cipher. These extra
bits can be used for other purposes, such as a parity check to ensure that the key is error free.
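The parity rule just described, worked through in Python as an added example (this is not code from the HP guide). It assumes the usual byte-oriented convention in which the ignored eighth bit of each byte is its least significant bit and carries odd parity; the sample keys are constructed, not real secrets.

```python
# Added example: DES key parity checking and the 56-bit effective key.
# Assumption: each key byte holds seven cipher bits plus an odd-parity
# bit in its least significant position (the "every eighth bit").

def byte_has_odd_parity(b: int) -> bool:
    """True if the byte contains an odd number of 1 bits."""
    return bin(b).count("1") % 2 == 1

def des_key_parity_ok(key: bytes) -> bool:
    """Check that every byte of a 64-bit DES key has correct odd parity."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    return all(byte_has_odd_parity(b) for b in key)

def fix_des_key_parity(key: bytes) -> bytes:
    """Rewrite the parity bit of each byte so the byte has odd parity.

    The seven cipher-relevant bits of every byte are left untouched, so
    the returned key is equivalent to the input as far as DES is concerned.
    """
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                       # drop the old parity bit
        ones = bin(high7).count("1")
        parity = 0 if ones % 2 == 1 else 1     # make the total count odd
        out.append(high7 | parity)
    return bytes(out)

def effective_key_bits(key: bytes) -> int:
    """Return the 56 bits DES actually uses as an integer (parity bits dropped)."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

def same_effective_key(k1: bytes, k2: bytes) -> bool:
    """Two keys that differ only in parity bits drive DES identically."""
    return effective_key_bits(k1) == effective_key_bits(k2)

if __name__ == "__main__":
    # Constructed sample: an all-zero key fails the parity check; after
    # correction every byte becomes 0x01, yet the cipher bits are unchanged.
    raw = bytes(8)
    print(des_key_parity_ok(raw))                 # False
    fixed = fix_des_key_parity(raw)
    print(fixed.hex(), same_effective_key(raw, fixed))   # 0101010101010101 True
```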
The DES cipher consists of the following process:
1. Performing an initial permutation
2. Breaking the block into left and right halves (32 bits each), followed by 16 key-dependent
rounds on each half
3. Rejoining the halves
4. Performing the final permutation (reverse of the initial permutation)
Two common DES cipher modes are as follows:
• ECB—Each block of the message is encrypted independently.
• CBC—Each plaintext block is combined by an exclusive-OR operation with the previous ciphertext
block before encryption.
Security technologies 371