HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

132 Configuring advanced security features
b. Add a rule to the IP Filter policy, see "To add a rule to an IP Filter policy:" on page 120. You can use the following modifications to the rule:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp <dest_port> -proto <protocol> -act <deny>
The -sip option can be given as any.
The -dp option takes the destination port: 23 for Telnet, 80 for HTTP, and 898 for RPC.
The -proto option should be set to tcp.
c. Activate the IP Filter policy, see "To activate an IP Filter policy:" on page 117.
d. Save the IP Filter policy, see "To save an IP Filter policy:" on page 117.
Example
ipfilter --createrule http_block_v4 --type ipv4
ipfilter --addrule http_block_v4 -rule 2 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate http_block_v4
ipfilter --save http_block_v4
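Steps b through d, as an added shell example that is not from the guide: it prints the ipfilter command sequence for a given policy name, address family and list of TCP ports, so the same policy can be generated for several ports or for an ipv6 policy as well. It assumes that --type accepts ipv6 and that rule numbers start at 1 (adjust to the policy's existing rules); the function names and the policy name fips_block_v4 are made up for the example.

```shell
# Added example, not code from the HP/Brocade guide. Emits the ipfilter
# command sequence of steps b-d for one policy; it only prints the commands
# for review or pasting into the switch CLI, it does not run them.
# Usage: gen_ipfilter_block <policyname> <ipv4|ipv6> <port> [<port>...]
gen_ipfilter_block() {
  policy=$1; family=$2; shift 2
  # ipv6 as a --type value is an assumption of this example
  case "$family" in
    ipv4|ipv6) ;;
    *) echo "unsupported address family: $family" >&2; return 1 ;;
  esac
  [ $# -ge 1 ] || { echo "no ports given" >&2; return 1; }
  echo "ipfilter --createrule $policy --type $family"
  n=1   # assumed starting rule number; adjust to the policy's existing rules
  for port in "$@"; do
    # reject anything that is not a plain port number before emitting a rule
    case "$port" in
      ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    # -sip any, -proto tcp and -act deny, as the guide requires
    echo "ipfilter --addrule $policy -rule $n -sip any -dp $port -proto tcp -act deny"
    n=$((n + 1))
  done
  echo "ipfilter --activate $policy"
  echo "ipfilter --save $policy"
}

# Telnet, HTTP and RPC (23, 80, 898) from the guide; fips_block_v4 is a made-up name
fips_ipfilter_commands() {
  gen_ipfilter_block fips_block_v4 ipv4 23 80 898
}
```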
5. Type the following command to block access to the boot PROM:
fipscfg --disable bootprom
Block boot PROM access before disabling root account.
6. Enable signed firmware by typing the configure command and responding to the prompts as follows:
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
7. Type the following command to block access to root:
userconfig --change root -e no
Disabling the root account also blocks RADIUS and LDAP users with root roles in FIPS mode.
8. Verify your switch is FIPS ready:
fipscfg --verify fips
9. Type the command fipscfg --enable fips.
10. Reboot the switch.
To disable FIPS mode:
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Type the command fipscfg --disable fips.
3. Reboot the switch.
4. Enable the root account:
userconfig --change root -e yes
5. Enable access to the bootprom:
fipscfg --enable bootprom
Responses to the configure prompts in step 6:
Prompt                                  Response
System services                         No
cfgload attributes                      Yes
Enforce secure config Upload/Download   Press Enter to accept the default.
Enforce firmware signature validation   Yes