HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

84 Configuring standard security features
The security protocols are designed with the four main usage cases described in Table 17.
Ensuring network security
To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in 4.1.x and later. SSH
encrypts all messages, including the client's transmission of the password during login. The SSH package
contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption
algorithms, such as Blowfish-CBC and AES.
NOTE: To maintain a secure network, you should avoid using Telnet or any other unprotected application
when you are working on the switch.
The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are
in clear text. This includes the remote FTP server's login and password. This limitation affects the following
commands: saveCore, configUpload, configDownload, and firmwareDownload.
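The following is an added example, not part of the guide: it shows what the clear-text FTP exposure described above looks like to anyone observing the management network, written as detection logic a defender could run over captured FTP control-channel lines. The USER/PASS command grammar is the standard one from RFC 959; the sample session (server name, account name, file name) is constructed, not a real capture.

```python
"""Flag clear-text FTP credential exchanges in captured control-channel traffic.

Added example (not from the Fabric OS guide). It demonstrates why running
configUpload, configDownload, firmwareDownload or saveCore over FTP exposes
the remote FTP server's login: the USER and PASS commands travel unencrypted.
The sample session below is constructed.
"""
import re
from dataclasses import dataclass

# RFC 959 control-channel commands are case-insensitive and CRLF terminated.
_USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.IGNORECASE)
_PASS_RE = re.compile(r"^PASS\s+(\S+)\s*$", re.IGNORECASE)


@dataclass
class CredentialExposure:
    line_no: int          # line of the USER command in the capture
    user: str             # account name seen on the wire
    password_seen: bool   # whether a PASS command followed
    password_length: int  # length only; the secret itself is never retained


def find_ftp_credentials(control_lines):
    """Return one CredentialExposure per login attempt in the control channel.

    Only the account name and the fact that a password was visible are kept,
    which is what an alert needs; the password value is discarded.
    """
    exposures = []
    pending_user = None
    pending_line = None
    for n, raw in enumerate(control_lines, start=1):
        line = raw.rstrip("\r\n")
        m = _USER_RE.match(line)
        if m:
            pending_user = m.group(1)
            pending_line = n
            continue
        m = _PASS_RE.match(line)
        if m and pending_user is not None:
            exposures.append(
                CredentialExposure(pending_line, pending_user, True, len(m.group(1)))
            )
            pending_user = None
    # A USER command with no PASS still reveals which account is in use.
    if pending_user is not None:
        exposures.append(CredentialExposure(pending_line, pending_user, False, 0))
    return exposures


# Constructed sample: a configuration upload to an FTP server as seen on the wire.
SAMPLE_SESSION = [
    "220 ftp-server ready\r\n",
    "USER backupadmin\r\n",
    "331 Password required\r\n",
    "PASS example-secret\r\n",
    "230 User logged in\r\n",
    "TYPE I\r\n",
    "STOR switch01_config.txt\r\n",
]

if __name__ == "__main__":
    for hit in find_ftp_credentials(SAMPLE_SESSION):
        print(f"line {hit.line_no}: account {hit.user!r} sent in clear text, "
              f"password visible={hit.password_seen}")
```

Running this over a capture of a management VLAN gives a concrete inventory of which FTP accounts are being exposed by switch file transfers, which is the list of credentials to rotate when moving those transfers to a protected channel.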
Commands that require a secure login channel must originate from an SSH session. If you start an SSH
session, and then use the login command to start a nested SSH session, commands that require a secure
channel will be rejected.
Fabric OS 4.1.0 and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, refer to
the SSH IETF website:
http://www.ietf.org/ids.by.wg/secsh.html
For more information, refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett and Richard
Silverman.
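As an added example (not code from the guide or from Fabric OS), the following parser checks which SSH protocol version a daemon announces, so an administrator can confirm that a switch's sshd offers protocol 2.0 as stated above. The identification-string format and the meaning of the "1.99" compatibility version come from RFC 4253 (sections 4.2 and 5.1), not from this guide; the sample banners, including the software names in them, are constructed.

```python
"""Parse the SSH server identification string and classify the protocol offered.

Added example, not from the Fabric OS guide. Per RFC 4253 section 4.2 the
server greeting is "SSH-protoversion-softwareversion SP comments CR LF", and
other lines (for example a login warning) may precede it and must be skipped.
Per section 5.1 a protoversion of "1.99" means the server still accepts the
obsolete SSH-1 protocol alongside 2.0. All banners below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


@dataclass
class SshIdentification:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    @property
    def ssh2_only(self) -> bool:
        """True when the daemon offers protocol 2.0 and nothing older."""
        return self.protoversion == "2.0"

    @property
    def offers_ssh1(self) -> bool:
        """1.x is SSH-1 only; 1.99 means SSH-1 fallback is still enabled."""
        return self.protoversion.startswith("1.")


def parse_ssh_identification(banner: bytes) -> SshIdentification:
    """Extract the identification string from the raw bytes a server sent first."""
    for raw in banner.split(b"\n"):
        # Tolerate LF-only line endings from older implementations.
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if not line.startswith("SSH-"):
            continue  # pre-identification text, ignored by clients (RFC 4253 4.2)
        m = _IDENT_RE.match(line)
        if not m:
            raise ValueError(f"malformed SSH identification string: {line!r}")
        return SshIdentification(m.group("proto"), m.group("software"), m.group("comments"))
    raise ValueError("no SSH identification string found in banner")


def classify_banner(banner: bytes) -> str:
    """Return 'ssh2-only', 'ssh1-compat' or 'ssh1-only' for an audit report."""
    ident = parse_ssh_identification(banner)
    if ident.ssh2_only:
        return "ssh2-only"
    if ident.protoversion == "1.99":
        return "ssh1-compat"
    return "ssh1-only"


if __name__ == "__main__":
    # Constructed banners; the software names are placeholders, not real releases.
    for sample in (
        b"SSH-2.0-example_sshd_1.0\r\n",
        b"Authorized access only\r\nSSH-1.99-example_sshd_0.9 legacy-build\r\n",
        b"SSH-1.5-oldsshd\r\n",
    ):
        print(classify_banner(sample), parse_ssh_identification(sample))
```

The banner is the first thing the daemon sends on TCP port 22, before any key exchange, so this check can be done with a plain socket read and no authentication. Anything other than 'ssh2-only' indicates a daemon that should be reconfigured or upgraded.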
Table 17 Main security scenarios

| Fabric    | Management interfaces | Comments |
|-----------|-----------------------|----------|
| Nonsecure | Nonsecure | No special setup is needed to use Telnet or HTTP. |
| Nonsecure | Secure    | Secure protocols may be used. An SSL switch certificate must be installed if HTTPS is used. |
| Secure    | Secure    | Secure protocols are supported on Fabric OS v4.1.0 and later switches. Switches running earlier Fabric OS versions can be part of the secure fabric, but they do not support secure management. Secure management protocols must be configured for each participating switch. Nonsecure protocols may be disabled on nonparticipating switches. If SSL is used, then certificates must be installed. |
| Secure    | Nonsecure | You must use SSH because Telnet is not allowed with some features, such as RADIUS. Nonsecure management protocols are necessary under these circumstances: the fabric contains switches running Fabric OS v3.2.0; software tools that do not support secure protocols are present (for example, Fabric Manager v4.0.0); the fabric contains switches running Fabric OS versions earlier than v4.4.0 (nonsecure management is enabled by default). |