HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch

90 Configuring standard security features

For details on Brocade MIB files, naming conventions, loading instructions, and information about using

Brocade's SNMP agent, see the Fabric OS MIB Reference.

Table 16 describes additional software or certificates that you must obtain to deploy secure protocols.

The security protocols are designed with the four main usage cases described in Table 17.

The SSH protocol

To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in 4.1.x and later. SSH

encrypts all messages, including the client’s transmission of password during login. The SSH package

contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption

algorithms, such as Blowfish-CBC and AES.

NOTE: To maintain a secure network, you should avoid using Telnet or any other unprotected application

when you are working on the switch.

The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are

in clear text. This includes the remote FTP server's login and password. This limitation affects the following

commands: saveCore, configUpload, configDownload, and firmwareDownload.

Table 16 Items needed to deploy secure protocols

Protocol Host side Switch side

SSHv2 Secure shell client None

HTTPS No requirement on host

side except a browser that

supports HTTPS

Switch IP certificate for SSL

Secure File Copy (SCP) SSH daemon, scp server None

SNMPv1, SNMPv2,

SNMPv3

None None

Table 17 Main security scenarios

Fabric Management

interfaces

Comments

Nonsecure Nonsecure No special setup is needed to use Telnet or HTTP.

Nonsecure Secure Secure protocols may be used. An SSL switch certificate must be

installed if HTTPS is used.

Secure Secure Switches running earlier Fabric OS versions can be part of the

secure fabric, but they do not support secure management.

Secure management protocols must be configured for each

participating switch. Nonsecure protocols may be disabled on

nonparticipating switches.

If SSL is used, certificates must be installed. For more

information on installing certificates, see ”Installing a switch

certificate” on page 97.

Secure Nonsecure You must use SSH because Telnet is not allowed with some

features, such as RADIUS.

Nonsecure management protocols are necessary under these

circumstances:

The fabric contains switches running Fabric OS v3.2.0.

The presence of software tools that do not support secure

protocols: for example, Fabric Manager v4.0.0.

The fabric contains switches running Fabric OS versions earlier

than v4.4.0. Nonsecure management is enabled by default.