Table 6 main security scenarios, Ensuring network security, 6 main security scenarios – HP StorageWorks 2.128 SAN Director Switch User Manual

Page 40: Table 6


Configuring standard security features

Ensuring network security

To ensure security, Fabric OS supports SSH encrypted sessions. SSH encrypts all messages, including the client’s transmission of password during login. The SSH package contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption algorithms, such as Blowfish-CBC and AES.

NOTE: To maintain a secure network, avoid using telnet or any other unprotected application when you are working on the switch. For example, if you use telnet to connect to a machine, and then start an SSH or secure telnet session from that machine to the switch, the communication to the switch is in clear text and, therefore, is not secure.

Nor is the FTP protocol secure. When you use FTP to copy files to or from the switch, the contents, including the remote FTP server’s login and password, are in clear text. This limitation affects the following commands: saveCore, configUpload, configDownload, and firmwareDownload.

Table 6 Main security scenarios

| Fabric | Management interfaces | Comments |
|---|---|---|
| Nonsecure | Nonsecure | No special setup is needed to use telnet or HTTP. An HP switch certificate must be installed if sectelnet is used. |
| Nonsecure | Secure | Secure protocols may be used. An SSL switch certificate must be installed if SSH/HTTPS is used. |
| Secure | Secure | Secure protocols are supported on Fabric OS 4.4.0 (and later) switches. Switches running earlier Fabric OS versions can be part of the secure fabric, but they do not support secure management. Secure management protocols must be configured for each participating switch. Nonsecure protocols may be disabled on nonparticipating switches. If SSL is used, certificates must be installed. |
| Secure | Nonsecure | You must use sectelnet because telnet is not allowed in secure mode. Nonsecure management protocols are necessary under these circumstances: (1) The fabric contains switches running Fabric OS 3.2.0. (2) The presence of software tools that do not support Secure protocols: for example, Fabric Manager 4.0.0. (3) The fabric contains switches running Fabric OS versions earlier than 4.4.0. Nonsecure management is enabled by default. |
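An added example, not part of the HP manual: a small Python audit that checks which management interfaces a switch you administer still accepts, and labels the result with the Secure/Nonsecure terms used in Table 6. The TCP port numbers are the protocols' well-known defaults, which is an assumption because the manual page does not state them, and the function names are illustrative.

```python
import socket

# Assumption: management services listen on their well-known TCP ports.
# The manual page names the protocols but not the ports.
CLEARTEXT = {23: "telnet", 80: "HTTP"}
ENCRYPTED = {22: "SSH", 443: "HTTPS"}


def is_listening(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_switch(host, ports=None, timeout=1.0):
    """Report which management interfaces on one switch accept connections.

    ports maps a service name to (tcp_port, encrypted). It defaults to the
    well-known ports above; pass an override for nonstandard setups.
    """
    if ports is None:
        ports = {name: (p, False) for p, name in CLEARTEXT.items()}
        ports.update({name: (p, True) for p, name in ENCRYPTED.items()})
    open_clear, open_enc = [], []
    for name, (port, encrypted) in sorted(ports.items()):
        if is_listening(host, port, timeout):
            (open_enc if encrypted else open_clear).append(name)
    if open_clear:
        verdict = "Nonsecure"    # a cleartext interface is still reachable
    elif open_enc:
        verdict = "Secure"       # only encrypted interfaces answered
    else:
        verdict = "Unreachable"  # nothing answered on the probed ports
    return {"host": host, "cleartext": open_clear,
            "encrypted": open_enc, "management": verdict}


if __name__ == "__main__":
    # Constructed demo: a local listener stands in for a switch's telnet port.
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
        demo = {"telnet": (srv.getsockname()[1], False)}
        print(audit_switch("127.0.0.1", demo, timeout=0.5))
```

Because nonsecure management is enabled by default, a "Nonsecure" verdict on a switch that is meant to be managed only over SSH/HTTPS indicates that telnet or HTTP still needs to be disabled there.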
