McDATA 4416 manual Fabric Security, Connection Security

Fabric Security

Fabric Security

An effective security profile begins with a security policy that states the requirements. A threat analysis is needed to define the plan of action followed by an implementation that meets the security policy requirements. Internet portals, such as remote access and E-mail, usually present the greatest threats. Fabric security should also be considered in defining the security policy.

Most fabrics are located at a single site and are protected by physical security, such as key-code locked computer rooms. For these cases, security methods such as user passwords and zoning are satisfactory.

Fabric security is needed when security policy requirements are more demanding: for example, when fabrics span multiple locations and traditional physical protection is insufficient to protect the IT infrastructure. Another benefit of fabric security is that it creates a structure that helps prevent unintended changes to the fabric.

Fabric security consists of the following:

•Connection Security

•Device Security

•User Account Security

Connection Security

Connection security provides an encrypted data path for switch management methods. The switch supports the Secure Shell (SSH) protocol for the command line interface and the Secure Socket Layer (SSL) protocol for management applications such as McDATA Embedded Web Server, McDATA Element Manager, and Common Information Module (CIM).

The SSL handshake process between the workstation and the switch involves the exchanging of certificates. These certificates contain the public and private keys that define the encryption. When the SSL service is enabled, a certificate is automatically created on the switch. The workstation validates the switch certificate by comparing the workstation date and time to the switch certificate creation date and time. For this reason, it is important to synchronize the workstation and switch with the same date, time, and time zone. The switch certificate is valid 24 hours before its creation date and 365 days after its creation date. If the certificate should become invalid, refer to the Create command in the McDATA 4416 Command Line Interface Guide for information about creating a certificate.

Consider your requirements for connection security: for the command line interface (SSH), management applications such as McDATA Embedded Web Server (SSL), or both. If SSL connection security is required, also consider using the Network Time Protocol (NTP) to synchronize workstations and switches.

•Refer to System keyword of the Set Setup command in the McDATA 4416 Command Line Interface Guide for information about enabling the NTP client on the switch and configuring the NTP server.

•Refer to the Set command in the McDATA 4416 Command Line Interface Guide for information about setting the time zone.