2–Planning
Security
59265-02 B 2-19
IP Security
IP security provides encryption-based security for IPv4 and IPv6 communications
through policies and associations. Policies define security for host-to-host and
host-to-gateway connections, with one policy for each direction. For example, to
secure the connection between two hosts, you need two policies: one for
outbound traffic from the source to the destination, and another for inbound traffic
to the source from the destination. A security association defines the encryption
algorithm and encryption key (public key or secret) to apply when called by a
security policy. A security policy can call several associations at different times,
but each association is related to only one policy.
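The two planning rules stated above (one policy per direction for every secured connection, and each association owned by exactly one policy) are easy to get wrong in a large table. The following shell script is an added example, not from the QLogic guide and not the switch's own CLI syntax; it checks a planned policy table written in a constructed text format (policy name, direction, local host, remote host, comma-separated association names) and reports any host pair missing its counterpart policy or any association called by more than one policy. Host addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the QLogic guide or the switch's CLI: check a planned
# IP security table before configuring it. The table format is constructed for
# this example. Each line is:
#   policy_name  direction(out|in)  local_host  remote_host  association[,association...]
# The rules come from the planning text: every secured connection needs one
# policy per direction, and each association belongs to exactly one policy.

# check_ipsec_plan reads the table on stdin, prints each problem found,
# and returns 1 if there is at least one problem, 0 otherwise.
check_ipsec_plan() {
    awk '
    BEGIN { bad = 0; n = 0 }
    /^[[:space:]]*#/ || NF == 0 { next }                 # comments and blank lines
    NF != 5 { printf "line %d: expected 5 fields\n", NR; bad = 1; next }
    {
        name = $1; dir = $2; local = $3; remote = $4; sa = $5
        if (dir != "out" && dir != "in") {
            printf "policy %s: direction must be out or in\n", name; bad = 1; next
        }
        # remember which (direction, local, remote) combinations are covered
        seen[dir "|" local "|" remote] = name
        n++; pname[n] = name; pdir[n] = dir; plocal[n] = local; premote[n] = remote
        # a policy may call several associations, but an association has one owner
        m = split(sa, list, ",")
        for (i = 1; i <= m; i++) {
            if (list[i] in owner && owner[list[i]] != name) {
                printf "association %s is used by policies %s and %s\n", list[i], owner[list[i]], name
                bad = 1
            }
            owner[list[i]] = name
        }
    }
    END {
        # every policy needs the opposite-direction policy for the same host pair
        for (i = 1; i <= n; i++) {
            other = (pdir[i] == "out" ? "in" : "out")
            if (!((other "|" plocal[i] "|" premote[i]) in seen)) {
                printf "policy %s (%s, %s <-> %s) has no %s counterpart\n", pname[i], pdir[i], plocal[i], premote[i], other
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample plan: the second host pair is missing its inbound policy,
# and sa-h1-in is wrongly called by two policies.
SAMPLE_PLAN='
# name      dir  local        remote       associations
sw-to-h1    out  192.0.2.10   192.0.2.21   sa-h1-out
h1-to-sw    in   192.0.2.10   192.0.2.21   sa-h1-in
sw-to-h2    out  192.0.2.10   192.0.2.22   sa-h2-out,sa-h1-in
'
printf '%s\n' "$SAMPLE_PLAN" | check_ipsec_plan || echo "plan has problems; fix them before configuring the switch"
```

Run the script as written to see the two problems in the sample plan; feed it your own table on stdin to check a real plan. The same table must then be entered identically on the switch and on each peer, so keeping it in one reviewed file is the simplest way to avoid mismatched associations.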
You must configure matching security associations on the switch and on the
connected devices (peers) that require secure IP communication. To simplify the
IP security configuration process, the switch supports the Internet key exchange
(IKE). IKE is a protocol that automates the configuration of matching IP security
associations on the switch and on the connected device (or peer). The IKE peer
defines the IKE security association connection through which the IKE policy
configures the IP security associations. The IKE policy defines the type of data
traffic to secure between the switch and the peer, and how to encrypt that data.
You must create the same IKE peer and IKE policy configurations on the switch
and the peer device.
Public key encryption requires a public key, a corresponding private key, and the
necessary certificates to authenticate them. Public key infrastructure (PKI)
provides support for the creation and management of public/private key pairs,
signed certificates, and certificate authority (CA) certificates when using IKE. You
can create a public/private key and combine it with one or more device identities
to generate a certificate request. Submit the certificate request to a CA to obtain a
signed certificate, which contains the authenticated public/private key pair. In
addition to the signed certificate, you must also obtain a CA certificate to
authenticate the CA. After downloading the signed certificate and a CA certificate
to the switch and importing them into the PKI database, the signed certificate
(which contains the authenticated public key) can then be used to complete the
IKE peer configuration.
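The certificate workflow described above (key pair, certificate request carrying the device identities, signed certificate from a CA, CA certificate to authenticate the CA) is shown below with the openssl command line as an added example; it is not from the QLogic guide and does not use the switch's own commands. The device name, IP address and the CA are constructed stand-ins: in practice you submit the request to your organisation's CA and receive the signed certificate and the CA certificate back, then import both into the switch's PKI database. The two checks at the end are the ones worth running before that import.

```shell
#!/bin/sh
# Added example, not from the QLogic guide: the PKI workflow for an IKE peer
# certificate, done with openssl on an administrator workstation. Names,
# addresses and the "CA" are constructed for the example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Step 1: the switch's public/private key pair.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out switch.key 2>/dev/null

# Step 2: combine the key with one or more device identities (constructed) into
# a certificate request. Identities go in the subject and in subjectAltName;
# the CA copies them into the signed certificate.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = fcswitch01.example.test
[ext]
subjectAltName = DNS:fcswitch01.example.test, IP:192.0.2.10
EOF
openssl req -new -key switch.key -config req.cnf -out switch.csr

# Step 3: stand-in for the CA. This self-signed certificate plays the role of
# the CA certificate you must also obtain to authenticate the real CA.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -config ca.cnf 2>/dev/null

# Step 4: the CA signs the request, keeping the requested identities.
openssl x509 -req -in switch.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile req.cnf -extensions ext -out switch.crt 2>/dev/null

# chain_verifies: the signed certificate is trusted through the CA certificate,
# which is exactly what a peer will check during IKE authentication.
chain_verifies() { openssl verify -CAfile ca.crt switch.crt >/dev/null 2>&1; }

# key_matches_cert: the public key inside the certificate is the public half of
# switch.key, so this certificate belongs to the private key the switch holds.
key_matches_cert() {
    [ "$(openssl pkey -in switch.key -pubout 2>/dev/null)" = \
      "$(openssl x509 -in switch.crt -pubkey -noout)" ]
}

# cert_identity prints the subject and alternative names the CA certified.
cert_identity() { openssl x509 -in switch.crt -noout -subject -ext subjectAltName; }

chain_verifies && echo "chain verifies against the CA certificate"
key_matches_cert && echo "certificate public key matches switch.key"
cert_identity
```

Only switch.key stays on the switch; switch.csr is what you send to the CA, and switch.crt plus ca.crt are what you import. If key_matches_cert fails, the CA returned a certificate for a different request and the IKE peer configuration will not authenticate.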
Consider your IP security requirements and the type of encryption you want to use
(public key or secret). Also consider which of the connected devices support IKE,
and how you will configure IP security on both the switch and connected devices.
Port Binding
Port binding provides authorization for a list of up to 32 switch and device WWNs
that are permitted to log in to a specific switch port. Switches or devices that are
not among the 32 are refused access to the port. Consider what ports to secure
and the set of switches and devices that are permitted to log in to those ports. For
information about port binding, refer to the QLogic 5800V Series Fibre Channel
Switch Command Line Interface Guide.