2–Planning
Security
59229-05 A 2-13
IP Security
IP Security provides encryption-based security for IP version 4 and IP version 6
communications through the use of security policies and associations. Policies
can define security for host-to-host, host-to-gateway, and gateway-to-gateway
connections; one policy for each direction. For example, to secure the connection
between two hosts, you need two policies: one for outbound traffic from the
source to the destination, and another for inbound traffic to the source from the
destination.
A security association defines the encryption algorithm and encryption key to
apply when called by a security policy. A security policy may call several
associations at different times, but each association is related to only one policy.
Consider your IP security requirements.
Port Binding
Port binding provides authorization for a list of up to 32 switch and device WWNs
that are permitted to log in to a particular switch port. Switches or devices that are
not among the 32 are refused access to the port. Consider what ports to secure
and the set of switches and devices that are permitted to log in to those ports. For
information about port binding, refer to the SANbox 9000 Series Stackable
Chassis Switch Command Line Interface Guide.
Connection Security
Connection security provides an encrypted data path for switch management
methods. The switch supports the Secure Shell (SSH) protocol for the command
line interface and the Secure Socket Layer (SSL) protocol for management
applications such as Enterprise Fabric Suite 2007 and SMI-S.
The SSL handshake process between the workstation and the switch involves the
exchanging of certificates. These certificates contain the public and private keys
that define the encryption. When the SSL service is enabled, a certificate is
automatically created on the switch. The workstation validates the switch
certificate by comparing the workstation date and time to the switch certificate
creation date and time. For this reason, it is important to synchronize the
workstation and switch with the same date, time, and time zone. The switch
certificate is valid 24 hours before its creation date and 365 days after its creation
date. If the certificate should become invalid, create a new certificate using the
Create Certificate command. Refer to the SANbox 9000 Series Stackable Chassis
Switch Command Line Interface Guide for information about the Create Certificate
CLI command.