Q-Logic 59229-05 A TV Video Accessories User Manual


 
2–Planning
Security
2-14 59229-05 A
Consider your requirements for connection security: for the command line
interface (SSH), management applications such as Enterprise Fabric Suite 2007
(SSL), or both. Access to the device security menu selections in Enterprise Fabric
Suite 2007 requires an SSL connection. If an SSL connection security is required,
also consider using the Network Time Protocol (NTP) to synchronize workstations
and switches.
Device Security
Device security provides for the authorization and authentication of devices that
you attach to a switch. You can configure a switch with a group of devices against
which the switch authorizes new attachments by devices, other switches, or
devices issuing management server commands. Device security is configured
through the use of security sets and groups.
A group is a list of device worldwide names that are authorized to attach to a
switch. There are three types of groups: one for other switches (ISL), another for
devices (port), and a third for devices issuing management server commands
(MS). ISL groups can be enabled for fabric binding. Fabric binding defines a list of
switch domain IDs that are permitted to join the fabric.
A security set is a set of up to three groups with no more than one of each group
type. The security configuration is made up of all security sets on the switch. The
security database has the following limits:
Maximum number of security sets is 4.
Maximum number of groups is 16.
Maximum number of members in a group is 1000.
Maximum total number of group members is 1000.
In addition to authorization, the switch can be configured to require authentication
to validate the identity of the connecting switch, device, or host. Authentication
can be performed locally using the switch’s security database, or remotely using a
Remote Authentication Dial-In User Service (RADIUS) server such as Microsoft
RADIUS. With a RADIUS server, the security database for the entire fabric
resides on the server. In this way, the security database can be managed
centrally, rather than on each switch. You can configure up to five RADIUS servers
to provide failover.
You can configure the RADIUS server to authenticate just the switch or both the
switch and the initiator device if the device supports authentication. When using a
RADIUS server, every switch in the fabric must have a network connection. A
RADIUS server can also be configured to authenticate user accounts as
described in “User Account Security” on page 2-12. A secure connection is
required to authenticate user logins with a RADIUS server. Refer to “Connection
Security” on page 2-13 for more information.