Planning
Fabric Security
An effective security profile begins with a security policy that states the
requirements. A threat analysis is needed to define the plan of action followed
by an implementation that meets the security policy requirements. Internet
portals, such as remote access and E-mail, usually present the greatest threats.
Fabric security should also be considered in defining the security policy.
Most fabrics are located at a single site and are protected by physical security,
such as key-code locked computer rooms. For these cases, security methods
such as user passwords and zoning are satisfactory.
Fabric security is needed when security policy requirements are more
demanding: for example, when fabrics span multiple locations and
traditional physical protection is insufficient to protect the IT infrastructure.
Another benefit of fabric security is that it creates a structure that helps
prevent unintended changes to the fabric.
Fabric security consists of the following:
• Connection Security
• Device Security
• User Account Security
Connection Security
Connection security provides an encrypted data path for switch management
methods. The switch supports the Secure Shell (SSH) protocol for the
command line interface and the Secure Socket Layer (SSL) protocol for
management applications such as McDATA Embedded Web Server, McDATA
Element Manager, and Common Information Module (CIM).
The SSL handshake process between the workstation and the switch involves
an exchange of certificates. These certificates contain the public and private
keys that define the encryption. When the SSL service is enabled, a certificate
is automatically created on the switch. The workstation validates the switch
certificate by comparing the workstation date and time to the switch
certificate creation date and time. For this reason, it is important to
synchronize the workstation and switch with the same date, time, and time
zone. The switch certificate is valid 24 hours before its creation date and 365
days after its creation date. If the certificate should become invalid, refer to
the Create command in the McDATA 4416 Command Line Interface Guide for
information about creating a certificate.
Consider your requirements for connection security: for the command line
interface (SSH), management applications such as McDATA Embedded Web
Server (SSL), or both. If SSL connection security is required, also consider
using the Network Time Protocol (NTP) to synchronize workstations and
switches.
• Refer to the System keyword of the Set Setup command in the McDATA 4416
Command Line Interface Guide for information about enabling the NTP
client on the switch and configuring the NTP server.
• Refer to the Set command in the McDATA 4416 Command Line Interface
Guide for information about setting the time zone.
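The following added example (not from the McDATA guide or its software) models the certificate validity window described above, 24 hours before creation to 365 days after, and shows how clock or time zone errors on either side affect validation. The function names, the 30-day renewal warning, and the sample times are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Window stated in the guide: valid 24 hours before creation, 365 days after.
EARLY_MARGIN = timedelta(hours=24)
LIFETIME = timedelta(days=365)

def validity_window(created):
    """Return (not_before, not_after) in UTC for a certificate creation time."""
    if created.tzinfo is None:
        raise ValueError("creation time must carry a time zone")
    created = created.astimezone(timezone.utc)
    return created - EARLY_MARGIN, created + LIFETIME

def check_clock(created, workstation_now, renew_warning=timedelta(days=30)):
    """Classify a workstation clock against the window.

    Returns (status, margin): margin is how far outside the window the clock
    is, or the distance to the nearest boundary when it is inside.
    """
    if workstation_now.tzinfo is None:
        raise ValueError("workstation time must carry a time zone")
    not_before, not_after = validity_window(created)
    now = workstation_now.astimezone(timezone.utc)
    if now < not_before:
        return "not-yet-valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    if not_after - now <= renew_warning:
        return "renew-soon", not_after - now
    return "valid", min(now - not_before, not_after - now)

# Constructed sample times (not taken from a real switch).
CREATED = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
# Switch clock ran three days fast when it created the certificate.
CREATED_FAST = CREATED + timedelta(days=3)
# Workstation with the wrong time zone configured (UTC+14).
WRONG_ZONE = datetime(2024, 3, 1, 8, 0, tzinfo=timezone(timedelta(hours=14)))

if __name__ == "__main__":
    now = CREATED + timedelta(minutes=5)
    for label, created, clock in [
        ("synchronized", CREATED, now),
        ("switch clock 3 days fast", CREATED_FAST, now),
        ("workstation zone wrong", CREATED, WRONG_ZONE),
        ("350 days later", CREATED, CREATED + timedelta(days=350)),
        ("366 days later", CREATED, CREATED + timedelta(days=366)),
    ]:
        print(label, *check_clock(created, clock))
```

In this model the 24-hour margin absorbs the time zone mistake, but a switch clock that runs three days fast produces a certificate the workstation treats as not yet valid, which is the case NTP synchronization prevents.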