Q-Logic 5800V Switch User Manual


 
3 – Planning
Security
3-16 59265-02 A
Device Security
Connection security and device security require the Fabric Security license key,
which is available from your authorized maintenance provider.
User Account Security
User account security consists of the administration of account names,
passwords, expiration date, and authority level. If an account has Admin authority,
all management tasks can be performed by that account in the CLI, QuickTools,
and Enterprise Fabric Suite 2007™. Otherwise only monitoring tasks are
available. The default account name, Admin, is the only account that can create or
add account names and change passwords of other accounts. All users can
change their own passwords. Account names and passwords are always required
when connecting to a switch.
Authentication of the user account and password can be performed locally using
the switch’s user account database or it can be done remotely using a RADIUS
server such as Microsoft® RADIUS. Authenticating user logins on a RADIUS
server requires a secure management connection to the switch. Refer to
“Connection Security” on page 3-17 for information about securing the
management connection. A RADIUS server can also be used to authenticate
devices and other switches as described in “Device Security” on page 3-18.
Consider your management needs and determine the number of user accounts,
their authority needs, and expiration dates. Also consider the advantages of
centralizing user administration and authentication on a RADIUS server.
IP Security
IP Security provides encryption-based security for IP version 4 and IP version 6
communications through the use of security policies and associations. Policies
can define security for host-to-host, host-to-gateway, and gateway-to-gateway
connections; one policy for each direction. For example, to secure the connection
between two hosts, you need two policies: one for outbound traffic from the
source to the destination, and another for inbound traffic to the source from the
destination.
A security association defines the encryption algorithm and encryption key to
apply when called by a security policy. A security policy may call several
associations at different times, but each association is related to only one policy.
Consider your IP security requirements.
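The following planning check is an added example, not part of the manual or the switch software. It tests a draft IP security plan against the two rules stated above: every secured connection needs one policy per direction, and each association belongs to only one policy. The Policy record, the "in"/"out" direction labels, and all names and addresses in PLAN are assumptions constructed for illustration and are not the switch's configuration syntax.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    local: str           # source host or gateway being planned
    remote: str          # destination host or gateway
    direction: str       # "out": source -> destination, "in": destination -> source
    associations: tuple  # names of the security associations this policy calls


def check_plan(policies):
    """Return a sorted list of problems found in a draft IP security plan."""
    problems = []
    covered = defaultdict(set)  # (local, remote) -> directions that have a policy
    owners = defaultdict(set)   # association name -> policies that call it
    for p in policies:
        if p.direction not in ("in", "out"):
            problems.append(f"{p.name}: unknown direction {p.direction!r}")
            continue
        covered[(p.local, p.remote)].add(p.direction)
        for sa in p.associations:
            owners[sa].add(p.name)
    # Rule 1: one policy for each direction of every connection.
    for (local, remote), seen in covered.items():
        for missing in {"in", "out"} - seen:
            problems.append(f"{local} <-> {remote}: no '{missing}' policy")
    # Rule 2: each association is related to only one policy.
    for sa, names in owners.items():
        if len(names) > 1:
            problems.append(f"{sa}: shared by policies {', '.join(sorted(names))}")
    return sorted(problems)


# Constructed sample plan (documentation address ranges, hypothetical names).
PLAN = [
    Policy("mgmt-out", "192.0.2.5", "192.0.2.20", "out", ("sa-mgmt-out",)),
    Policy("mgmt-in", "192.0.2.5", "192.0.2.20", "in", ("sa-mgmt-in",)),
    # Missing its inbound twin, and reuses an association owned by mgmt-in.
    Policy("backup-out", "192.0.2.5", "2001:db8::20", "out",
           ("sa-backup", "sa-mgmt-in")),
]

if __name__ == "__main__":
    for line in check_plan(PLAN):
        print(line)
```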
NOTE:
If the same user account exists on a switch and its RADIUS server, that user
can log in with either password, but the authority and account expiration will
always come from the switch database.