User's Guide Command Line Interface - QLogic

3–Network Configuration
Managing IP Security
Policies can define security for host-to-host and host-to-gateway connections; one
policy for each direction. For example, to secure the connection between two
hosts, you need two policies: one for outbound traffic from the source to the
destination, and another for inbound traffic to the source from the destination. You
can specify sources and destinations by IP addresses (version 4 or 6) or DNS
host names. If a host name resolves to more than one IP address, the switch
creates the necessary policies and associations. You can recognize these
dynamic policies and associations because their names begin with DynamicSP_
and DynamicSA_ respectively.
A security association defines the encryption algorithm and encryption key (public
key or secret) to apply when called by a security policy. A security policy may call
several associations at different times, but each association is related to only one
policy. The security association database is the set of all security associations.
You can apply IP security to all communication between two systems, or to
selected protocols, such as ICMP, TCP, or UDP. Furthermore, instead of applying
IP security, you can choose to discard all inbound or outbound traffic, or allow all
traffic without encryption. Both the AH and ESP security protocols provide source
authentication, ensure data integrity, and protect against replay.
IKE Peers and Policies
IKE is a protocol that automates the configuration of matching IP security
associations on the switch and on the connected device (or peer). The IKE peer
defines the IKE security association connection through which the IKE policy
configures the IP security associations.The IKE policy defines the type of data
traffic to secure between the switch and the peer, and how to encrypt that data.
You must create the same IKE peer and IKE policy configurations on the switch
and the peer device.
Public Key Infrastructure
Public key encryption requires a public key, a corresponding private key, and the
necessary certificates to authenticate them. Public key infrastructure (PKI)
provides support for the creation and management of public/private key pairs,
signed certificates, and certificate authority (CA) certificates when using IKE. You
can create a public/private key and combine it with one or more device identities
to generate a certificate request. Submit the certificate request to a CA to obtain a
signed certificate, which contains the authenticated public/private key pair. In
addition to the signed certificate, you must also obtain a CA certificate to
authenticate the CA. After downloading the signed certificate and a CA certificate
to the switch and importing them into the PKI database, the signed certificate
(which contains the authenticated public key) can then be used to complete the
IKE peer configuration.
3-8 59263-02 B