12.07.2015 Views

SECURING FIBRE CHANNEL FABRICS - Brocade


Securing Management Interfaces

Filtering IP Traffic

The concept of a “firewall” has existed for quite some time in the conventional LAN world but is a relatively recent feature in FC-based SANs. The IP filter (IPF) feature, introduced in FOS 5.3.0, behaves as a firewall and replaces the MAC policy found in Secure Fabric OS. Using an IPF, a TCP/IP port can be either allowed or denied and a SAN administrator can define a specific IP address or range of IP addresses that are allowed to access a specific TCP/IP port.

There are two IP filter policy types: one for IPv4 and one for IPv6. Table 10 identifies a few well-known ports used with Brocade switches that can be controlled using IPF.

Table 1. Well-known ports and services

Service Name        Well-Known Port Number
FTP                 20, 21
SSH                 22
SCP (uses SSH)      22
telnet              23
HTTP                80
SNMP                161, 162
HTTPS               443
SYSLOG              514

The IPF is often used to deny the use of an unsecure service, such as telnet, when its equivalent secure version, such as SSH, must be utilized.

Password and User Management

As explained previously in “Chapter 6: FC Security Best Practices” starting on page 91, it is important to be able to associate each user with legitimate access to the SAN by their unique user name. To accomplish this, SAN administrators can create up to 255 customized user accounts. Each account can also have specific roles defined using the RBAC features. Doing so not only improves security but also improves troubleshooting and change tracking, while still clearly defining each administrator's appropriate role and authorization rights.
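The IP filter behaviour described under Filtering IP Traffic can be modelled and audited offline. The Python sketch below is an added example, not Brocade code or FOS syntax: it evaluates a rule list against a source address and port, then reports any unsecure service that is still reachable. The Rule shape, the first-match and default-deny semantics, the FTP-to-SCP and HTTP-to-HTTPS pairings, and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Port numbers from the page's table of well-known ports.
SERVICES = {"FTP": (20, 21), "SSH": (22,), "SCP": (22,), "telnet": (23,),
            "HTTP": (80,), "SNMP": (161, 162), "HTTPS": (443,), "SYSLOG": (514,)}
# telnet -> SSH is the page's example; the other two pairings are assumptions.
SECURE_EQUIVALENT = {"telnet": "SSH", "FTP": "SCP", "HTTP": "HTTPS"}

@dataclass(frozen=True)
class Rule:                      # hypothetical rule shape, not FOS syntax
    source: str                  # single address or CIDR range
    port: int                    # destination TCP/IP port on the switch
    action: str                  # "permit" or "deny"

def evaluate(policy, src_ip, port):
    """Assumed model: first matching rule wins, no match means deny."""
    addr = ipaddress.ip_address(src_ip)
    for rule in policy:
        net = ipaddress.ip_network(rule.source, strict=False)
        if rule.port == port and addr.version == net.version and addr in net:
            return rule.action
    return "deny"

def audit(policy, probe_ips):
    """List unsecure services the policy still lets a probe address reach."""
    findings = []
    for service, secure in SECURE_EQUIVALENT.items():
        for port in SERVICES[service]:
            for ip in probe_ips:
                if evaluate(policy, ip, port) == "permit":
                    findings.append((service, port, ip, secure))
    return findings

# Constructed sample policies and probe addresses (IPv4 only).
WEAK = [Rule("10.20.0.15", 23, "permit"), Rule("0.0.0.0/0", 23, "deny"),
        Rule("10.20.0.0/24", 22, "permit"), Rule("10.20.0.0/24", 80, "permit")]
HARDENED = [Rule("0.0.0.0/0", 23, "deny"), Rule("10.20.0.0/24", 22, "permit"),
            Rule("10.20.0.0/24", 443, "permit")]
PROBES = ["10.20.0.15", "192.0.2.7"]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(policy, PROBES))
```

In the weak policy the single-host telnet permit sits ahead of the blanket deny, so rule order alone decides whether telnet stays reachable from that host.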
