for SANs
BRKSAN-2892
14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
audit mechanisms
SNMP
RADIUS/TACACS+ (RFC-1492) servers: widely used and supported by Cisco MDS 9000 switches
[Diagram: … is authorized by …; … populated into … (Oracle, mySQL, etc.)]
172.19.48.87,net-adm-1,10/3/2007,11:51:08,IAS,IBM305S1,32,login,61,5,5,3001,6,8,31,sjc-1.cisco.com,4108,172.19.48.87,4116,
9,4128,core3,4129,IBM305S1\net-adm-1,4130,IBM305S1\net-adm-1,4127,1,25,311 1 172.19.48.54 10/3/2007 18:44:03 1,4136,1,4142,0
172.19.48.87,net-adm-1,10/3/2007,11:51:08,…,shell:roles=network-admin,MDS Policy,172.19.48.87,core3,IBM305S1\net-adm-1,…
172.19.48.87,net-adm-1,10/3/2007,11:51:34,…,accounting:accountinginfo=vsan:4001 values updated interoperability mode:1,…
172.19.48.87,net-adm-1,10/3/2007,11:51:56,…,accounting:accountinginfo=vsan:4001 values updated loadbalancing:src-id/dst-id/oxid,…
172.19.48.87,net-adm-1,10/3/2007,11:52:02,…,accounting:accountinginfo=Interface fc3/1 state updated to down,…
172.19.48.87,net-adm-1,10/3/2007,11:52:05,…,accounting:accountinginfo=Interface fc3/1 state updated to up,…
172.19.48.87,net-adm-1,10/3/2007,11:52:16,…,accounting:accountinginfo=vsan:4001 deleted,…
172.19.48.87,net-adm-1,10/3/2007,11:52:20,…,accounting:accountinginfo=vsan:4000 deleted,…
172.19.48.87,net-adm-1,10/3/2007,11:52:23,…,accounting:accountinginfo=shell terminated,…
Some of these records have been shortened to fit them on this slide (‘…’)
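Parsing records like these and picking out the configuration changes an operator would want alerted on, as an added example that is not code from the deck or from any Cisco or Microsoft tool. The sample lines are constructed in the IAS layout seen above (client IP, user, date, time, service, server, then attribute/value pairs); the attribute numbers after the fixed fields are illustrative and the parser keys on the AV-pair text, not on attribute positions or numbers.

```python
import csv
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records in the shape of the IAS accounting lines above.
SAMPLE_LOG = """\
172.19.48.87,net-adm-1,10/3/2007,11:51:08,IAS,IBM305S1,4128,core3,4129,IBM305S1\\net-adm-1,4136,1
172.19.48.87,net-adm-1,10/3/2007,11:51:08,IAS,IBM305S1,26,shell:roles=network-admin,4128,core3
172.19.48.87,net-adm-1,10/3/2007,11:51:34,IAS,IBM305S1,26,accounting:accountinginfo=vsan:4001 values updated interoperability mode:1,4128,core3
172.19.48.87,net-adm-1,10/3/2007,11:52:02,IAS,IBM305S1,26,accounting:accountinginfo=Interface fc3/1 state updated to down,4128,core3
172.19.48.87,net-adm-1,10/3/2007,11:52:16,IAS,IBM305S1,26,accounting:accountinginfo=vsan:4001 deleted,4128,core3
172.19.48.87,net-adm-1,10/3/2007,11:52:23,IAS,IBM305S1,26,accounting:accountinginfo=shell terminated,4128,core3
"""

ROLE_PREFIX = "shell:roles="
ACCT_PREFIX = "accounting:accountinginfo="

# Accounting texts a SAN operator would want alerted on, not merely archived.
ALERT_RULES: Tuple[Tuple[str, str], ...] = (
    ("deleted", "object deleted"),
    ("state updated to down", "interface taken down"),
)


@dataclass
class AcctEvent:
    client_ip: str          # NAS (the MDS switch) that sent the record
    user: str
    timestamp: str
    role: Optional[str]     # from the authorisation record's shell:roles AV-pair
    action: Optional[str]   # from the accounting AV-pair, if present


def parse_ias_record(line: str) -> AcctEvent:
    """Parse one IAS-format line; AV-pairs are located by their text prefix."""
    fields = next(csv.reader([line]))
    client_ip, user, date, time = fields[:4]
    role = action = None
    for value in fields[4:]:
        if value.startswith(ROLE_PREFIX):
            role = value[len(ROLE_PREFIX):]
        elif value.startswith(ACCT_PREFIX):
            action = value[len(ACCT_PREFIX):]
    return AcctEvent(client_ip, user, f"{date} {time}", role, action)


def parse_log(text: str) -> List[AcctEvent]:
    return [parse_ias_record(l) for l in text.splitlines() if l.strip()]


def classify(action: Optional[str]) -> Optional[str]:
    """Return an alert label for a config-changing action, or None."""
    if action is None:
        return None
    for needle, label in ALERT_RULES:
        if needle in action:
            return label
    return None


def session_roles(events: List[AcctEvent]) -> List[str]:
    """Roles the AAA server granted to the session (what the admin was allowed to do)."""
    return [e.role for e in events if e.role]


def alerts(text: str) -> List[Tuple[str, str, str, str, str]]:
    """(timestamp, user, switch, action, label) for every record matching ALERT_RULES."""
    out = []
    for e in parse_log(text):
        label = classify(e.action)
        if label:
            out.append((e.timestamp, e.user, e.client_ip, e.action, label))
    return out


if __name__ == "__main__":
    for row in alerts(SAMPLE_LOG):
        print(row)
```

Because the accounting records carry the switch name, the user and the exact change, the same parser can feed a SIEM correlation that pairs each change with the `shell:roles` authorisation record of the session that made it.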
4. Enable NTP across all switches for consistent time stamping of events
5. Log and archive everything
   Enable centralized SYSLOG
   Take regular copies of MDS 9000 configurations (can use CiscoWorks RME)
   Turn on Cisco MDS 9000 “Call Home” feature to alert of anomalies
Both
sWWN—Switch WWN
Port_ID—Port identifier on switch (i.e. fc1/2)
[Diagram: switches sw-1 (sWWN-1) and sw-2 (sWWN-2); switch ports labelled fWWN-1, fWWN-2, fWWN-5, fWWN-6 with Port_ID-1, Port_ID-2, Port_ID-5, Port_ID-6; attached devices pWWN-1, pWWN-2, pWWN-3, pWWN-4, with nWWN-1 shown for one node]
DH-CHAP: authentication mechanism - CHAP
Switch-to-switch authentication: new switch wanting to join the fabric (also over FCIP)
Device-to-switch authentication: new host wanting to join the fabric, equipped with an HBA supporting DH-CHAP (when the network is adopting HBAs supporting DH-CHAP: Emulex, Qlogic)
DHCHAP_Challenge / T_ID=Q
(NameM, hash=MD5, DiffieHellmanGroupID=2, challenge C1, g^x mod p)
DHCHAP_Reply / T_ID=Q
(NameM, response R1, g^y mod p, challenge C2)
DHCHAP_Success / T_ID=Q
(response R2)
DHCHAP_Success / T_ID=Q
Note: common DH key is g^xy mod p
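The four-message exchange above simulated end to end, with both sides' computations, as an added example that is not code from the deck or from Cisco. It uses the RFC 2409 group 2 prime for the slide's DiffieHellmanGroupID=2 and MD5 as the negotiated hash. The response layout, H(T_ID || secret || H(challenge || g^xy mod p)), is a simplification modelled on the slide and is not a byte-exact FC-SP implementation; the switch names, secrets and the AUTH_Reject message on failure (FC-SP's rejection, not shown on the slide) are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# RFC 2409 group 2 (1024-bit MODP): the DiffieHellmanGroupID=2 negotiated on the slide.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2
T_ID = 0x51  # the slide labels every message of the transaction T_ID=Q


def _i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def chap_response(hash_name: str, secret: bytes, challenge: bytes, dh_shared: int) -> bytes:
    """Assumed layout: H(T_ID || secret || H(challenge || g^xy mod p)).
    Folding the DH shared value into the challenge binds the response to this
    exchange, which is what DH-CHAP adds over a plain CHAP response."""
    inner = hashlib.new(hash_name, challenge + _i2b(dh_shared)).digest()
    return hashlib.new(hash_name, bytes([T_ID]) + secret + inner).digest()


class Entity:
    """A switch or HBA: its own DH-CHAP secret plus the secrets it holds for named peers."""
    def __init__(self, name: str, own_secret: bytes, peer_secrets: Dict[str, bytes]) -> None:
        self.name, self.own_secret, self.peer_secrets = name, own_secret, peer_secrets


def dhchap(initiator: Entity, responder: Entity, hash_name: str = "md5",
           p: int = DH_GROUP2_P, g: int = DH_GROUP2_G
           ) -> Tuple[bool, List[str], Optional[Tuple[int, int]]]:
    """Run the exchange; returns (authenticated, message transcript, key at each side)."""
    transcript: List[str] = []

    # DHCHAP_Challenge: initiator sends its name, hash, DH group, C1 and g^x mod p.
    c1 = secrets.token_bytes(16)
    x = secrets.randbelow(p - 2) + 1
    gx = pow(g, x, p)
    transcript.append("DHCHAP_Challenge")

    # DHCHAP_Reply: responder answers with R1 (proving its own secret), g^y mod p and C2.
    y = secrets.randbelow(p - 2) + 1
    gy = pow(g, y, p)
    k_responder = pow(gx, y, p)
    r1 = chap_response(hash_name, responder.own_secret, c1, k_responder)
    c2 = secrets.token_bytes(16)
    transcript.append("DHCHAP_Reply")

    # Initiator checks R1 against the secret it has configured for the responder's name.
    k_initiator = pow(gy, x, p)
    expected_r1 = chap_response(hash_name, initiator.peer_secrets.get(responder.name, b""),
                                c1, k_initiator)
    if not hmac.compare_digest(r1, expected_r1):
        transcript.append("AUTH_Reject")  # FC-SP's rejection message; not shown on the slide
        return False, transcript, None

    # DHCHAP_Success (with R2): initiator proves its own secret against C2.
    r2 = chap_response(hash_name, initiator.own_secret, c2, k_initiator)
    transcript.append("DHCHAP_Success")

    # Responder checks R2; the final DHCHAP_Success confirms mutual authentication.
    expected_r2 = chap_response(hash_name, responder.peer_secrets.get(initiator.name, b""),
                                c2, k_responder)
    if not hmac.compare_digest(r2, expected_r2):
        transcript.append("AUTH_Reject")
        return False, transcript, None
    transcript.append("DHCHAP_Success")
    return True, transcript, (k_initiator, k_responder)  # both equal g^xy mod p


# Constructed names and secrets: sw-2 joining a fabric where sw-1 authenticates it.
SW1 = Entity("sw-1", b"sw1-secret", {"sw-2": b"sw2-secret"})
SW2 = Entity("sw-2", b"sw2-secret", {"sw-1": b"sw1-secret"})
IMPOSTOR = Entity("sw-2", b"wrong-secret", {})  # presents sw-2's name without its secret


def demo() -> dict:
    ok, messages, keys = dhchap(SW1, SW2)
    bad_ok, bad_messages, _ = dhchap(SW1, IMPOSTOR)
    return {"ok": ok, "messages": messages,
            "keys_match": keys is not None and keys[0] == keys[1],
            "impostor_ok": bad_ok, "impostor_messages": bad_messages}
```

The point to take from the run: a device that knows the name sw-2 but not its secret is rejected at the first response, and the two honest sides finish holding the same g^xy mod p from the slide's note, which is what makes the secret configured per peer name the thing to protect.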
Device Visibility
Zoning is very complementary to VSANs
One active zoneset per VSAN
Multiple configured zonesets per VSAN
Name server visibility restricted based on active zone definitions
Non-disruptive zoneset activation to other VSANs
[Diagram: pWWN-3/FCID-3 and pWWN-4/FCID-4 in two VSANs]
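A small model of the zoning rules just listed (one active zoneset per VSAN, several configured, name-server visibility limited to active zones, activation in one VSAN leaving the others untouched), as an added example that is not code from the deck or from SAN-OS. The fabric, VSAN numbers, zoneset names and pWWN labels are constructed, and a default-zone policy of deny is assumed, so a device in no active zone sees nobody.

```python
from typing import Dict, Optional, Set


class Fabric:
    """Configured and active zonesets per VSAN; default-zone policy assumed to be deny."""

    def __init__(self) -> None:
        # vsan -> {zoneset name -> {zone name -> set of pWWNs}}
        self.configured: Dict[int, Dict[str, Dict[str, Set[str]]]] = {}
        self.active: Dict[int, Optional[str]] = {}   # vsan -> active zoneset name

    def configure_zoneset(self, vsan: int, zoneset: str, zones: Dict[str, Set[str]]) -> None:
        """Store (or replace) a configured zoneset; several may coexist in one VSAN."""
        self.configured.setdefault(vsan, {})[zoneset] = {z: set(m) for z, m in zones.items()}
        self.active.setdefault(vsan, None)

    def activate(self, vsan: int, zoneset: str) -> None:
        """Make one zoneset active in this VSAN only; other VSANs are not touched."""
        if zoneset not in self.configured.get(vsan, {}):
            raise KeyError(f"zoneset {zoneset!r} is not configured in VSAN {vsan}")
        self.active[vsan] = zoneset

    def active_zoneset(self, vsan: int) -> Optional[str]:
        return self.active.get(vsan)

    def visible_to(self, vsan: int, pwwn: str) -> Set[str]:
        """Name-server view of `pwwn`: the other members of every active zone it belongs to."""
        name = self.active.get(vsan)
        if name is None:
            return set()
        peers: Set[str] = set()
        for members in self.configured[vsan][name].values():
            if pwwn in members:
                peers |= members
        peers.discard(pwwn)
        return peers


def build_sample() -> Fabric:
    """Constructed fabric: two VSANs, the second with two configured zonesets."""
    fab = Fabric()
    fab.configure_zoneset(4000, "zs-prod", {"host1-array": {"pWWN-1", "pWWN-3"}})
    fab.activate(4000, "zs-prod")
    fab.configure_zoneset(4001, "zs-a", {"host2-array": {"pWWN-2", "pWWN-4"}})
    fab.configure_zoneset(4001, "zs-b", {"host2-alone": {"pWWN-2"}, "array-alone": {"pWWN-4"}})
    fab.activate(4001, "zs-a")
    return fab


def reactivation_demo() -> dict:
    """Activate zs-b in VSAN 4001 and show VSAN 4000's view is unchanged."""
    fab = build_sample()
    before = fab.visible_to(4001, "pWWN-2")
    fab.activate(4001, "zs-b")
    return {"before": before, "after": fab.visible_to(4001, "pWWN-2"),
            "vsan4000_active": fab.active_zoneset(4000),
            "vsan4000_view": fab.visible_to(4000, "pWWN-1")}
```

Activating zs-b leaves pWWN-2 alone in its zone, so its name-server view empties, while VSAN 4000 keeps zs-prod active and pWWN-1 still sees pWWN-3.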
switch access
Works well for interop with non-Cisco switches
*Best*
Port-based zoning in ‘native mode’ in SANOS v1.2
interoperability
Need full authentication to gain access: Ok, add DH-CHAP
Fabric Protocols
Security
CA Keys: Without certificates the CA will distribute the public keys used for secure key exchange
IP Storage Security
iSCSI leverages many of the security features inherent in Ethernet and IP
Ethernet Access Control Lists (ACLs) ↔ FC zones
Ethernet VLANs ↔ FC VSANs
Ethernet 802.1x port security ↔ FC port security
iSCSI authentication ↔ FC DH-CHAP
iSCSI offers LUN masking/mapping
[Diagram: iQN1 = pWWN1/nWWN1; iQN2 is mapped to an allocated pWWN and registered in the fabric; RADIUS server used to centralize iSCSI accounts; iSCSI login using CHAP authentication, registering iQN; Cisco Catalyst® 6500 Multilayer LAN Switches]
Network
High speed encryption services in specialized HW
Can also be run through a firewall
FCIP tunnel is a virtual ISL—Can leverage FC-based FC-SP switch-to-switch authentication
MDS 9000 Family Systems: MDS 9222i, MDS 9216A, MDS 9216i, MDS 9506, MDS 9509, MDS 9513
MDS 9000 Modules: 18/4-Port Multiprotocol Services Module (MPS)
Mgmt.: Cisco Fabric Manager w/Key Management Center
OS: Cisco MDS 9000 Family SAN-OS
Tape Libraries
Integrates with Cisco FM server
No additional software to install
Intuitive provisioning and management with Cisco FM Web client
Cons
  Tape Volume Key (per tape): The catalog contains an entry for each tape, so it could be very large.
  Tape Volume Group Key (per group): If a Tape Volume Group Key is compromised, the hacker can decrypt the Tape Volume Key and the data of all tapes in the group.
Recovery Procedure
  Tape Volume Key (per tape): Key export is required only when a tape volume is labeled
  Tape Volume Group Key (per group): Key export is required only when a new tape volume group is created, either manually or by the auto grouping
Virtual Shredding Implications
  Tape Volume Key (per tape): Can be at the individual tape level
  Tape Volume Group Key (per group): Only a tape group
Tape Recycling
  Tape Volume Key (per tape): The key catalog contains a new entry every time a tape is re-labeled, unless the recycle option is selected
  Tape Volume Group Key (per group): The key catalog size remains constant
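The trade-offs in the comparison above (catalog growth, blast radius of one compromised key, shredding granularity, and the recycle option) run as a model, added here as an example that is not code from the deck or from Cisco's SME implementation. Key wrapping is represented by bookkeeping rather than performed, the key ids and the tape/group workload are constructed, and the "recycle" behaviour follows the table's wording for the per-tape mode.

```python
import secrets
from typing import Dict, Set


class TapeKeyCatalog:
    """Key catalog for one of the two key hierarchies in the table.
    mode="per_tape":  every labelled tape gets its own Tape Volume Key entry.
    mode="per_group": one Tape Volume Group Key per group is catalogued; the
    per-tape keys live under it, so a group key reaches every tape in the group."""

    def __init__(self, mode: str) -> None:
        if mode not in ("per_tape", "per_group"):
            raise ValueError(mode)
        self.mode = mode
        self.entries: Dict[str, Dict] = {}       # key id -> {"key": bytes, "tapes": set}
        self.current_key: Dict[str, str] = {}    # tape -> key id now protecting it

    def _new_entry(self, key_id: str) -> str:
        self.entries[key_id] = {"key": secrets.token_bytes(32), "tapes": set()}
        return key_id

    def label_tape(self, tape: str, group: str, recycle: bool = False) -> str:
        """Label (or re-label) a tape; returns the catalog key id protecting it."""
        if self.mode == "per_group":
            key_id = f"group:{group}"
            if key_id not in self.entries:
                self._new_entry(key_id)          # key export needed only when a group is created
        elif recycle and tape in self.current_key:
            key_id = self.current_key[tape]      # recycle option: reuse the tape's key
        else:
            n = sum(1 for k in self.entries if k.startswith(f"tape:{tape}#"))
            key_id = self._new_entry(f"tape:{tape}#{n + 1}")   # key export per label
        self.entries[key_id]["tapes"].add(tape)
        self.current_key[tape] = key_id
        return key_id

    def catalog_size(self) -> int:
        return len(self.entries)

    def exposed_by_compromise(self, key_id: str) -> Set[str]:
        """Tapes readable by whoever holds this one catalog key."""
        return set(self.entries[key_id]["tapes"])

    def virtual_shred(self, tape: str) -> Set[str]:
        """Destroy the key protecting `tape`; returns every tape made unreadable."""
        key_id = self.current_key[tape]
        affected = set(self.entries.pop(key_id)["tapes"])
        for t in affected:
            self.current_key.pop(t, None)
        return affected


def compare(groups: int = 3, tapes_per_group: int = 4) -> Dict[str, Dict[str, int]]:
    """Constructed workload: label tapes, re-label one, compromise one key, shred one tape."""
    result = {}
    for mode in ("per_tape", "per_group"):
        cat = TapeKeyCatalog(mode)
        for g in range(groups):
            for t in range(tapes_per_group):
                cat.label_tape(f"T{g}{t}", f"G{g}")
        size_after_labeling = cat.catalog_size()
        cat.label_tape("T00", "G0", recycle=False)        # re-label without recycle
        size_after_relabel = cat.catalog_size()
        key_of_t01 = cat.current_key["T01"]
        result[mode] = {
            "catalog_after_labeling": size_after_labeling,
            "catalog_after_relabel": size_after_relabel,
            "tapes_exposed_by_one_key": len(cat.exposed_by_compromise(key_of_t01)),
            "tapes_lost_by_shredding_T01": len(cat.virtual_shred("T01")),
        }
    return result


def recycle_demo() -> int:
    """Per-tape catalog: re-labelling with the recycle option keeps the size constant."""
    cat = TapeKeyCatalog("per_tape")
    cat.label_tape("T00", "G0")
    cat.label_tape("T00", "G0", recycle=True)
    return cat.catalog_size()
```

With three groups of four tapes, the per-tape catalog holds twelve entries and grows on every re-label, but a single key compromise or shred touches one tape; the per-group catalog stays at three entries while either event reaches all four tapes of the group, which is the table's first row stated in numbers.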
[Chart axes: Level of Security versus Simplicity]
Advanced: Smart cards with Recovery Shares for each Master Key where M of N Recovery Officers
Standard: Smart Cards with all Master Keys; No Recovery Shares
Basic:
• USB Drive with all Master Keys
• A file with all Master Keys
• Master keys encrypted with a password
• Regular backup & archive.
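The "M of N Recovery Officers" idea behind the Advanced level, shown as Shamir secret sharing in Python: an added example that is not code from the deck and not the scheme Cisco's Key Management Center or its smart cards use. The field prime, the share format and the 3-of-5 officer workload are constructed for the demonstration.

```python
import secrets
from typing import List, Tuple

# Arithmetic is done in the field mod the Mersenne prime 2^521 - 1, large enough
# to hold a master key of up to 64 bytes as a single field element.
P = (1 << 521) - 1

Share = Tuple[int, int]   # (x, f(x)) held by one recovery officer


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x^i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_master_key(master_key: bytes, m: int, n: int) -> List[Share]:
    """Split `master_key` into n recovery shares, any m of which reconstruct it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    secret = int.from_bytes(master_key, "big")
    if secret >= P:
        raise ValueError("master key too large for the field")
    # Degree m-1 polynomial: the key is the constant term, the rest is random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_at_zero(shares: List[Share]) -> int:
    """Lagrange interpolation of f(0) from the shares presented."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def recover_master_key(shares: List[Share], key_len: int) -> bytes:
    """Rebuild the key from a quorum of officers' shares."""
    secret = _interpolate_at_zero(shares)
    if secret >= 1 << (8 * key_len):
        raise ValueError("reconstructed value is not a key of this length")
    return secret.to_bytes(key_len, "big")


def recovery_demo(m: int = 3, n: int = 5) -> dict:
    """Constructed run: n officers hold shares; any m recover the key, m-1 do not."""
    master_key = secrets.token_bytes(32)
    shares = split_master_key(master_key, m, n)
    quorum = shares[-m:]
    too_few = shares[:m - 1]
    try:
        below = recover_master_key(too_few, len(master_key)) == master_key
    except ValueError:
        below = False
    return {
        "shares_issued": len(shares),
        "quorum_recovers": recover_master_key(quorum, len(master_key)) == master_key,
        "below_quorum_recovers": below,
    }
```

Fewer than m shares give no information about the key beyond chance, so losing a card or an officer is survivable while no single holder can recover the master key alone, which is what separates the Advanced level from a smart card that carries the whole key.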
Maintain a Vulnerability Management Program
Requirement 5: Anti-virus
Cisco MDS9000 SAN: Not applicable to SANOS
Recommended Reading