BCSM IN A NUTSHELL 2008
© 2008 Brocade Communications Systems, Incorporated.
1 SECURITY
1.1 MANAGING SAN SECURITY
PROTECTING YOUR MANAGEMENT INTERFACES
A goal is to minimize threats by limiting access to the management interfaces. This can be achieved by:
• Employing IP network security best practices
• Disabling unused management interfaces like telnet, SNMP and HTTP
• Using secure protocols like SSL, SNMPv3 and SSHv2
BEST PRACTICES
Best-practice IT security strives to maintain five basic objectives that provide a foundation for protecting
against threats and attacks that can be executed against a storage environment:
• Availability
o Data must always be available to authorized users whenever it is needed
• Integrity
o In order to maintain its integrity, data must not be modified in any way
• Authentication
• Confidentiality
o Sensitive data such as personal information, intellectual property, and data pertaining to
national security must remain strictly confidential
• Non-repudiation of data
o Non-repudiation is the ability to ensure that a party to a contract or a communication cannot
deny the authenticity of their signature on a document or the sending of a message that they
originated. On the Internet, the digital signature is used not only to ensure that a message or
document has been electronically signed by the person that purported to sign the document,
but also, since a digital signature can only be created by one person, to ensure that a person
cannot later deny that they furnished the signature.
When implementing SAN-attached servers located in a DMZ, Brocade recommends the following to protect
the SAN from the Internet:
• Use a VLAN for the management network
• Create a separate zone for the devices in the DMZ
• Implement LUN masking at the disk storage controller
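The zoning and LUN-masking recommendations above can be checked against an exported zone listing. The following is an added example, not part of the Brocade guide: the "zone: name" plus indented WWN layout, all WWNs, and the function names `parse_zones` and `audit_dmz` are assumptions constructed for illustration.

```python
import re

# Constructed sample listing; the layout is an assumed export format.
SAMPLE_ZONES = """\
zone: dmz_web_zone
    10:00:00:00:c9:aa:00:01
    50:06:01:60:aa:00:00:10
zone: erp_db_zone
    10:00:00:00:c9:bb:00:02
    50:06:01:60:aa:00:00:10
zone: backup_zone
    10:00:00:00:c9:aa:00:01
    10:00:00:00:c9:bb:00:02
    50:06:01:60:aa:00:00:30
"""
# Constructed inventory: HBAs of DMZ servers, and storage controller ports.
DMZ_HOSTS = {"10:00:00:00:c9:aa:00:01"}
STORAGE_PORTS = {"50:06:01:60:aa:00:00:10", "50:06:01:60:aa:00:00:20",
                 "50:06:01:60:aa:00:00:30"}
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")

def parse_zones(text):
    """Return {zone_name: set of member WWNs} from a 'zone: name' listing."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line.startswith("zone:"):
            current = line.split(":", 1)[1].strip()
            zones[current] = set()
        elif current is not None and WWN_RE.match(line):
            zones[current].add(line)
    return zones

def audit_dmz(zones, dmz_hosts, storage_ports):
    """Flag zones mixing DMZ and internal hosts, and targets both sides reach."""
    findings, dmz_targets, internal_targets = [], set(), set()
    for name, members in sorted(zones.items()):
        hosts, targets = members - storage_ports, members & storage_ports
        # Any host WWN not listed as a DMZ host is treated as internal.
        dmz, internal = hosts & dmz_hosts, hosts - dmz_hosts
        if dmz and internal:
            findings.append(("mixed-zone", name, sorted(internal)))
        if dmz:
            dmz_targets |= targets
        if internal:
            internal_targets |= targets
    # A shared port means isolation rests on LUN masking at the controller.
    for port in sorted(dmz_targets & internal_targets):
        findings.append(("shared-target", port, []))
    return findings
```

A `mixed-zone` finding means the DMZ devices do not have a separate zone; a `shared-target` finding marks a storage port where LUN masking is the only control separating DMZ and internal hosts.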