BCSM IN A NUTSHELL 2008
© 2008 Brocade Communications Systems, Incorporated.
Page 6 of 44
ADDITIONAL BEST PRACTICES
• Enable the Track Changes feature in Fabric OS to see who logged in and when; the events are reported
as messages in the RASlog
• Restrict responsibilities by assigning each SAN administrator a distinct user name and a specific role
using Role-Based Access Control (RBAC)
• Use Virtual Fabrics and Fibre Channel routing
• Use a login banner to provide legal support
• Manage multiple user accounts with RADIUS for centralized login management
RBAC IN FABRIC OS V5.3
• user – view-only privileges
• zoneadmin – can perform zone operations only
• basicswitchadmin – can do mostly monitoring, with very limited switch (local) command capability
• operator – can perform operations typically required during "off-hours" when an Admin is not present
• switchadmin – can perform most operations not involving security
• fabricadmin – can perform all operations except user and Virtual Administrative Domain (AD) operations
• securityadmin – grants permission for all security-related configuration operations only
• admin – the only role that can manage all features
SECURE PROTOCOLS
• SCP for firmware downloads and for configuration file uploads/downloads
• HTTPS (requires a digital certificate) for Web Tools
• SSL in lieu of telnet
• SNMPv3 (but does not use a reliable transport protocol)
• IPsec for FCIP tunnels
PASSWORD STRENGTHENING POLICIES
• Account lockout
• Password expiration
• Password strength
• Password history
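The four policies above, shown together in one authentication path, as an added example (not Brocade code; the thresholds, the PBKDF2 storage and the in-memory account table are assumptions):

```python
# Added example, not from the Brocade document. Models account lockout, password
# expiration, password strength and password history on one account table.
import hashlib, os

LOCKOUT_THRESHOLD = 5   # failed attempts before lockout (assumed value)
EXPIRE_DAYS = 90        # password lifetime in days (assumed value)
HISTORY_DEPTH = 5       # previous passwords that may not be reused (assumed value)
MIN_LENGTH = 8          # minimum password length (assumed value)
DAY = 86400

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def check_strength(pw):
    """Password strength: minimum length plus lower, upper, digit and punctuation."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_LENGTH and all(classes)

class Accounts:
    def __init__(self):
        self.db = {}  # user -> {"salt", "hash", "history", "changed", "failures", "locked"}

    def set_password(self, user, pw, now):
        if not check_strength(pw):
            return "weak"
        acct = self.db.setdefault(user, {"history": [], "failures": 0, "locked": False})
        # Password history: reject any password still in the retained (salt, hash) list
        for salt, h in acct["history"]:
            if _hash(pw, salt) == h:
                return "reused"
        salt = os.urandom(16)
        acct.update(salt=salt, hash=_hash(pw, salt), changed=now, failures=0, locked=False)
        acct["history"] = (acct["history"] + [(salt, acct["hash"])])[-HISTORY_DEPTH:]
        return "ok"

    def authenticate(self, user, pw, now):
        acct = self.db.get(user)
        if acct is None or acct["locked"]:
            return "locked" if acct else "unknown"
        if _hash(pw, acct["salt"]) != acct["hash"]:
            acct["failures"] += 1
            if acct["failures"] >= LOCKOUT_THRESHOLD:
                acct["locked"] = True  # account lockout after repeated failures
                return "locked"
            return "bad"
        acct["failures"] = 0
        if now - acct["changed"] > EXPIRE_DAYS * DAY:
            return "expired"  # password expiration: caller must force a change
        return "ok"
```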