Enterprise data centers contain assets, applications, and data that are often the target of electronic attacks. Endpoints such as data center servers are important objectives of malicious attacks and must be protected. Attacks against server farms can result in lost business for e-commerce and business-to-business applications and theft of confidential or proprietary information. Both LANs and storage area networks (SANs) need to be secured to reduce the likelihood of these occurrences.
SANs have traditionally been considered "secure" primarily because of the fact that SAN deployments have been limited to a subset of a single data center-in essence, an isolated network. This view is simplistic at best; a single compromised host has the potential to disrupt other hosts attached to the SAN, access unauthorized data within the SAN, or bypass existing firewalls and intrusion detection systems if IP over Fibre Channel is being used.
Today it is not uncommon to find a SAN that spans outside a data center for business continuance and disaster recovery purposes. The adoption of technologies such as Small Computer System Interface over IP (iSCSI) and Fibre Channel over IP (FCIP), which use TCP/IP for the transport, emphasizes the need for SAN security as sensitive information passes over common data networks.
This paper will discuss techniques that are available in premiere Cisco data center switching products (Cisco Catalyst 6500 Series switches and Cisco MDS 9000 family switches) and solutions to make server farms less vulnerable to these threats whether they are related to the LANs or SANs.
ANATOMY OF A NETWORK ATTACK
Note: CAIDA provides information on the propagation of recent worms through the Internet: http://www.caida.org/research/security/
WHO TO PROTECT AGAINST?
• Controlled access to the server farm-Most applications today are deployed in a multiple-tier architecture. The multiple-tier model consists of using separate server machines that provide different functions: presentation, business logic, and database. Multiple-tier server farms provide added security because a client can compromise a Web server without having access to the application itself, nor to the database. The segregation between the tiers can be achieved by using VLANs. Client-to-server and server-to-server access is limited to the legitimate traffic by using technologies such as access control lists (ACLs), VLANs, and private VLANs all applied in hardware at wire speed.
• Distributed denial-of-service (DDoS) protection-The Cisco Guard module and Cisco Traffic Anomaly Detector module for the Cisco Catalyst 6500 Series deliver automated detection and mitigation of the broadest range of DDoS attacks that threaten businesses today. With these integrated security capabilities, the network infrastructure can withstand even the most massive DDoS attacks, protecting the data center and its critical applications.
• TCP/IP protocols hardening-Many IP protocols were not designed with security in mind and make spoofing very easy. As a protocol, TCP provides some safeguards to prevent spoofing, but is still vulnerable to more sophisticated attacks. The Cisco Catalyst 6500 Series hardens all these protocols with features such as ARP inspection, TCP SYN-COOKIEs, Initial Sequence Number (ISN) randomization, routing protocol authentication, and so on.
• Client and server authentication, data integrity, and confidentiality-Secure Sockets Layer (SSL) and IP Security (IPSec) encryption can provide authentication for access to server applications as well as data integrity and confidentiality. The Cisco Catalyst 6500 Series can provide cryptographic operations offloading from the servers and Public Key Distribution functions.
• Intrusion detection and prevention-Intrusion detection solutions such as the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM2) services module, and intrusion prevention solutions such as the Cisco Security Agent protect the server farm from attacks exploiting OS and application vulnerabilities. This technology is complemented by the use of the Catalyst 6500 Series mirroring technologies such as virtual ACL (VACL) capture, Remote Switched Port Analyzer (RSPAN). and NetFlow.
• Network devices security-The management of network devices in a data center needs to be secured to avoid unauthorized access and to prevent DoS attacks against the network. Secure management access is deployed using technologies such as ACLs, Authentication, Authorization, and Accounting (AAA), Secure Shell (SSH) Protocol, and syslog. The Cisco Catalyst 6500 Series Supervisor Engine 720 rate limiters protect the switch and router CPU from becoming overloaded in the event of a DoS attack.
Access Control and Segmentation
• ACLs-The Cisco Catalyst 6500 Series switches provide wire-speed packet filtering with Cisco IOS® Software ACLs and VLAN ACLs (VACLs). ACLs and VACLs allow granular traffic filtering at Layer 4 (port level), thus preventing access to services that have been left accidentally open on the servers. The Catalyst 6500 Series FWSM provides packet-filtering capabilities similar to the Catalyst 6500 Series Switch, allowing designs where the traffic from the client to the server has to pass through several layers of ACLs. Firewalls can open Layer 4 ports dynamically based on the control session negotiation, commonly referred to as fixups.
• VLANs-A Layer 2 switch is a device capable of grouping subsets of its ports into virtual broadcast domains isolated from each other. These domains are commonly known as virtual LANs (VLANs). The Cisco Catalyst 6500 Series works in accordance with popular VLAN-tagging technologies Inter-Switch Link (ISL) or 802.1Q across physical links (sometimes referred to as trunks) and employs advanced tagging techniques to preserve the VLAN information. VLANs can be used to segregate server farms and can be combined with the FWSM to filter VLAN-to-VLAN traffic.
• Private VLANs (PVLANs)-PVLANs provide isolation of ports from one another within the same VLAN. With private VLANs you can use a single subnet and force all the server-generated traffic to go to a promiscuous or upstream port, which typically is a router port, or a VLAN interface on a FWSM. By doing so, servers can be protected from Layer 2 attacks such as ARP spoofing, even where other devices in the same VLAN may be compromised. The Cisco Catalyst 6500 Series supports hardware-based PVLAN segregation.
• MPLS VPNs-Using MPLS to build VPNs provides network segmentation with address transparency. This facilitates an identity-aware network in the most scalable way while taking advantage of the benefits and flexibility of IP. MPLS VPNs provide privacy and security equal to that provided by Layer 2 VPNs by limiting the distribution of a VPN routes to only those routers that are members of the VPN. The Cisco Catalyst 6500 Series Supervisor Engine 720 in conjunction with the Cisco Policy Feature card 3B (PFC3BXL) provides hardware-based MPLS VPN support. MPLS VPNs can be combined with FWSM virtual firewalls for VPN-specific stateful inspection.
• Port security-Cisco data centers feature a fully switched topology, where no hub is present, and all links are full duplex. Layer 2 Flooding should only be used during topology changes to allow fast convergence of the Layer 2 network. Technologies that are based on flooding introduce performance degradation besides being a security concern. Flooding can also be the result of a security attack and that is why port security should be configured on the access ports. To prevent MAC flooding, port security is used, whereby specify MAC addresses are assigned to each port or to permit a limited number of MAC addresses. When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or learned on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port shuts down permanently (the default), shuts down for a specified length of time, or drops incoming packets from the insecure host.
• IEEE 802.1X-The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port and assigns the port to a VLAN before making available any services offered by the switch or the LAN. Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
TCP/IP Protocols Security
• ARP inspection-ARP inspection provides a mapping between a default gateway IP address and its MAC address. If the switch sees a gratuitous ARP carrying an invalid mapping, the switch drops the packet, thereby preventing ARP spoofing attacks.
• Unicast Reverse Path Forwarding (URPF)-URPF checks each packet to ensure it is coming from the intended sources and expected interfaces, helping mitigate source-address spoofing. The check consists of verifying that there is a routing-table entry for the source address matching the interface that the packet arrived on. The Cisco Catalyst 6500 Series switches and the Catalyst 6500 Series FWSM implement URPF checking in hardware. The Catalyst 6500 Series Supervisor Engine 720 supports URPF on up to six parallel paths.
• Fragment filtering-The Cisco Catalyst 6500 Series switches allow Cisco IOS Software ACLs and VACLs to be constructed to either permit or deny forwarding of fragments. Fragment filtering can be used to prevent fragment attacks (such as the ones described in RFC 1858). Fragment filtering can be further complemented with the stateful capabilities of the Cisco Catalyst 6500 Series FWSM, which provides fragment reassembly and validation (virtual reassembly) before forwarding the fragments.
• ISN randomization-The TCP/IP stack implementation of some operating systems generates TCP ISNs in a predictable fashion, making it possible to hijack TCP sessions. In the past this vulnerability has been identified on multiple operating systems (see CERT Advisory CA-1995.01, CERT Advisory CA-1998.13, CERT Advisory CA-2001-09, US CERT Vulnerability Note VU#498440). The Cisco Catalyst 6500 Series FWSM can randomize the ISN used by servers' TCP connections.
• TCP SYN cookies-SYN cookies are particular choices of initial TCP sequence numbers by TCP servers, SYN cookies can be used to protect the SYN queue of the TCP/IP stack of a device (either a network device or a server) from filling up by selecting an ISN (the cookie value) based on a Message Digest Algorithm 5 (MD5) of the source and destination IP addresses and port numbers. When a certain threshold in the queue is reached, a SYN/ACK response (the second part of the TCP three-way handshake) is still sent, but with no connection-state information kept. If the final ACK for the three-way handshake is received, the server recalculates the original information that had come with the initial SYN. SYN cookies are an effective mechanism to protect the server farm from DoS attacks. By using this technology the Cisco CSM can withstand attacks of hundreds of thousands of connections per second while preserving legitimate user connections.
• TCP Connection State Tracking-The Cisco Catalyst 6500 Series FWSM and the Cisco CSM keep connection-state information of the traffic that flows through them. As an example, a forged TCP segment sent to a router is subject to forwarding as any other IP packet. The Catalyst 6500 Series FWSM and the Cisco CSM will not forward this segment because there is no existing TCP connection for the forged segment.
• VLAN Trunking Protocol (VTP) authentication-VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and naming of VLANs on a network-wide basis. VTP authentication helps ensure authentication and integrity of switch-to-switch VTP messages. VTP Version 3 introduces an additional mechanism to authenticate the primary VTP server as the only device allowed to change the VLAN configuration on a network-wide basis.
• Routing Protocol Authentication-Neighbor router authentication, sometimes called "route authentication," certifies the neighbors' authenticity and the integrity of routing updates for router-to-router (Layer 3 switch-to-Layer 3 switch) communication and for host-to-router (Layer 3 switch) communication. Hosts can be Layer 3 multiple-homed servers or mainframes. Routing protocols that support authentication include Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Intermediate System-to-Intermediate System (IS-IS), and Border Gateway Protocol (BGP).
Client and Servers Authentication Data Integrity and Confidentiality
• SSL encryption-SSL provides authentication, data confidentiality, integrity, and nonrepudiation for client-to-server and server-to-server communications. Virtually any application that uses TCP/IP as the transport protocol can use the services provided by SSL and create SSL connections by using SSL sockets. The Cisco Catalyst 6500 Series SSL Services Module offloads servers from decrypting strong ciphers (like Triple Data Encryption Standard [3DES]) while still maintaining end-to-end encryption. The module also simplifies the management of digital certificates and can enforce a trust model that gives control on who is allowed to use a given application.
• IPSec encryption-IPSec helps ensure confidentiality, integrity, authentication, and anti-reply protection. The IPSec protocol operates between the network layer and the transport layer of the TCP/IP protocol stack. IPSec is completely transparent to the applications which, as a consequence, do not need to be IPSec-aware. IPSec is often used to build secured tunnels between data centers.
Traffic Analysis, Intrusion Detection, and Prevention
• Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN)-SPAN is a technology for mirroring traffic from one or more ports on a Cisco Catalyst 6500 Series switch (the SPAN source) to another port on the same switch (the SPAN destination). This is frequently called "local SPAN." RSPAN allows the scope of analysis to be extended to encompass multiple switches interconnected in the same Layer 2 domain. RSPAN and VACLs can be combined for very granular traffic analysis by differentiating mirrored traffic across up to 64 groups.
• VACL capture-The VACL capture technology provided by the Cisco Catalyst 6500 Series allows ACLs to be defined to provide granular control over what traffic is captured.
• NetFlow-NetFlow is a technology to efficiently collect and export statistics from traffic that flows through switches and routers. In the context of security, NetFlow is used for its DoS, Distributed Dos (DDoS), and worm detection. The Cisco Catalyst 6500 Series switches support NetFlow export in NetFlow versions 5, 7, and 8 formats. Sampled NetFlow and NetFlow aggregation can be used to reduce the volume of statistics collected.
• Multigigabit IDS analysis-IDS sensors can detect malicious activity in a server farm based on protocol or traffic anomalies, or based on the stateful matching of events described by signatures. An IDS sensor can detect an attack from its very beginning by identifying the probing activity, or it can identify the exploitation of well known vulnerabilities.
• Host intrusion prevention-Cisco Security Agent software executes on a server and is capable of preventing buffer overflow, malicious registry, file system, and TCP/IP stack operations. In brief, the host-based intrusion-prevention software prevents servers from being infected by new worms and from being manipulated by an attacker, thereby eliminating known and unknown (Day Zero) security risks.
Network Devices Security
• Authentication, Authorization, and Accounting (AAA)-AAA is an architecture that can be used to control the access to sensitive resources such as servers and network devices, based on users and groups. AAA can use the username/password database local to the switch or can use protocols such as TACACS+ or RADIUS to access an authentication server.
• Secure Shell (SSH) Protocol Version 2-SSHv2 provides secure remote access through the use of authentication and encryption. SSH Protocol should be used as an alternative to insecure protocols such as telnet and rlogin. SSHv2 can be used in conjunction with TACACS+ and RADIUS. The Cisco Catalyst 6500 Series switches support SSHv2.
• SNMP Version 3 (SNMPv3)-SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. The Cisco Catalyst 6500 Series switches support SNMPv1, v2c, and v3. SNMPv3 (RFC 2271-2275) provides authentication, integrity, and encryption. SNMPv3 traffic is encrypted with Data Encryption Standard (DES), and carries an MD5 HMAC or a SHA HMAC algorithm for authentication and integrity purposes.
• Syslog-Syslog messages are unsolicited notification that a network device can save in a log file or direct to a syslog server such as CiscoWorks2000 Resource Manager Essentials (RME). Syslog messages include a timestamp from the syslog server, a device name, a sequence number, the timestamp from the network device and the message itself. Syslog types are categorized as facilities. A complete list of the available syslog messages available on the Catalyst 6500 is available at http://www.cisco.com/en/US/products/hw/switches/ps708/products_system_message_guide_chapter09186a0080163dbe.html
• Network Time Protocol Version 3 (NTPv3)-This protocol (RFC1305) is used to synchronize system clocks in network devices and it is fundamental to be able to use syslog messages coming from multiple sources, whose timestamp allows to correlate the events that have been logged.
• Cisco Express Forwarding-Threats such as worms look for vulnerable devices by continuously generating connection requests for random destination IP addresses. Flow-based Layer 3 switches can be easily overwhelmed by the amount of traffic, because they process the first packet of a flow in software. Hardware-based Cisco Express Forwarding, which is supported on the Cisco Catalyst 6500 Series supervisor engines II and 720, solves this problem by keeping all forwarding in hardware, separate to the software-based control plane.
• Hardware rate limiters-Layer 3 switches typically forward and filter traffic in hardware. Some traffic types require software processing (Internet Control Message Protocol [ICMP] unreachable, ICMP redirect, or to manage IP packet maximum transmission unit [MTU] or time-to-live (TTL) failures for the purpose of generating ICMP packet too big or ICMP time exceeded messages). The Cisco Catalyst 6500 Series Supervisor Engine II provides predefined rate limiters, while the Catalyst 6500 Series Supervisor Engine 720 provides additional control with 12 special-case rate limiters.
• Control Plane Policing (CoPP)-Control Plane Policing allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of the switch against reconnaissance and DoS attacks. This helps maintain packet forwarding and protocol states despite an attack or heavy traffic load on the switch.
• Address Resolution Protocol (ARP) throttling-ARP throttling limits the rate at which packets destined to a connected network are forwarded to the route processor in case their MAC address has not been resolved yet (glean adjacency). The Cisco Catalyst 6500 Series Supervisor Engine II provides preconfigured rate limiting to the router processor, and Catalyst 6500 Series Supervisor Engine 720 provides configurable rate limiting.
• Fabric access-Secure fabric access to fabric services
• Target access-Secure access to targets and logical unit numbers (LUNs)
• SAN protocol-Secure switch-to-switch communication and authorization
• IP storage access-Secure FCIP and iSCSI services
• Data integrity and secrecy-Encryption of data in transit
• SAN management access-Secure access to management services
Figure 1. Areas of Focus for SAN Security
Fabric and Target Access
• Fibre Channel zoning-Zoning is the security mechanism within Fibre Channel used to restrict communication between devices within the same Fibre Channel fabric. With many different types of servers and storage devices on the network, a host could gain access to a disk being used by another host, potentially with a different OS, and corrupt the data on this disk. Zoning can be of two types: soft zoning and hard zoning. Soft zoning refers to software-based zoning; that is, zoning enforced through control-plane software on Fibre Channel switches in the Fibre Channel Name Server service. Hard zoning refers to hardware-based zoning, enforced through hardware ACLs which are applied to every Fibre Channel frame that is switched.
• Logical unit number (LUN) zoning and read-only zones-The Cisco MDS 9000 family can provide more detailed zoning than is generally available today. Based on deep frame inspection, hard zoning within Cisco MDS 9000 family switches can restrict access to explicit LUNs within a storage array and can even restrict write SCSI I/O operations, enforcing read-only access.
• Virtual SANs (VSANs)-VSANs can be used to create multiple logical SANs over a common physical infrastructure. Each VSAN runs its own set of fabric services, providing for absolute partitioning between virtual fabrics.
• Inter-VSAN Routing (IVR)-IVR can be used to securely create a path from a device in one VSAN to one or multiple devices in a different VSAN, without merging the individual VSAN fabrics (that is, without creating a single merged fault domain). Inter-VSAN Routing effectively provides Network Address Translation (NAT) for data traffic only (Fibre Channel Class 2 and 3).
• Port security-Port security allows access to Fibre Channel fabric based on the device identity attributes. Port security prevents unauthorized access to a switch port by binding specific worldwide names (WWNs) as having access to one or more switch ports. When port security is enabled on a switch port, all devices connecting to that port must be in the port-security database and must be listed in the database as bound to the given port. In the case of a storage device or host, the port name (pWWN) or node name (nWWN) can be used to lock authorized storage devices to a specific switch port. In the case of an E_Port/TE_Port, the switch name (sWWN) is used to bind authorized switches to a given switch port.
• Port mode security-Port mode security can be used to restrict the function of a port. For example, the port mode may be configured to prevent edge ports inadvertently being used for ISLs.
• Fibre Channel Security Protocol-Fibre Channel Security Protocol (FCSP) Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) can be used to help ensure data integrity (tamper-proof) and authentication (non-repudiation) for both host-to-switch and switch-to-switch communication. Authentication can be performed locally in the switch or remotely through a centralized RADIUS or TACACS+ server.
SAN Protocol Security
• Disruptive Reconfigure Fabric Rejection-Ability to reject disruptive fabric-reconfiguration requests from rogue misconfigured or new unconfigured switches being attached to an existing fabric. Without this rejection, a rogue misconfigured or new unconfigured switch could cause a fabric outage.
• IBM Fiber Connection (FICON) Fabric Binding-Ability to limit what switches and domain IDs may participate in a FICON fabric.
• Fibre Channel ID Caching, Persistent Fibre Channel ID Allocation, and Static Fibre Channel ID Assignment-Ability to limit what Fibre Channel IDs are assigned to given pWWNs as well as offer persistent Fibre Channel IDs across system restarts.
IP STORAGE SECURITY
• iSCSI authentication-Incoming iSCSI sessions from iSCSI initiators are authenticated using Challenge Handshake Authentication Protocol (CHAP) prior to the iSCSI session being established.
• iSCSI-initiator persistent dynamic WWN and static WWN allocation-iSCSI initiators may be dynamically or statically mapped to virtual Fibre Channel initiators with a unique nWWN and pWWN per initiator, per VSAN (conceptually, each iSCSI initiator becomes a "virtual" N_Port). Both nWWNs and pWWNs can be assigned in a persistent manner dynamically from a range of WWNs stored within the switch, or may be assigned a static nWWN or pWWN.
• iSCSI access controls-There are various forms of access controls that may be applied to iSCSI initiators. Firstly, an iSCSI initiator is only allowed to access Fibre Channel targets (virtual iSCSI targets) that they have been explicitly permitted to access. Secondly, an iSCSI initiator (virtual N_Port) is explicitly configured to be an initiator within a single VSAN. Standard Fibre Channel zoning can be used to zone the virtual N_Port(s) and storage devices. Finally, per-interface restrictions can be used to limit individual iSCSI targets to being advertised either globally (on all Gigabit Ethernet interfaces) or only on specific Gigabit Ethernet interfaces, subinterfaces, or VLANs.
• Fibre Channel over IP (FCIP)-FCIP transports Fibre Channel data across an IP network by tunneling the Fibre Channel frames across a pair of TCP connections between two switches. The raw Fibre Channel frames (including the complete Fibre Channel header) are encapsulated into TCP segments at the sending end of the tunnel and reconstructed into Fibre Channel frames at the receiving end.
Data Integrity and Secrecy
SAN Management Access
• Authentication, Authorization, and Accounting (AAA)-AAA is an architecture that can be used to control the access to sensitive resources such as servers and network devices, based on users and groups. AAA can use the username/password database local to the switch or can use protocols such as TACACS+ or RADIUS to access an authentication server.
• Role-Based Access Control (RBAC)-RBAC allows different users to have different roles, responsibilities, management capabilities, and restrictions. Up to 64 roles may be defined within the system, with users allocated to roles either locally within the configuration of a switch or in a centralized manner through AAA.
• VSAN-Based Roles Access-Storage administrators may be granted access and rights selectively per VSAN, providing for further restrictions on the privileges and capabilities granted to an administrator.
• Secure Shell (SSH) Protocol Version 2-SSHv2 provides secure remote access through the use of authentication and encryption. SSHv2 should be used as an alternative to insecure protocols such as telnet, rlogin, and FTP. SSHv2 can be used in conjunction with TACACS+ and RADIUS. SSHv2 can also be used to securely transfer images, log files, and switch configuration through Secure Copy or Secure FTP.
• SSL Version 2 and transparent LAN services (TLS) 1.0-The Storage Management Initiative Specification (SMI-S) is the common interfaces based on Common Information Model (CIM) to allow multiple-vendor interoperability in a SAN environment. SMI-S allows SAN management clients to link with CIM servers to manage large numbers of storage resources with a unified interface.
• SNMPv3-SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. All Cisco MDS 9000 family switches support SNMPv1, v2c, and v3. SNMPv3 (RFC 2271-2275) provides authentication, integrity, and encryption. SNMPv3 traffic is encrypted with DES, and carries an MD5 HMAC or a SHA HMAC algorithm for authentication and integrity purposes. The Cisco MDS 9000 family also supports stronger AES 128-based encryption with SNMPv3 (RFC 3826).
• Syslog-Syslog messages are unsolicited notification that a network device can save in a log file or direct to a server such as CiscoWorks Resource Manager Essentials (RME). Syslog messages include a timestamp from the syslog server, a device name, a sequence number, the timestamp from the network device, and the message itself.
• Network Time Protocol Version 3 (NTPv3)-NTPv3 (RFC1305) is used to synchronize system clocks in network devices and it is fundamental to be able to use syslog messages coming from multiple sources, whose timestamp allows to correlate the events that have been logged across multiple devices.
• Accounting log-An accounting audit trail of configuration commands is kept both within the switch (critical messages stored persistently in NVRAM) and can also be logged to centralized syslog and AAA servers through RADIUS accounting messages or TACACS+ accounting messages.
• Call Home-Call Home provides e-mail-based notification of critical system events. Common uses of this feature may include direct paging of a network support engineer, e-mail notification to a network operations center, and usage of Cisco AutoNotify services for direct case generation with the Cisco Technical Assistance Center (TAC). Multiple concurrent destinations, message categories. and message-delivery options mean that Call Home can be tailored to specific network-management and monitoring requirements. Message format options include short text (suitable for pagers and Short Message Service [SMS]), plain text, and Extensible Markup Language (XML)-based e-mails.
• Fabric Consistency Checker-Embedded within Fabric Manager (the JAVA-based GUI management suite that uses SNMP to communicate with Cisco MDS 9000 family switches) is a wizard called the Fabric Consistency Checker. This is a tool that can validate that configuration policy is consistent across multiple switches within a fabric. The tool will highlight configuration differences where there are exceptions from the configuration of a master "policy" switch and provide a mechanism to resolve configuration differences. Fabric Consistency Checker provides an effortless way to confirm that security policy and security configurations are consistent across all switches within a fabric.
• ACLs-ACLs may be applied on management interfaces and IPS-4, IPS-8 and MPS 14+2 IP Storage Service modules Gigabit Ethernet interfaces to limit management and IP access to a subset of IP addresses.
• Switched Port Analyzer (SPAN)-SPAN allows for any interfaces or VSANs being monitored to have a copy of each frame taken and sent out a SPAN destination port. Any Fibre Channel port in a switch can be configured as a SPAN destination port. A Fibre Channel Analyzer (such as a Finisar Analyzer) or a Cisco Port Adapter Analyzer may be connected to the SPAN destination port and receive a copy of all monitored traffic.
• Virtual LANs (VLANs) on the LAN and virtual SANs (VSANs) on the SAN
• ACLs on the LAN and hard zoning on the SAN
• Ethernet port security on the LAN and Fibre Channel port security on the SAN
• VLAN Trunking Protocol Version 3 (VTPv3) and Routing Protocol Authentication on the LAN and FCSP DH-CHAP authentication on the SAN
• SSL and IPSec on the LAN and in future Fibre Channel Security (FCSec) (part of FCSP) on the SAN
• SPAN, RSPAN, VACL capture, NetFlow, and Call Home on the LAN and SPAN, RSPAN, Fibre Channel flow statistics, Call Home, and RMON Threshold Alarms on the SAN
• AAA, SSHv2, SNMPv3, syslog, NTPv3, and RBAC available on both LAN devices and SAN switches.
SECURITY ARCHITECTURE AND PRODUCTS
• Cisco Catalyst 6500 Series Switch-As the premier intelligent multilayer modular switch from Cisco, the Catalyst 6500 Series is uniquely qualified for the data center. Its forwarding performance and its support for Layer 4 to 7 service modules, 10/100/1000 ports, 10 Gigabit Ethernet, jumbo frames, 802.1s, 802.1w, VLAN ACLs, SPAN, QoS, Multicast, uRPF in hardware, etc. make it the obvious choice as an aggregation and access switch in the data center.
• Cisco Catalyst 6500 Series Firewall Services Module (FWSM)-This module provides a high-performance integrated firewall solution within the Catalyst 6500 Series with industry-leading performance of 5-Gbps throughput, 100,000 connections per second, and 1 million concurrent connections. Up to four modules can be installed in a single chassis, providing scalability to 20 Gbps per chassis. Based on Cisco PIX ® Firewall technology, the Catalyst 6500 Series FWSM provides large enterprises and service providers with unmatched security, reliability, and performance.
• Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module or Cisco IDS 4200 Series Sensor-Cisco IDS 4200 Series sensors use a combination of highly innovative and sophisticated detection techniques, including stateful pattern recognition, protocol parsing, heuristic detection, and anomaly detection, which provide comprehensive protection from a variety of both known and unknown cyber threats. Furthermore, the Cisco patent-pending Threat Analysis Micro-Engine (T.A.M.E) technology allows granular customization of sensor signatures, resulting in precisely tuned sensors that minimize the occurrence of "false positives." The Cisco IDS 4200 Series includes four products: the Cisco IDS 4215, IDS 4235, IDS 4250, and IDS 4250 XL sensors. At 1 Gbps, the Cisco IDS 4250 XL provides unprecedented performance through customized hardware acceleration to protect fully saturated gigabit links as well as multiple partially used gigabit subnets. The Cisco Catalyst 6500 Series IDSM-2 integrates into the Catalyst 6500 Series chassis for easier installation and better rack-space efficiency.
• Cisco Catalyst 6500 Series SSL Services Module-This module integrates into the Catalyst 6500 Series and provides an increased number of secure connections to support Web-based applications by offloading the processor-intensive tasks related to securing traffic with the SSL protocol. The use of SSL provides privacy, confidentiality, and authentication. SSL uses a wide range of certificates that reside on the module, thus centralizing certificate management, eliminating the need to manage certificates on individual servers, and reducing cost by requiring a single certificate copy versus a certificate copy for each server. The module provides up to 3000 connection setups per second, per module (12,000) per chassis); 300-Mbps bulk encrypted throughput per module (1.2 Gbps per chasses) while maintaining 60,000 concurrent client connections (240,000 per chassis).
• Cisco Content Switching Module (CSM)-The Cisco CSM integrates advanced Layer 4 to 7 content switching into the Cisco Catalyst 6500 Series to provide high-performance, high-availability load balancing. With features such as full stateful redundancy, server slow-start and graceful shutdown, SYN cookies, HTTP 1.1 persistence, cookie- and URL-based persistence, global server load balancing, route health injection, scriptable keepalives, in-band health monitoring, and HTTP return code checking, the Cisco CSM provides the flexibility to improve the performance and reliability of large-scale server farms.
• Cisco Guard modules and Cisco Traffic Anomaly detectors-These modules for the Cisco Catalyst 6500 Series deliver automated detection and mitigation of the broadest range of DDoS attacks that threaten businesses today. With these integrated security capabilities, the network infrastructure can withstand even the most massive DDoS attacks, protecting the data center and its critical applications.
• Cisco MDS 9000 family switches-The Cisco MDS 9000 family provides a full line of products to meet requirements for storage networks of all sizes and architectures. The Cisco MDS 9000 family delivers intelligent network services such as VSANs, comprehensive security, advanced traffic management, sophisticated diagnostics, and unified SAN management. In addition, the Cisco MDS 9500 series director switches and the Cisco MDS 9200 series fabric switches provide multiprotocol and multitransport integration and an open platform for embedding intelligent storage services such as network-based virtualization. With its multilayer approach to network and storage intelligence, the Cisco MDS 9000 family ushers in a new era in storage networking.
• Cisco Security Agent-This host-based software identifies and prevents malicious behavior, thereby eliminating known and unknown ("Day Zero") security risks and helping to reduce operational costs. Cisco Security Agent aggregates and extends multiple endpoint security functions by providing host intrusion prevention, distributed firewall capabilities, malicious mobile code protection, OS integrity assurance, and audit-log consolidation, all within a single product.
FOR MORE INFORMATION
Cisco Catalyst 6500 Series switches
Cisco MDS 9000 family switches
Cisco Catalyst 6500 Series Firewall Services Module
Cisco IDS 4200 Series Sensor
Cisco Catalyst 6500 Series Intrusion Detection System Services Module
Cisco Catalyst 6500 Series SSL Services Module
Cisco Content Switching Module
Cisco Security Agent