Security Overview
The Cisco MDS 9000 NX-OS software supports advanced security features that provide security within a Storage Area Network (SAN). These features protect your network against deliberate or unintentional disruptions from internal or external threats.
This chapter includes the following sections:
FIPS
The Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, details the U.S. government requirements for cryptographic modules. FIPS 140-2 specifies that a cryptographic module should be a set of hardware, software, firmware, or some combination that implements cryptographic functions or processes, including cryptographic algorithms and, optionally, key generation, and is contained within a defined cryptographic boundary. FIPS specifies certain crypto algorithms as secure, and it also identifies which algorithms should be used if a cryptographic module is to be called FIPS compliant.
For more information on configuring FIPS, see Chapter2, “Configuring FIPS”
Users and Common Roles
Role-based authorization limits access to switch operations by assigning users to roles. All management access within the Cisco MDS 9000 Family is based upon roles. Users are restricted to performing the management operations that are explicitly permitted, by the roles to which they belong.
For information on configuring users and common roles, see Chapter3, “Configuring Common Roles”
RADIUS and TACACS+
The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use RADIUS and TACACS+ protocols to provide solutions using remote AAA servers. This security feature provides a centralized user account management capability for AAA servers.
AAA uses security protocols to administer its security functions. If your router or access server is acting as a network access server, then the communication between your network access server and the RADIUS or TACACS+ security server is through AAA.
The chapters in this guide describe the following features:
- Switch management—A management security system that provides security to all management access methods, including the command-line interface (CLI) or Simple Network Management Protocol (SNMP).
- Switch AAA functionalities—A function by which you can configure AAA switch functionalities on any switch in the Cisco MDS 9000 Family, using the command-line interface (CLI) or Simple Network Management Protocol (SNMP).
- RADIUS—A distributed client and server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
- TACACS+—A security application implemented through AAA that provides a centralized validation of users who are attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon that typically runs on a UNIX or Windows NT workstation. TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.
For information on configuring RADIUS and TACACS+, see Chapter 4, “Configuring Security Features on an External AAA Server”
IP ACLs
IP access control lists (ACLs) provide basic network security on the out-of-band management Ethernet interface and the in-band IP management Interface. The Cisco MDS 9000 Family switches use IP ACLs to restrict traffic from unknown and untrusted sources and restrict network use based on user identity or device type.
For information on configuring IP ACLs, see Chapter 5, “Configuring IPv4 and IPv6 Access Control Lists”
PKI
The Public Key Infrastructure (PKI) allows an MDS 9000 switch to obtain and use digital certificates for secure communication in the network. PKI support provides manageability and scalability for applications, such as IPsec, IKE, and SSH, that support digital certificates.
For information on configuring PKI, see Chapter6, “Configuring Certificate Authorities and Digital Certificates”
IPsec
IP Security (IPsec) protocol is a framework of open standards by the Internet Engineering Task Force (IETF) that provides data confidentiality, data integrity, and data origin authentication between participating peers. IPsec provides security services at the IP layer, including protecting one or more data flows between a pair of hosts, a pair of security gateways, or a security gateway and a host.
For information on configuring IPsec, see Chapter7, “Configuring IPsec Network Security”
FC-SP and DHCHAP
Fibre Channel Security Protocol (FC-SP) capabilities provide switch to switch and hosts to switch authentication to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco MDS 9000 Family switches and other devices. DHCHAP consists of the CHAP protocol combined with the Diffie-Hellman exchange.
With FC-SP, switches, storage devices, and hosts are able to prove their identity through a reliable and manageable authentication mechanism. With FC-SP, Fibre Channel traffic can be secured on a frame-by-frame basis to prevent snooping and hijacking, even over untrusted links. A consistent set of policies and management actions are propagated through the fabric to provide a uniform level of security across the entire fabric.
For more information on configuring FS-SP and DHCHAP, see Chapter8, “Configuring FC-SP and DHCHAP”
Port Security
The port security feature prevents unauthorized access to a switch port by binding specific world-wide names (WWNs) that have access to one or more given switch ports.
When port security is enabled on a switch port, all devices connecting to that port must be in the port security database and must be listed in the database as bound to a given port. If both of these criteria are not met, the port will not achieve an operationally active state and the devices connected to the port will be denied access to the SAN.
For information on configuring port security, see Chapter9, “Configuring Port Security”
Fibre Channel Common Transport Management Server Query
With the FC-CT query management feature, an administrator can configure the network in such a manner that only a storage administrator or a network administrator can send queries to a switch and access information such as devices that are logged in devices in the fabric, switches in the fabric, how they are connected, how many ports each switch has and where each port is connected, configured zone information and privilege to add or delete zone and zone sets, and Host Bus Adapter (HBA) details of all the hosts connected in the fabric and so on.
For information on configuring fabric binding, see Chapter10, “Configuring Fibre Channel Common Transport Management Security”
Fabric Binding
The fabric binding feature ensures Inter-Switch Links (ISLs) are enabled only between specified switches in the fabric binding configuration. This feature helps prevent unauthorized switches from joining the fabric or disrupting the current fabric operations. This feature uses the Exchange Fabric Membership Data (EEMD) protocol to ensure that the list of authorized switches is identical in all of the switches in a fabric.
For information on configuring fabric binding, see Chapter11, “Configuring Fabric Binding”
TrustSec Fibre Channel Link Encryption
Cisco TrustSec Fibre Channel Link Encryption is an extension of the Fibre Channel-Security Protocol (FC-SP) feature and uses the existing FC-SP architecture to provide integrity and confidentiality of transactions. Encryption is added to the peer authentication capability to provide security and prevent unwanted traffic interception. Peer authentication is implemented according to the FC-SP standard using the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) protocol.
For information on configuring TrustSec Fibre Channel Link Encryption, see Chapter12, “Configuring Cisco TrustSec Fibre Channel Link Encryption”
Open IP Ports on Cisco MDS 9000 Series Platforms
Cisco MDS 9000 Series platforms with default configurations have IP ports that are open on the external management interface. The table below lists the open ports and their corresponding services:
Table 1-1 Open IP Ports on Cisco MDS 9000 Series Platforms
|
|
|
|
|
None |
UDP |
All |
— |
— |
600 - 1024 |
TCP |
All |
NFS |
Yes |
2002 |
TCP |
All |
Remote Packet Capture |
No |
7546 |
TCP |
All |
CFS over IPv4 |
No |
9333 |
TCP |
All |
Cluster |
No |
32768 - 32769 |
TCP |
Cisco MDS 8-Gb Fabric Switch for HP c-Class Blade System Cisco MDS 9148 Cisco MDS 9222i Cisco MDS 9506 Cisco MDS 9509 Cisco MDS 9513 |
License Manager |
Yes |
44583 - 59121 |
TCP |
Cisco MDS 9148S Cisco MDS 9250i Cisco MDS 9706 Cisco MDS 9710 |
License Manager |
Yes |
NFS —A port in this range is used by the NFS service on the switch. This is only for intraswitch use. It is not essential to provide external access to or from these ports. This feature cannot be disabled. To block access to this service, configure an IP access list to deny access to the range of ports. Refer to the Configuring IPv4 and IPv6 Access Control Lists section of the Cisco MDS 9000 Family NX-OS Security Configuration Guide for details.
Remote Packet Capture —This port is used by the Fibre Channel Analyzer service on the switch for communicating with an Ethereal protocol analyzer client on a host using the Remote Capture Protocol (RPCAP). This service is used for troubleshooting and is optional for normal switch operation. This feature cannot be disabled. To block access to this service, configure an IP access list to deny access to the range of ports. Refer to the Configuring IPv4 and IPv6 Access Control Lists section of the Cisco MDS 9000 Family NX-OS Security Configuration Guide for details.
CFS over IPv4 —This port is used by the CFS over IPv4 service to distribute switch configuration information to peer switches in the fabric. CFS is an important service for a switch to communicate with peers, but several transport options are possible. The correct transport depends on the fabric implementation. This port may be closed by disabling the CFS over IPv4 service. Refer to the Enabling CFS Over IP section of the Cisco MDS 9000 Family CLI Configuration Guide for details.
Cluster —This port is used by the cluster service to communicate with peer switches in a cluster. Features such as IOA and SME rely on this service. If such features are not in use, the cluster service is not essential to a switch operation. This port can be closed by disabling the cluster service. Refer to the Enabling and Disabling Clustering section of the Cisco MDS 9000 Family Storage Media Encryption Configuration Guide for details.
License Manager —These ports are used by the License Manager service. This only for intraswitch use. It is not essential to provide external access to or from these ports. This feature cannot be disabled. To block access to this service, configure an IP access list to deny access to the range of ports. Refer to the Configuring IPv4 and IPv6 Access Control Lists section of the Cisco MDS 9000 Family NX-OS Security Configuration Guide for details.