Sun Microsystems 5802 User Manual

Chapter 5
Managing Switches
143
Network IP Security
Network IP Security provides encryption-based security for IP version 4 and IP version 6 communications through the use of security policies and associations. The security policy database is the set of all security policies configured on the switch.
Security Policies
A security policy defines the following parameters:
- Connection source and destination
- Data traffic direction: inbound or outbound
- Protocols for which to protect data traffic
- Security protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP)
- Level of protection: IP Security, discard, or none
Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections; one policy for each direction. For example, to secure the connection between two hosts, you need two policies: one for outbound traffic from the source to the destination, and another for inbound traffic to the source from the destination. You can specify sources and destinations by IP addresses (version 4 or 6) or DNS host names. If a host name resolves to more than one IP address, the switch creates the necessary policies and associations. You can recognize these dynamic policies and associations because their names begin with DynamicSP_ and DynamicSA_ respectively.
You can apply IP security to all communication between two systems, or only to selected protocols, such as ICMP, TCP, or UDP. Furthermore, instead of applying IP security, you can choose to discard all inbound or outbound traffic, or allow all traffic without encryption. Both the AH and ESP security protocols provide source authentication, ensure data integrity, and protect against replay.
Security Associations
A security association defines the encryption algorithm and encryption key to apply when called by a security policy. A security policy may call several associations at different times, but each association is related to only one policy. The security association database is the set of all security associations. IP Security configurations can be complex: it is possible to unintentionally configure policies and associations that isolate a switch from all communication. If this happens, you can disable IP Security by placing the switch in maintenance mode, and correct the problem through the serial port interface.
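The policy and association model described in the two sections above, as an added Python example that is not the switch's own software or command-line interface. It models the security policy database (source, destination, direction, protocol, action) and the security association database, enforces the rules the manual states (an IP Security policy calls at least one association, each association belongs to exactly one policy, a secured connection needs a policy per direction), and includes a check for the isolation case the manual warns about. First-match lookup order, the "none" action for unmatched traffic, the algorithm labels and all addresses are assumptions for illustration.

```python
"""Constructed model of an IPsec security policy database (SPD) and security
association database (SAD). Added illustration; not the switch's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

DIRECTIONS = ("in", "out")
ACTIONS = ("ipsec", "discard", "none")         # levels of protection named in the manual
SEC_PROTOCOLS = ("ah", "esp")                  # Authentication Header, Encapsulating Security Payload
IP_PROTOCOLS = ("any", "icmp", "tcp", "udp")


@dataclass(frozen=True)
class SecurityAssociation:
    """Algorithm and key applied when a policy calls this association."""
    name: str
    sec_protocol: str      # "ah" or "esp"
    algorithm: str         # label only (assumed name); no cryptography is performed here
    key_hex: str


@dataclass
class SecurityPolicy:
    name: str
    source: str            # address or prefix, IPv4 or IPv6
    destination: str
    direction: str         # "in" or "out"
    protocol: str          # "any", "icmp", "tcp" or "udp"
    action: str            # "ipsec", "discard" or "none"
    associations: List[str] = field(default_factory=list)   # SA names this policy may call

    def matches(self, src: str, dst: str, direction: str, protocol: str) -> bool:
        # A v4/v6 address-family mismatch simply fails the containment test.
        return (direction == self.direction
                and self.protocol in ("any", protocol)
                and ip_address(src) in ip_network(self.source, strict=False)
                and ip_address(dst) in ip_network(self.destination, strict=False))


class PolicyDatabase:
    def __init__(self) -> None:
        self.policies: List[SecurityPolicy] = []                 # SPD, in lookup order
        self.associations: Dict[str, SecurityAssociation] = {}   # SAD
        self._sa_owner: Dict[str, str] = {}                      # SA name -> owning policy

    def add_association(self, sa: SecurityAssociation) -> None:
        if sa.sec_protocol not in SEC_PROTOCOLS:
            raise ValueError(f"{sa.name}: security protocol must be AH or ESP")
        self.associations[sa.name] = sa

    def add_policy(self, policy: SecurityPolicy) -> None:
        if (policy.direction not in DIRECTIONS or policy.action not in ACTIONS
                or policy.protocol not in IP_PROTOCOLS):
            raise ValueError(f"{policy.name}: bad direction, action or protocol")
        if policy.action == "ipsec" and not policy.associations:
            raise ValueError(f"{policy.name}: an IP Security policy needs an association")
        for sa_name in policy.associations:        # validate everything before binding
            if sa_name not in self.associations:
                raise ValueError(f"{policy.name}: unknown association {sa_name}")
            owner = self._sa_owner.get(sa_name)
            if owner is not None:                  # an association belongs to one policy only
                raise ValueError(f"{sa_name} already belongs to policy {owner}")
        for sa_name in policy.associations:
            self._sa_owner[sa_name] = policy.name
        self.policies.append(policy)

    def lookup(self, src, dst, direction, protocol) -> Optional[SecurityPolicy]:
        """First matching policy in configuration order (first-match is an assumption)."""
        return next((p for p in self.policies if p.matches(src, dst, direction, protocol)), None)

    def action_for(self, src, dst, direction, protocol) -> str:
        p = self.lookup(src, dst, direction, protocol)
        return p.action if p else "none"           # assumption: unmatched traffic passes unprotected

    def missing_reverse(self) -> List[str]:
        """IP Security policies lacking a counterpart for the opposite direction;
        securing a connection needs one policy per direction."""
        missing = []
        for p in self.policies:
            if p.action != "ipsec":
                continue
            reverse = "in" if p.direction == "out" else "out"
            if not any(q.action == "ipsec" and q.direction == reverse and q.protocol == p.protocol
                       and q.source == p.destination and q.destination == p.source
                       for q in self.policies):
                missing.append(p.name)
        return missing

    def would_isolate(self, switch_addr: str, mgmt_addr: str, protocol: str = "tcp") -> bool:
        """True when the management station's traffic is discarded in either direction,
        the misconfiguration that cuts the switch off. Management sessions assumed TCP."""
        return (self.action_for(mgmt_addr, switch_addr, "in", protocol) == "discard"
                or self.action_for(switch_addr, mgmt_addr, "out", protocol) == "discard")


def build_example(discard_first: bool = False) -> PolicyDatabase:
    """Constructed sample: host-to-host ESP between a switch at 10.0.0.5 and a management
    station at 10.0.0.20 (made-up addresses) plus a catch-all inbound discard. With
    discard_first=True the catch-all precedes the ESP policy and first-match lookup
    discards the management traffic, isolating the switch."""
    db = PolicyDatabase()
    db.add_association(SecurityAssociation("sa_out", "esp", "aes-cbc", "00" * 16))
    db.add_association(SecurityAssociation("sa_in", "esp", "aes-cbc", "11" * 16))
    drop = SecurityPolicy("drop_in", "0.0.0.0/0", "10.0.0.5", "in", "any", "discard")
    if discard_first:
        db.add_policy(drop)
    db.add_policy(SecurityPolicy("mgmt_out", "10.0.0.5", "10.0.0.20", "out", "any", "ipsec", ["sa_out"]))
    db.add_policy(SecurityPolicy("mgmt_in", "10.0.0.20", "10.0.0.5", "in", "any", "ipsec", ["sa_in"]))
    if not discard_first:
        db.add_policy(drop)
    return db
```

Calling `build_example().would_isolate("10.0.0.5", "10.0.0.20")` returns False, while `build_example(discard_first=True)` returns True for the same call, because the catch-all discard is matched before the ESP policy. Running `missing_reverse()` before committing a configuration catches the one-direction-only mistake, and attempting to attach an association that already belongs to another policy raises an error, mirroring the one-policy-per-association rule.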