Q-Logic 5800V User Manual

2–Planning
Security
59265-02  B
2-19
IP Security
IP security provides encryption-based security for IPv4 and IPv6 communications 
through policies and associations. Policies define security for host-to-host and 
host-to-gateway connections; one policy for each direction. For example, to 
secure the connection between two hosts, you need two policies: one for 
outbound traffic from the source to the destination, and another for inbound traffic 
to the source from the destination. A security association defines the encryption 
algorithm and encryption key (public key or secret) to apply when called by a 
security policy. A security policy can call several associations at different times, 
but each association is related to only one policy.
You must configure matching security associations on the switch and on the 
connected devices (peers) that require secure IP communication. To simplify the 
IP security configuration process, the switch supports the Internet key exchange 
(IKE). IKE is a protocol that automates the configuration of matching IP security 
associations on the switch and on the connected device (or peer). The IKE peer 
defines the IKE security association connection through which the IKE policy 
configures the IP security associations. The IKE policy defines the type of data 
traffic to secure between the switch and the peer, and how to encrypt that data. 
You must create the same IKE peer and IKE policy configurations on the switch 
and the peer device.
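The policy/association model above has three rules a planner can check before touching the switch: every host pair needs one policy per direction, every association belongs to exactly one policy, and the associations on the switch must mirror those on the peer. The following is an added example that encodes those rules as a consistency check; it is not QLogic firmware or CLI code, and the class names, field names, cipher labels and sample addresses are assumptions made for illustration.

```python
# Added planning check for the policy / security-association model described
# above. Example code, not QLogic code: class names, field names and the
# sample addresses and cipher labels are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    local: str        # address of the device that owns this policy
    remote: str       # address of the other end of the connection
    direction: str    # "out" (local -> remote) or "in" (remote -> local)


@dataclass(frozen=True)
class Association:
    name: str
    policy: str       # the single policy this association belongs to
    algorithm: str    # constructed sample label, e.g. "aes-cbc"
    key_ref: str      # name of a pre-shared secret or certificate, never the key itself


def check_policy_pairs(policies: List[Policy]) -> List[str]:
    """Every local/remote pair needs one 'out' and one 'in' policy."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for p in policies:
        seen.setdefault((p.local, p.remote), set()).add(p.direction)
    return [
        f"{local}/{remote}: missing {','.join(sorted({'in', 'out'} - dirs))} policy"
        for (local, remote), dirs in sorted(seen.items())
        if dirs != {"in", "out"}
    ]


def check_association_binding(policies: List[Policy], sas: List[Association]) -> List[str]:
    """Each association must name a policy that exists on the same device."""
    names = {p.name for p in policies}
    return [f"{sa.name}: references unknown policy {sa.policy}" for sa in sas if sa.policy not in names]


def _view(policies: List[Policy], sas: List[Association]) -> Dict[Tuple[str, str, str], Tuple[str, str]]:
    """Map (local, remote, direction) to the (algorithm, key_ref) the device applies there."""
    by_name = {p.name: p for p in policies}
    view: Dict[Tuple[str, str, str], Tuple[str, str]] = {}
    for sa in sas:
        p = by_name.get(sa.policy)
        if p is not None:
            view[(p.local, p.remote, p.direction)] = (sa.algorithm, sa.key_ref)
    return view


def check_peer_match(switch_pol, switch_sas, peer_pol, peer_sas) -> List[str]:
    """For each association on the switch, the peer must hold one with the same
    algorithm and key reference attached to the mirror-image policy
    (local/remote swapped, direction flipped)."""
    switch_view = _view(switch_pol, switch_sas)
    peer_view = _view(peer_pol, peer_sas)
    problems = []
    for (local, remote, direction), params in switch_view.items():
        mirror = (remote, local, "in" if direction == "out" else "out")
        if mirror not in peer_view:
            problems.append(f"peer has no association for {mirror}")
        elif peer_view[mirror] != params:
            problems.append(f"mismatch at {mirror}: switch {params} vs peer {peer_view[mirror]}")
    return problems


# Constructed sample plan: a switch and one host, secured in both directions.
SWITCH, HOST = "10.0.0.1", "10.0.0.2"
SWITCH_POLICIES = [Policy("sw-out", SWITCH, HOST, "out"), Policy("sw-in", SWITCH, HOST, "in")]
SWITCH_SAS = [Association("sw-sa-out", "sw-out", "aes-cbc", "psk-host-a"),
              Association("sw-sa-in", "sw-in", "aes-cbc", "psk-host-a")]
HOST_POLICIES = [Policy("h-in", HOST, SWITCH, "in"), Policy("h-out", HOST, SWITCH, "out")]
# The host's outbound association was planned with a different cipher: this is
# the kind of mismatch the check is meant to surface before deployment.
HOST_SAS = [Association("h-sa-in", "h-in", "aes-cbc", "psk-host-a"),
            Association("h-sa-out", "h-out", "3des-cbc", "psk-host-a")]


def plan_problems() -> List[str]:
    """Run all checks on the sample plan and return the findings."""
    return (check_policy_pairs(SWITCH_POLICIES + HOST_POLICIES)
            + check_association_binding(SWITCH_POLICIES, SWITCH_SAS)
            + check_association_binding(HOST_POLICIES, HOST_SAS)
            + check_peer_match(SWITCH_POLICIES, SWITCH_SAS, HOST_POLICIES, HOST_SAS))


if __name__ == "__main__":
    for line in plan_problems() or ["plan is consistent"]:
        print(line)
```

Running the sample reports one finding: the host's inbound side of the switch's "in" policy uses a different cipher than the switch expects. Key material never appears in the plan, only a reference name, so the check can be run and shared without exposing secrets.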
Public key encryption requires a public key, a corresponding private key, and the 
necessary certificates to authenticate them. Public key infrastructure (PKI) 
provides support for the creation and management of public/private key pairs, 
signed certificates, and certificate authority (CA) certificates when using IKE. You 
can create a public/private key and combine it with one or more device identities 
to generate a certificate request. Submit the certificate request to a CA to obtain a 
signed certificate, which contains the authenticated public/private key pair. In 
addition to the signed certificate, you must also obtain a CA certificate to 
authenticate the CA. After downloading the signed certificate and a CA certificate 
to the switch and importing them into the PKI database, the signed certificate 
(which contains the authenticated public key) can then be used to complete the 
IKE peer configuration.
Consider your IP security requirements and the type of encryption you want to use 
(public key or secret). Also consider which of the connected devices support IKE, 
and how you will configure IP security on both the switch and connected devices.
Port Binding
Port binding provides authorization for a list of up to 32 switch and device WWNs 
that are permitted to log in to a specific switch port. Switches or devices that are 
not among the 32 are refused access to the port. Consider what ports to secure 
and the set of switches and devices that are permitted to log in to those ports. For 
information about port binding, refer to the QLogic 5800V Series Fibre Channel 
Switch Command Line Interface Guide.
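As an added illustration of the port-binding rule (an allow-list of at most 32 WWNs per port, with every other WWN refused), the following model enforces the limit, normalises WWN case before comparison, and produces audit lines for a batch of login attempts. This is example code, not the switch's implementation; the class and method names and the sample WWNs are assumptions, and the behaviour for a port with no binding list (accept any login) is likewise an assumption made for the example.

```python
# Added example of the port-binding rule described above. Example code, not the
# switch's implementation; class/method names and sample WWNs are assumptions.
import re
from typing import Dict, Iterable, List, Set, Tuple

MAX_BOUND_WWNS = 32  # limit stated in the manual
# Fibre Channel WWN as eight colon-separated hex octets, e.g. 20:00:00:11:22:33:44:55
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")


def normalize_wwn(wwn: str) -> str:
    """Canonical lower-case form, so list membership is not defeated by letter case."""
    w = wwn.strip().lower()
    if not WWN_RE.match(w):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return w


class PortBindingTable:
    def __init__(self) -> None:
        self._bindings: Dict[int, Set[str]] = {}

    def bind(self, port: int, wwns: Iterable[str]) -> None:
        """Replace the allow-list for a port; duplicates collapse, over-size lists are rejected."""
        allowed = {normalize_wwn(w) for w in wwns}
        if len(allowed) > MAX_BOUND_WWNS:
            raise ValueError(f"port {port}: {len(allowed)} WWNs exceeds limit of {MAX_BOUND_WWNS}")
        self._bindings[port] = allowed

    def is_bound(self, port: int) -> bool:
        return port in self._bindings

    def login_permitted(self, port: int, wwn: str) -> bool:
        """Assumption for this example: a port with no binding list accepts any login."""
        allowed = self._bindings.get(port)
        if allowed is None:
            return True
        return normalize_wwn(wwn) in allowed

    def audit_logins(self, attempts: Iterable[Tuple[int, str]]) -> List[str]:
        """One review line per (port, wwn) attempt; malformed WWNs are denied and noted."""
        lines = []
        for port, wwn in attempts:
            try:
                verdict = "ALLOW" if self.login_permitted(port, wwn) else "DENY (not in binding list)"
            except ValueError as exc:
                verdict = f"DENY ({exc})"
            lines.append(f"port {port} wwn {wwn}: {verdict}")
        return lines


# Constructed sample: two devices bound to port 3, port 7 left unbound.
TABLE = PortBindingTable()
TABLE.bind(3, ["20:00:00:11:22:33:44:55", "21:00:00:E0:8B:01:02:03"])

SAMPLE_ATTEMPTS = [
    (3, "20:00:00:11:22:33:44:55"),   # bound device, allowed
    (3, "21:00:00:e0:8b:01:02:03"),   # same device, different case, allowed
    (3, "50:06:01:60:11:22:33:44"),   # not in the list, refused
    (7, "50:06:01:60:11:22:33:44"),   # unbound port, accepted under the example's assumption
    (3, "not-a-wwn"),                 # malformed, refused
]

if __name__ == "__main__":
    for line in TABLE.audit_logins(SAMPLE_ATTEMPTS):
        print(line)
```

The audit lines are the detection side of the feature: a steady stream of "DENY (not in binding list)" on a secured port is the signal that an unexpected device is attempting to log in, and is worth alerting on.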