
Implementing Security for SANs

BRKSAN-2892

14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2006, Cisco Systems, Inc. All rights reserved. 1


Presentation_ID.scr
Agenda

- SAN Security Scope
- Cisco MDS9000 Security
  - SAN Management Security
  - Fabric and Target Access Security
  - Fabric Protocols Security
  - IP Storage Security
  - Security for Data at Rest: Storage Media Encryption
- PCI DSS Compliance Considerations
- Recap and Conclusions


SAN Security Scope

Several Threats: Incomplete Solutions

- SAN security is often overlooked as an area of concern but can have the most detrimental impact
- Application-level integrity and security is well addressed, but the back-end network carrying the data is generally not
- SAN extension solutions now push SANs outside the data center boundaries
- Not all compromises are intentional (many are accidental breaches), but they still have the same impact
- SAN security is only one part of a complete DC solution:
  - Host access security—one-time passwords, audit logs, VPNs
  - Storage security—data-at-rest encryption, LUN security
  - Datacenter physical security


SAN Security Scope

- Fabric security augments overall application security
  - Host and disk security also required
- Six key areas of focus
  1. SAN Management Access—Secure access to management services
  2. Fabric Access—Secure device access to fabric service
  3. Target Access—Secure access to targets and LUNs
  4. SAN Protocols—Secure switch-to-switch communication protocols
  5. IP Storage Access—Secure FCIP and iSCSI services
  6. Data Integrity and Secrecy—Encryption of data in transit and at rest

[Diagram: Cisco MDS 9000 Family fabric with Host, Target, iSCSI and FCIP attachments, annotated with the six areas: 1. SAN Management Security, 2. Fabric Access Security, 3. Target Access Security, 4. SAN Fabric Protocol Security, 5. IP Storage Security (iSCSI/FCIP), 6. Data Integrity and Secrecy.]
SAN Management Security


SAN Management Potential Threats

Three main areas of vulnerability:
1. Disruption of switch processing
   - CPU hogging from unnecessary queries
   - Denial-of-service attacks
   - Result: Switch can't react to fabric events
2. Compromised fabric stability
   - Altered/lost switch configurations
   - Removal of other security services
   - Disabled switches/ISLs/device ports
   - Result: Loss of service, unplanned down time
3. Compromised data integrity and secrecy
   - Altered target (and LUN) visibility
   - Altered zoning configuration
   - Result: LUN corruption, data corruption, data theft or loss

[Diagram: accidental or intentional harmful management activity arriving over the out-of-band Ethernet management connection.]
SAN Management Security

- Securing access to all management facilities on the Cisco MDS 9000 Family
  - Must secure console sessions
  - Must secure GUI application access
  - Must secure API access (SMI-S)
  - Must also secure file transfer to/from switch
- Equally important to enable audit mechanisms
  - Integrated RADIUS for user accounting and switch scope assignment
  - Integrated SYSLOG for switch event accounting
  - Integrated SNMP traps for access denial accounting
  - Network time protocol (NTP) support to synchronize clocks, log entry time stamps

[Diagram: SAN Management Security Infrastructure. Over the out-of-band Ethernet management connection, the management network hosts a RADIUS server and a TACACS+ server for user authentication, an SNMP polling server using SNMPv3, an NTP server for time/date synchronization, Cisco Fabric Manager using SNMPv3, and the MDS 9000 SAN OS CLI using SSH/SFTP. Integrated RFC 2625 IP-over-FC provides redundant IP connectivity for security services over the in-band FC link. CLI session shown:
    switch> config t
    switch(config)> analyzer on
    switch(config)> exit
    switch>]

Roles-Based Access Control (RBAC)

- Partitioning management capabilities in the Cisco MDS 9000 Family
  - Different roles for different user profiles (sys admin, network admin, super admin)
  - Common roles across CLI access and Cisco Fabric Manager access
- Integrated Roles-Based Access Control
  - Assign subsets of the full command set to roles
  - Users are then assigned to roles
  - May have a maximum of 64 unique roles
  - Roles include IP storage features (iSCSI/FCIP)
  - Commands are not visible if not part of the assigned role
- VSAN-based RBAC
  - Roles can be assigned to specific VSAN(s) only
  - Enables an administrator-per-VSAN model
  - Reduce infrastructure costs through consolidation using VSANs and still delegate fabric 'island' administration

Roles-Based Access Control Details: Sample Roles

  Feature       Role #1 – 'super' admin   Role #2 – dept. admin   Role #3 – network admin
  Zoning        full                      VSAN-2                  view-only
  FSPF          full                      VSAN-2                  view-only
  VSANs         full                      no                      view-only
  FCID Policy   full                      VSAN-2                  view-only
  iSCSI         full                      view-only               full
  FCIP          full                      view-only               full

- A RADIUS server can be used to centralize user accounts and assign roles
- Roles are populated into switches; different roles can exist in different switches as required

Sample user assignments (fabric of switches 1 to 6 carrying VSAN 1 and VSAN 2):
  - Bill – SAN admin: Role #1, all switches, VSAN-enabled (full fabric admin)
  - Sally – Storage admin: Role #1, switches 1,2 only (assigns storage only)
  - Fred – Email admin: Role #2, switches 3,4 only (VSAN-2 – email app)

Flexible RADIUS and TACACS+ Services

- Used for AAA (Authentication, Authorization, and Accounting) services
  - Limit management access to a subset of switches
  - MDS 9000 supports up to five HA server definitions
- RADIUS—Remote Authentication Dial In User Service (IETF RFC-2865 standard)
  - Initially used for dial-in networks—now greatly expanded to a variety of uses
  - System user account centralized authentication
  - Network device user account AAA services
  - Dial-in/VPN service AAA services
  - iSCSI host authentication
- TACACS+—Terminal Access Controller Access Control System (based on RFC-1492)
  - Widely used and supported by Cisco
  - Freely available from Cisco—similar to RADIUS

[Diagram: RADIUS and TACACS+ Deployments. Dial/VPN servers for remote access, datacenter routers and switches, system console terminal servers, NMS management stations and Cisco MDS 9000 Family switches all send authentication calls and accounting records to centralized RADIUS or TACACS+ servers: a redundant Microsoft Active Directory with a Windows 2000 IAS server (RADIUS), an LDAP server, and a Linux TACACS+ server backed by a database server (Oracle, mySQL, etc). RBAC role membership info is authorized by the RADIUS/TACACS+ servers; roles are populated into the MDS 9000 switches.]


Sample Radius Accounting Record

- Example snapshot of a Microsoft IAS RADIUS record generated during an MDS 9509 CLI session
- 'Start/stop' records are recorded by default; 'accounting' records of actual commands are enabled on the MDS 9000 as an option
- Similar record generated by TACACS+

Decoded Microsoft IAS Radius accounting record, using Microsoft's 'iasparse.exe' support tool (part of the Windows 2000/2003 distribution):

  NAS-IP-Address       : 172.19.48.87
  User-Name            : net-adm-1
  Record-Date          : 10/3/2007
  Record-Time          : 11:51:08
  Service-Name         : IAS
  Computer-Name        : IBM305S1
  NAS-Identifier       : login
  NAS-Port-Type        : Virtual
  NAS-Port             : 3001
  Service-Type         : Authenticate-Only
  Calling-Station-Id   : sjc-1.cisco.com
  Client-IP-Address    : 172.19.48.87
  Client-Vendor        : CISCO
  Client-Friendly-Name : core3
  SAM-Account-Name     : IBM305S1\net-adm-1
  Fully-Qualified-Name : IBM305S1\net-adm-1
  Authentication-Type  : PAP
  Class                : 311 1 172.19.48.54 10/3/2007 18:44:03 1
  Packet-Type          : Access-Request
  Reason-Code          : The operation completed successfully.

Full RADIUS Accounting Record (some of these records have been shortened to fit them on the slide, marked '…'):

172.19.48.87,net-adm-1,10/3/2007,11:51:08,IAS,IBM305S1,32,login,61,5,5,3001,6,8,31,sjc-1.cisco.com,4108,172.19.48.87,4116,
9,4128,core3,4129,IBM305S1\net-adm-1,4130,IBM305S1\net-adm-1,4127,1,25,311 1 172.19.48.54 10/3/2007 18:44:03 1,4136,1,4142,0
172.19.48.87,net-adm-1,10/3/2007,11:51:08,…,shell:roles=network-admin,MDS Policy,172.19.48.87,core3,IBM305S1\net-adm-1,…
172.19.48.87,net-adm-1,10/3/2007,11:51:34,…,accounting:accountinginfo=vsan:4001 values updated interoperability mode:1,…
172.19.48.87,net-adm-1,10/3/2007,11:51:56,…,accounting:accountinginfo=vsan:4001 values updated loadbalancing:src-id/dst-id/oxid,…
172.19.48.87,net-adm-1,10/3/2007,11:52:02,…,accounting:accountinginfo=Interface fc3/1 state updated to down,…
172.19.48.87,net-adm-1,10/3/2007,11:52:05,…,accounting:accountinginfo=Interface fc3/1 state updated to up,…
172.19.48.87,net-adm-1,10/3/2007,11:52:16,…,accounting:accountinginfo=vsan:4001 deleted,…
172.19.48.87,net-adm-1,10/3/2007,11:52:20,…,accounting:accountinginfo=vsan:4000 deleted,…
172.19.48.87,net-adm-1,10/3/2007,11:52:23,…,accounting:accountinginfo=shell terminated,…
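The accounting rows above are what an auditor actually has to work with; the following added example (not from the Cisco deck) groups IAS-style rows into per-administrator sessions and surfaces the destructive changes. The row layout, the regexes and the sample rows are constructed for this example; the slide's real export carries many more numeric attribute/value pairs, elided there with '…'.

```python
"""Session-level audit of MDS RADIUS accounting rows exported from Microsoft IAS."""
import csv
import io
import re
from dataclasses import dataclass, field

# Attribute prefixes seen in the slide's records.
ROLE_PREFIX = "shell:roles="
ACCT_PREFIX = "accounting:accountinginfo="

# Events an auditor would want surfaced (constructed for this example).
HIGH_RISK = (
    re.compile(r"\bvsan:\d+ deleted\b"),
    re.compile(r"\bInterface \S+ state updated to down\b"),
)

# Constructed sample rows modelled on the slide: NAS IP, user, date, time,
# then free-form attributes (the real export also has numeric attribute ids).
SAMPLE_RECORDS = """\
172.19.48.87,net-adm-1,10/3/2007,11:51:08,shell:roles=network-admin,MDS Policy,core3
172.19.48.87,net-adm-1,10/3/2007,11:51:34,accounting:accountinginfo=vsan:4001 values updated interoperability mode:1
172.19.48.87,net-adm-1,10/3/2007,11:52:02,accounting:accountinginfo=Interface fc3/1 state updated to down
172.19.48.87,net-adm-1,10/3/2007,11:52:05,accounting:accountinginfo=Interface fc3/1 state updated to up
172.19.48.87,net-adm-1,10/3/2007,11:52:16,accounting:accountinginfo=vsan:4001 deleted
172.19.48.87,net-adm-1,10/3/2007,11:52:23,accounting:accountinginfo=shell terminated
"""


@dataclass
class Session:
    nas_ip: str
    user: str
    roles: list = field(default_factory=list)
    events: list = field(default_factory=list)     # (time, accountinginfo text)
    high_risk: list = field(default_factory=list)  # subset of events matching HIGH_RISK
    terminated: bool = False                       # saw 'shell terminated'


def parse_records(text: str):
    """Group accounting rows into sessions keyed by (NAS IP, user).

    A session opens on a 'shell:roles=' row (the login, which also tells us
    which RBAC role RADIUS assigned) and closes on 'shell terminated'.
    Returns finished sessions first, then any still open at end of input.
    """
    open_sessions = {}
    finished = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue  # truncated or malformed row: skip rather than guess
        nas_ip, user, _date, time_ = row[:4]
        key = (nas_ip, user)
        for attr in row[4:]:
            if attr.startswith(ROLE_PREFIX):
                sess = Session(nas_ip, user, roles=[attr[len(ROLE_PREFIX):]])
                open_sessions[key] = sess
            elif attr.startswith(ACCT_PREFIX):
                info = attr[len(ACCT_PREFIX):]
                sess = open_sessions.setdefault(key, Session(nas_ip, user))
                sess.events.append((time_, info))
                if any(p.search(info) for p in HIGH_RISK):
                    sess.high_risk.append((time_, info))
                if info == "shell terminated":
                    sess.terminated = True
                    finished.append(open_sessions.pop(key))
    finished.extend(open_sessions.values())
    return finished


def high_risk_report(sessions):
    """One line per flagged event: who (and with which role) did what, and when."""
    lines = []
    for s in sessions:
        role = ",".join(s.roles) or "unknown-role"
        for time_, info in s.high_risk:
            lines.append(f"{s.user}@{s.nas_ip} [{role}] {time_}: {info}")
    return lines


if __name__ == "__main__":
    for line in high_risk_report(parse_records(SAMPLE_RECORDS)):
        print(line)
```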

Configuration Consistency Analysis

- Important to keep consistent configurations across all switches
  - Especially important for security configurations: RADIUS/TACACS+, Remote SYSLOG, NTP, SNMP communities, Authentication and Roles
- MDS 9000 Family configurations can be extracted from switches as a flat text file
  - Allows for easy and regular archiving
- Cisco Fabric Manager provides "Fabric Configuration Analysis" tool
  - Checks all switch configurations against a policy switch or file
  - Can take corrective action to fix configurations
  - Also has 'zone merge analysis' tool to validate zone merge validity

[Diagram: the administrator compares a policy reference configuration to all switches in the fabric. Fabric Configuration Analysis is part of Cisco Fabric Manager: define analysis rules, review results and take corrective actions.]


SAN Management Recommendations

1. Use RBAC to grant adequate privilege to SAN administrators
   - Example: Not every administrator needs the capability to disable modules
   - Reserve select functions to a smaller 'super-admin' RBAC role: VSAN definition, firmware upgrades, roles definition, RADIUS and SSH configuration
2. Use RADIUS or TACACS+ for centralized user account administration
   - Ensures consistent and timely removal of users if required
   - Use the RADIUS accounting feature for an audit log of configuration events
3. Use all secure forms of management protocols—disable others
   - SSH, SFTP, SCP, SNMPv3, SSL for SMI-S support
   - Disable Telnet, FTP, TFTP, SNMPv1, v2
4. Enable NTP across all switches for consistent time stamping of events
5. Log and archive everything
   - Enable centralized SYSLOG
   - Take regular copies of MDS 9000 configurations (can use CiscoWorks RME)
   - Turn on the Cisco MDS 9000 "Call Home" feature to alert of anomalies
Fabric and Target Access Security


Fabric and Target Access Potential Threats

Three main areas of vulnerability:
- Compromised application data
  - Unauthorized access to targets and LUNs
  - High potential for data corruption, loss, or theft
  - Result: Unplanned down time, costly data loss
- Compromised LUN integrity
  - LUN corruption due to unintentional OS mount
  - Accidental formatting of LUN—loss of data
  - Result: Unplanned down time, costly data loss
- Compromised application performance
  - Unauthorized I/O potentially causing congestion
  - Injected fabric events causing disruption; i.e. rogue HBA hammering fabric controller
  - Result: Unplanned down time, poor I/O performance

[Diagram: unauthorized fabric service access and unauthorized target access.]
Fabric Access Security: Port Modes

- Port mode security—Allow edge ports to form F_Ports or FL_Ports only, i.e. no ISL/EISL
  - Cisco MDS 9000 Family supports an Fx_Port mode which allows F_Port or FL_Port only
  - Limit users who can change port mode via Roles-Based Access Control assignments
- VSAN-based security—only allow access to devices within the attached VSAN
  - Strict isolation based on fabric service partitioning and explicit frame tagging
  - Independent name server table per VSAN
  - Independent active zoneset per VSAN
  - Part of ANSI T11 'Fabric Expansion' study group
- Management port access security
  - Provides IP access control lists (ACLs) for management traffic (SNMP, SSH, Telnet, etc.)

[Diagram: Port Mode and VSAN-based Security. Management network protected by IP access lists (ACL) based on source and destination IP addresses, TCP/UDP ports, and TCP connection flags. Port modes: 'Auto' mode (any port type), 'E_Port' mode, 'Fx_Port' mode (F, FL only), 'F_Port' mode (F only). EISLs carrying multiple VSANs (VSAN 1, VSAN 2); a disk array connected to multiple VSANs; one active VSAN only per port; unique services per VSAN.]



Fabric Access Security

- Cisco MDS Access Security Technology
  - Grant selective access to the fabric based on device identity
  - Failure results in link-level login failure
  - Prevents FC frame S_ID spoofing through hardware frame filtering
- Supports device-to-switch (port security) and switch-to-switch (fabric binding)
- Uses grouping of attributes to define binding configuration
  - WWN or Port_ID – port identifier on switch (i.e. fc1/2)
  - Multiple 'groups' are created and activated as a 'group set' to enforce the desired policy
- Auto-learning mode to ease initial configuration

Fabric Access Security: Fabric Binding

- Used to allow ISL establishment
- Attributes to define binding configuration:
  - fWWN—Fabric WWN of switch port
  - sWWN—Switch WWN
  - Port_ID—Port identifier on switch (i.e. fc1/2)

[Diagram: switch sw-1 (sWWN-1) with ports fWWN-1/Port_ID-1 through fWWN-6/Port_ID-6; hosts pWWN-1 and pWWN-2 (nWWN-1) and disks pWWN-3 and pWWN-4 (nWWN-2) attached; switch sw-2 (sWWN-2) connected by an ISL to port 5.]

Security Group – sw-1 examples:
  - Bind sw-2 to sw-1 ISL: sWWN-2
  - Bind sw-2 to sw-1/port 5 ISL: sWWN-2, Port_ID-5 or fWWN-5


Fabric Access Security: Port Security

- Used to allow device-to-switch login
- Attributes to define binding configuration
  - pWWN—Port WWN of attaching device
  - nWWN—Node WWN of attaching device
  - fWWN—Fabric WWN of switch port
  - Port_ID—Port identifier on switch (i.e. fc1/2)

[Diagram: switch sw-1 (sWWN-1) with ports fWWN-1/Port_ID-1 through fWWN-6/Port_ID-6; host HBAs pWWN-1 and pWWN-2 (node nWWN-1) and disk ports pWWN-3 and pWWN-4 (node nWWN-2); switch sw-2 (sWWN-2).]

Security Group – sw-1 examples:
  - Bind host to sw-1 (any port): pWWN-1 or nWWN-1
  - Bind host, disk to sw-1 (any port): pWWN-1 or nWWN-1; pWWN-3 or nWWN-2
  - Bind host to sw-1/port 2: pWWN-1 or nWWN-1; Port_ID-2 or fWWN-2
  - Bind host HBA-1 to sw-1/port 2: pWWN-1; Port_ID-2 or fWWN-2
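To make the binding examples on the Fabric Binding and Port Security slides concrete, here is an added example (not Cisco's implementation) that evaluates logins against a security group set and shows the auto-learning mode. The identifiers (pWWN-1, nWWN-1, fWWN-2, Port_ID-2, sWWN-2) are the slide's diagram labels; real WWNs are 64-bit values, and the matching rules and sample logins are my assumptions about how the bindings compose.

```python
"""Port-security / fabric-binding policy evaluation, modelled on the MDS slides."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Binding:
    """One entry of a switch's security group.

    device: identity allowed to log in (pWWN or nWWN for port security,
            sWWN for fabric binding of an ISL peer).
    port:   where it may log in (Port_ID or fWWN); None means any port on the switch.
    """
    device: str
    port: Optional[str] = None


@dataclass(frozen=True)
class Login:
    """What the switch sees at link-level login: ingress port plus presented identity."""
    port_id: str
    fwwn: str
    pwwn: Optional[str] = None   # N_Port identity (device login)
    nwwn: Optional[str] = None
    swwn: Optional[str] = None   # switch identity (E_Port / ISL login)


def binding_matches(b: Binding, login: Login) -> bool:
    presented = {i for i in (login.pwwn, login.nwwn, login.swwn) if i is not None}
    if b.device not in presented:
        return False
    return b.port is None or b.port in (login.port_id, login.fwwn)


def login_permitted(active_group_set: Iterable[Binding], login: Login) -> bool:
    """True if any binding in the active group set admits the login.

    Anything unmatched fails at link-level login, the enforcement point the
    Fabric Access Security slide describes.
    """
    return any(binding_matches(b, login) for b in active_group_set)


def learn_bindings(observed: Iterable[Login], per_port: bool = True) -> List[Binding]:
    """Auto-learning: derive bindings from logins seen during a learning window.

    per_port=True yields the 'bind device to a port' form the recommendations
    call optimal; per_port=False yields the weaker 'bind device to switch' form.
    Review the learned set before activating it: anything present during the
    window, wanted or not, is learned.
    """
    learned: List[Binding] = []
    for lg in observed:
        device = lg.swwn if lg.swwn is not None else lg.pwwn
        if device is None:
            continue
        b = Binding(device, lg.port_id if per_port else None)
        if b not in learned:
            learned.append(b)
    return learned


# The slide's security-group examples for sw-1, as binding lists.
HOST_ANY_PORT = [Binding("pWWN-1"), Binding("nWWN-1")]                           # host to sw-1 (any port)
HOST_DISK_ANY_PORT = HOST_ANY_PORT + [Binding("pWWN-3"), Binding("nWWN-2")]       # host, disk to sw-1
HOST_PORT_2 = [Binding("pWWN-1", "Port_ID-2"), Binding("pWWN-1", "fWWN-2"),
               Binding("nWWN-1", "Port_ID-2"), Binding("nWWN-1", "fWWN-2")]       # host to sw-1/port 2
HBA1_PORT_2 = [Binding("pWWN-1", "Port_ID-2"), Binding("pWWN-1", "fWWN-2")]       # host HBA-1 to sw-1/port 2
ISL_ANY_PORT = [Binding("sWWN-2")]                                                # sw-2 to sw-1 ISL
ISL_PORT_5 = [Binding("sWWN-2", "Port_ID-5"), Binding("sWWN-2", "fWWN-5")]        # sw-2 to sw-1/port 5 ISL

# Constructed logins: HBA-1 on its assigned port, the same HBA moved to port 3,
# and switch sw-2 attaching at port 5.
HBA1_ON_PORT_2 = Login("Port_ID-2", "fWWN-2", pwwn="pWWN-1", nwwn="nWWN-1")
HBA1_ON_PORT_3 = Login("Port_ID-3", "fWWN-3", pwwn="pWWN-1", nwwn="nWWN-1")
SW2_ON_PORT_5 = Login("Port_ID-5", "fWWN-5", swwn="sWWN-2")

if __name__ == "__main__":
    for name, group in (("switch-level", HOST_ANY_PORT), ("port-level", HOST_PORT_2)):
        print(f"{name}: HBA-1 on port 3 permitted = {login_permitted(group, HBA1_ON_PORT_3)}")
```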

Fabric Access Security: Authentication

- Device authentication provides a stronger means of ensuring device identity
  - WWNs can be spoofed by simple means
- ANSI T11 FC-SP Security Protocols working group
  - Cisco was the prime contributor
- DH-CHAP provides the authentication mechanism
  - Switch-to-switch authentication
  - Device-to-switch authentication (when adopting an HBA supporting DH-CHAP)
  - New switches wanting to join the fabric over FCIP

[Diagram: Fibre Channel Fabric Authentication. RADIUS and TACACS+ servers on the management network, reached over the out-of-band Ethernet management connection, can be used to hold DH-CHAP user accounts and passwords for centralized authentication. DH-CHAP is run toward a new host wanting to join the fabric, equipped with an HBA supporting DH-CHAP (Emulex, Qlogic), toward a new switch wanting to join the fabric, and toward new switches wanting to join over an FCIP network.]


FC-SP DH-CHAP Authentication Protocol

Authentication Initiator (N)                                 Authentication Responder (M)

  N -> M  AUTH_Negotiate / T_ID=Q
          (NameN, DH-CHAP, hash=MD5 or SHA1, DiffieHellmanGroupID=2 or 3)

  M -> N  DHCHAP_Challenge / T_ID=Q
          (NameM, hash=MD5, DiffieHellmanGroupID=2, challenge C1, g^x mod p)

  N -> M  DHCHAP_Reply / T_ID=Q
          (NameM, response R1, g^y mod p, challenge C2)

  M -> N  DHCHAP_Success / T_ID=Q
          (response R2)

  N -> M  DHCHAP_Success / T_ID=Q

Note: common DH key is g^xy mod p
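The five-message exchange above, simulated end to end as an added example (not Cisco or T11 code). Assumptions: the DH group is a toy 64-bit prime standing in for the IKE MODP groups the slide numbers 2 and 3, and each response is built as H(T_ID || secret || H(challenge || g^xy mod p)), which follows the DH-CHAP construction but simplifies the exact field encoding; the party names and secrets are constructed.

```python
"""FC-SP DH-CHAP mutual authentication between an initiator N and a responder M."""
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFC5  # 2**64 - 59, prime; toy group constructed for speed, not an FC-SP group
G = 2
HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def _i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def dhchap_response(hash_name: str, t_id: int, secret: bytes, challenge: bytes, dh_key: int) -> bytes:
    """R = H(T_ID || secret || H(C || g^xy mod p)).  Encoding simplified (see lead-in)."""
    h = HASHES[hash_name]
    inner = h(challenge + _i2b(dh_key)).digest()
    return h(t_id.to_bytes(4, "big") + secret + inner).digest()


class Party:
    """A switch or HBA: its own DH-CHAP secret plus the secrets it holds for named peers.

    On the MDS the peer secrets may be local or fetched from RADIUS/TACACS+,
    as the Authentication slide notes.
    """
    def __init__(self, name: str, own_secret: bytes, known_peers: dict):
        self.name = name
        self.own_secret = own_secret
        self.known_peers = known_peers  # {peer_name: secret}


def run_dhchap(n: Party, m: Party, t_id: int = 0x51, chosen_hash: str = "SHA1"):
    """Drive the exchange; return (N accepts M, M accepts N).

    Either False is the link-level login failure the Fabric Access slide
    describes: an unknown or wrong-secret initiator is stopped at message 3,
    an impostor responder is detected by N at message 4.
    """
    # 1. AUTH_Negotiate (N -> M): N offers DH-CHAP with its hash and DH group choices.
    auth_negotiate = {"T_ID": t_id, "Name": n.name, "proto": "DH-CHAP",
                      "hash": ["MD5", "SHA1"], "dh_group": [2, 3]}
    if chosen_hash not in auth_negotiate["hash"]:
        return (False, False)  # no common hash: M would AUTH_Reject

    # 2. DHCHAP_Challenge (M -> N): M fixes the parameters and sends C1 and g^x mod p.
    x = secrets.randbelow(P - 2) + 1
    challenge = {"T_ID": t_id, "Name": m.name, "hash": chosen_hash, "dh_group": 2,
                 "C1": secrets.token_bytes(16), "gx": pow(G, x, P)}

    # 3. DHCHAP_Reply (N -> M): N derives g^xy mod p, answers C1 with R1 and issues C2.
    y = secrets.randbelow(P - 2) + 1
    k_n = pow(challenge["gx"], y, P)
    reply = {"T_ID": t_id, "Name": n.name,
             "R1": dhchap_response(chosen_hash, t_id, n.own_secret, challenge["C1"], k_n),
             "gy": pow(G, y, P), "C2": secrets.token_bytes(16)}

    # 4. M checks R1 with the secret it holds for N; on success it answers C2 with R2.
    if reply["Name"] not in m.known_peers:
        return (False, False)  # unknown peer: AUTH_Reject
    k_m = pow(reply["gy"], x, P)  # the common DH key g^xy mod p, equal to k_n
    expected_r1 = dhchap_response(chosen_hash, t_id, m.known_peers[reply["Name"]],
                                  challenge["C1"], k_m)
    if not secrets.compare_digest(expected_r1, reply["R1"]):
        return (False, False)  # N could not prove its secret: AUTH_Reject
    success_m = {"T_ID": t_id,
                 "R2": dhchap_response(chosen_hash, t_id, m.own_secret, reply["C2"], k_m)}

    # 5. N checks R2 with the secret it holds for M; only then does it send its DHCHAP_Success.
    peer_secret = n.known_peers.get(challenge["Name"])
    n_accepts_m = peer_secret is not None and secrets.compare_digest(
        dhchap_response(chosen_hash, t_id, peer_secret, reply["C2"], k_n), success_m["R2"])
    return (n_accepts_m, True)


if __name__ == "__main__":
    sw1 = Party("sw-1", b"secret-of-sw-1", {"sw-2": b"secret-of-sw-2"})  # constructed
    sw2 = Party("sw-2", b"secret-of-sw-2", {"sw-1": b"secret-of-sw-1"})
    print("mutual authentication:", run_dhchap(sw1, sw2))
```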

Fabric Access Recommendations

- Use IP ACLs on management interfaces to block unused services
  - Enable logging of denied attempts—block denial-of-service attacks
- Hard-fix switch port administrative modes to the assigned port function
  - Lock (E)ISL ports to only be (T)E_Ports—set to 'E_Port' mode
  - Lock access ports to only be F(L)_Ports—set to 'Fx_Port' mode
- Use VSANs to isolate departments
  - Provides security AND availability benefits
  - RBAC management control per VSAN allows individual admin assignment
- Use port security features everywhere
  - Bind devices to switch as a minimum level of security
  - Bind devices to a port as an optimal configuration
  - Consider binding to line card in case of port failure
  - Bind switches together at ISL ports—bind to specific port, not just switch
- Use FC-SP authentication for switch-to-switch fabric access
  - Use device-to-switch when available

Target Access Security: Zoning

- Zoning is the prime mechanism for securing access to SAN targets (disk and tape)
- Two prime types of zoning:
  - Soft Zoning (sw-based name server filtering)
    - Communication still possible if FC_ID known
  - Hard Zoning (hw-enforced frame filtering)
    - Absolute requirement for true security
    - Also involves name server filtering
  - Can filter on various attributes
    - Switch Port_IDs—vendor-specific
    - Device nWWN/pWWNs—standards-based
    - Advanced zoning features offered by Cisco
- Zoning is very complementary to VSANs
  - One active zoneset per VSAN
  - Multiple configured zonesets per VSAN
  - Non-disruptive zoneset activation to other VSANs

[Diagram: Simple Name Server. Each device connected to the switch registers with the name server (pWWN-1/FCID-1, pWWN-2/FCID-2, pWWN-3/FCID-3, pWWN-4/FCID-4) and queries it to find potential targets. zoneset-A (active): zone-1 = {pWWN-1, pWWN-3}, zone-2 = {pWWN-2, pWWN-3}, zone-3 = {Port_ID-1, Port-ID-4}. Name server filtering restricts each device's visibility based on the active zone definitions (one device sees only pWWN-3/FCID-3, another sees pWWN-3/FCID-3 and pWWN-4/FCID-4); frame filtering enforces the same policy per frame.]

Cisco MDS 9000 Family Zoning Services

- All zoning services offered by Cisco are implemented in hardware
  - No dependence on whether using a mix of WWNs and Port_IDs in a zone—all hardware based
  - WWN-based zoning implemented in software with hardware reinforcement (i.e. no name server only zoning)
  - WWNs are translated to FCIDs to be frame-filtered
- Dedicated high speed port 'filters' called ternary CAMs (TCAMs) filter each frame in hardware and reside in front of each port
  - Support up to 20,000 programmable entries consisting of zones and zone members
  - Very deep frame filtering for new innovative features
  - Wire-rate filtering performance—no impact regardless of number of zones or zone entries
  - Optimized programming during zoneset activation—incremental zoneset updates
- RSCNs contained within zones in given VSAN
- Selective Default Zone behavior—default is deny
  - Per VSAN setting

[Diagram: Hardware-Based Zoning Details. TCAM hardware frame filtering sits at each port (fWWN-1/Port_ID-1 through fWWN-4/Port_ID-4, devices pWWN-1 to pWWN-4, e.g. pWWN-2 as FCID-2); WWNs are translated to FCIDs to filter. Zone_A (active): to add a new host to Zone_A and activate, an additional TCAM entry is simply programmed at the relevant ports – no disruption to existing active zones.]



Cisco Advanced Zoning Services

- Cisco has introduced two new zoning capabilities in the MDS 9000 Family:
- LUN Zoning is the ability to zone an initiator with a subset of LUNs offered by a target
  - Host discovers all LUNs but can only log in to those LUNs that are part of the zone
  - Inaccessible LUNs are busied-out by the switch at the ingress port
  - Provides a powerful solution combined with array-based LUN security to add fabric enforcement
  - Accidental LUN exposure prevented by the fabric
- Read-Only Zoning leverages the hardware-based frame processing of the MDS 9000 Family
  - Filters FC4-Command frames based on whether the command is a read or write command
  - Useful for systems that only need read access to a volume, such as multimedia servers
  - Especially useful for media servers that need high speed access to rich content for broadcast—block level bypasses NAS service

[Diagram, LUN zoning: LUN zoning allows control of access to specific LUNs based on zone assignment. Zone_A (active) contains pWWN-1 and pWWN-2; the host's report_LUNs returns "10 LUNs available", report_size LUN_1 returns "LUN_1 is 50GB", report_size LUN_3 returns "LUN_3 is unavailable".]
[Diagram, read-only zoning: Read-only zoning restricts 'write' commands from being sent to zoned targets. A Media Master Server is in Zone_A (active); a Streaming Server is in Zone_B (read-only, active).]
Target Access Recommendations

- Use zoning services to isolate where required
  - Port or WWN-based, all hardware enforced
  - Use read-only zones for read-only targets
  - Use LUN zoning as extra reinforcement
  - Set default-zone policies to 'deny'
- Suggested to only allow zoning configuration from one or two switches to minimize access
  - Use RBAC to create two roles, only one allowing zoning configuration
  - Install the 'permit' role on two switches, the 'deny' role on the remainder
  - Or, use RADIUS or TACACS+ to assign roles based on the particular switch, more flexible
- Use WWN-based zoning for convenience and use port-security features to harden switch access
  - Works well for interop with non-Cisco switches
  - Port-based zoning in 'native mode' interoperability in SANOS v1.2

[Sidebar: "Isn't soft zoning good enough?" Each added control and the gap it leaves:
  - Soft zoning only: learn the FCID and gain access
  - Ok, add port-based zoning: occupy the port and gain access
  - Ok, add WWN-based zoning: spoof the WWN and gain access
  - *Better* Ok, add port-security: must spoof and occupy to gain access
  - *Best* Ok, add DH-CHAP: need full authentication to gain access]

Fabric Protocols Security

Fabric Protocols Potential Threats

Three main areas of vulnerability:
1. Compromised fabric stability
   - Injection of disruptive fabric events
   - Creation of traffic 'black-hole'
   - Result: Unplanned down time, fabric instability
2. Compromised data security
   - Injection of harmful zone reconfiguration data
   - Open access to fabric targets
   - Result: Unplanned down time, costly data loss
3. Compromised application performance
   - Unauthorized I/O potentially causing congestion
   - Numerous disruptive topology changes
   - Result: Unplanned down time, poor I/O performance

[Diagram: a rogue switch attaching to the fabric; fabric control protocol integrity.]

SAN Fabric Protocols Security

- Very important to secure the fabric control protocols to ensure fabric stability
  - Securing access to control protocol configuration via Cisco RBAC is the first step
  - Enable port-security for switch binding
  - Using FC-SP for switch-to-switch authentication is the next critical step to block rogue ISLs
- Plug-n-play fabric protocol configuration is convenient—however, static configuration is more secure
  - Configure a static principal switch
  - Enable static domain IDs
  - Enable static FCIDs *optional but recommended*
    - Great benefit for HP/UX and AIX environments
  - Enable RCF-reject, especially on long-haul links
  - Enable RSCN-suppression where necessary
- Use VSANs to divide and manage individual fabric configuration and resiliency

[Diagram: Fabric Protocols Security. Dept 'A', Dept 'B' and an Enterprise Tape VSAN span a Cisco MDS 9216 and a Cisco MDS 9500 Multilayer Director over VSAN trunk bundles, with port channeling for HA and performance and VSAN trunks over an optical DWDM or CWDM network. 'RCF-reject' is configured to protect against a remote-initiated fabric rebuild; a statically assigned principal switch and statically assigned domain_IDs, one per active VSAN, minimize the potential for a disruptive RCF.]

Certificate Infrastructure

- MDS can rely upon the IKE (Internet Key Exchange) infrastructure to exchange asymmetric keys
  - Asymmetric keys are used to initialize protocols like IPSec and SSH
- MDS can enroll with a CA (Certificate Authority, trust point) to obtain an identity certificate
- The identity certificate contains the local MDS public key, signed with the CA private key (RSA format)
- Only one certificate per CA, but MDS can enroll with multiple CAs
- The default key label is the switch fully qualified name
- The local MDS can trust multiple CAs
  - It can communicate with a remote peer that uses a certificate provided by a different CA, where the local MDS is not enrolled
  - The key pair is different for each CA certificate
- As a good practice, rely upon the IKE infrastructure to establish a secure and trusted relationship between all the network elements and management nodes

Key Management Based on Certificates

- Without certificates, each switch must be configured with the symmetric key for each other switch
- With certificates, the CA will distribute the public keys used for secure key exchange

[Diagram: left, every switch holds a full mesh of pairwise keys; right, a CA distributes keys to each switch.]

IP Storage Security


IP Storage Security

- iSCSI leverages many of the security features inherent in Ethernet and IP
  - Ethernet Access Control Lists (ACLs) ↔ FC zones
  - Ethernet VLANs ↔ FC VSANs
  - Ethernet 802.1x port security ↔ FC port security
  - iSCSI authentication ↔ FC DH-CHAP authentication
- iSCSI offers LUN masking/mapping capability as part of the gateway function
- FCIP security leverages many IP security features in Cisco IOS®-based routers
  - IPSec VPN connections through public carriers
  - High speed encryption services in specialized HW
  - Can also be run through a firewall
- FCIP tunnel is a virtual ISL—can leverage FC-based FC-SP switch-to-switch authentication

[Diagram: iSCSI hosts iQN1 and iQN2 behind Cisco Catalyst® 6500 Multilayer LAN Switches applying IP ACLs, 802.1X authentication and Ethernet VLANs. iSCSI qualified names are defined within the iSCSI client; the iSCSI login registers the iQN using CHAP authentication, with a RADIUS server used to centralize iSCSI accounts. iQN1 = pWWN1/nWWN1; iQN2 is mapped to an allocated pWWN and registered in the fabric. FCIP tunnels run over IPSEC.]
Security for Data at Rest: Storage Media Encryption


Cisco SME Overview

- Encrypts storage media (data at rest)
  - Strong, IEEE compliant AES-256 encryption
  - Integrated as transparent fabric service
- Supports tape devices and VTLs
- Compresses tape data
- Offers secure key management
- Allows offline media recovery
- Built upon FIPS-140-2 level-3 system architecture

[Diagram: an application server writes a clear-text record (Name: XYZ, SSN: 1234567890, Amount: $123,456, Status: Gold); the fabric encrypts it before it reaches the tape library; a Key Management Center is reached over IP.]

Cisco SME-Enabled Platforms

- MDS 9000 Family Systems: MDS 9222i, MDS 9216A, MDS 9216i, MDS 9506, MDS 9509, MDS 9513
- MDS 9000 Modules: 18/4-Port Multiprotocol Services Module (MPS)
- Mgmt.: Cisco Fabric Manager w/Key Management Center
- OS: Cisco MDS 9000 Family SAN-OS

Transparent Fabric Service

- Integrates seamlessly with existing Cisco MDS fabrics
- Non-disruptive deployment
  - No appliances to insert in the data path
  - No SAN re-wiring or re-configuration
- Redirects traffic flows after enabling encryption
- Highly scalable performance
- Load balances automatically
- Reliable, highly available service
  - Routes traffic to another MPS when one fails

[Diagram: application servers, two MPS-18/4 modules in the fabric, tape library.]

Wizard-Based Provisioning

Management integrated in Fabric Manager (Web Client)

- Resources management
- Key management
- Media management

SME Key Management

- Complete key lifecycle management
  - Archives, recovers, distributes, and shreds media keys
  - Accommodates single and multiple site environments
- Transports keys and management traffic securely (SSH, HTTPS)
- Key catalog based on a standard database or on third party Key Manager
- Integrates with Cisco FM server
  - No additional software to install
  - Intuitive provisioning and management with Cisco FM Web client

[Diagram: Cisco Key Management Center serving application servers and MPS-18/4 modules in Fabric 'A' and Fabric 'B', with tape libraries.]
BRKSAN-2892
14698_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 40

© 2006, Cisco Systems, Inc. All rights reserved. 20


Presentation_ID.scr
Media Encryption Key Hierarchy

[Figure: Master Key (on smart cards) wraps the Tape Volume Group Key, which wraps the Tape Keys; wrapped keys are stored in the Cisco Key Management Center]

ƒ Master Key resides in Smart cards
Quorum (M out of N) of smartcards required to recover a Master Key
Recovery Shares accomplish secret sharing
ƒ Keys reside in clear-text only within crypto boundary on switch module
ƒ Unique key per tape, or per tape volume group
ƒ Media keys wrapped by Master Key before storage or transport to Cisco Key Management Center
ƒ Option to store tape keys on tape media

SME Media and Keys Management Options

ƒ Key mode:
Individual Key Mode: to achieve maximum security, each individual tape is assigned its own unique key
Shared Key Mode: to simplify key management procedures and keep the key database as small as possible, SME uses the same key for all tape volumes belonging to the same group
ƒ Volume group (group of physical tapes) mode:
Manual grouping: volumes are manually identified on the basis of the cartridge bar code
Auto grouping: volumes are assigned automatically to a group by the backup application
ƒ Tape compression in the SME interface can be enabled or disabled
Compression should be performed before encryption, since the compression ratio for encrypted data is usually very low
ƒ Tape recycle controls how the media key used for a tape cartridge is managed when the specific tape is re-labeled
One or more copies (clones) of the original tape may have been generated outside the Cisco SME environment, to keep redundant physical copies of the data in different locations
If a tape is recycled, a new media key is generated when labeling occurs and the previous media key is purged from the Cisco KMC database; all copies of the original tape are virtually shredded
If a tape is not recycled, a new media key is generated for the tape, but the old media key is left in the Cisco KMC database, so the copies of the original tape remain readable
Encryption Meta-Data Storage on Tape

ƒ Provides option to store media keys on tape
Media keys (Tape Volume Key) are encrypted with the Volume Group Key for protection
These media keys are not stored in KMC, increasing scalability with large numbers of tape volumes
Simplifies export of tapes to remote site
No need to export media keys routinely
Only need to export wrap key once
ƒ SME creates unique tape header to store SME-related information

Effect of Media Key Options on Key Management: Group Shared Key

Shared Key across a Group of Tapes
Pros: The catalog dimension is contained. A single key allows decoding all tapes in the group, very practical in case a single backup spans more tapes, or to share a group of tapes with a third party.
Cons: Less secure. If the single common Tape Volume Key is compromised, all the tapes in the group can be accessed.
Recovery Procedure: Key export is required only when a new tape volume group is created, either manually or by the auto grouping.
Virtual Shredding Implications: Only a tape group.
Tape Recycling: The key catalog size remains constant.
Effect of Media Key Options on Key Management: Unique Key per Tape

Media Key stored in catalog
Pros: More secure. Each tape can be managed or transferred to a third party independently. If a Tape Volume Key is compromised, only the given tape may be accessed. If a Tape Volume Group Key is compromised, the hacker still needs to access the catalog to access the data.
Cons: The catalog contains an entry for each tape, so it could be very large.
Recovery Procedure: Key export is required only when a tape volume is labeled.
Virtual Shredding Implications: Can be at the individual tape level.
Tape Recycling: The key catalog contains a new entry every time a tape is re-labeled, unless the recycle option is selected.

Media Key stored on tape
Pros: The catalog dimension is contained. A single key allows decoding all tapes in the group, very practical in case a single backup spans more tapes, or to share a group of tapes with a third party. The tapes in a group use different media keys, a solution cryptographically more secure than using the same key for many tapes.
Cons: If a Tape Volume Group Key is compromised, the hacker can decrypt the Tape Volume Keys and the data of all tapes in the group.
Recovery Procedure: Key export is required only when a new tape volume group is created, either manually or by the auto grouping.
Virtual Shredding Implications: Only a tape group.
Tape Recycling: The key catalog size remains constant.
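The key-mode, recycle and virtual-shredding rules from the "SME Media and Keys Management Options" slide and the two "Effect of Media Key Options" tables can be checked against a small model. The following is an added example, written for this page and not Cisco's or SME's own code: the `KeyCatalog` class is an assumed toy schema (key id to random key material) standing in for the KMC catalog, and a tape or clone is treated as readable only while its key id is still present. The "media key stored on tape" option is not modelled.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Tape:
    """A labeled cartridge (or an out-of-band clone of it); readable only via key_id."""
    barcode: str
    group: str
    key_id: str


@dataclass
class KeyCatalog:
    """Toy model of the KMC media-key catalog (an assumption, not SME's real schema).

    mode: "individual" (one key per labeled tape) or "shared" (one key per volume group).
    A tape, or any clone of it, is readable only while its key id is still in the catalog.
    """
    mode: str
    keys: Dict[str, bytes] = field(default_factory=dict)
    group_keys: Dict[str, str] = field(default_factory=dict)

    def _new_key(self) -> str:
        key_id = secrets.token_hex(8)
        self.keys[key_id] = secrets.token_bytes(32)   # stand-in for an AES-256 media key
        return key_id

    def label(self, barcode: str, group: str,
              previous: Optional[Tape] = None, recycle: bool = False) -> Tape:
        """Label or re-label a cartridge; `previous` is the tape being overwritten."""
        if self.mode == "shared":
            # the whole group shares one key; recycling does not change catalog size
            if group not in self.group_keys:
                self.group_keys[group] = self._new_key()
            return Tape(barcode, group, self.group_keys[group])
        if previous is not None and recycle:
            # recycle: purge the old media key, virtually shredding every clone of it
            self.keys.pop(previous.key_id, None)
        return Tape(barcode, group, self._new_key())

    def shred_group(self, group: str) -> None:
        """Shared mode: shredding is only possible at group granularity."""
        key_id = self.group_keys.pop(group, None)
        if key_id is not None:
            self.keys.pop(key_id, None)

    def readable(self, tape: Tape) -> bool:
        return tape.key_id in self.keys

    def size(self) -> int:
        return len(self.keys)


def simulate() -> dict:
    """Reproduce the tables' claims; values are returned so they can be checked."""
    out = {}

    shared = KeyCatalog("shared")
    weekly = [shared.label(bc, "weekly") for bc in ("A001", "A002", "A003")]
    shared.label("B001", "monthly")
    out["shared_size"] = shared.size()                      # 2: one key per group
    shared.label("A001", "weekly", previous=weekly[0], recycle=True)
    out["shared_size_after_recycle"] = shared.size()        # 2: unchanged
    shared.shred_group("weekly")
    out["shared_group_shredded"] = not any(shared.readable(t) for t in weekly)  # True

    indiv = KeyCatalog("individual")
    t1 = indiv.label("C001", "weekly")
    clone = Tape(t1.barcode, t1.group, t1.key_id)           # copy made outside SME
    indiv.label("C001", "weekly", previous=t1, recycle=False)
    out["no_recycle_clone_readable"] = indiv.readable(clone)   # True: old key kept
    out["no_recycle_size"] = indiv.size()                      # 2: new entry per label

    indiv2 = KeyCatalog("individual")
    t2 = indiv2.label("D001", "weekly")
    clone2 = Tape(t2.barcode, t2.group, t2.key_id)
    t2_new = indiv2.label("D001", "weekly", previous=t2, recycle=True)
    out["recycle_clone_readable"] = indiv2.readable(clone2)    # False: virtually shredded
    out["recycle_current_readable"] = indiv2.readable(t2_new)  # True
    out["recycle_size"] = indiv2.size()                        # 1: catalog size constant
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running `simulate()` shows the trade-off the tables describe: shared mode keeps the catalog at one entry per group and can only shred a whole group, while individual mode grows the catalog on every re-label unless recycle is selected, in which case the clone left outside SME becomes unreadable the moment the cartridge is relabeled.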

Secure System Architecture

ƒ Hardware and software architecture designed to meet FIPS 140-2 Level-3 certification requirements
ƒ Tamper-proof: attempts to tamper with the system destroy the sensitive information
ƒ Strong, standard AES-256 modes of encryption
ƒ Smart cards available for master key protection
ƒ Critical security parameters and media keys never leave the system un-encrypted
ƒ Role-based access control (RBAC) secures management
Enforces SME-specific roles
AAA server support allows centralized user authentication and accounting (auditing)
Roles and Identities

SME Administrator
ƒ Responsible for provisioning SME
ƒ Per-VSAN role-based access control limits management scope
ƒ SAN administrator may assume this role too

SME Recovery Officer
ƒ Responsible for any recovery function requiring a Master Key
ƒ Quorum of Recovery Officers needed to perform recovery procedures (default is two out of five)
ƒ Security operations (SecOp) staff may assume this role
Master Key Management

[Figure: smart card options ranked from Basic (simplicity) to Advanced (level of security)]

Advanced
Smart cards with Recovery Shares for each Master Key where M of N Recovery Officers are required to recover a Master Key

Standard
Smart Cards with all Master Keys
No Recovery Shares

Basic
• USB Drive with all Master Keys
• A file with all Master Keys
• Master keys encrypted with a password
• Regular backup & archive
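The M-of-N Recovery Shares of the Advanced tier, and the quorum of Recovery Officers described on the key hierarchy and roles slides, are an instance of threshold secret sharing. The following is an added example, not Cisco code and not SME's actual share format, that splits a 256-bit master key into N shares over a prime field with Shamir's scheme and recovers it from any M of them; the field prime, the share layout and the `demo_quorum` helper are choices made for this illustration.

```python
import secrets

# Prime field large enough to hold a 256-bit key: the Mersenne prime 2^521 - 1.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_master_key(master_key: bytes, m: int, n: int):
    """Split a master key into n shares so that any m of them recover it.

    The key is the constant term of a random polynomial of degree m-1;
    share i is the point (i, f(i)). Fewer than m points leave the constant
    term information-theoretically undetermined, which is what makes a
    quorum below M useless to an attacker.
    """
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    secret = int.from_bytes(master_key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_master_key(shares, key_len: int = 32) -> bytes:
    """Recover the key from m distinct shares by Lagrange interpolation at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = (num * (-xk)) % PRIME
                den = (den * (xj - xk)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+)
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    # A correct recovery fits in key_len bytes; a below-quorum "recovery" is a
    # random field element and would overflow, so size the output to fit either.
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


def demo_quorum(m: int = 2, n: int = 5) -> bool:
    """Default SME quorum is two of five: any two officers recover, one cannot."""
    master = secrets.token_bytes(32)
    shares = split_master_key(master, m, n)
    two_quorums_recover = (recover_master_key(shares[:m]) == master
                           and recover_master_key(shares[-m:]) == master)
    below_quorum_fails = recover_master_key(shares[:m - 1]) != master
    return two_quorums_recover and below_quorum_fails


if __name__ == "__main__":
    print("2-of-5 quorum behaves as expected:", demo_quorum())
```

Each Recovery Officer's smart card would hold one `(i, f(i))` pair; the shares never have to be combined outside the crypto boundary, and losing up to N-M cards does not lose the Master Key.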
Cisco SME Review
ƒ Solution for tape and VTL
Supports existing storage devices
Simplifies provisioning and integrates key management
ƒ Integrates transparently into SAN fabric, which simplifies deployment and eliminates down-time
No need to rewire SAN
Eliminates appliances, extra cables, and wasted switch ports
ƒ Reliable and scalable solution
Cisco MDS directors provide a highly available platform
Encryption can be added and enabled non-disruptively
ƒ Virtual SAN support
Encryption services available for all VSANs
Full RBAC with AAA servers and VSAN-based access control
ƒ Integrates management with Cisco FM Server
No additional management software needed, FM Server License not required
Unifies user rights and credentials management
FM Web Client supports provisioning and key management

PCI DSS Compliance Considerations
PCI (Payment Card Industry): Data Security Standard (DSS)

ƒ PCI DSS is applicable if a Primary Account Number is stored, processed or transmitted
ƒ The security requirements apply to all system components, including servers, networks or applications, that are part of or connected to the cardholder data environment
ƒ Adequate network segmentation can reduce the scope of the cardholder data environment
ƒ The following requirements are excerpted from PCI DSS v1.1, released in September 2006

Build and Maintain a Secure Network

ƒ Requirement 1: Use a firewall to protect cardholder data
Cisco MDS9000 SAN:
Storage protocols are likely used in the internal network zone only
Use SNMPv3 and SSH for management
Create a protected internal IP network for iSCSI
Segment the SAN using Virtual SANs
ƒ Requirement 2: Do not use vendor-supplied default passwords
Cisco MDS9000 SAN:
SAN-OS can enforce the use of passwords compliant with PCI
Protect Cardholder Data

ƒ Requirement 3: Protect stored cardholder data
Cisco MDS9000 SAN:
Deploy SME to protect data at rest
Store the keys in the Cisco Key Management Server or in a secure third party Key Manager such as RSA KM
VSANs provide additional segmentation and abstraction to implement the Appendix B compensating control if needed
ƒ Requirement 4: Encrypt data across public networks
Cisco MDS9000 SAN:
Use FCIP over IPsec tunnels for SAN extension

Maintain a Vulnerability Management Program

ƒ Requirement 5: Anti-virus
Cisco MDS9000 SAN:
Not applicable to SAN-OS
ƒ Requirement 6: Develop and maintain secure systems and applications
Cisco MDS9000 SAN:
Use a test VSAN to validate any new configuration before production
SAN-OS has been developed following secure coding guidelines and tested against common vulnerabilities
Implement Strong Access Control Measures: 1

ƒ Requirement 7: Restrict access by business need-to-know
Cisco MDS9000 SAN:
Security features such as VSANs, advanced zoning, fabric binding, port security, FC-SP authentication and RBAC with SNMPv3 and SSH make the MDS9000 the ideal platform to enforce restricted access
RBAC in particular, if used in conjunction with VSANs, is especially designed to support a tight partitioning of the physical infrastructure
ƒ Requirement 8: Assign a unique ID to each user
Cisco MDS9000 SAN:
Create an individual account for each administrator with a strong password
Authentication can be performed using the external AAA server of choice (e.g. TACACS+), to implement the desired policy of user authentication and password management

Implement Strong Access Control Measures: 2

ƒ Requirement 9: Restrict physical access to cardholder data
Cisco MDS9000 SAN:
Media can be encrypted using SME, which provides tools to transfer the key information needed to share data with a partner and secures data transferred via courier
SME can instantaneously "cryptographically shred" the data without destroying the physical media, which may then be recycled
Regularly Monitor and Test Networks

ƒ Requirement 10: Track and monitor all access to network resources and cardholder data
Cisco MDS9000 SAN:
Fabric Manager Server provides continuous monitoring of the SAN; it allows criteria and thresholds to be defined that generate real-time alarms and Call Home notifications
Syslog offers detailed entries and may be redirected to a log server to consolidate monitoring of the IT infrastructure
Note that the log never contains application data
ƒ Requirement 11: Regularly test security systems and processes
Cisco MDS9000 SAN:
Fabric Manager Server provides the configuration and topology information needed to design, schedule and execute such a test
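Redirecting switch syslog to a log server only satisfies Requirement 10 if something actually reads the stream. The following is an added example, not Cisco or Fabric Manager code: a minimal consumer for lines in Cisco's "%FACILITY-SEVERITY-MNEMONIC:" format that flags zoning and configuration changes, any event of severity 2 or below, and repeated authentication failures from one source. The sample lines are constructed for this illustration in that style and were not captured from a real MDS switch; the facility and mnemonic names are assumptions, and the rule thresholds are arbitrary choices.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample lines in Cisco's "%FACILITY-SEVERITY-MNEMONIC:" syslog style.
# Illustrative only; not captured from a real MDS switch.
SAMPLE_LOG = """\
2008 May 05 10:01:02 mds-core-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 10.1.1.50 - login
2008 May 05 10:01:09 mds-core-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 10.1.1.50 - login
2008 May 05 10:01:15 mds-core-1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 10.1.1.50 - login
2008 May 05 10:02:00 mds-core-1 %AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success from 10.1.1.7 - login
2008 May 05 10:03:11 mds-core-1 %ZONE-2-ZS_CHANGE_ACTIVATION_DONE: Zoneset activation completed in VSAN 10
2008 May 05 10:04:30 mds-core-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.1.1.7
this line is not syslog and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)

Alert = Tuple[str, str, str]   # (kind, subject, detail)


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])   # 0 = emergency ... 7 = debug
    return rec


def analyze(log_text: str, fail_threshold: int = 3) -> List[Alert]:
    """Raise alerts for fabric changes, high-severity events and repeated login failures."""
    alerts: List[Alert] = []
    failures: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Requirement 10: every change to the fabric must be traceable to a user or source
        if rec["facility"] == "ZONE" or "CONFIG" in rec["mnemonic"]:
            alerts.append(("change", rec["mnemonic"], rec["msg"]))
        elif rec["sev"] <= 2:
            alerts.append(("critical", rec["mnemonic"], rec["msg"]))
        # repeated authentication failures from one source deserve a look
        if "Authentication failed" in rec["msg"]:
            src = re.search(r"from (\S+)", rec["msg"])
            key = src.group(1) if src else rec["host"]
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(("auth-failures", key, f"{fail_threshold} failed logins"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in analyze(SAMPLE_LOG):
        print(f"[{kind}] {subject}: {detail}")
```

Because the switch log carries no application data (as the slide notes), this stream can be forwarded to a shared log server without widening the cardholder data environment; the alerts are what an auditor will ask to see correlated with change tickets and Fabric Manager's Call Home events.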

Maintain an Information Security Policy

ƒ Requirement 12: Policy that addresses information security for employees and contractors
Cisco MDS9000 SAN:
SAN-OS can automatically disconnect unused management sessions
RBAC allows a clear assignment of responsibility to administrators
Detailed logging supports a detailed audit
Conclusions


SAN Security Review

ƒ SAN Security Scope
ƒ Cisco MDS9000 Security
SAN Management Security (Secure Protocols, RBAC, log)
Fabric and Target Access Security (Fabric Binding, Port Security, Authentication)
Fabric Protocols Security (VSAN, hardening)
IP Storage Security (authentication, secure transport)
Identity based on certificate
ƒ Security for Data at Rest: Storage Media Encryption
Architecture, Key management
Configuration options
ƒ PCI DSS Compliance: Requirement analysis
Conclusions

ƒ As SANs continue to grow and expand out of the data center, security becomes increasingly a concern
ƒ Cisco offers a comprehensive set of security features in the MDS 9000 Family
No impact on switch performance
Data path features are all hardware-based
Address management, access, data in flight and data at rest
ƒ All security features are securely managed through Cisco's Fabric Manager
ƒ The adoption of the Cisco MDS 9000 Family security features is a step forward in achieving compliance with applicable regulations
Other Relevant Sessions and Useful Links

Sessions relevant to SAN security
ƒ Cisco Fabric Manager BRKSAN-????
ƒ SME Configuration and Troubleshooting BRKSAN-????

White Papers relevant to SAN security
ƒ Cisco MDS 9000 SAN Security
http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps4358/prod_white_paper0900aecd80281e21_ns513_Networking_Solutions_White_Paper.html
ƒ SME Key Management
http://www.cisco.com/ToBeDefined
Q and A


Recommended Reading

ƒ Continue your Cisco Live learning experience with further reading from Cisco Press®
ƒ Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation

ƒ Give us your feedback and you could win fabulous prizes; winners announced daily
ƒ Receive 20 Passport points for each session evaluation you complete
ƒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com