
Design and Implementation of Storage Media Encryption

BRKSAN-2893

14734_05_2008_X1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2006, Cisco Systems, Inc. All rights reserved. 1


14734_05_2008_X1.scr
Agenda

• FC-Redirect
• SME in the Fabric
• Key Management Center
• Configuration/Display using Fabric Manager Server
• Network Design Examples


Overview

• What is Storage Media Encryption?
  Encryption of data stored on tapes
  Key creation
  Comprehensive key management
• Why is it required?
  Loss of backup tapes
  Regulatory compliance: Sarbanes-Oxley, Gramm-Leach-Bliley Act, VISA PCI, HIPAA, etc.

FC-Redirect


Before FC-Redirect

[Diagram: hosts and targets attached to two MDS switches joined over a WAN (FC); the service module sits in the direct host-to-target path]

• The most direct route available was always taken from host to target.
• Service modules needed to be in the direct path.
• Any single service module failure resulted in a loss of connectivity.
• Services could not be enabled or disabled on demand.
• HA was not available with service modules.
• Software upgrades to service modules were disruptive.

With FC-Redirect

[Diagram: same topology with an SME-enabled MSM on each MDS; FC-Redirect steers the host/target flow through the MSM even though the MSM is off the direct path]

• Services are inserted and removed in a non-disruptive manner.
• The Multiservice Module (MSM-18/4 and 9222i) is unaware of being in the service cascade and need not be in the direct path.
• The user can pick which MSM services which host/storage traffic.
• When an MSM hardware or software failure occurs, FC-Redirect automatically removes the MSM from the flow, based on the application configuration.
• If the application is HA capable, FC-Redirect prevents the host from accessing the storage after an MSM failure until another MSM becomes ready to service the traffic, rather than letting the flow bypass the service.


FC-Redirect Requirements

• Targets must be attached to an MDS running SAN-OS 3.2(2c) or later.
• The MDS must be re-write capable, e.g. 95xx, 92xx. The 9124/9134 models are not re-write capable.
• Attaching hosts to an MDS is optional; it is recommended for increased performance.
• The MSM creates a Virtual Target (VT) and a Virtual Initiator (VI) for each serviced host and target as required.
• All VTs and VIs are created in the same VSAN as the target.
• The VT and VI are created in the default zone, with the default-zone policy set to deny.
• No host or target should be zoned with an FC-Redirect VT/VI; doing so creates possible routing issues.
• Cisco Fabric Services (CFS) should be enabled on all FC-Redirect switches.
• FC-Redirect is a Supervisor process.

Packet Flow Host to Disk (Host on a non FC-Redirect aware Switch)

[Diagram: host H (FCID H) sends [H>T]; the link between the re-write switch and the host carries H>T; the re-write switch's MAC/forwarding logic rewrites H>T to H>VT and sends it over the trunk link to the MSM switch; the MSM's DPP terminates VT<H and re-originates VI>T, which is forwarded to target T (FCID T) on the target switch as [H>T].]

Packet Flow Disk to Host (Host on a non FC-Redirect aware Switch)

[Diagram: target T (FCID T) sends [H<T] on the disk interface; the target switch's forwarding/MAC logic redirects it to the MSM as VI<T; the MSM's DPP terminates VI<T and re-originates VT>H, which is delivered to host H (FCID H) as [H<T].]
Packet Flow Host to Disk (Host on a FC-Redirect aware Switch)

[Diagram: as in the non-aware case, except that the H>T to H>VT rewrite happens at the host ingress port of the host switch before the frame crosses the trunk link to the MSM switch; the MSM's DPP terminates VT<H and sends VI>T on to the target switch, which delivers [H>T] to target T (FCID T).]

Displays (Cont.)

rtp9-cae-9513-3a# sh sme cluster c1 it-nexus
-------------------------------------------------------------------------------
Host WWN,                  VSAN  Status   Switch             Interface
Target WWN
-------------------------------------------------------------------------------
10:00:00:00:c9:5e:9c:96,
20:01:00:60:45:17:35:57    99    online   rtp9-cae-9513-3a   sme9/1

FCNS display before SME configuration:

rtp9-cae-9513-3a# sh fcns database vsan 99
VSAN 99:
--------------------------------------------------------------------------
FCID      TYPE  PWWN                     (VENDOR)  FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x090100  N     10:00:00:00:c9:5e:9c:96  (Emulex)  scsi-fcp:init
0x0902ef  NL    20:01:00:60:45:17:35:57  (ADIC)    scsi-fcp:target

Displays (Cont.)

FCNS display after SME configuration:

rtp9-cae-9513-3a# show fcns database vsan 99
VSAN 99:
--------------------------------------------------------------------------
FCID      TYPE  PWWN                     (VENDOR)  FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x090100  N     10:00:00:00:c9:5e:9c:96  (Emulex)  scsi-fcp:init
0x090101  N     2e:10:00:05:30:01:97:44  (Cisco)   scsi-fcp:target vi..
0x090102  N     2e:0f:00:05:30:01:97:44  (Cisco)   scsi-fcp:init vir..t
0x0902ef  NL    20:01:00:60:45:17:35:57  (ADIC)    scsi-fcp:target

FC-Redirect display:

rtp9-cae-9513-3a# show fc-redirect internal wwn-database all
Entry  WWN                      Type
1      2e:10:00:05:30:01:97:44  Virtual Target     16
2      10:00:00:00:c9:5e:9c:96  Host               2
3      2e:0f:00:05:30:01:97:44  Virtual Initiator  8
4      20:01:00:60:45:17:35:57  Target             1

The two Cisco-vendor entries (FCIDs 0x090101 and 0x090102, the VT and VI) are the virtual devices created by FC-Redirect; the original slide highlights them in green. The physical host and target entries are unchanged, which is what makes the insertion transparent to them.



FC-Redirect Configuration

• There are no CLI configuration commands for FC-Redirect, only show and tech-support commands. A clear command is present to recover from error cases:
  rtp9-cae-9513-3a# clear fc-redirect config vt 2e:10:00:05:30:01:97:44
  The FC-Redirect process is a permanent service as of today.
• All configuration is done by the MSM and sent to the supervisor FC-Redirect process.
• The FC-Redirect process broadcasts the configuration to all capable MDS switches in the fabric using CFS.
• Configurations are saved in the non-volatile Persistent Storage Service (PSS) if the specific VSAN is configured locally.
FC-Redirect Configuration (Cont.)

• When a new VSAN is added, the local FC-Redirect process downloads the configuration for that VSAN from neighboring MDS switches.
• When a specific host or target is attached locally (e.g. sends a Fabric Login (FLOGI)), the configuration kicks in and all the required Access Control Lists (ACLs) are programmed.
• When a specific switch or supervisor is replaced, take precautions: allow the FC-Redirect entries to be updated before enabling the affected local host/target ports. Until the redirect ACLs are in place, a port that comes up can reach its target directly instead of through the MSM.


FC-Redirect Configuration (Cont.)

• FC-Redirect works in a multi-version SAN-OS fabric: not all switches in the fabric are required to run SAN-OS 3.2(2c) or higher, although it is recommended that all switches in a fabric run the same SAN-OS where possible.
• If a specific host switch is upgraded to an FC-Redirect capable SAN-OS, the appropriate ACL entries are programmed to control the flow once the configuration download completes.
• SME target/host ports should not have IVR enabled on their local switch. If a specific target needs IVR, do not enable IVR on the target switch; instead, trunk the target VSAN to an adjacent switch and configure IVR on that switch.

SME in the Fabric


Features

[Diagram: a server writes clear-text records (Name, SSN, Amount) through the MSM to tape libraries, where the data lands encrypted; Fabric Manager Server and the Key Management Center hold the keys]

• Transparent fabric service
• Intuitive provisioning
• Clustering for load-balancing and redundancy
• Comprehensive key management
• Role Based Access Control (RBAC)
• Heterogeneous storage arrays, tape libraries and virtual tape libraries
• Federal Information Processing Standard (FIPS) Level-3 system architecture
Transparent Fabric Service

[Diagram: application servers, an MSM and a tape library in one fabric]

• Ability to deploy MSMs anywhere in the fabric
  No appliances in-line in the data path
  No SAN re-wiring or re-configuration
• Traffic flow is automatically redirected to the MSM for encryption
  Achieved using FC-Redirect

Clustering

[Diagram: application servers, two MSMs and tape libraries in one fabric]

• Single point of cluster management
• Automatic load-balancing
  The traffic load for encryption is distributed among the MSMs.
• Redundancy
  If an MSM should fail, traffic is automatically redirected to another MSM in the fabric.
Clustering (Cont.)

[Diagram: two fabrics with one MSM each and a shared tape library; the MSMs talk to each other over SSL]

• Dual-fabric support
  MSMs across the fabrics are configured in a single cluster.
  MSM cluster communication is over the management IP network, so that network is part of the SME trust boundary and should be protected accordingly.
• Multi-path aware
  Discovery and encryption of disks in the backend storage arrays take multi-pathing into account.
• Secure inter-node communication using Secure Sockets Layer (SSL)

Cluster Services

• Separate SAN-OS service
  Will support other applications in future releases
• Provides the following services to applications:
  Membership and leader election
  Database synchronization
  Secure Reliable Group Communication (RGC)
  Configuration and operation management
• An operational cluster requires a quorum of [N/2 + 1] nodes
  [N/2] nodes can form a quorum if the lowest node id is still present

Node Join Process

[Diagram: application servers, MSMs and tape libraries in the fabric]

• The user configures the cluster to add a new switch (node).
• The cluster membership component probes for the switch, brings up TCP connections and enrolls the switch into the cluster view.
• Cluster and SME configuration and runtime databases are automatically synchronized on the new switch.
• The Reliable Group Communication layer keeps any further configuration and state changes in sync across all switches.

Reliable Group Communication

[Sequence diagram: a member forwards the SME msg to the Coordinator; the Coordinator sends Precommit to every member; members Ack; the Coordinator sends Commit; each SME then processes the msg]

• The RGC layer provides total-order atomic message delivery guarantees to SME (all-or-none model; all messages arrive in the same order on all switches).
• An application request is sent from the receiving member to the coordinator, who serializes the requests.
• The coordinator implements a 2-phase commit protocol for each message.
• SME processes the message after the commit phase.
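The two cluster-services rules above, the [N/2 + 1] quorum with its lowest-node-id tie-break and the coordinator-driven two-phase commit that gives every switch the same message order, are modelled in this added Python example. It is an illustration written for this page, not Cisco's SME or RGC code. Two readings of the slides are assumed and marked in the comments: the lowest-node-id rule applies to an even-sized cluster split exactly in half, and a member vetoes a message by refusing its precommit, which makes the coordinator abort it everywhere.

```python
"""Toy model of SME cluster services: quorum test and totally ordered,
all-or-none delivery through a coordinator running two-phase commit.
Added illustration for this page, not Cisco code."""


def has_quorum(node_ids, present):
    """True if the present nodes may operate as a cluster."""
    n = len(node_ids)
    p = len(set(present) & set(node_ids))
    if p >= n // 2 + 1:            # strict majority: [N/2 + 1]
        return True
    # Assumption: exactly half of an even-sized cluster still forms a quorum
    # when the lowest node id is among the survivors (the slide's [N/2] rule).
    return n % 2 == 0 and p == n // 2 and min(node_ids) in present


class Member:
    """One SME switch as seen by the RGC layer."""

    def __init__(self, node_id, reject=()):
        self.node_id = node_id
        self.reject = set(reject)   # payloads this node refuses to precommit (assumed veto)
        self.prepared = {}          # seq -> payload held between the two phases
        self.delivered = []         # payloads handed to SME, in commit order

    def precommit(self, seq, payload):
        if payload in self.reject:
            return False            # NAK: coordinator must abort for everyone
        self.prepared[seq] = payload
        return True

    def commit(self, seq):
        self.delivered.append(self.prepared.pop(seq))

    def abort(self, seq):
        self.prepared.pop(seq, None)


class Coordinator:
    """Serializes requests and runs 2PC so all members deliver the same
    sequence, or none of them delivers a given message."""

    def __init__(self, members):
        self.members = members
        self.seq = 0

    def submit(self, payload):
        self.seq += 1               # total order: one global sequence number
        seq = self.seq
        acks = [m.precommit(seq, payload) for m in self.members]
        if all(acks):
            for m in self.members:
                m.commit(seq)
            return True
        for m in self.members:      # all-or-none: roll back the partial state
            m.abort(seq)
        return False


def run_demo():
    """Three configuration messages through a 3-node cluster; node 3 vetoes one."""
    nodes = [Member(1), Member(2), Member(3, reject={"bad-config"})]
    coord = Coordinator(nodes)
    outcomes = [coord.submit(p) for p in ("add-host", "bad-config", "enable-encryption")]
    return outcomes, [list(m.delivered) for m in nodes]


if __name__ == "__main__":
    print(has_quorum([1, 2, 3, 4], {1, 2}), has_quorum([1, 2, 3, 4], {3, 4}))
    print(run_demo())
```

The point of the two-phase exchange is visible in run_demo: the vetoed message is dropped on every node, and the surviving nodes end up with byte-identical delivery lists, which is the property the SME databases on each switch rely on.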


© 2006, Cisco Systems, Inc. All rights reserved. 12


14734_05_2008_X1.scr
Key Hierarchy

[Diagram: Master Key (held in smartcards) wraps the Tape Volume Group Key, which wraps the per-tape Tape Keys; the Key Management Center archives the wrapped keys]

• The Master Key resides in smartcards.
  A quorum of smartcards is required to recover the Master Key (2 of 3, 2 of 5, 3 of 5).
  Recovery shares accomplish this using secret sharing.
• Unique key per tape
• Keys reside in clear text only inside the crypto boundary.
• Tape keys are wrapped by the Master Key and archived at the Key Management Center.
• Option to store tape keys on the tape media (in wrapped form, in the tape header)

Cisco Key Management Center

[Diagram: the Cisco Key Management Center runs inside the Fabric Manager Server, uses TACACS+ for AAA, and talks to the MSMs over SSL; app servers and tape library in the fabric]

• Centralized key lifecycle management
  Archive, shred, recover and distribute media keys
• Integrated into FM Server
• Secure transport of keys
  End-to-end using HTTPS/SSL/SSH
• Access controls and accounting
  Using existing AAA mechanisms
Master Key Management

(Modes ordered from highest security to highest simplicity)

Advanced
  Smart cards with recovery shares for each Master Key, where M of N Recovery Officers are required to recover a Master Key.
Standard
  Single smart card holding the Master Key; no recovery shares.
Basic
  Master Key stored in a file, encrypted with a password. In this mode the whole key hierarchy is only as strong as that password and the protection of the file.

Media Key Management

(Modes ordered from highest security to highest simplicity)

Advanced
  Unique key per medium. Flexible and secure solution for data management. Requires an enterprise-wide key management system.
Basic
  Single key for all media. Easy to deploy, very basic key management. Not a good security practice: compromise of one medium compromises all media.

[Diagram: tape libraries, all media under the same key]
Intuitive Provisioning - Tapes

[Diagram: master server and media server(s), MSM, tape library]

• The configuration identifies a backup environment: master server, media server and the associated tape devices.
• Configuration steps
  Select the master/media servers in their backup environment (identified by host alias in FM)
  Discover the backend tape libraries: MSM(s) in the fabric perform discovery on behalf of the specified servers
  Enable encryption

FC Session Sequence

[Sequence diagram across Host, VT, VI and Target, in order: LOGO, PLOGI, PLOGI, PLOGI_ACC, PRLI, PRLI_ACC, PRLI, PRLI_ACC, DISCOVERY, DISCOVERY_RSP, PLOGI_ACC, PRLI, PRLI_ACC, FC session fully up]

• SME installs a VI/VT for every I_T Nexus bound to an SME interface.
• A LOGO is issued to the existing session to flush any pending exchanges in transit.
• Discovery of the backend target is done using the identity of the host, during PLOGI/PRLI session establishment.
• Discovery includes REPORT_LUNS and INQUIRY.
Tape Format and Tape Header

• A Cisco tape header captures per-tape global information
  Tape Key ID, or the encrypted Tape Key itself
  Algorithms used, etc.
• Tape logical blocks are compressed, then encrypted and authenticated.
• Header information
  Random IV generated by Hifn
  Compression enabled or not, length, etc.
• Trailer information
  Integrity Check Value (ICV), etc.
• Specific cluster information


SME Roles and Identities

SME Administrator
• Responsible for SME provisioning and management.
• Per-VSAN role-based access control: the scope of management can be limited to certain VSANs.
• The SAN administrator may assume this role.

SME Recovery Officer
• Responsible for any critical recovery functionality that requires the Master Key.
• Split knowledge: a quorum of Recovery Officers is required to perform any recovery procedure. The quorum is defined at cluster create time as 2 of 3, 2 of 5, or 3 of 5.
• The security organization may assume this role. Keeping the two roles in different teams gives separation of duties between provisioning and key recovery.
FIPS Level-3 System Architecture (Federal Information Processing Standard)

• Cryptographic processing and compression are done in the Cavium Octeon
  Strong AES-256 modes of encryption
  AES-GCM for tapes: authenticated encryption to preserve integrity
  DEFLATE compression for tapes
• The hardware and software architecture is designed to meet FIPS Level-3 certification requirements
  Tamper-proof enclosure: protects sensitive data from being compromised. Any attempt at tampering with the system is guaranteed to destroy the sensitive information.
  Critical Security Parameters never leave the system unencrypted.


DS-9304-K9 (18+4) Block Diagram

[Block diagram: crossbar fabric and arbiter (to/from crossbar), SPI4.2, MAC layers for 12 FC + 6 FC ports and 4x1G Ethernet, encryption/compression engine]

• FCIP and iSCSI functionality at 4x1 Gbps
• IPsec encryption at 4x1 Gbps
• ~4 Gbps of application throughput, compression using Deflate
• The Octeon chip handles encryption and compression
Supported Backup Applications

• Chapter 4 of the Interop Matrix:
  http://cco/en/US/docs/storage/san_switches/mds9000/interoperability/matrix/Matrix.pdf


SME Capabilities

Capability                                     Rel 3.2(3)
Number of clusters per switch                  1
Number of clusters per fabric                  1
Switches in a cluster                          4
Fabrics in a cluster                           1
Modules in a switch                            11
Cisco MSM-18/4 modules in a cluster            32
Initiator-Target-LUNs (ITLs)                   128
LUNs behind a target                           32
Host ports in a cluster                        128
Target ports in a cluster                      128
Number of hosts per target                     16
Tape backup groups per cluster                 2
Volume groups in a tape backup group           4
Cisco Key Management Center (number of keys)   32K

Licensing

• M9200EXT1AK9
  SAN Extension license for 1 DS-9304-K9 in an MDS 92xx switch
• M9500EXT1AK9
  SAN Extension license for 1 DS-9304-K9 in an MDS 95xx switch
• M9200SME1MK9
  Storage Media Encryption license for 1 DS-9304-K9 in an MDS 92xx switch
• M9500SME1MK9
  Storage Media Encryption license for 1 DS-9304-K9 in an MDS 95xx switch
• M9200SME1FK9
  Storage Media Encryption license for the fixed slot in an MDS 92xx switch


KMC Access

Cisco SME – Integrated Management

[Diagram: active keys in the fabric (Key 1, Key 2, Key 3 … Key n) managed by Cisco Fabric Manager]

• Encryption management is integrated into Cisco Fabric Manager, leveraging its knowledge of the storage fabric
  Uses a PostgreSQL database
  No additional software required

Clusters Using SSL Certificates

[Diagram: the Fabric Manager Server, hosting the Cisco Key Management Center, holds a Trust Certificate and a Server Certificate; each MSM holds ca_cert; application servers and tape library in the fabric]

• Certificates are created on the MDS switches that will be using trustpoints (ca_cert).
• The Trust Certificate and Server Certificate are defined on the FMS.
• The cluster is defined to use trustpoints, and the MDS switches register with the FMS.
• The Key Management Center can then be accessed. Certificates are filed on the FMS under:
  C:\Program Files\Cisco Systems\MDS 9000\conf\cert
Configuring KMC SSL

• Cisco Key Manager Settings selection
• KMC SSL settings for the Trust and Server Certificates are selected from the certificates that have been filed on the Fabric Manager Server in the following directory:
  C:\Program Files\Cisco Systems\MDS 9000\conf\cert

Configuring RSA Key Manager

• RSA Key Manager Settings selection
• Define the Key Manager server and port number
• Trust and client certificates and the password are provided by the customer's security team

Cisco SME – Integrated Management (with RSA Key Manager)

[Diagram: active keys in the fabric (Key 1, Key 2, Key 3 … Key n) managed by Cisco Fabric Manager, which integrates with RSA Key Manager through its API]

• Encryption management is integrated into Cisco Fabric Manager, leveraging its knowledge of the storage fabric
  No additional software required
• Integrates with RSA Key Manager for comprehensive encryption key lifecycle management

SME Configuration/Management Using FM

Configuration/Display using FMS

• The preferred mode of provisioning for SME is the FM web client
• The FM server is installed on a standalone server to manage the MDS fabric(s)
• The Key Management Center (KMC) is co-located on the FM server


Accessing FMS to Configure/Display SME

• Point your web browser to the FMS server's IP address
• Log in with the user name and password defined at FMS install
Displaying SME Cluster

• Select the cluster name to display
• Note the nodes and interfaces
• Note the individual settings for this cluster

Displaying Cluster Members

• Select the Members selection
• Note the master node and its IP address
• Note the interface id for each node
Displaying Cluster Hosts

• Select the specific host to be displayed
• Note the VSAN membership
• Note the tape device to LUN relationship
• Verify that the tape device is in Online status

Displaying Cluster Tape Devices

• Select the specific tape device to be displayed
• Note the VSAN membership
• Note the LUN defined for the Initiator, Target, LUN (ITL) relationship
• Note the node and SME interface being used for this ITL
Displaying Cluster Volume Groups

• Select the specific volume group to be displayed
• You can create specific volume groups using different filter methods
• The Active tab displays volumes backed up using this cluster
  (if you have selected Unique Key per Media and are not storing the key on tape)
• The Archived tab displays volumes imported to this cluster

Volume Group Key Recovery

[Diagram: a Production Site and a Disaster Recovery Site, each with server, FMS with KMC, MSM and tape libraries; records are in clear text at the servers and encrypted on tape; the production KMC exports the volume group keys and the DR KMC imports them]

• Tape volume group keys can be exported and imported to a different site.
• It is recommended that the tape volume group keys be exported regularly.
• Once imported, a volume group can only be read from, no longer written to.
Tape Volume Group Rekey

• Tape volume groups can be rekeyed periodically for better security, and also when a key is known or suspected to have been compromised.
• In the unique key mode, the rekey operation generates a new tape volume group wrap key. The current wrap key is archived. The current media keys remain unchanged, and new media keys are wrapped with the new wrap key.
• In the shared key mode, the rekey operation generates a new tape volume group wrap key and a new tape volume group shared key. The current wrap key is archived, while the current shared key remains unchanged (in active state).
• A rekey does not re-encrypt data already on tape: media written under a compromised key stay readable to whoever holds that key, so the rekey protects media written afterwards.


Master Key Rekey

• In advanced mode, a smart card replacement triggers a master key rekey: a new version of the master key is generated for the cluster, and the new set of master key shares is stored on the smart cards. All the volume group keys are also synchronized with the new master key.
• Tape volume group keys are rekeyed as well. New tape volume group keys are wrapped by the new master key, and the existing tape volume group keys are cloned and re-wrapped by the new master key.
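The recovery shares described on the Key Hierarchy slide (a 2 of 3, 2 of 5 or 3 of 5 quorum of smartcards recovering the Master Key by secret sharing) and the share regeneration that a master key rekey implies are shown in this added Python example. It is an illustration written for this page, not Cisco's implementation; the slides name only "secret sharing", so Shamir's scheme over a prime field is assumed, with the secp256k1 field prime chosen so a 256-bit key fits in one share. MasterKeyRing and its version numbering are hypothetical names for the example.

```python
"""Shamir-style recovery shares for a versioned master key.  Added
illustration for this page, not Cisco code; the scheme and the field
prime are assumptions, since the slides only say 'secret sharing'."""
import secrets

P = 2**256 - 2**32 - 977          # secp256k1 field prime; any prime > key works


def _poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, m, n):
    """Split `secret` into n shares such that any m of them recover it."""
    if not 1 < m <= n or not 0 <= secret < P:
        raise ValueError("need 1 < m <= n and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0.  Given fewer than m shares, or shares
    from different key versions, this yields an unrelated value, not the key."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class MasterKeyRing:
    """Versioned master key (hypothetical name).  Each rekey, e.g. on a smart
    card replacement, mints a new key version and a fresh share set; old
    shares remain valid only for the old version."""

    def __init__(self, m, n):
        self.m, self.n = m, n
        self.version = 0
        self.keys = {}        # version -> key; would exist only inside the crypto boundary
        self.smartcards = {}  # version -> shares handed to the Recovery Officers
        self.rekey()

    def rekey(self):
        self.version += 1
        key = secrets.randbelow(P)
        self.keys[self.version] = key
        self.smartcards[self.version] = split_secret(key, self.m, self.n)
        return self.version

    def recover(self, shares):
        """Recovery Officers present their cards; fewer than the quorum is refused."""
        if len(shares) < self.m:
            raise PermissionError(f"quorum of {self.m} recovery officers required")
        return recover_secret(shares[: self.m])


if __name__ == "__main__":
    ring = MasterKeyRing(2, 3)
    cards = ring.smartcards[1]
    print(ring.recover([cards[0], cards[2]]) == ring.keys[1])
```

Two properties worth checking against a real deployment follow from the maths: any quorum-sized subset of cards reconstructs the key, while a subset one short of the quorum yields a value indistinguishable from random, and cards from different key versions cannot be combined, which is why a rekey must re-issue every officer's card.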

Offline Data Restore Tool

• Stand-alone utility that can be used to decrypt tapes written by SME in an environment where no MDS switches are present.
• The user points the tool at a tape drive where the tape is loaded and provides the key file exported from the KMC that holds the corresponding key for this tape. That key file unlocks the tape on its own, so it needs the same protection as the tape.
• Two phases
  Tape to disk phase: data is read from the tape and stored on disk as temporary file(s).
  Disk to tape phase: the data is decrypted, decompressed and written back to tape.
• Supported only on a RHEL 5.1 Linux platform at this time.


SME Virtual Interface Counters

• The display has information for encrypted traffic and clear-text traffic
• Compression ratio and traffic percentages are also provided, along with error statistics
Smartcard Reader

• For increased operational security, smart cards are offered to protect Master Keys, facilitate Master Key escrow, and help prevent unauthorized cryptographic cluster formation and key recovery.
• Smart Card Reader p/n for Cisco: SMEDS-SCR-K9=
• Smart Card p/n for Cisco: SMEDS-SC-K9=


Displays (Cont.)

• Debugging information
  show tech-support sme
  show tech-support cluster

SME Network Designs


Core-Edge Topology

In a core-edge topology, media servers are at the edge of the network and tape libraries at the core.

[Diagram: edge switches with media servers; core switches with MSMs and the tape libraries]

If the targets that require SME services are connected to only one switch in the core, use SME line cards and provision SME on this switch only. The number of SME line cards depends on the throughput requirements.

If the targets that require SME services are connected to multiple core switches, connect SME line cards and provision SME on these switches. Based on the throughput requirements, derive the total number of SME line cards and spread them (in proportion to the expected traffic) across the switches where the targets are connected. Additionally, provision the ISLs between the target-connected switches in the core to account for SME traffic.
Edge-Core-Edge Topology

In an edge-core-edge topology, the hosts and the targets are at the two edges of the network, connected via core switches.

[Diagram: host edge switches, core switches, target edge switches with MSMs and the tape libraries]

If the targets that require SME services are connected to only one switch on the edge, use SME line cards and provision SME on this switch only. The number of SME line cards depends on the throughput requirements.

If the targets that require SME services are connected to multiple edge switches, connect SME line cards and provision SME on these switches. Based on the throughput requirements, derive the total number of SME line cards and spread them (in proportion to the expected traffic) across the switches where the targets are connected. Additionally, provision the ISLs between the target-connected switches and the core to account for SME traffic.

Single Switch Fabric

Backup environment consists of 16 media servers and 30 LTO3 tape drives.
4 MSM modules installed in a 9509 MDS (3 for expected traffic and 1 for failover).

[Diagram: MDS 9509 chassis with dual WS-X9530 supervisors]

The 30 tape drives are evenly distributed across all 4 SME line cards (7 or 8 tape drives each).
The 16 media servers are evenly distributed across all 4 modules (4 media servers each).
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

The number of FC-Redirect entries used on each line card is calculated below:
Target to host entries: (8 targets/line card) * (16 hosts) = 128
Host to target entries: (4 hosts/line card) * (30 targets) = 120
SME entries: (8 targets/line card) * (16 hosts) * 2 = 256

Total: 504 entries (within the limit of 1000)

This is the average load when the encryption load for the targets is evenly distributed over multiple SME line cards. If one of the modules fails, the other modules take over its load and carry a higher number of entries during that period.
Dual Switch Fabric
Backup environment consists of 16 media servers and 30 LTO3 tape drives
3 MSM Modules installed in 9509a MDS
3 MSM Modules installed in 9509b MDS
(2 for expected traffic and 1 for failover)

30 tape drives. 15 attached to each MDS, distributed evenly across 3 MSM modules.
16 media servers. 8 accessing each MDS on a single line card from other switches in the Fabric.
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).
Note that encryption engines on each MSM can encrypt tapes connected to the other MDS.
The number of FC redirect entries used on each line card is calculated below:
Target to host entries (5 targets/line card) * (16 hosts) = 80
SME entries (5 targets/line card) * (16 hosts) * 2 = 160 entries
This is an average load when the encryption load for the targets is evenly distributed across multiple SME line cards. If one of the
modules fails, the other modules take over its load and have a higher number of entries during that period.
Total 240 entries on each MSM module (within the limit of 1000)
ISL entries on the target switch depend on the load distribution. If all the local targets are serviced by the local SME line
card, the number of entries needed is (30 targets on the switch)*(16 hosts in SAN) = 480. However, if the local targets
are serviced by the remote switch, the worst case number of FC Redirect entries on the ISL is (60 targets on the
switch)*(16 hosts in SAN) = 960. Hence, the ISL must be provisioned on a non-SME line card.
Host to target entries (8 hosts/line card) * (30 targets) = 240 (within the limit of 1000)
ISL entries on host switch (8 hosts on the switch) * (60 targets) = 480 in the worst case. If the ISL is on the same line card
as the hosts, the total entries are 720.

Target Centralized Dual Switch Fabric


Backup environment consists of 16 media servers and 30 LTO3 tape drives
4 MSM Modules installed in 9509 MDS
(3 for expected traffic and 1 for failover)

[Figure: MDS 9509 chassis diagram; WS-X9530 supervisor modules shown]

The 30 tape drives are evenly distributed across all 4 SME line cards (7 or 8 tape drives each).
The 16 media servers are connected to other switches in the Fabric.
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration)
The number of FC redirect entries used on each line card is calculated below (note that the host entries
are not on the line cards on the target switch)
Target to host entries (8 targets/line card) * (16 hosts) = 128
SME entries (8 targets/line card) * (16 hosts) * 2 = 256 entries
This is an average load when the encryption load for the targets is evenly distributed across multiple SME line
cards. If one of the modules fails, the other modules take over its load and have a higher number of
entries during that period.
Total 384 entries on each SME line card (within the limit of 1000)
Host to target entries (8 hosts/line card) * (30 targets) = 240 (within the limit of 1000)
There are no FC Redirect entries on the ISL because all the targets are on the same switch and the host
switches are FC Redirect capable.
Single Switch Fabric
Backup environment consists of 16 media servers and 60 LTO3 tape drives
7 MSM Modules installed in 9509 MDS
(6 for expected traffic and 1 for failover)

[Figure: MDS 9509 chassis diagram; WS-X9530 supervisor modules shown]
The 60 tape drives are evenly distributed across all 7 SME line cards (8 or 9 tape drives each).
The 16 media servers are evenly distributed across all 7 modules (2 or 3 media servers each)
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

The number of FC redirect entries used on each line card is calculated below:
Target to host entries (9 targets/line card) * (16 hosts) = 144
Host to target entries (3 hosts/line card) * (60 targets) = 180
SME entries (9 targets/line card) * (16 hosts) * 2 = 288 entries

This is an average load when the encryption load for the targets is evenly distributed across multiple SME line cards. If one of the
modules fails, the other modules take over its load and have a higher number of entries during that period.

Total 612 entries (within the limit of 1000)



Single Switch Fabric


Backup environment consists of 32 media servers and 60 LTO3 tape drives
7 MSM Modules installed in 9509 MDS
(6 for expected traffic and 1 for failover)

[Figure: MDS 9509 chassis diagram; WS-X9530 supervisor modules shown]

The 60 tape drives are evenly distributed across all 7 SME line cards (8 or 9 tape drives each).
The 32 media servers are evenly distributed across all 7 modules (4 or 5 media servers each)

Since each target can only be zoned to a maximum of 16 hosts, the backup environment must be
divided into 2 zones. Each zone has 16 Media Servers and 30 Targets.
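The FC-Redirect sizing rules used in the single-switch examples above (target-to-host, host-to-target and SME entries per line card, checked against the 1000-entry limit) and the 16-hosts-per-target zoning limit from this slide, as an added calculator that is not part of the original deck. It assumes that after a module failure the failed card's targets and hosts are re-spread evenly over the surviving modules; the deck only states that the other modules take over the load.

```python
import math

ENTRY_LIMIT = 1000          # FC-Redirect entries per line card (limit quoted in the deck)
MAX_HOSTS_PER_TARGET = 16   # each target can be zoned to at most 16 hosts (from the deck)


def entries_per_line_card(targets, hosts, modules):
    """FC-Redirect entries on the busiest MSM line card of a single-switch fabric.

    Targets and hosts are spread as evenly as possible over `modules` cards, so
    the busiest card carries ceil(targets/modules) targets and
    ceil(hosts/modules) hosts. The three entry types follow the deck's rules.
    """
    if modules < 1:
        raise ValueError("at least one MSM module is required")
    t_card = math.ceil(targets / modules)
    h_card = math.ceil(hosts / modules)
    entries = {
        "target_to_host": t_card * hosts,    # (targets/card) * (all hosts)
        "host_to_target": h_card * targets,  # (hosts/card)   * (all targets)
        "sme": t_card * hosts * 2,           # (targets/card) * (all hosts) * 2
    }
    entries["total"] = sum(entries.values())
    return entries


def zones_required(hosts):
    """Number of zones the backup environment must be split into (16-host limit)."""
    return math.ceil(hosts / MAX_HOSTS_PER_TARGET)


def check_design(targets, hosts, modules):
    """Size one zone in steady state and with one MSM module failed."""
    if hosts > MAX_HOSTS_PER_TARGET:
        raise ValueError(f"split into {zones_required(hosts)} zones and size each one")
    normal = entries_per_line_card(targets, hosts, modules)
    # Assumption: surviving modules absorb the failed card's load evenly.
    degraded = entries_per_line_card(targets, hosts, modules - 1) if modules > 1 else normal
    return {
        "normal": normal,
        "degraded": degraded,
        "fits": max(normal["total"], degraded["total"]) <= ENTRY_LIMIT,
    }


if __name__ == "__main__":
    for t, h, m in ((30, 16, 4), (60, 16, 7)):   # the two single-switch designs in the deck
        r = check_design(t, h, m)
        print(f"{t} targets / {h} hosts / {m} MSMs: steady {r['normal']['total']}, "
              f"one module failed {r['degraded']['total']}, within limit: {r['fits']}")
```

The 32-server design is handled by calling `zones_required(32)` first and sizing each 16-host zone on its own.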

Q and A


Recommended Reading

ƒ Continue your Cisco Live learning experience with further reading from Cisco Press
ƒ Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online
Session Evaluation
ƒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
ƒ Receive 20 Passport points for each session evaluation you complete.
ƒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
