Monday, October 11, 2010

Cisco MDS 9000 SAN-OS

Network Security

Cisco takes a comprehensive approach to network security with the Cisco MDS 9000 SAN-OS Software. In addition to VSANs, which provide true isolation of SAN-attached devices, Cisco MDS 9000 SAN-OS Software offers numerous security features.

Switch and Host Authentication

Fibre Channel Security Protocol (FC-SP) capabilities in the Cisco MDS 9000 SAN-OS Software provide switch-to-switch and host-to-switch authentication for enterprise-wide fabrics. Diffie-Hellman extensions with Challenge Handshake Authentication Protocol (DH-CHAP) are used to perform authentication locally on the Cisco MDS 9000 family or remotely through RADIUS or TACACS+. If authentication fails, the switch or host cannot join the fabric.
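The point of a CHAP-style exchange is that the shared secret never crosses the link: the verifier sends a random challenge, the peer proves possession of the secret by hashing it together with the challenge, and a peer whose secret is unknown or wrong simply never gets a fabric login. The following Python model is an added example, not Cisco code and not the FC-SP DH-CHAP wire format (it omits the Diffie-Hellman parameters and uses HMAC-SHA256 in place of the FC-SP hash choices). The WWNs and secrets are constructed, and the `remote` callable stands in for the RADIUS/TACACS+ lookup the text mentions.

```python
import hashlib
import hmac
import secrets

# Constructed local secret database: peer WWN -> shared secret.
# (Assumption: a simplified model of the switch's local DH-CHAP password store.)
LOCAL_SECRETS = {
    "20:00:00:0d:ec:01:02:03": b"switchA-secret",
    "20:00:00:0d:ec:04:05:06": b"switchB-secret",
}


def lookup_secret(peer_wwn, local_db=LOCAL_SECRETS, remote=None):
    """Return the shared secret for a peer: local database first, then an
    optional remote lookup callable (standing in for RADIUS/TACACS+)."""
    if peer_wwn in local_db:
        return local_db[peer_wwn]
    if remote is not None:
        return remote(peer_wwn)
    return None


def make_challenge():
    """Fresh random challenge; reuse would allow replay of an old response."""
    return secrets.token_bytes(16)


def compute_response(secret, challenge, responder_wwn):
    """Responder proves possession of the secret without revealing it."""
    return hmac.new(secret, challenge + responder_wwn.encode(), hashlib.sha256).digest()


def verify_login(peer_wwn, challenge, response, local_db=LOCAL_SECRETS, remote=None):
    """Verifier side: unknown peer or mismatched secret means no fabric join."""
    secret = lookup_secret(peer_wwn, local_db, remote)
    if secret is None:
        return False
    expected = compute_response(secret, challenge, peer_wwn)
    return hmac.compare_digest(expected, response)


def fabric_join(peer_wwn, peer_secret, local_db=LOCAL_SECRETS, remote=None):
    """Run the whole exchange for one peer and report whether it may join."""
    challenge = make_challenge()
    response = compute_response(peer_secret, challenge, peer_wwn)
    return verify_login(peer_wwn, challenge, response, local_db, remote)


if __name__ == "__main__":
    print("switch A, correct secret:", fabric_join("20:00:00:0d:ec:01:02:03", b"switchA-secret"))
    print("switch A, wrong secret:  ", fabric_join("20:00:00:0d:ec:01:02:03", b"guess"))
    print("unknown switch:          ", fabric_join("20:00:00:0d:ec:ff:ff:ff", b"anything"))
```

The `remote` hook shows the local-or-remote choice the text describes: a peer absent from the local table is still accepted when the AAA server returns its secret, and rejected when neither source knows it.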

IP Security for FCIP and iSCSI

Traffic flowing outside the data center must be protected. The proven IETF standard IP Security (IPsec) capabilities in the Cisco MDS 9000 SAN-OS Software offer secure authentication, data encryption for privacy, and data integrity for both FCIP and iSCSI connections on the Cisco MDS 9000 14/2-Port Multiprotocol Services Module and Cisco MDS 9216i Multilayer Fabric Switch. The Cisco MDS 9000 SAN-OS Software uses Internet Key Exchange Version 1 (IKEv1) and IKEv2 protocols to dynamically set up security associations for IPsec using preshared keys for remote-side authentication.

Role-Based Access Control

The Cisco MDS 9000 SAN-OS Software provides role-based access control (RBAC) for management access to the Cisco MDS 9000 family command-line interface (CLI) and Simple Network Management Protocol (SNMP). In addition to the two default roles on the switch, up to 64 user-defined roles can be configured. Applications using SNMP Version 3 (SNMPv3), such as Cisco Fabric Manager, have full RBAC for switch features managed through this protocol. The roles describe the access-control policies for various feature-specific commands on one or more VSANs. CLI and SNMP users and passwords are also shared, so only a single administrative account is required for each user.
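To make the role model concrete, here is an added Python sketch (my own, not Cisco's implementation) of roles built from ordered permit/deny rules scoped by operation, feature, and VSAN, with the two built-in roles and the 64-role ceiling from the text. The default role names `network-admin` and `network-operator`, the rule fields, and the sample roles are assumptions for the example.

```python
from dataclasses import dataclass, field

MAX_USER_ROLES = 64          # limit stated in the text for user-defined roles


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    operation: str                    # "config", "show", "exec", "debug" or "*"
    feature: str                      # e.g. "zone", "fcsp", "vsan" or "*"
    vsans: frozenset = frozenset()    # empty set = rule applies to every VSAN


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)


def authorize(role, operation, feature, vsan):
    """First matching rule decides; nothing matching means deny."""
    for r in role.rules:
        if (r.operation in ("*", operation)
                and r.feature in ("*", feature)
                and (not r.vsans or vsan in r.vsans)):
            return r.action == "permit"
    return False


# Assumed names for the two default roles: full control, and read-only.
NETWORK_ADMIN = Role("network-admin", [Rule("permit", "*", "*")])
NETWORK_OPERATOR = Role("network-operator", [Rule("permit", "show", "*")])

# Constructed user-defined role: may change zoning on VSANs 10 and 20 only,
# may view anything, and is explicitly denied the FC-SP feature everywhere.
ZONE_ADMIN_10_20 = Role("zone-admin-10-20", [
    Rule("deny", "*", "fcsp"),
    Rule("permit", "config", "zone", frozenset({10, 20})),
    Rule("permit", "show", "*"),
])


class RoleTable:
    """Switch role database: two defaults plus at most 64 user-defined roles."""

    def __init__(self):
        self.roles = {r.name: r for r in (NETWORK_ADMIN, NETWORK_OPERATOR)}

    def add(self, role):
        if role.name in self.roles:
            raise ValueError(f"role {role.name} already exists")
        if len(self.roles) - 2 >= MAX_USER_ROLES:
            raise ValueError("user-defined role limit reached")
        self.roles[role.name] = role

    def authorize_user(self, user_roles, operation, feature, vsan):
        """A user holding several roles is permitted if any of them permits."""
        return any(authorize(self.roles[n], operation, feature, vsan) for n in user_roles)


if __name__ == "__main__":
    table = RoleTable()
    table.add(ZONE_ADMIN_10_20)
    for vsan in (10, 30):
        print("zone config on VSAN", vsan, "->",
              table.authorize_user(["zone-admin-10-20"], "config", "zone", vsan))
```

Because the same table is consulted for both CLI and SNMPv3 operations, one account with one role set yields one answer regardless of which management path asks.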

Port Security and Fabric Binding

Port security locks down the mapping of an entity to a switch port. The entities can be hosts, targets, or switches that are identified through WWN. This locking helps ensure that unauthorized devices connecting to the switch port do not disrupt the SAN fabric. Fabric binding extends port security to allow ISLs only between specified switches.
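The two features compose naturally: port security answers "is this WWN allowed on this physical port?", and fabric binding adds, for ISLs only, "are both switch WWNs on this VSAN's allowed list?". The Python below is an added model of that decision, not Cisco code; the binding database layout, the `ANY` wildcard (modelling a "bind any WWN to this port" entry), the result strings and all WWNs are constructed for the example.

```python
ANY = "*"   # wildcard entry: any WWN on this interface, or this WWN on any interface


class PortSecurity:
    """Per-VSAN bindings of entity WWNs (host, target or switch) to switch ports."""

    def __init__(self):
        self.active = set()   # VSANs where the binding database is enforced
        self.db = {}          # vsan -> set of (wwn, interface)

    def bind(self, vsan, wwn, interface):
        self.db.setdefault(vsan, set()).add((wwn, interface))

    def activate(self, vsan):
        self.active.add(vsan)

    def login_permitted(self, vsan, wwn, interface):
        if vsan not in self.active:
            return True       # not enforced on this VSAN
        for b_wwn, b_if in self.db.get(vsan, ()):
            if b_wwn in (ANY, wwn) and b_if in (ANY, interface):
                return True
        return False          # unknown WWN, or known WWN on the wrong port


class FabricBinding:
    """Per-VSAN list of switch WWNs that may form ISLs with each other."""

    def __init__(self):
        self.active = set()
        self.switches = {}    # vsan -> set of switch WWNs

    def add(self, vsan, swwn):
        self.switches.setdefault(vsan, set()).add(swwn)

    def activate(self, vsan):
        self.active.add(vsan)

    def isl_permitted(self, vsan, local_swwn, remote_swwn):
        if vsan not in self.active:
            return True
        allowed = self.switches.get(vsan, set())
        return local_swwn in allowed and remote_swwn in allowed


def fabric_login(ps, fb, vsan, kind, wwn, interface, local_swwn=None):
    """Decision for one login: port security for every entity kind,
    fabric binding additionally when the entity is a switch (an ISL)."""
    if not ps.login_permitted(vsan, wwn, interface):
        return "rejected: port-security"
    if kind == "switch" and not fb.isl_permitted(vsan, local_swwn, wwn):
        return "rejected: fabric-binding"
    return "accepted"


# Constructed sample configuration for VSAN 1.
LOCAL_SWWN = "20:00:00:0d:ec:aa:00:01"
PS = PortSecurity()
PS.bind(1, "21:00:00:e0:8b:00:00:01", "fc1/1")     # host pinned to fc1/1
PS.bind(1, ANY, "fc1/9")                          # fc1/9 accepts any WWN
PS.bind(1, "20:00:00:0d:ec:aa:00:02", "fc1/16")    # peer switch on fc1/16
PS.bind(1, "20:00:00:0d:ec:aa:00:03", "fc1/17")    # another switch, bound but unlisted below
PS.activate(1)
FB = FabricBinding()
FB.add(1, LOCAL_SWWN)
FB.add(1, "20:00:00:0d:ec:aa:00:02")
FB.activate(1)

if __name__ == "__main__":
    print(fabric_login(PS, FB, 1, "host", "21:00:00:e0:8b:00:00:01", "fc1/2"))
    print(fabric_login(PS, FB, 1, "switch", "20:00:00:0d:ec:aa:00:02", "fc1/16", LOCAL_SWWN))
    print(fabric_login(PS, FB, 1, "switch", "20:00:00:0d:ec:aa:00:03", "fc1/17", LOCAL_SWWN))
```

The third sample call is the case fabric binding exists for: a switch that port security would admit on its cabled port is still refused an ISL because it is not on the VSAN's switch list.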

Zoning

Zoning provides access control for devices within a SAN. The Cisco MDS 9000 SAN-OS Software supports the following types of zoning:

• N_Port zoning: Defines zone members based on the end-device (host and storage) port

– WWN

– Fibre Channel Identifier (FC-ID)

• Fx_Port zoning: Defines zone members based on the switch port

– WWN

– WWN + Interface index, or Domain ID + Interface index

– Domain ID + Port number (for Brocade interoperability)

• iSCSI zoning: Defines zone members based on the host zone

– iSCSI name

– IP address

• Logical unit number (LUN) zoning: When combined with N_Port zoning, LUN zoning helps ensure that LUNs are accessible only by specific hosts, providing a single point of control for managing heterogeneous storage-subsystem access.

• Read-only zones: An attribute can be set to restrict I/O operations in any zone type to SCSI read-only commands. This feature is especially useful for sharing volumes across servers for backup, data warehousing, etc.

• Broadcast zones: An attribute can also be set for any zone type to restrict broadcast frames to members of the specific zone.

To provide strict network security, zoning is always enforced per frame using access control lists (ACLs) applied at the ingress switch. All zoning policies are enforced in hardware, and none of them cause performance degradation. Enhanced zoning session-management capabilities further improve security by allowing only one user at a time to modify zones.
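The zone types listed above and the per-frame ingress enforcement just described fit together as follows: the active zone set is compiled into a permit table keyed by the ingress device, every frame is checked against that table (default deny), a read-only zone permits the pair but blocks SCSI write opcodes, and a broadcast zone bounds who receives a broadcast. The Python below is an added example of that compilation and lookup, my own model rather than Cisco's ASIC logic; the member-type names, the device records, the sample zones and the WWNs/FC-IDs are constructed. The SCSI WRITE opcodes are the standard ones (WRITE(6) 0x0A, WRITE(10) 0x2A, WRITE(16) 0x8A, WRITE(12) 0xAA).

```python
from dataclasses import dataclass

SCSI_WRITE_OPCODES = {0x0A, 0x2A, 0x8A, 0xAA}   # WRITE(6/10/16/12)
SCSI_READ10 = 0x28


@dataclass(frozen=True)
class Device:
    pwwn: str
    fcid: str
    domain: int          # domain ID of the switch it is logged in on
    port: int            # switch port number (for domain+port members)
    iscsi_name: str = ""
    ip: str = ""


@dataclass
class Zone:
    name: str
    members: list        # (member_type, value) pairs; types modelled on the text's list
    read_only: bool = False
    broadcast: bool = False

    def contains(self, dev):
        for mtype, value in self.members:
            if mtype == "pwwn" and dev.pwwn == value:
                return True
            if mtype == "fcid" and dev.fcid == value:
                return True
            if mtype == "domain-port" and (dev.domain, dev.port) == value:
                return True
            if mtype == "iscsi-name" and dev.iscsi_name == value:
                return True
            if mtype == "ip-address" and dev.ip == value:
                return True
        return False


def build_ingress_acl(zones, devices):
    """Compile the active zones into {src_pwwn: {dst_pwwn: read_only_flag}}.
    A pair sharing any normal zone gets full access; a pair that only shares
    read-only zones keeps the read-only flag set."""
    acl = {}
    for z in zones:
        members = [d for d in devices if z.contains(d)]
        for s in members:
            dst = acl.setdefault(s.pwwn, {})
            for d in members:
                if d is not s:
                    prev = dst.get(d.pwwn)
                    dst[d.pwwn] = z.read_only if prev is None else (prev and z.read_only)
    return acl


def permit_frame(acl, src, dst, scsi_opcode=None):
    """Per-frame decision at the ingress switch: default deny; read-only pairs drop writes."""
    entry = acl.get(src.pwwn, {})
    if dst.pwwn not in entry:
        return False
    if scsi_opcode in SCSI_WRITE_OPCODES and entry[dst.pwwn]:
        return False
    return True


def broadcast_targets(zones, devices, src):
    """Set of pWWNs that receive a broadcast from src: members of broadcast zones containing src."""
    out = set()
    for z in zones:
        if z.broadcast and z.contains(src):
            out.update(d.pwwn for d in devices if z.contains(d) and d is not src)
    return out


# Constructed sample fabric: three hosts and one target on domain 1.
HOST1 = Device("21:00:00:e0:8b:00:00:01", "0x010100", 1, 1)
HOST2 = Device("21:00:00:e0:8b:00:00:02", "0x010200", 1, 2)
HOST3 = Device("21:00:00:e0:8b:00:00:03", "0x010300", 1, 3)    # deliberately unzoned
TARGET = Device("50:06:01:60:00:00:00:01", "0x010400", 1, 4)
DEVICES = [HOST1, HOST2, HOST3, TARGET]
ZONES = [
    Zone("z_host1_prod", [("pwwn", HOST1.pwwn), ("pwwn", TARGET.pwwn)]),
    Zone("z_backup_ro", [("fcid", HOST2.fcid), ("domain-port", (1, 4))],
         read_only=True, broadcast=True),
]
ACL = build_ingress_acl(ZONES, DEVICES)

if __name__ == "__main__":
    print("host1 write ->", permit_frame(ACL, HOST1, TARGET, 0x2A))
    print("host2 read  ->", permit_frame(ACL, HOST2, TARGET, SCSI_READ10))
    print("host2 write ->", permit_frame(ACL, HOST2, TARGET, 0x2A))
    print("host3 read  ->", permit_frame(ACL, HOST3, TARGET, SCSI_READ10))
```

The `z_backup_ro` zone mixes an FC-ID member with a domain+port member to show that enforcement is about the resolved device pair, not the member syntax, and it is the backup-sharing case the text gives for read-only zones.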
