Brocade Secure Fabric OS Administrator's Guide (53-1000244-01, November 2006)

Management Channel Security
Secure Fabric OS can be used to provide policy-based access control of local and remote management
channels, including Fabric Manager, Web Tools, standard SNMP applications, and management server.
Access through a channel can be restricted by customizing the Secure Fabric OS policy for that channel.
Secure Fabric OS policies are available for telnet (includes sectelnet and SSH), SNMP, management
server, HTTP, and API.
Fabric Manager, Web Tools, and API all use both HTTP and API to access the switch. To use any of
these management tools to access a fabric that has secure mode enabled, ensure that the workstation
computers can access the fabric by both API and HTTP. If an API or HTTP policy has been created, it
must include the IP addresses of all the workstation computers.
After a digital certificate has been installed on the switch, Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and
v5.2.0 encrypt sectelnet, API, and HTTP passwords automatically, regardless of whether Secure Fabric
OS is enabled.
On two-domain directors, messages (such as notifications of password changes) that are sent to the
whole secure fabric are seen on both domains, even if the other domain is not part of the secure fabric.
Secure Shell (SSH)
Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support SSH, enabling fully encrypted telnet sessions. Use
of SSH requires installation of an SSH client on the host computer; use of SSH does not require a digital
certificate on the switch.
SSH access is configurable by the Telnet Policy that is available through Secure Fabric OS. However,
Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support SSH whether or not Secure Fabric OS is licensed.
To restrict CLI access to SSH over the network, disable telnet as described in “Telnet” on page 1-3 later
in this section.
SSH clients are available in the public domain and can be located by searching the Internet. Use clients
that support version 2 of the protocol, such as OpenSSH or F-Secure.
Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 also support the following ciphers for session encryption
and HMACs (hash function-based message authentication codes):
ciphers: AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4
HMACs: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, and HMAC-MD5-96
For more information about SSH, see the Fabric OS Administrator’s Guide.
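The cipher and HMAC names above are what the switch advertises in its SSH_MSG_KEXINIT message; the client picks the first entry on its own list that the server also offers, so an SSH-2 client with a restricted algorithm list is what actually decides which of these is used. The following is an added example, not code from the guide or from Brocade: a small Python decoder for the SSH identification string (RFC 4253, section 4.2) and the KEXINIT payload (RFC 4253, section 7.1), plus an audit that flags the ciphers and MACs a defender would normally want to retire. The sample KEXINIT is constructed here from the list in the text, written with OpenSSH wire names (the mapping of RC4 to `arcfour` and the lower-casing of the other names are assumptions), and the choice of key-exchange and host-key algorithms in the sample is invented. The legacy classification is the example's own policy, not something the guide states.

```python
import struct

# Message number of SSH_MSG_KEXINIT (RFC 4253, section 7.1).
SSH_MSG_KEXINIT = 20

# Order of the ten name-lists inside a KEXINIT payload (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Algorithms this example flags as legacy: RC4 (arcfour), every CBC cipher, and the
# MD5-based or 96-bit-truncated MACs. This is the example's own policy, not anything
# stated by the Fabric OS guide.
LEGACY_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc",
                  "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def banner_protocol(banner):
    """Parse an identification string such as 'SSH-2.0-OpenSSH_9.6' (RFC 4253, 4.2).

    protoversion '2.0' is SSH-2 only; '1.99' means the server also accepts SSH-1.
    """
    line = banner.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    proto = line.split("-", 2)[1]
    return {"protoversion": proto,
            "ssh2": proto in ("2.0", "1.99"),
            "ssh1_fallback": proto == "1.99"}


def _name_list(names):
    # name-list: uint32 length followed by comma-separated ASCII names
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, comp=("none",)):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16        # message byte + 16-byte cookie
    for lst in (kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, (), ()):
        body += _name_list(lst)
    body += b"\x00" + struct.pack(">I", 0)                 # first_kex_packet_follows, reserved
    return body


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its name-lists; raise ValueError on malformed input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17
    out = {}
    for field in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % field)
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list for %s" % field)
        raw = payload[off:off + n].decode("ascii")
        off += n
        out[field] = raw.split(",") if raw else []
    if off + 5 > len(payload):
        raise ValueError("truncated trailer")
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def audit_kexinit(parsed):
    """Split the advertised ciphers and MACs into the legacy sets above and the rest."""
    ciphers = set(parsed["enc_c2s"]) | set(parsed["enc_s2c"])
    macs = set(parsed["mac_c2s"]) | set(parsed["mac_s2c"])
    return {"legacy_ciphers": sorted(ciphers & LEGACY_CIPHERS),
            "legacy_macs": sorted(macs & LEGACY_MACS),
            "other_ciphers": sorted(ciphers - LEGACY_CIPHERS),
            "other_macs": sorted(macs - LEGACY_MACS)}


# Constructed sample: the cipher and HMAC names from the guide as OpenSSH wire names
# (assumption: RC4 is 'arcfour'); the kex and host-key entries are invented filler.
SAMPLE_BANNER = "SSH-2.0-Example_Switch\r\n"
SAMPLE_KEXINIT = build_kexinit(
    kex=("diffie-hellman-group1-sha1",),
    hostkey=("ssh-rsa", "ssh-dss"),
    ciphers=("aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour"),
    macs=("hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"),
)

if __name__ == "__main__":
    print(banner_protocol(SAMPLE_BANNER))
    print(audit_kexinit(parse_kexinit(SAMPLE_KEXINIT)))
```

Run against a real capture, the audit tells you which of the advertised algorithms a modern client will refuse by default, which is the usual reason an old switch suddenly becomes unreachable over SSH after a client upgrade; the fix is to pin an accepted cipher and MAC on the client side for that host rather than to weaken the client globally.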
Note
The Telnet button in Web Tools can be used to launch telnet only (not sectelnet or SSH); it is disabled
when secure mode is enabled.
Note
The first time an SSH client is launched, a message is displayed, indicating that the server’s host key is
not cached in the registry. You will also see this message the first time an SSH client is launched after you
upgrade switch firmware.
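That message is the client reporting that it has no recorded host key for the switch, so it cannot tell a first contact from a changed key; the practical check is to compare the fingerprint the client shows against the one recorded for the switch before accepting it. The following is an added example, not code from the guide or from Brocade, showing what the client does behind that message: it parses a plain (unhashed, marker-free) known_hosts file, compares the key the switch presents with the recorded one, and prints the fingerprint in the two formats SSH clients commonly display. The sample keys are constructed ssh-rsa blobs with toy moduli, not real keys, and the host name and address in the sample known_hosts line are placeholders.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    # SSH 'string': uint32 length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    # SSH 'mpint': two's-complement big-endian; a leading zero byte keeps the sign bit clear
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e, n):
    """Encode an ssh-rsa public key blob (RFC 4253, 6.6); used only to build sample keys."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Older colon-separated MD5 fingerprint, still printed by some clients."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def parse_pubkey(keytype, b64):
    """Decode a base64 key blob and confirm its embedded type matches the declared one."""
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match blob")
    return blob


def parse_known_hosts(text):
    """Return {host: [(keytype, blob), ...]} from plain known_hosts lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @cert-authority/@revoked markers are out of scope here
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed known_hosts line")
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        blob = parse_pubkey(keytype, b64)
        for host in hosts.split(","):
            table.setdefault(host, []).append((keytype, blob))
    return table


def check_host_key(known_hosts_text, host, keytype, blob):
    """'match' if the presented key is recorded for host, 'mismatch' if only a different key is, 'unknown' if none."""
    entries = parse_known_hosts(known_hosts_text).get(host, [])
    if not entries:
        return "unknown"
    if any(kt == keytype and kb == blob for kt, kb in entries):
        return "match"
    return "mismatch"


# Constructed sample keys: structurally valid ssh-rsa blobs with toy moduli, not real keys.
SWITCH_KEY = make_rsa_blob(65537, (1 << 255) + 0x1234)
OTHER_KEY = make_rsa_blob(65537, (1 << 255) + 0x5678)
SWITCH_KEY_B64 = base64.b64encode(SWITCH_KEY).decode("ascii")

# Constructed known_hosts content: placeholder host name and address, recording SWITCH_KEY.
KNOWN_HOSTS = "switch1,192.0.2.10 ssh-rsa %s switch1 host key\n" % SWITCH_KEY_B64

if __name__ == "__main__":
    print(fingerprint_sha256(SWITCH_KEY))
    print(fingerprint_md5(SWITCH_KEY))
    print(check_host_key(KNOWN_HOSTS, "switch1", "ssh-rsa", SWITCH_KEY))   # match
    print(check_host_key(KNOWN_HOSTS, "switch1", "ssh-rsa", OTHER_KEY))    # mismatch
```

The three outcomes map onto what an SSH client shows: "unknown" is the not-cached message from the note, "match" is a silent connect, and "mismatch" is the loud host-key-changed warning. After a firmware upgrade the cleanest handling is to record the switch's new fingerprint from the console or an existing trusted session and replace the old known_hosts entry, rather than accepting whatever key the next connection presents.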