DATA CENTER TECHNICAL BRIEF

Deploying Brocade Network Advisor in a Secure Environment

To ensure secure data center operations, the data handled by Brocade Network Advisor must be protected from misuse. This paper describes techniques to protect this data.

CONTENTS

Introduction 3
User Access Control 3
Authentication 4
Authorization 6
Password Policy 10
Secure Network Advisor Client Server Communication 10
Securing SMI-S Communication 11
Securing Network Advisor Server to Switch Communication 12
Securing Network Advisor Server to Adapter Communication 14
Network Advisor Server to Network Configurations 15
Client Server Firewall Settings 16
SMI-S Client Firewall Settings 17
Server to Network Firewall Settings 17
Miscellaneous Firewall Ports 18
Network Advisor Certificates 18
Truststore Certificates 18
Keystore and Truststore Passwords 20
Server Data Storage 21
Summary 22
[Figure 4: Role dialog. The permission list includes entries such as IP CLI Configuration, IP Deployment Reports, IP Discover Setup, IP Element Manager Port Config, and IP GSLB Manager, with OK, Cancel, and Help buttons]

A permission may be assigned to a role as either read-only or read-write. If the permission is not assigned at all, the user cannot open dialogs or tabs that require that permission. If the permission is assigned as read-only, the user may open the dialogs or tabs to view the feature settings, but editing is disabled. If the permission is assigned as read-write, the user may view and edit the feature's settings.

Each user must also be assigned at least one AOR. An AOR is a set of SAN switches, IP network devices, and hosts that the user is allowed to view or manage. Administrators may create new AORs or edit existing AORs by clicking the Add, Edit, or Duplicate button underneath the AOR list in the Users tab of the Users dialog. These buttons display the AOR dialog, as shown in Figure 5.

[Figure 5: Add AOR dialog. Example entry: Name "Fabric B Only", Description "Can view and manage only SAN Fabric B". The area of responsibility is defined from the available fabrics, hosts, and IP products (Fabrics, Hosts, and IP Products tabs; Available Fabrics and Selected Fabrics lists with Name, Location, Contact, and Description columns)]
performance data and event traps
- SYSLOG for events
- FTP, TFTP, or SCP for transferring firmware images, configuration backups, and supportsave data

Often the server-to-switch network is physically secure, requiring no protection against unauthorized monitoring. If the server-to-switch network connection extends over public links or is otherwise not considered secure from unauthorized monitoring, Network Advisor provides features for encrypting most of the management traffic:

- HTTP should be replaced with HTTPS. All transferred data, including switch logins, is encrypted for privacy.
- SCP should be used instead of FTP or TFTP for transferring boot images, configuration backups, and supportsave files. SCP encrypts data during transit.
- SNMPv3 should be used instead of SNMPv1 or SNMPv2c. SNMPv3 supports encryption for privacy.
- There is no encryption support for SYSLOG messages, so syslog traffic cannot be protected by Network Advisor settings and should stay on the protected management network.

The options to secure configuration data are available in the Options dialog. Select Options from the Server menu and then select the Product Communication category (see Figure 8).

[Figure 8, first section: Options dialog, Product Communication category. "Use this option to configure HTTP or HTTPS connections between the Network Advisor Server and SAN switches." Connect using: HTTP / HTTPS (HTTP over SSL only); Port 443; Current Port 443; Default Port 443. The category list includes Event Storage, Flyovers, Look and Feel, Performance Graph Styles, Product Improvement, SAN Display, and others]
stores several pieces of information that must be protected from unauthorized access:

- User passwords, when local user authentication is configured
- Switch login passwords for switch discovery and data collection
- Managed host and vCenter login passwords
- Simple Network Management Protocol version 3 (SNMPv3) passwords for performance monitoring, trap receiving, and trap forwarding
- Shared secrets for secure Fibre Channel over IP (FCIP) tunnel connections over IP security (IPsec)
- SSL certificate passwords for secure switch communication

These pieces of data are stored in the SQL database that resides on the Network Advisor server machine. Sensitive data is encrypted before being stored in the database using the Triple Data Encryption Standard (3DES) algorithm (PBEWithSHA1AndDESede). The encryption key is internally generated and is different on each Brocade Network Advisor system. Because the encryption is reversible, the server machine itself must be protected: anyone who controls the server host can recover the key and the stored credentials.

The Network Advisor database also contains collected configuration and performance data from the managed switches and managed hosts in the SAN. This information is not encrypted when stored in the database. An administrator who knows the Network Advisor database access credentials can use third-party SQL query tools to view the data.

Brocade Network Advisor installs a default database user name, dcmuser, with password "password", for third-party access to the Network Advisor server database via ODBC or JDBC. The dcmuser user name has read-only a
INTRODUCTION

Brocade Network Advisor is a Storage Area Network (SAN) and Ethernet management application for enterprises and service providers. It provides an intuitive, user-friendly Graphical User Interface (GUI) for the configuration and monitoring of multiple Fibre Channel (FC) fabrics, Ethernet fabrics, Ethernet switches and routers, Brocade Host Bus Adapters (HBAs), and virtualized server infrastructures.

The configuration data handled by Brocade Network Advisor is critical to the network's integrity and performance. To ensure secure data center operations, the data handled by Network Advisor must be protected from user error or intentional misuse. This paper describes how to apply the security features available in Brocade Network Advisor version 12.0.x.

Brocade Network Advisor is a client-server application: multiple clients communicate with a central server, which stores configuration and performance data in a SQL database (PostgreSQL) co-located on the server's workstation. The server communicates with all of the managed devices to apply configuration changes and collect configuration and performance data. There are several points at which data must be secured:

- Control user access to Network Advisor clients through Role-Based Access Control (RBAC)
- Protect client-server communication via encryption and authentication
- Protect data stored locally on the server via encryption and database acc
[Figure 9: SNMPv3 options for SAN devices. The dialog ends with a Priv Password field (value masked) and Cancel and Help buttons]

The SNMP user name is not related to Brocade Network Advisor or SAN device login names. Ensure that the SNMP user name, authentication protocol, authentication password, privacy protocol, and privacy password match those configured on the SAN device. Select authentication and privacy protocols other than None for a secure and encrypted connection. The Context Name may be left blank for initial discovery in virtual fabric environments; Network Advisor fills in the Context Name automatically for logical switches within a chassis.

SECURING NETWORK ADVISOR SERVER TO ADAPTER COMMUNICATION

Brocade Network Advisor manages Brocade FC adapters installed in network servers and other hosts. A Host Connectivity Manager (HCM) agent is typically installed on the host with the Brocade adapter. Network Advisor always communicates with the HCM agent over a secure SSL connection; no user action is required in this case. When the Brocade adapter is installed in a VMware ESXi host, however, Network Advisor communicates with the Common Information Model (CIM) server in the VMware ESXi software to obtain adapter information. In that case, the user has the option to use either HTTP or HTTPS. For secure communication, choose HTTPS when adding the host address to Netw
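The SNMPv3 settings above require the user name, protocols, and passwords to match the device exactly. The reason is that the keys used on the wire are not the passwords themselves: the User-based Security Model derives a key from the password and then localizes it with the device's snmpEngineID, so one password yields a different key on every engine. The following is an added example, not code from the brief, from Network Advisor, or from Brocade switches; it implements the RFC 3414 Appendix A.2 derivation in Python and checks itself against the MD5 test vector published in RFC 3414 Appendix A.3.1 (password "maplesyrup", engine ID 0x000000000000000000000002).

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A.2): password -> Ku -> localized Kul.

Added example, not Network Advisor or switch code. The MD5 test vector used in
the usage at the bottom is the one published in RFC 3414 Appendix A.3.1.
"""
import hashlib

ONE_MEBIBYTE = 1048576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(first 1,048,576 octets of the password repeated), RFC 3414 A.2.1 / A.2.2.

    The 1 MiB expansion is deliberate key stretching: it makes brute force of a
    captured SNMPv3 exchange slower, but it does not rescue a weak password.
    """
    if not password:
        raise ValueError("empty password")
    if hash_name not in ("md5", "sha1"):
        raise ValueError("RFC 3414 defines HMAC-MD5-96 and HMAC-SHA-96 only")
    repeats = ONE_MEBIBYTE // len(password) + 1
    return hashlib.new(hash_name, (password * repeats)[:ONE_MEBIBYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 A.2.

    Binding the key to the engine ID is what makes a key stolen from one
    switch useless against another switch that shares the same password.
    """
    if not engine_id:
        raise ValueError("snmpEngineID must not be empty")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Convenience: password straight to the per-engine key a manager uses."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def des_privacy_key(kul: bytes) -> tuple:
    """CBC-DES privacy (RFC 3414 8.1.1.1): the first 8 octets of a 16-octet localized
    privacy key are the DES key, the last 8 are the pre-IV that is XORed with the
    per-message salt to form the IV."""
    if len(kul) < 16:
        raise ValueError("a 16-octet localized key is required for CBC-DES")
    return kul[:8], kul[8:16]


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3.1 engine ID
    ku = password_to_key(b"maplesyrup", "md5")
    print("Ku  =", ku.hex())                                  # 9faf3283884e92834ebc9847d8edd963
    print("Kul =", localize_key(ku, engine_id, "md5").hex())  # 526f5eed9fcce26f8964c2930787d82b
    other = bytes.fromhex("000000000000000000000003")         # constructed: a second engine
    print("same password on another engine differs:",
          usm_localized_key(b"maplesyrup", other) != localize_key(ku, engine_id))
```

The same derivation applies to the privacy password; only the protocol choices in the Figure 9 dialog (authentication MD5 or SHA, privacy DES or AES) decide which hash and which key length are used.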
Brocade Network Advisor creates a secure connection to the NIS/NIS+ server for the authentication request.

The chosen authentication method and the authentication servers are configured in the AAA (Authentication, Authorization, and Accounting) tab of the Network Advisor Server Management Console (SMC), as shown in Figure 2.

[Figure 2: Network Advisor Server Management Console, AAA tab. Tabs: Services, Ports, AAA Settings, Restore, Technical Support Information, HCM Upgrade, Performance Data Aging. Text: "This Network Advisor server currently uses Radius Server as the primary authentication and None as the secondary. Configure Fail Over Option to switch from primary authentication to secondary authentication." Settings shown: Primary Authentication: Radius Server; Secondary Authentication: None; Fail Over Option; Authorization Preference: Local Database. Radius Servers and Sequence table (Network Address, TCP Port, Timeout (Sec), Attempts, Authentication Type): 10.32.149.52, 1812, 3, 3, CHAP; 10.32.149.67, 1812, 3, 3, PAP. Buttons: Add, Edit, Delete, Up, Audit Trail Display, Test, Apply]

For RADIUS, TACACS+, LDAP, and switch authentication, administrators can enter a list of server or switch addresses. Brocade Network Advisor tries each address in the list in order until one responds. This process allows for a back
[Figure 6: Password Policy tab of the Users dialog. Fields: Upper Case Characters (0-127), Lower Case Characters (0-127), Number of Digits (0-127), Punctuations Required (0-127), Maximum Repeat (1-127), Maximum Sequence (1-127). Lockout Support: Lockout Threshold 3 Times (0-999), Lockout Duration 5 Minutes (0-99999). Login Policy: Login Mode Single Login; Action Logout Existing Sessions. Buttons: View Policy Violators, Apply, E-mail Event Notification Setup, Close, Help]

More information on the various policy fields is available in the online help and user manual.

SECURE NETWORK ADVISOR CLIENT SERVER COMMUNICATION

The Network Advisor client uses several protocols to communicate with the Network Advisor server:

- HTTPS for initial program load via Java Web Start and for browser-based reports
- EJB 3.0 (Enterprise Java Beans) RMI over TLS
- Java Messaging System (JMS) over TLS
- File Transfer Protocol (FTP), Secure Copy Protocol (SCP), or Secure File Transfer Protocol (SFTP) for importing firmware images from the client system

HTTPS, EJB, and JMS use TLS v1 to encrypt all traffic between the client and server. TLS v1 is an upgrade to Secure Sockets Layer (SSL) version 3. Although TLS is functionally equivalent to SSL, the name was changed because TLS is not backward compatible with SSL. Encryption
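The Password Policy tab shown in Figure 6 names its rules but not their exact semantics. The following is an added example, not Network Advisor's own implementation, that enforces the same set of rules in Python so the interaction between them can be tested: it assumes Maximum Repeat is the longest permitted run of one character ("aaa" is a run of 3), Maximum Sequence is the longest permitted run of consecutive ascending or descending characters ("abc", "321"), and adds an assumed minimum-length field that is not visible in the figure. The lockout tracker models Lockout Threshold and Lockout Duration, including the threshold value 0 that the field range allows.

```python
"""Password-policy and lockout checks modeled on the Figure 6 fields.

Added example; not Network Advisor code. Field semantics for Maximum Repeat,
Maximum Sequence and the minimum length are assumptions (see comments).
"""
from dataclasses import dataclass
from typing import Dict, List
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8       # assumed field, not visible in Figure 6
    upper: int = 1            # Upper Case Characters (0-127)
    lower: int = 1            # Lower Case Characters (0-127)
    digits: int = 1           # Number of Digits (0-127)
    punctuation: int = 0      # Punctuations Required (0-127)
    max_repeat: int = 2       # Maximum Repeat: longest allowed run of one character (assumed meaning)
    max_sequence: int = 3     # Maximum Sequence: longest allowed ascending/descending run (assumed meaning)


def longest_run(password: str, step: int) -> int:
    """Longest run in which each character's code differs from the previous one by
    `step` (0 = same character repeated, +1 = ascending, -1 = descending)."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the names of the violated rules; an empty list means the password passes."""
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "punctuation": sum(c in string.punctuation for c in password),
    }
    violations = []
    if len(password) < policy.min_length:
        violations.append("length")
    for name, needed in (("upper", policy.upper), ("lower", policy.lower),
                         ("digits", policy.digits), ("punctuation", policy.punctuation)):
        if counts[name] < needed:
            violations.append(name)
    if longest_run(password, 0) > policy.max_repeat:
        violations.append("repeat")
    if max(longest_run(password, 1), longest_run(password, -1)) > policy.max_sequence:
        violations.append("sequence")
    return violations


class LockoutTracker:
    """Lockout Threshold (failed logins) and Lockout Duration (minutes).
    A threshold of 0 disables lockout, matching the field's 0-999 range.
    `now` is passed in as epoch seconds so the logic is testable without sleeping."""

    def __init__(self, threshold: int, duration_minutes: int):
        self.threshold = threshold
        self.duration = duration_minutes * 60
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                       # lockout expired: clear the state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if this failure starts a lockout."""
        if self.threshold == 0 or self.is_locked(user, now):
            return False
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.threshold:
            self._locked_until[user] = now + self.duration
            self._failures.pop(user, None)
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Passw0rd!", "aaa12345", "Abcdef1!"):   # constructed samples
        print(candidate, check_password(candidate, policy) or "ok")
```

Note that a repeat or sequence rule on its own does little against guessing; the lockout threshold is what bounds online brute force, and the brief's "Logout Existing Sessions" login action is what prevents a second concurrent session from surviving a password change.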
User login involves two components:

- Authentication, to verify the user's identity
- Authorization, to permit user access to only the features and data specified by an assigned role

Authentication

Brocade Network Advisor provides several options for user authentication:

Remote Authentication Dial-In User Service (RADIUS): A widely used IETF standard protocol for authenticating users via a shared central authentication server. The user's password is hidden with a user-configured shared secret before being sent to the RADIUS server. The scheme is defined by the RADIUS protocol and XORs the password with MD5 hashes of the shared secret; MD5 is no longer approved by NIST or FIPS, so it may be necessary to avoid using RADIUS in some secure environments.

Terminal Access Controller Access-Control System Plus (TACACS+): A newer remote authentication protocol similar to RADIUS. Like RADIUS, TACACS+ encrypts the user's password with a user-configurable shared secret. The encryption scheme is defined by the TACACS+ protocol and uses MD5 hash values, so it may not be acceptable in environments that prohibit MD5.

Lightweight Directory Access Protocol (LDAP) version 3: LDAP is another IETF standard protocol that allows user authentication by a central LDAP directory server. LDAP v3 supports Transport Layer Security (TLS) to encrypt all traffic to and from the LDAP server. Brocade Network Advisor 12.0 allows only strong ciphers to be used in the TLS connectio
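The RADIUS and TACACS+ entries above say the password is "encrypted" with MD5 and the shared secret. For RADIUS the construction is small enough to show in full, and seeing it makes clear why the brief treats it as a weak point. The following is an added example, not code from the brief, from Network Advisor, or from any RADIUS implementation; it reimplements the User-Password hiding of RFC 2865 section 5.2 in Python with constructed inputs (the shared secret, the Request Authenticator, and the passwords are all made up for the demonstration).

```python
"""RADIUS User-Password hiding, RFC 2865 section 5.2, reimplemented for illustration.

Added example; not code from the Brocade brief, Network Advisor, or a RADIUS server.
The password is XORed with a chain of MD5 digests keyed by the shared secret S and
the 16-octet Request Authenticator (RA) of the Access-Request; there is no cipher
and no integrity protection on the password itself. All inputs are constructed.
"""
import hashlib

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the on-the-wire User-Password attribute value (the client side)."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    # Pad with NUL octets to a multiple of 16; the server strips them after unhiding.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        # b1 = MD5(S || RA), b(n) = MD5(S || c(n-1)); c(n) = p(n) XOR b(n)
        keystream = hashlib.md5(secret + prev).digest()
        chunk = _xor(padded[i:i + BLOCK], keystream)
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        out += _xor(chunk, keystream)
        prev = chunk          # the chain is keyed by the *hidden* block, not the plaintext
    return bytes(out).rstrip(b"\x00")


def first_block_leak(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """XOR of two hidden passwords sent under the same secret and the same RA.

    Both first blocks were XORed with the identical keystream MD5(S || RA), so the
    result equals p_a[:16] XOR p_b[:16] and is computable without the secret. A
    client that reuses Request Authenticators therefore leaks password material;
    this is the kind of property that separates this scheme from a modern cipher.
    """
    return _xor(hidden_a[:BLOCK], hidden_b[:BLOCK])


if __name__ == "__main__":
    secret = b"shared-secret-between-NA-and-RADIUS"   # constructed
    ra = bytes(range(16))                               # constructed; real RAs must be random
    hidden = hide_password(b"correct horse battery staple", secret, ra)
    print(hidden.hex())
    print(reveal_password(hidden, secret, ra))
```

Running the block shows a 32-octet hidden value for a 28-octet password and its recovery with the same secret. The security of the exchange rests entirely on the shared secret's strength and on the Request Authenticator being unpredictable, which is why the brief recommends LDAP over TLS where MD5-based schemes are not acceptable.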
TACACS+ authentication server, or SMTP mail server via SSL, or connects to a network device using HTTPS, Network Advisor by default does not validate the remote system's certificate. This allows Network Advisor to communicate with network devices and authentication servers without the overhead of installing certificates on the Network Advisor server. Without validation, TLS still prevents passive eavesdropping, but an attacker who can intercept the connection can present a forged certificate, impersonate the switch or the authentication server, and capture the credentials Network Advisor sends.

For secure environments that require certificate validation, enable validation by selecting the Enable Certificate Validation check box in the Certificates category of the Server > Options dialog.

[Options dialog, Certificates category. Category list: Event Storage, Flyovers, Look and Feel, Performance Graph Styles, Product Improvement, SAN Display, SAN End Node Display, SAN Ethernet Loss Events, SAN Names, Security Misc, Server Backup, Syslog Registration, Trap Registration, Trap Forwarding Credentials, CLI Software Configuration, Certificates, Client Export Port, Client Server IP, IP Preferences, Memory Allocation, Product Communication, FTP SCP SFTP, Server Port, Support Mode. Text: "Use this option to enable or disable certificate validation and to import, view, and delete the truststore and keystore certificates." Enable certificate validation check box; Keystore Certificate; Truststore Certificates list with aliases such as addtrustclass1ca, addtrustexternalca, addtrustqualifiedca, aolrootca1, aolrootca2, baltimorecybertrustca]
ay be a firewall between the SMI-S client and the Network Advisor server. If so, the following TCP ports must be opened in the firewall to allow SMI-S traffic. The default ports are listed in Table 3.

Table 3: Default Port Numbers and Descriptions for an SMI-S Client Firewall

Port   Description
5988   SMI-S port when SSL is not used. Not recommended in a secure environment.
5989   SMI-S port when SSL is enabled.

The port numbers above are default values. You can change the SMI-S port during Brocade Network Advisor installation and in the Server Management Console. If the same firewall is used for Network Advisor clients and SMI-S clients, open the ports listed in both tables above.

Server to Network Firewall Settings

If a firewall exists between the Network Advisor server and the network devices, the following ports need to be opened (see Table 4).

Table 4: Default Port Numbers and Descriptions for a Server to Network Firewall

Service      Description
FTP          Used for file transfers such as firmware images, configuration backups, and supportsave data. Does not need to be opened if SCP/SFTP is used instead.
TFTP (UDP)   Used for file transfers to IP devices. Does not need to be opened if FTP, SCP, or SFTP is used instead.
HTTP         Used for managing SAN devices and by Element Managers for SAN and IP devices. Does not need to be opened if HTTPS is used instead.
SNMP         Used for performance monitoring and for configuring IP devices.
SNMP Traps   Sent from network devices to Brocade Network Advi
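The port tables (Table 2 for the client-server firewall, Table 3 for SMI-S clients, Table 4 for the server-to-network firewall, and the miscellaneous table) each carry "does not need to be opened if ..." conditions that depend on the choices made elsewhere in this brief. The following is an added example, not Brocade tooling, that turns those conditions into code: given the deployment choices, it lists the ports each firewall must pass, flags the choices the brief recommends against, and renders the result as nftables chains. Port numbers that appear in the tables are used as given; where the table in this copy of the brief lost a number, the IANA default is assumed and marked "(assumed)" in the rule comment. RADIUS is listed as UDP per RFC 2865 even though the SMC dialog labels its column "TCP Port".

```python
"""Firewall allow-list for a Network Advisor deployment, derived from the brief's port
tables and rendered as nftables rules.

Added example; not Brocade tooling. Ports marked "(assumed)" are IANA defaults
filled in where the table number was not available: HTTPS 443, FTP 20-21,
TFTP 69/udp, HTTP 80, SNMP 161/udp, traps 162/udp, SSH 22, Telnet 23,
syslog 514/udp, SMTP over SSL 465, LDAP over SSL 636.
"""
from dataclasses import dataclass
from typing import List, Tuple

Rule = Tuple[str, str, str, str]  # (zone, protocol, port or range, comment)


@dataclass(frozen=True)
class Deployment:
    secure_file_transfer: bool = True  # SCP/SFTP server configured (internal or external)
    https_only: bool = True            # HTTPS to SAN devices and Element Managers
    ssh_only: bool = True              # SSH rather than Telnet to IP devices
    http_redirect: bool = False        # keep the port 80 launch-page redirect
    smis_enabled: bool = False
    smis_ssl: bool = True
    remote_db_access: bool = False     # ODBC/JDBC from other hosts
    auth: str = "ldaps"                # local | radius | tacacs | ldap | ldaps
    email: bool = False
    smtp_ssl: bool = True


def client_rules(d: Deployment) -> List[Rule]:
    """Table 2 (and Table 3): ports the client-side firewall must pass to the server."""
    rules = [("client", "tcp", "443", "HTTPS client download and reports (443 assumed)"),
             ("client", "tcp", "24600-24617", "server communication ports: JNP, EJB, JMS, JMX, RMI")]
    if not d.secure_file_transfer:
        rules.append(("client", "tcp", "20-21", "FTP firmware import, only without SCP/SFTP"))
    if d.http_redirect:
        rules.append(("client", "tcp", "80", "HTTP to HTTPS launch-page redirect"))
    if d.smis_enabled:
        port, why = ("5989", "SMI-S with SSL") if d.smis_ssl else ("5988", "SMI-S without SSL")
        rules.append(("client", "tcp", port, why))
    return rules


def network_rules(d: Deployment) -> List[Rule]:
    """Table 4 plus the SNMP trap and syslog flows from the devices to the server."""
    rules = [("network", "udp", "161", "SNMP polling and IP device configuration (161 assumed)"),
             ("network", "udp", "162", "SNMP traps from devices (162 assumed)"),
             ("network", "udp", "514", "syslog from devices, no encryption available (514 assumed)"),
             ("network", "tcp", "443", "HTTPS to SAN devices and Element Managers (443 assumed)"),
             ("network", "tcp", "22", "SSH to IP devices; SCP/SFTP transfers also use 22 (assumed)")]
    if not d.https_only:
        rules.append(("network", "tcp", "80", "HTTP to SAN devices (80 assumed)"))
    if not d.ssh_only:
        rules.append(("network", "tcp", "23", "Telnet to IP devices (23 assumed)"))
    if not d.secure_file_transfer:
        rules += [("network", "tcp", "20-21", "FTP transfers (20-21 assumed)"),
                  ("network", "udp", "69", "TFTP transfers to IP devices (69 assumed)")]
    return rules


def misc_rules(d: Deployment) -> List[Rule]:
    """Miscellaneous table: authentication, mail and database ports."""
    auth = {"radius": ("udp", "1812-1813", "RADIUS authentication (1812) and accounting (1813)"),
            "tacacs": ("tcp", "49", "TACACS+"),
            "ldap": ("tcp", "389", "LDAP without SSL"),
            "ldaps": ("tcp", "636", "LDAP with SSL (636 assumed)")}
    rules = [("misc",) + auth[d.auth]] if d.auth in auth else []
    if d.email:
        rules.append(("misc", "tcp", "465" if d.smtp_ssl else "25",
                      "SMTP with SSL (465 assumed)" if d.smtp_ssl else "SMTP without SSL"))
    if d.remote_db_access:
        rules.append(("misc", "tcp", "5432", "ODBC/JDBC to the PostgreSQL database"))
    return rules


def all_rules(d: Deployment) -> List[Rule]:
    return client_rules(d) + network_rules(d) + misc_rules(d)


def insecure_choices(d: Deployment) -> List[str]:
    """The settings the brief recommends against, for the chosen deployment."""
    checks = [(not d.secure_file_transfer, "FTP/TFTP: images and configuration backups move in cleartext"),
              (not d.https_only, "HTTP to SAN devices: switch logins are not encrypted"),
              (not d.ssh_only, "Telnet to IP devices"),
              (d.smis_enabled and not d.smis_ssl, "SMI-S without SSL"),
              (d.auth in ("radius", "tacacs"), "RADIUS/TACACS+ password hiding is MD5-based (not NIST/FIPS approved)"),
              (d.auth == "ldap", "LDAP without SSL"),
              (d.email and not d.smtp_ssl, "SMTP without SSL"),
              (d.remote_db_access, "port 5432 reachable: change the dcmuser/dcmadmin defaults, keep dcmadmin local")]
    return [msg for bad, msg in checks if bad]


def render_nft(d: Deployment, table: str = "bna") -> str:
    """nftables text with one chain per zone; attach each chain to the matching interface."""
    out = [f"table inet {table} {{"]
    for zone in ("client", "network", "misc"):
        out.append(f"  chain {zone} {{")
        out += [f'    {proto} dport {ports} accept comment "{why}"'
                for z, proto, ports, why in all_rules(d) if z == zone]
        out.append("  }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nft(Deployment()))
```

The zones are deliberately not tied to interface names or directions, because the brief's Table 4 describes ports without saying which side initiates; on a server with two Ethernet interfaces as in Figure 12, attach the client chain to the client-facing interface and the network chain to the management interface.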
ccess to the database. By default, access from remote systems is disabled. See the Brocade Network Advisor Administration Guide for instructions on enabling remote access.

Brocade Network Advisor installs another database user name, dcmadmin, for its private use. This user name has read-write access to the database and should not be enabled for remote access. The default password for dcmadmin is "passw0rd", but it may be changed during Network Advisor installation. Database user names are only valid for connecting to the internal PostgreSQL database; they are not related to Network Advisor user names.

Note: The default database user names and passwords are not secret, so customers wishing to protect the Network Advisor database from unauthorized access are encouraged to change the default database passwords to something known only to the customer.

To change the database user passwords, click the Change Database Password button in the Services tab of the Network Advisor SMC. SMC prompts the user to provide valid Network Advisor login credentials. Once the user has entered their Network Advisor user name and password, SMC displays the Database Password dialog (see Figure 18).

[Database Password dialog: User Name dcmadmin (drop-down list); Old Password; New Password; Confirm New Password (values masked)]
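The text above makes two testable statements about the database accounts: remote access is disabled by default, and dcmadmin must never be reachable remotely. In PostgreSQL, which the brief identifies as the internal database, client access by role and source address is governed by the pg_hba.conf file, so an auditor can check both statements by reading that file. The following is an added example, not part of the brief or of Network Advisor, that parses pg_hba.conf entries and reports the ones that let dcmadmin connect from anywhere but the local machine, let dcmuser connect remotely, or let either role connect with the password-less "trust" method or over a hostnossl line. The sample file content is constructed; the database name "dcmdb" and the location of the file under the Network Advisor install directory are assumptions.

```python
"""Audit a PostgreSQL pg_hba.conf for remote access to the Network Advisor database roles.

Added example; not part of the brief or of Network Advisor. The sample below is
constructed, and the database name "dcmdb" is an assumption.
"""
import ipaddress
from typing import Dict, List, Optional

# dcmadmin is read-write and must stay local; dcmuser is read-only but still holds data.
ROLES = {"dcmadmin": "high", "dcmuser": "medium"}
HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_local(address: str, netmask: Optional[str]) -> bool:
    """True only for loopback entries; host names, 'all' and 'samenet' count as remote."""
    if address == "samehost":
        return True
    if address in ("all", "samenet"):
        return False
    try:
        net = ipaddress.ip_network(f"{address}/{netmask}" if netmask else address, strict=False)
    except ValueError:
        return False                  # a host name: cannot be proven local, treat as remote
    return net.is_loopback


def _parse_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one pg_hba.conf entry; both CIDR and 'address netmask' forms are handled."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    kind = fields[0]
    if kind == "local" and len(fields) >= 4:
        return {"type": kind, "db": fields[1], "user": fields[2],
                "address": "local", "netmask": None, "method": fields[3]}
    if kind not in HOST_TYPES or len(fields) < 5:
        return None
    entry = {"type": kind, "db": fields[1], "user": fields[2], "address": fields[3], "netmask": None}
    if len(fields) >= 6 and _is_ip(fields[4]):      # separate netmask column
        entry["netmask"], entry["method"] = fields[4], fields[5]
    else:
        entry["method"] = fields[4]
    return entry


def audit_pg_hba(text: str) -> List[Dict[str, object]]:
    """Return findings for entries that expose dcmadmin/dcmuser (or 'all' users) remotely."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        entry = _parse_entry(line)
        if entry is None or entry["type"] == "local":
            continue
        user = entry["user"]
        if user not in ROLES and user != "all":
            continue
        severity = ROLES.get(user, "high")          # 'all' includes dcmadmin
        remote = not _is_local(entry["address"], entry["netmask"])
        if remote:
            findings.append({"line": number, "user": user, "severity": severity,
                             "issue": f"remote access from {entry['address']}"})
        if entry["method"] == "trust":
            findings.append({"line": number, "user": user, "severity": "high",
                             "issue": "no password required (trust)"})
        if entry["type"] == "hostnossl" and remote:
            findings.append({"line": number, "user": user, "severity": "medium",
                             "issue": "cleartext connection (hostnossl)"})
    return findings


# Constructed sample: the first three host entries are the safe local defaults,
# the last three are the kinds of lines that remote-access enablement can leave behind.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       all                        peer
host    all       all       127.0.0.1/32     md5
host    all       all       ::1/128          md5
host    dcmdb     dcmuser   10.0.0.0/8       md5
host    all       dcmadmin  0.0.0.0/0        md5
hostnossl dcmdb   dcmuser   192.168.1.0  255.255.255.0  trust
"""

if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']}: [{f['severity']}] {f['user']}: {f['issue']}")
```

A clean result from this audit does not by itself make the database safe: the brief's point that the default passwords are public still applies to local connections, so changing the dcmuser and dcmadmin passwords through the SMC dialog remains the first step.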
configure the Network Advisor server with two Ethernet interfaces, one for client traffic and one for SAN management traffic. This provides better isolation of the server-to-switch traffic, as shown in Figure 12.

[Figure 12: Network Advisor server with two Ethernet interfaces]

In both configuration examples, the Network Advisor clients do not need connectivity to the network devices to run the embedded web-based Element Managers or to access the CLI. When an Element Manager is launched from within the Network Advisor client, the Network Advisor server acts as an HTTP or HTTPS proxy to forward Element Manager traffic between the client network and the management network. The Network Advisor server also provides a Telnet or SSH proxy for IP devices. If direct access from the client to the network device CLI is desired, a firewall may be used to allow Telnet or SSH traffic from the client to reach the network devices.

When the Network Advisor server has more than one IP address, the server must be configured to identify which IP address to use for client communication and which IP address to use for switch communication. During Brocade Network Advisor installation, the addresses are configured as part of the server configuration, as shown in Figure 13.

[Figure 13, first part: Network Advisor Configuration, Server IP Configuration step]
custom environments. The data that is accessible via SMI-S should be protected by encrypting the SMI-S client-server connection using SSL v3 or TLS v1. The SMI-S interface is optionally enabled during the Brocade Network Advisor installation. If the SMI-S option is selected, then Enable SSL should also be selected, as shown in the installation screen snapshot in Figure 7.

[Figure 7: Installation option to enable the SMI-S interface (SMI Agent). Network Advisor Configuration, SMI Agent Configuration: "Enable SMI Agent to enable SLP and configure HTTP or HTTPS connections between the SMI Agent and CIM Client." Check boxes: Enable SMI Agent, Enable SLP, Enable SSL; SMI Agent Port 5989. "You can change this configuration by selecting Server Management Console > Configure SMI Agent. You will not be able to use SMI Agent and SLP services if they are not enabled." Buttons: Cancel, Back, Next]

Although the option is labeled SSL, Brocade Network Advisor uses TLS if the SMI-S client supports TLS. SSL v3 has since been prohibited by the IETF (RFC 7568), so prefer SMI-S clients that negotiate TLS. The SSL option can also be set later in the Server Management Console.

SECURING NETWORK ADVISOR SERVER TO SWITCH COMMUNICATION

The Network Advisor server uses several protocols to communicate with the SAN and IP switches:

- HTTP or HTTPS for SAN device configuration
- Telnet or SSH for IP device configuration
- SNMP v1, v2c, or v3 for
[Figure 8, continued: Options dialog, Product Communication category. IP Products: "Use this option to configure connections between the Network Advisor Server and IP Products." CLI: SSH only / Telnet only / SSH then Telnet; SSH Port 22. File Transfer: SCP only / TFTP only / SCP then TFTP / TFTP then SCP. Web Element Manager: HTTPS / HTTPS then HTTP. Client Server IP: "Use this option to set the user preferred IP format for the Network Advisor to connect with the products"; User Preferred IP Format (SAN and Network OS products only); changes take effect at the next application restart. Buttons: OK, Cancel, Apply, Help]

Figure 8: Secure options for server-to-switch communication

The HTTPS option for SAN devices is in the first section of the dialog. This option applies to all fabrics and all switches, as well as to Element Managers that are launched from Brocade Network Advisor. There is no support for managing some SAN devices via HTTPS and others via HTTP. Of course, if Network Advisor is configured to u
e the server communication IP addresses.

[Figure 13: Network Advisor Server address configuration during installation. Server IP Configuration: the host name or address that clients use; Switch Server IP Configuration: Preferred Address, example 10.24.49.135. Note in the dialog: "If DNS is not configured in your network, do not choose hostname for the Server IP Configuration." Buttons: Cancel, Back, Next]

The first selection of address or hostname is the address that Network Advisor clients use to reach the Network Advisor server. The second address is the address the server uses to reach the network devices. Network devices are automatically configured to send SNMP traps and syslog messages to the second address. Both IPv4 and IPv6 addresses are supported. The same address may be used for both purposes, but if the Network Advisor server has two separate Ethernet interfaces, it is best to use one address from each interface to separate the traffic.

You can modify the server IP address selections later. In the Network Advisor client, select Options from the Server menu and then select Client Server IP from the category list. The current IP address selections display and can be modified. Changes do not take effect until you restart the Network Advisor server.

Client Server Firewall Settings

A firewall may be present between the Network Advisor client and server to protect the server's network from unauthorized applications. If so, several TCP ports must be opened in the firewal
ed certificate or import an existing certificate from a file. The file must be in PKCS#12 format and contain both a private and a public key. The private key in such files is usually encrypted with a password; if so, the user must enter the password for the private key when importing the certificate.

Keystore and Truststore Passwords

The keystore and truststore are files installed in these folders in Brocade Network Advisor:

- Keystore: <install dir>/conf/security/keystore.jks
- Truststore: <install dir>/conf/security/truststore.jks

The files are password-protected: the store password guards the integrity of each JKS file, and private key entries in the keystore are additionally encrypted. The default password for both files is "passw0rd". In secure environments, it is strongly recommended to change the keystore and truststore passwords to something known only to the user.

To change the keystore password, select Change Password from the Keystore Certificate drop-down list in the Certificates page of the Options dialog. To change the truststore password, click the Password button next to the list of truststore certificates. Both actions display similar dialogs for changing the password (see Figure 17).

[Figure 17: Truststore Password dialog. Old Password; New Password; Confirm New Password (values masked); OK, Cancel, Help]

SERVER DATA STORAGE

The Network Advisor server
Figure 18: Database Password dialog

The User Name drop-down list allows you to change the password for either dcmuser or dcmadmin.

SUMMARY

Brocade Network Advisor provides simple facilities for protecting the customer's management data at all stages: client user access, client-server communication, server-to-device communication, and server storage.

2013 Brocade Communications Systems, Inc. All Rights Reserved. GA-TB-475-00 08/13
Table: Default Port Numbers and Descriptions for Miscellaneous Firewall Ports

Port            Description
25              SMTP. Brocade Network Advisor uses this port to contact an external SMTP server when sending e-mail notifications without SSL.
49              TACACS+. Network Advisor uses this port when contacting a remote TACACS+ server when TACACS+ is configured for user authentication.
389             LDAP. Network Advisor uses this port when contacting a remote LDAP server when LDAP without SSL is configured for user authentication.
(not shown)     SMTP with SSL. Network Advisor uses this port to contact an external SMTP server when sending e-mail notifications with SSL.
(not shown)     LDAP with SSL. Network Advisor uses this port when contacting a remote LDAP server when LDAP with SSL is configured for user authentication.
1812 and 1813   RADIUS. Network Advisor uses these ports when contacting a remote RADIUS server when RADIUS is configured for user authentication. Port 1812 is used for authentication and port 1813 for accounting.
5432            Open Database Connectivity (ODBC). Remote systems may contact the Network Advisor server on this port when reading the Network Advisor database directly.

The port numbers above are default values. You can change most port numbers within Brocade Network Advisor. Port 5432 only needs to be opened if remote database access has deliberately been enabled; if it is, change the default dcmuser and dcmadmin passwords first.

NETWORK ADVISOR CERTIFICATES

Truststore Certificates

Brocade Network Advisor does not use the operating system's certificate cache. Network Advisor maintains its own truststore of trusted certificates. When Network Advisor connects to a remote server, such as a
ess restrictions
- Protect server-to-device communication via encryption and authentication

NOTE: The term B-Series is used in this paper to reference SAN switches running Brocade Fabric OS (FOS).

USER ACCESS CONTROL

When the Network Advisor client is launched, the Network Advisor Log In dialog box displays.

[Figure 1: Network Advisor 12.0.2 Log In dialog box. "Enter User ID and Password to log onto the server." Network Address 10.24.49.135 (with Delete button); User ID Administrator; Password (masked); Save password check box; status: Server Available]

The user enters a user name and password and clicks Login. The Network Advisor client forwards the user name and password to the Network Advisor server, which validates them using the methods described in the following section on Authentication and returns authorization information to the client.

As shown in Figure 1, by default Brocade Network Advisor allows users to save their password to accelerate login on clients where the OS login may be sufficient. A saved password is stored on the client workstation, so anyone who can use that OS account can log in to Network Advisor as that user. In secure environments, you can remove the Save password option by following these steps:

1. Open the Server > Options dialog and select the Security Misc category.
2. Change the Login Security selection to "Do not allow clients to save passwords on login".
for HTTPS, EJB, and JMS connections was optional in Brocade Network Advisor versions earlier than 12.0, but it is now required and cannot be disabled. The specific cipher suite used for TLS client-server communication is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. TLS 1.0 has since been deprecated by the IETF (RFC 8996), so for a new deployment confirm which TLS versions and cipher suites the release you install actually negotiates.

Brocade Network Advisor uses FTP, SCP, or SFTP to import firmware images from the client to the server. The specific protocol depends on the Network Advisor server settings. The supported protocols are selected when Network Advisor is installed, and they may be changed via the Server > Options dialog. You can also configure external servers instead of the provided internal servers. SCP and SFTP are secure: the firmware image is encrypted during transfer. FTP is not secure, but the Brocade firmware images are publicly available, so confidentiality in this case is not a concern. That argument covers confidentiality only; an image transferred in cleartext can also be altered in transit, so a secure transport is still worth preferring. If corporate policies require a secure transfer instead of FTP, make sure that either the internal SCP/SFTP server is enabled on the Network Advisor server or that an external SCP or SFTP server is configured. The firmware import feature uses a secure transport if one is available (SCP or SFTP) and uses FTP if only FTP is available.

SECURING SMI-S COMMUNICATION

The Network Advisor server includes a Storage Management Initiative Specification (SMI-S) interface for access to the Network Advisor data. The Network Advisor client does not use the SMI-S interface, but customers may incorporate an SMI-S client into their
[Truststore Certificates list, continued: Alias Name, Issued To, and Issued By columns. The default truststore is pre-populated with public root CA certificates, including AddTrust, America Online, Baltimore CyberTrust, Camerfirma Chambers of Commerce, Certplus Class 2 and Class 3P Primary, Certum, Comodo AAA, Deutsche Telekom, DigiCert Assured ID, Global Root and High Assurance, and Entrust.net and Entrust Root certificates. A switch or authentication server with a self-signed or private-CA certificate will not validate unless its issuer is imported here.]
l to allow traffic between the client and server. The default ports are listed below.

Table 2: Default Port Numbers and Descriptions for a Client Server Firewall

Port         Description
20, 21       FTP. Only used for importing firmware images if no secure transport (SCP or SFTP) is enabled on the Network Advisor server.
80           HTTP web server port. Only used as a convenience to redirect HTTP launch page requests to HTTPS. Port 80 does not need to be opened if https is always included in the URLs used to launch the Network Advisor client.
(not shown)  HTTPS web server port, for downloading the Network Advisor client and viewing web-based reports.
24600        JNP (Java Naming Protocol) for service location.
24601        EJB connection port.
24602        JMS connection port.
24603        JMX (Java Management Extensions) port for JMS control messages.
24604        RMI (Remote Method Invocation) Naming Service.
24605        RMI/JRMP (Java Remote Method Protocol) Invoker port.

Ports 24600-24617 are sometimes referred to collectively as the Network Advisor server communication ports. The port numbers listed above are default values. You can modify most port numbers during installation or later in the Server > Options dialog. Port number 80 for HTTP redirection cannot be customized, but it can be disabled on the Network Advisor server.

SMI-S Client Firewall Settings

In environments using an SMI-S client, there m
25. loying Brocade Network Advisor in a Secure Environment 5 of 22 DATA CENTER TECHNICAL BRIEF Authorization Once a user is authenticated Brocade Network Advisor then authorizes the user to access certain features using RBAC You can obtain authorization from several sources as shown in Table 1 Table 1 Authorization Sources Authentication Source Authorization Sources RADIUS TACACS Remote RADIUS or TACACS server or local Network Advisor database LDAP Remote LDAP server s user entry remote LDAP server s user group membership or local Network Advisor database Local Network Advisor database Brocade Switch Windows Local Network Advisor database Domain or LINUX OS When using a remote RADIUS TACACS or LDAP server you can obtain authorization from the same server that is used for authentication An administrator configures a list of Brocade Network Advisor role names and a list of Network Advisor Area of Responsibility AOR names as vendor specific attributes in the user name entry on the authentication authorization server When using LDAP the administrator may instead associate Brocade Network Advisor roles and AORs to one or more LDAP group names The administrator adds roles and AORs to LDAP group names in the Network Advisor Users dialog on the LDAP Authorization tab The associations are stored in Network Advisor s local database After the user is authenticated Network Advisor queries the LDAP server for the group
26. n Brocade switch Brocade Network Advisor can delegate the user authentication to a Brocade switch The user is considered authenticated if Network Advisor can successfully log in to the switch with the given user name and password The switch itself may use RADIUS a local database or any other authentication method supported by the switch This method is only secure when encrypting server to switch communication as described in the section on Securing Network Advisor Server to Switch Communication below Local Brocade Network Advisor database Brocade Network Advisor provides its own authentication service using a set of configured user names and passwords in the Network Advisor server s SQL database The user passwords are encrypted when stored in the database Windows Domain This option is available when the Network Advisor server is running on Microsoft Windows Network Advisor authenticates the user with the underlying Microsoft Windows OS The Windows OS contacts an Active Directory server running on the Windows Domain Controller for a user configured domain name This is the same secure user authentication that is used when logging in to Windows Linux local etc passwd file based Network Information System NIS and NIS These options are available when the Network Advisor server is running on Linux For local file based authentication only password hashes are stored and compared using Unix CRYPT or MD5 hashes For NIS and NIS
27. omize the predefined default options Deploying Brocade Network Advisor in a Secure Environment 6 of 22 DATA CENTER TECHNICAL BRIEF RBAC is configured via the Users tab of the Network Advisor Users Dialog which is launched in the Network Advisor client from the Server gt Users menu item or the Users icon in the toolbar The dialog image in Figure 3 shows the default predefined roles and AORs the default Administrator user and one added user Users Policy LDAP Authorization Authentication Primary Local Database Secondary None Authorization Local Database Users UserID Ful Name Roles Area Of Respon E mail Notification Account Enabled Policy Violations Account State Administrator SAN System Ad All Hosts All Fab No Yes No Active Joe Joe Smith Operator All IP Products No Yes No Active Add En a Roles AOR Name gt Description Name Description Host Administrator Host Administrator Role All Fabrics All Fabrics from My SAN IP System Administrator IP System Administrator Role All Hosts All Hosts Network Administrator Network Administrator Role All IP Products All IP Products from My IP Network Operator Operator Role Report User Group Report User Group Role SAN System Administrator SAN System Administrator Role Security Administrator Security Administrator Role Security Officer Security Officer Role Zone Administrator Zone Administrator Role E mail Event N
28. on to identify the Network Advisor server The Network Advisor certificate contains a private key as well as a public key and is kept in a keystore The Network Advisor client always validates the Network Advisor server s certificate regardless of the server s Enable Certificate Validation setting The first time the client is launched the user may receive several requests to trust the self signed certificate one from the browser one from webstart and one from the Network Advisor client itself Each of these have their own store of trusted certificates Selecting the option to always trust this source or similar wording adds the certificate to the trusted store so the message is not repeated In secure environments a self signed certificate may not be sufficient USers may want to use a certificate issued by their company for example This is easily done by selecting Replace from the Keystore Certificate drop down list in the Certificates page of the Options dialog The Replace action displays the Replace Keystore Certificate dialog See Figure 16 Replace Keystore Certificate X Replace the current keystore certificate with one of the following _ Anew self signed certificate Certificate File Ic TempinewNetyworkAdvisorCertiticate pi Browse Password eecccccccces Cancel Help Figure 16 Importing a certificate into the Network Advisor keystore The user may create a new self sign
29. ork Advisor see Figure 10 bY Add Host Adapters E Discovery Request Name Internal web servers Network Address v Add Host List srv 144 x acme com Remove srv 154 tu acme com srv 164 jvv acme com Import Contact C HCM agent 8 CIM server ESXi only Protocol HTTPS w Port 59689 User ID Admin Password TTT OK Cancel Help Figure 10 Add Host Adapters dialog Brocade Network Advisor also communicates with configured VMware vCenter servers to discover and manage virtual machines This communication is always performed over SSL No user action is required to make this connection secure Deploying Brocade Network Advisor in a Secure Environment 14 of 22 DATA CENTER TECHNICAL BRIEF FIREWALL SETTINGS Network Advisor Server to Network Configurations The management network connecting the Network Advisor server to the network devices is often a local network that is physically protected against unauthorized access When this is the case the best way to protect management traffic is to simply isolate the management network from outside access Some common configurations are shown in Figure 11 Network Advisor Network Advisor clients server Firewall Network devices Figure 11 Network Advisor server with single Ethernet interface As shown in Figure 11 above you can configure the firewall to provide access to the Network Advisor server s IP address but not to the network devices You can
30. ot Certi Import Password Cancel Apply Help Figure 14 Certificates page in the Options dialog Brocade Network Advisor provides a default set of trusted certificate authorities in the truststore If the remote certificate to be validated was issued by a well known Certificate Authority such as Verisign or Thawte no further action is needed If the remote certificate is issued by an unknown authority then the certificate or one of the parent certificates in the certificate chain must be imported into Brocade Network Advisor s truststore For network devices for example it may be necessary to export the device s certificate to a file using the device s CLI To import the certificate into Network Advisor s truststore click the Import button next to the list of truststore certificates enter the file name of the certificate and an alias to name the certificate and click OK see Figure 15 Ve Import Truststore Certificate E Provide a path to a certificate file and choose an alias name to be used in the truststore Certificate File iC Tempismtp cer Browse Alias Name SMTPServer Figure 15 Importing a certificate into the Network Advisor truststore The imported file must be in X 509 or PKCS 7 format Deploying Brocade Network Advisor in a Secure Environment 19 of 22 DATA CENTER TECHNICAL BRIEF Keystore Certificate Brocade Network Advisor creates a self signed certificate during installati
31. otification Setup Figure 3 Users dialog The default Administrator user may be deleted as long as there is at least one other user defined with permission to create new users Some secure environments may require the default user name to be removed while others may require only that the default password is changed Deploying Brocade Network Advisor in a Secure Environment T of 22 DATA CENTER TECHNICAL BRIEF Each role contains multiple privileges Each privilege refers to a feature within Brocade Network Advisor Administrators may add new roles or edit existing roles by clicking the Add Edit or Duplicate buttons underneath the Roles list in the Users dialog These buttons display the Role dialog as shown in Figure 4 s Edit Role Fr Name Hast Administrator Description Host Administrator Role Assign the necessary access permission to this role Available Privileges Ke Active Session Management Read amp Write y Call Home 3 Y Configuration Management Y DCB Management oy E mail Event Notification Setup vy Element Manager Y Element Manager Product Administration y Event Management Fabric Watch y Fault Management Y FCoE Management y Firmware Management Read Only IP Address Finder Q P cu Y Certificate Management Y Host Adapter Management wy Performance 4 Policy Monitor vy Properties Edit Y Reports vy SAN Discover Setup Y SAN Port Mapping Host IP CLI
32. s to which the user belongs Network Advisor looks up the group names in its local database to find the user s roles and AORs If the user belongs to multiple groups the permissions for all groups are merged The final option using Brocade Network Advisor s local database for authorization is available for any authentication method The administrator adds the user name to the local Network Advisor user database and assigns appropriate roles and AORs via the Network Advisor Users dialog If the local database is not being used also for authentication no password is needed in the local database The choice of authorization method is made via the Authorization Preference option in the AAA Settings tab shown in Figure 2 If no authorization settings are found for a user the user is not allowed to log in even if the user was authenticated successfully RBAC Each Brocade Network Advisor user must be assigned at least one role and at least one Area of Responsibility AOR The role determines which Network Advisor features are made available to the user Typical roles are Network Administrator Zoning Administrator Operator and so forth The AOR determines which devices the user is allowed to manage Typical AORs might be Data Center 2 Wireless Controllers Corporate Servers Backbone fabric and so on Network Advisor provides very flexible fine grained access control via roles and AORs Administrators may define new roles and AORs or cust
33. se HTTPS all the SAN switches must be configured to support HTTPS as well To enable secure file transfers to and from SAN devices enable an internal or external SCP SFITP server in the FTP SCP SFITP category of the Options dialog and enable SCP or SFTP on the SAN devices Brocade Network Advisor automatically uses the more secure SCP or SFIP if it is available The secure options for IP devices are in the second section of the Product Communication category as shown in Figure 8 SSH SCP and HTTPS for Element Managers are set separately For the most secure settings select only SSH SCP and HTTPS The X then Y options allow for a mix of Secure and non secure IP devices Brocade Network Advisor tries the X protocol first but if the device does not support X Network Advisor falls back to using Y The SNMPv3 option for SAN devices is initially set for an entire fabric when discovering the fabric via a seed switch but you can change this option later for individual switches if needed In the IP Address tab of the Add Fabric Discovery dialog select Manual SNMP Configuration Then in the SNMP tab enter the SNMPv3 credentials as shown in Figure 9 Ve Add Fabric Discovery _ IP Address SNMP Target Port Time out sec 5 Retries 3 SNMP Version y3 v Presets _ Configure for Intrepid 10K User Name snmpadmint Context Name Auth Protocol HMAC CHA v Auth Password egeeeeeeee Priv Protocol CFB_AES 1
34. sor for event notification Deploying Brocade Network Advisor in a Secure Environment 17 of 22 DATA CENTER TECHNICAL BRIEF 443 HTTPS Used for managing SAN devices and by Element Managers for SAN and IP devices Does not need to be opened if HTTP is used instead 514 UDP Syslog Sent from network devices to Network Advisor for event notification 6343 UDP sFlow Sent from network devices to Network Advisor for performance monitoring on IP devices 24606 24607 CIM Indications Sent from managed hosts to Network Advisor server for event notification 34568 HCM agent discovery Used for managing Brocade adapters The port numbers above are default values You can modify most port numbers during installation or later in the Server gt Options dialog All ports above are TCP ports unless marked as UDP ports TFTP should be avoided in a firewall environment If the firewall is not TFTP aware all UDP ephemeral ports must be opened for server to network devices since the TFTP server in Brocade Network Advisor can respond to a network device s TFTP request from any ephemeral port Ephemeral ports are typically all ports above 3276 7 but can include ports above 4095 on Linux systems Of course in a secure environment you should not use TFTP Miscellaneous Firewall Settings If a firewall exists between the Network Advisor server and other management systems you may need to open the following TCP ports see Table 5 Table 5 D
35. t dP Address Fabric A E amp Fabrics Z Fabric B 10 24 48 177 EI Hosts amp IP Products Cancel Help Figure 5 AOR dialog Brocade Network Advisor provides three default AORs All Fabrics All Hosts and All IP Products These default AORs cannot be edited or deleted Multiple AORs may be assigned to the same user the set of visible devices is the union of all the AORs Note that newly discovered fabrics IP products and hosts are not visible to a user unless they have All Fabrics All IP Products or All Hosts in their AOR list or unless the new items are explicitly added to the user s AORs Deploying Brocade Network Advisor in a Secure Environment 9 of 22 DATA CENTER TECHNICAL BRIEF Password Policies When using the Brocade Network Advisor local database for authentication it is a good practice to require strong passwords Since the definition of strong varies with customer environments Network Advisor provides a flexible set of constraints that passwords must meet The set of constraints is called the password policy and you can view and edit it in the Policy tab of the Users dialog as shown in Figure 6 Users Policy LDAP Authorization Password Expiration Password Age 30 Days 0 999 Warning Period 10 aE Days 0 998 Password History History Count 1 l Passwords 1 24 Password Format Empty Password 1 Allow Minimum Length 8 4 127 Upper
36. up server if the first server does not respond If a server resoonds even with a user rejected response later servers are not contacted Administrators can select the Brocade Network Advisor local database as a secondary authentication method to use if the primary authentication fails The Fail Over Option determines whether the secondary authentication is used only when the primary authentication servers are not reachable or also when the user is not known to the primary authentication servers All remote authentication methods provide network privacy for user passwords through encryption RADIUS TACACS and Windows Domain authentication guarantee the identity of the remote server either via a shared secret or a prior certificate exchange Brocade Network Advisor does not verify the identity of LDAP servers or Brocade switches which makes it theoretically possible for someone with the proper network access to substitute an alternate LDAP server or Brocade switch using the same IP address as the intended server or switch to provide false authentication information Therefore LDAP and switch based authentication are considered less secure but may still be sufficient for many cases The Brocade Network Advisor user names may be the same user names that are used to log in to Windows or Linux or network devices but it is not necessary for them to be the same Network Advisor authentication is independent of any other user authentication Dep
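The fail-over behaviour described in the authentication section (backup servers are only contacted when the first does not respond, any answer including a rejection ends the search, and the secondary local database is used according to the Fail Over Option) is easy to get wrong when reasoning about which server actually decided a login. The following is an added example that models those rules; it is not Brocade code. The servers are constructed stand-ins for RADIUS/TACACS+/LDAP, and the UNKNOWN_USER reply is an assumption that a remote server reports an unknown user distinctly from bad credentials.

```python
"""Authentication fail-over decision logic, modelled on the behaviour this brief
describes for Brocade Network Advisor.  Added example, not Brocade code: the
servers here are constructed stand-ins for RADIUS/TACACS+/LDAP, and the
UNKNOWN_USER reply is an assumption that the remote server reports an unknown
user distinctly from bad credentials."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"              # user known, credentials wrong
    UNKNOWN_USER = "unknown_user"  # assumption: server distinguishes unknown users


class FailOver(Enum):
    """The two settings of the Fail Over Option described in the brief."""
    UNREACHABLE_ONLY = "unreachable_only"
    UNREACHABLE_OR_UNKNOWN = "unreachable_or_unknown"


# A server is a callable (user, password) -> Reply, or None when it does not respond.
AuthServer = Callable[[str, str], Optional[Reply]]


@dataclass
class AuthConfig:
    primary: list[AuthServer]                      # tried in order
    secondary: Optional[AuthServer] = None         # the local database, if enabled
    fail_over: FailOver = FailOver.UNREACHABLE_ONLY


def make_server(users: dict[str, str], reachable: bool = True) -> AuthServer:
    """Constructed simulated server (test data, not a real protocol client)."""
    def server(user: str, password: str) -> Optional[Reply]:
        if not reachable:
            return None
        if user not in users:
            return Reply.UNKNOWN_USER
        return Reply.ACCEPT if users[user] == password else Reply.REJECT
    return server


def authenticate(cfg: AuthConfig, user: str, password: str) -> tuple[bool, str]:
    """Return (accepted, deciding source).  Source is "primary[i]", "secondary",
    or "none" when no server was able to decide."""
    for idx, server in enumerate(cfg.primary):
        reply = server(user, password)
        if reply is None:
            continue                      # no response: contact the backup server
        # Any response, even a rejection, stops the search through later servers.
        if reply is Reply.ACCEPT:
            return True, f"primary[{idx}]"
        if (reply is Reply.UNKNOWN_USER and cfg.secondary is not None
                and cfg.fail_over is FailOver.UNREACHABLE_OR_UNKNOWN):
            return _try_secondary(cfg, user, password)
        return False, f"primary[{idx}]"   # known user rejected, or fail-over not allowed
    # Every primary server was unreachable.
    if cfg.secondary is None:
        return False, "none"
    return _try_secondary(cfg, user, password)


def _try_secondary(cfg: AuthConfig, user: str, password: str) -> tuple[bool, str]:
    reply = cfg.secondary(user, password)
    return reply is Reply.ACCEPT, "secondary"


if __name__ == "__main__":
    # Two RADIUS stand-ins (the first one down) plus the local database as secondary.
    cfg = AuthConfig(
        primary=[make_server({"alice": "pw1"}, reachable=False),
                 make_server({"alice": "pw1"})],
        secondary=make_server({"alice": "localpw", "bob": "pw2"}),
        fail_over=FailOver.UNREACHABLE_ONLY,
    )
    print(authenticate(cfg, "alice", "pw1"))   # (True, 'primary[1]')
    print(authenticate(cfg, "bob", "pw2"))     # (False, 'primary[1]'): no fail-over for unknown users
```

The point worth noticing is the difference between the two Fail Over settings: with UNREACHABLE_ONLY, a user who exists only in the local database is rejected as soon as any primary server answers, whereas UNREACHABLE_OR_UNKNOWN lets that user through via the secondary database. In neither setting does a wrong password for a user the primary server knows fall back to the local database.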
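The authorization and RBAC sections above set out four rules that together decide what a logged-in user can see and do: roles and AORs from every LDAP group the user belongs to are merged; a user with no roles or no AORs is refused even after successful authentication; the visible device set is the union of the user's AORs; and only the default All Fabrics, All Hosts and All IP Products AORs automatically include newly discovered devices. The following is an added example that implements those rules as a small authorization model; it is not Brocade code. The roles, privilege assignments, LDAP groups and inventory are constructed, and treating a Read & Write grant as overriding a Read Only grant for the same privilege when roles are merged is an assumption.

```python
"""Role and AOR resolution, modelled on the rules the brief gives for Brocade
Network Advisor.  Added example, not Brocade code; the role, privilege, group
and inventory data are constructed, and "strongest access wins" when merging
roles is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2


@dataclass(frozen=True)
class Device:
    name: str
    kind: str        # "fabric", "host" or "ip_product"


# The three default AORs, which cannot be edited or deleted, select by device kind.
DEFAULT_AORS = {"All Fabrics": "fabric", "All Hosts": "host", "All IP Products": "ip_product"}


class AuthzDatabase:
    """Local Network Advisor-style authorization data (constructed)."""

    def __init__(self, roles, aors, groups):
        self.roles = roles      # role name -> {privilege name: Access}
        self.aors = aors        # explicit AOR name -> set of device names (static)
        self.groups = groups    # LDAP group name -> (set of role names, set of AOR names)

    def resolve(self, user_groups: list[str]) -> tuple[set[str], set[str]]:
        """Merge the roles and AORs of every group the user belongs to.
        Raises PermissionError when nothing is found, mirroring the login denial."""
        roles: set[str] = set()
        aors: set[str] = set()
        for group in user_groups:
            if group in self.groups:
                group_roles, group_aors = self.groups[group]
                roles |= group_roles
                aors |= group_aors
        if not roles or not aors:
            raise PermissionError("no authorization settings found for user; login denied")
        return roles, aors

    def privileges(self, role_names: set[str]) -> dict[str, Access]:
        """Merge privileges across roles; the strongest access level wins (assumption)."""
        merged: dict[str, Access] = {}
        for role in role_names:
            for priv, level in self.roles[role].items():
                merged[priv] = max(merged.get(priv, Access.NONE), level)
        return merged

    def visible_devices(self, aor_names: set[str], inventory: list[Device]) -> set[str]:
        """Union of all AORs.  Default AORs follow the live inventory; explicit AORs
        only ever contain the devices that were added to them."""
        visible: set[str] = set()
        for aor in aor_names:
            if aor in DEFAULT_AORS:
                visible |= {d.name for d in inventory if d.kind == DEFAULT_AORS[aor]}
            else:
                visible |= {d.name for d in inventory if d.name in self.aors[aor]}
        return visible


def build_sample_db() -> AuthzDatabase:
    """Constructed sample: two roles, one explicit AOR, two LDAP groups."""
    roles = {
        "Operator": {"Reports": Access.READ_ONLY, "Configuration Management": Access.READ_ONLY},
        "Zone Administrator": {"Configuration Management": Access.READ_WRITE},
    }
    aors = {"Fabric B Only": {"Fabric B"}}
    groups = {
        "sanops": ({"Operator"}, {"Fabric B Only"}),
        "sanadmins": ({"Zone Administrator"}, {"All Fabrics"}),
    }
    return AuthzDatabase(roles, aors, groups)


def can_edit(db: AuthzDatabase, user_groups: list[str], privilege: str) -> bool:
    """True only if a merged role grants Read & Write on the privilege."""
    roles, _ = db.resolve(user_groups)
    return db.privileges(roles).get(privilege, Access.NONE) == Access.READ_WRITE


if __name__ == "__main__":
    db = build_sample_db()
    inventory = [Device("Fabric A", "fabric"), Device("Fabric B", "fabric"), Device("srv-1", "host")]
    inventory.append(Device("Fabric C", "fabric"))   # newly discovered fabric
    for groups in (["sanops"], ["sanops", "sanadmins"]):
        roles, aors = db.resolve(groups)
        print(groups, sorted(db.visible_devices(aors, inventory)), db.privileges(roles))
```

Running the sample shows the behaviour the brief warns about: a user whose only AOR is the explicit "Fabric B Only" never sees the newly discovered Fabric C, while a user who also carries All Fabrics through a second group sees it immediately, and that same user's Configuration Management privilege is upgraded to Read & Write by the merge.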
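The Password Policies section describes the constraints shown in Figure 6 (password age and warning period, history count, whether an empty password is allowed, minimum length) without spelling out how they combine at password-change time. The following is an added example that enforces such a policy, including the two parts that are easy to miss: a password that repeats one of the remembered previous passwords is rejected, and the warning period is counted back from the expiry date. It is not Brocade code: the per-character-class minimums are an assumption about what the cut-off part of the figure configures, and hashing the history with salted PBKDF2 is this example's choice, not a statement about how Network Advisor stores password history.

```python
"""Password policy enforcement modelled on the Policy tab shown in Figure 6.
Added example, not Brocade code.  The character-class minimums are an
assumption; salted PBKDF2 for the history is this example's choice."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    password_age_days: int = 30    # dialog range 0-999; 0 means passwords never expire
    warning_period_days: int = 10  # dialog range 0-998
    history_count: int = 1         # dialog range 1-24 remembered passwords
    allow_empty: bool = False      # "Empty Password: Allow" in the dialog
    minimum_length: int = 8        # dialog range 4-127
    min_upper: int = 1             # assumption
    min_lower: int = 1             # assumption
    min_digits: int = 1            # assumption
    min_special: int = 0           # assumption


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def check_password(policy: PasswordPolicy, candidate: str,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of violated constraints; an empty list means accepted.
    history holds (salt, digest) pairs of previous passwords, newest first."""
    if candidate == "":
        return [] if policy.allow_empty else ["empty password not allowed"]
    violations: list[str] = []
    if len(candidate) < policy.minimum_length:
        violations.append(f"shorter than minimum length {policy.minimum_length}")
    classes = {
        "uppercase": (policy.min_upper, sum(c.isupper() for c in candidate)),
        "lowercase": (policy.min_lower, sum(c.islower() for c in candidate)),
        "digit": (policy.min_digits, sum(c.isdigit() for c in candidate)),
        "special": (policy.min_special, sum(not c.isalnum() for c in candidate)),
    }
    for name, (required, found) in classes.items():
        if found < required:
            violations.append(f"needs at least {required} {name} character(s)")
    # History check: only the most recent history_count entries count.
    for salt, digest in history[: policy.history_count]:
        if _digest(candidate, salt) == digest:
            violations.append(f"matches one of the last {policy.history_count} password(s)")
            break
    return violations


def record_password(policy: PasswordPolicy, history: list[tuple[bytes, bytes]],
                    password: str) -> None:
    """Push a new salted digest onto the history and trim it to history_count."""
    salt = os.urandom(16)
    history.insert(0, (salt, _digest(password, salt)))
    del history[policy.history_count:]


def _as_date(value) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def expiry_state(policy: PasswordPolicy, last_changed, today) -> str:
    """'ok', 'warning' (inside the warning period) or 'expired'.
    Dates may be date objects or ISO strings."""
    if policy.password_age_days == 0:
        return "ok"
    expires = _as_date(last_changed) + timedelta(days=policy.password_age_days)
    today = _as_date(today)
    if today >= expires:
        return "expired"
    if today >= expires - timedelta(days=policy.warning_period_days):
        return "warning"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    history: list[tuple[bytes, bytes]] = []
    record_password(policy, history, "Summer2024")
    print(check_password(policy, "Summer2024", history))   # ['matches one of the last 1 password(s)']
    print(expiry_state(policy, "2024-01-01", "2024-01-22"))  # warning
```

With the dialog's defaults (age 30, warning 10, history 1) a password set on 1 January enters its warning period on 21 January and expires on 31 January; raising history_count is what stops users from alternating between two passwords, which the default of 1 allows.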
