Like IP infrastructure, the storage infrastructure must be protected from security threats such as denial-of-service (DoS) and malware attacks. In addition, elevation of privilege can occur if a guest account is not managed properly. These security risks can result in data being stolen or corrupted and in applications not functioning properly. Because of its broad capabilities, the storage infrastructure raises unique security considerations that must be addressed when you deploy it in your network. The Cisco MDS 9000 NX-OS software supports advanced security features that provide security within a storage-area network (SAN). These features protect your network against deliberate or unintentional disruptions from internal or external threats.
This chapter discusses the following key topics:
Authentication, Authorization, and Accounting (AAA): This section discusses the concepts of authentication, authorization, and accounting. Later in this section, we discuss server groups, server monitoring, remote and local AAA services, server distribution using CFS, and implications of merging RADIUS and TACACS+ configurations.
User Accounts and RBAC: This section discusses user roles, rules, and policies related to user roles, along with RBAC sample configuration.
Port Security: This section discusses port security configuration and verification.
Fabric Binding: This section discusses fabric binding configuration and verification. Later in this section, we compare port security with fabric binding features.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 20-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”
Table 20-1 “Do I Know This Already?” Section-to-Question Mapping
Caution
The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.
1. Which of the following statements are INCORRECT regarding TACACS+? (Choose two answers.)
a. TACACS+ uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.
b. TACACS+ provides independent, modular AAA facilities. Authorization can be done without authentication.
c. TACACS+ encrypts passwords only.
d. TACACS+ is an open protocol supported by multiple vendors.
2. The LDAP client/server protocol uses which TCP port number for transport requirements?
a. 2003
b. 1812
c. 389
d. 49
3. Which of the following statements are CORRECT regarding user roles on Cisco MDS 9000 Series Switches? (Choose two answers.)
a. User roles contain rules that define the operations allowed for the user who is assigned the role.
b. Each user role can contain multiple rules, but each user cannot have multiple roles.
c. Up to 16 rules can be configured for each role.
d. User roles cannot be used to create VSAN administrators.
4. Which of the following statements are TRUE regarding the port security feature? (Choose two answers.)
a. Port security binds the fabric at the switch level.
b. Port security requires activation on a per-VSAN basis.
c. Port security cannot be distributed by CFS.
d. Port security uses pWWNs/nWWNs or fWWNs/sWWNs.
5. Port security can be configured using which of the following methods? (Choose three answers.)
a. Manual Database Configuration
b. Auto-Learning without CFS Distribution
c. Fabric Binding
d. Auto-Learning with CFS Distribution
6. Which statements are TRUE regarding the fabric binding feature? (Choose two answers.)
a. The fabric binding feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations.
b. Fabric binding is configured on a per-VSAN basis.
c. Fabric binding can be distributed by CFS and hence configured automatically on each switch in the fabric.
d. Fabric binding uses pWWNs/nWWNs.
7. Which databases are managed by the fabric binding feature? (Choose two answers.)
a. Configuration database
b. Inactive database
c. Active database
d. Startup database