Security Overview
PKI
The Public Key Infrastructure (PKI) allows an MDS 9000 switch to obtain and use digital certificates for
secure communication in the network. PKI support provides manageability and scalability for applications,
such as IPsec, IKE, and SSH, that support digital certificates.
For information on configuring PKI, see About CAs and Digital Certificates.
SSH Services
Secure Shell (SSH) is a protocol that provides a secure, remote connection to the Cisco NX-OS CLI. SSH
provides more security for remote connections than Telnet does by providing strong encryption when a device
is authenticated. You can use SSH keys for the following SSH options:
• SSH2 using RSA
• SSH2 using DSA
Starting from Cisco MDS NX-OS Release 8.2(1), SHA2 fingerprint hashing is supported on all Cisco MDS
devices by default.
For more information about configuring SSH services, see Configuring SSH Services, on page 155.
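As an added example (not code from the guide) of what the SHA2 fingerprint support above lets an operator check on first SSH connection to a switch: the snippet encodes an ssh-rsa public key in OpenSSH wire format (the sample key values are constructed and are not a usable key), computes the SHA256 and legacy MD5 fingerprints in OpenSSH's display format, and compares the result against a pinned value in constant time.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint: big-endian two's complement, leading 0x00 if high bit set."""
    if value == 0:
        return ssh_string(b"")
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_key_blob(e: int, n: int) -> bytes:
    """Public key blob as it appears base64-encoded in an ssh-rsa key line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_authorized_key(line: str) -> bytes:
    """Return the raw key blob from a line of the form 'ssh-rsa AAAA... comment'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    return base64.b64decode(parts[1])

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH display form: 'SHA256:' + unpadded base64 of the digest (43 chars)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(blob: bytes) -> str:
    """Legacy display form: 'MD5:' + colon-separated hex bytes; kept for older tooling."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_matches(blob: bytes, expected: str) -> bool:
    """Compare the key's fingerprint with a pinned value using a constant-time compare.
    The pinned value selects the algorithm; pin the SHA256 form, not MD5."""
    algo = expected.split(":", 1)[0]
    if algo == "SHA256":
        actual = fingerprint_sha256(blob)
    elif algo == "MD5":
        actual = fingerprint_md5(blob)
    else:
        raise ValueError("unsupported fingerprint algorithm: " + algo)
    return hmac.compare_digest(actual.encode(), expected.encode())

# Constructed sample: tiny modulus, NOT a usable RSA key, only to exercise the encoding.
SAMPLE_BLOB = rsa_key_blob(65537, 0xC0FFEE_DEADBEEF_0BADF00D_12345679)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " mds-switch-constructed"
```

Record the switch's SHA256 fingerprint from the console or an out-of-band channel once, then feed that string as `expected` so a changed host key fails the comparison instead of being accepted silently.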
IPsec
IP Security (IPsec) protocol is a framework of open standards by the Internet Engineering Task Force (IETF)
that provides data confidentiality, data integrity, and data origin authentication between participating peers.
IPsec provides security services at the IP layer, including protecting one or more data flows between a pair
of hosts, a pair of security gateways, or a security gateway and a host.
For information on configuring IPsec, see About IPsec.
FC-SP and DHCHAP
Fibre Channel Security Protocol (FC-SP) capabilities provide switch-to-switch and host-to-switch authentication
to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge Handshake
Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco MDS
9000 Family switches and other devices. DHCHAP consists of the CHAP protocol combined with the
Diffie-Hellman exchange.
With FC-SP, switches, storage devices, and hosts are able to prove their identity through a reliable and
manageable authentication mechanism. With FC-SP, Fibre Channel traffic can be secured on a frame-by-frame
basis to prevent snooping and hijacking, even over untrusted links. A consistent set of policies and management
actions are propagated through the fabric to provide a uniform level of security across the entire fabric.
For more information on configuring FC-SP and DHCHAP, see About Fabric Authentication.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x