beautypg.com

Managing security policies – HP StorageWorks 2000fc G2 Modular Smart Array User Manual

Page 69

background image

HP StorageWorks Simple SAN Connection Manager user guide

69

To copy and paste an IPsec association:

1.

On the HBA & Switch Management menu, click Set Switch IPsec Information. (If you have more than

one switch in your SAN, the Switch Selection dialog box prompts you to select a switch, and then click

OK.)
The IPsec Configuration dialog box opens (see

Figure 38

on page 65) and lists the existing IPsec

Associations on the left and the existing IPsec Policies on the right.

2.

Under IPsec Associations, select the association that you want to copy, and then click Copy.

3.

Under IPsec Associations, click Paste.
Simple SAN Connection Manager lists the new association under IPsec Associations. It appends the

string “_Copy_0” to the original name; for example, a copy of MyAssociationName becomes

MyAssociationName_Copy_0. If an association already exists with that name, it appends the string

“_Copy_1”, and so on.

4.

To modify the copy, select it, and then click Edit to open the IPsec Association dialog box (

Figure 39

on

page 66).

5.

Make changes as needed, and, optionally, save the copy with a new association name.

6.

When you are through managing security associations, select one of the following options:
• To save your changes and close the IPsec Configuration dialog box, click OK.
• To close the IPsec Configuration dialog box without saving any changes, click Cancel.

CAUTION:

Be aware that if you click Cancel on the IPsec Configuration dialog box, all changes you have

made to IPsec associations and policies are revoked. That is, all associations and policies that you have

created, edited, deleted, copied, or pasted while the IPsec Configuration dialog box was open are

nullified.

Managing security policies

The security policy database (SPD) is the set of all security policies configured on the switch. A security

policy defines the following parameters:

Connection source and destination

Data traffic direction: inbound or outbound

Protocols for which to protect data traffic

Security protocols: Authentication Header (AH) or Encapsulating Security Payload (ESP)

Level of protection: IP security, discard, or none

Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections; one

policy for each direction. For example, to secure the connection between two hosts, you need two policies:

one for outbound traffic from the source to the destination, and another for inbound traffic to the source

from the destination. You can specify sources and destinations by IP addresses (version 4 or 6) or DNS host

names. If a host name resolves to more than one IP address, the switch creates the necessary policies and

associations. You can recognize these dynamic policies and associations because their names begin with

DynamicSP_ and DynamicSA_, respectively.
You can apply IP security to all communication between two systems, or you can select protocols, such as

ICMP, TCP, or UDP. Furthermore, instead of applying IP security, you can choose to discard all inbound or

outbound traffic, or allow all traffic without encryption. Both the AH and ESP security protocols provide

source authentication, ensure data integrity, and protect against replay.
This section includes the following procedures for managing security policies:

“Creating an IPsec policy,”

page 70

“Editing an IPsec policy,”

page 73

“Deleting an IPsec policy,”

page 73

“Copying and pasting IPsec polices,”

page 74