3 creating a login session – HP OneView User Manual
Page 52
Best Practice
Topic
•
The appliance is preconfigured so that nonessential services are removed or disabled in its
management environment. Ensure that you continue to minimize services when you configure
host systems, management systems, network devices (including network ports not in use) to
significantly reduce the number of ways your environment could be attacked.
Nonessential
services
•
For local accounts on the appliance, change the passwords periodically according to your
password policies.
•
Ensure that passwords include at least three of these types of characters:
◦
Numeric character
◦
Lowercase alphabetic character
◦
Uppercase alphabetic character
◦
Special character
Passwords
•
Clearly define and use administrative roles and responsibilities; for example, the Infrastructure
administrator performs most administrative tasks.
Roles
•
Consider using the practices and procedures, such as those defined by the Information Technology
Infrastructure Library (ITIL). For more information, see the following website:
Service
Management
•
Ensure that a process is in place to determine if software and firmware updates are available,
and to install updates for all components in your environment on a regular basis.
Updates
•
Educate administrators about changes to their roles and responsibilities in a virtual environment.
•
Restrict access to the appliance console to authorized users. For more information, see
.
•
If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution
has visibility into network traffic in the virtual switch.
•
Turn off promiscuous mode in the hypervisor and encrypt traffic flowing over the VLAN to lessen
the effect on any VLAN traffic sniffing.
NOTE:
In most cases, if promiscuous mode is disabled in the hypervisor, it cannot be used on
a VM (Virtual Machine) guest. The VM guest can enable promiscuous mode, but it will not be
functional.
•
Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from production
machines.
•
Ensure proper access controls on Fibre Channel devices.
•
Use LUN masking on both storage and compute hosts.
•
Ensure that LUNs are defined in the host configuration, instead of being discovered.
•
Use hard zoning (which restricts communication across a fabric) based on port WWNs
(Worldwide Names), if possible.
•
Ensure that communication with the WWNs is enforced at the switch-port level.
Virtual
Environment
3.3 Creating a login session
You create a login session when you log in to the appliance through the browser or some other
client (for example, using the REST API). Additional requests to the appliance use the session ID,
which must be protected because it represents the authenticated user.
A session remains valid until you log out or the session times out (for example, if a session is idle
for a longer period of time than the session idle timeout value).
52
Understanding the security features of the appliance