08-25-2010 12:32 PM
I manage a fairly large SAN consisting of about 150 switches and over 5000 ports, and user account management is a real nightmare.
I am wondering, am I missing something, or does DCFM completely ignore the fact that SAN Switches have user accounts too?
By this I mean, when you discover your SAN, you provide credentials, these credentials are shared by all DCFM users - an obvious security risk.
Also, there is no way to manage the local users on your switches with DCFM.
These two facts make DCFM very difficult for me to use, because I cannot in clear conscience use a shared account to provide admin level access to many administrators, and I cannot stand managing user accounts on 150 devices completely by hand.
Can someone please shed some light on how you manage access on your SAN? Am I missing something obvious or is using a shared account within DCFM, and having DCFM itself be your security perimeter to the rest of the SAN the best approach?
08-25-2010 11:56 PM
The account info you give when discovering a switch is for use by DCFM internally. What are your problems with the RBAC features of DCFM? If all users access switches via DCFM only (i.e. they have no accounts on the switches) what is the problem?
The problem comes rather if your company insists on changing all switch passwords regularly.
08-26-2010 02:14 AM
If your security requirements require changing passwords regularly on hundreds of SAN switches, then I suggest you look at using either
to authenticate user access to your san switches. See the Brocade Fabric OS guide on how to set these up.
You may also be able to use the distribute command to push changes made to a switch's local user database out to all other v5.3.0 and later switches in the same fabric.
08-26-2010 06:27 AM
The problem is that we do not use DCFM exclusively, at least, not yet - and we have audit/security compliance issues that would make using a shared account for DCFM something which would be "frowned upon", to say the least, unless there was a way to make that account not be able to log in interactively via telnet/ssh.
The password changing issue is also an "annoyance", but I have already been looking into LDAP as a solution.
Just to be clear, my original two highest priority questions remain:
Is there a way to manage switch users via DCFM?
Is the only/recommended way to discover your SAN by using standard admin account credentials?
08-27-2010 08:07 AM
--> Is the only/recommended way to discover your SAN by using standard admin account credentials?
When security is a topic, then disable all default accounts like admin. Enable LDAP or RADIUS authentication on the switches and configure access control on LDAP or RADIUS for the switches / fabrics. Using default accounts is always a security risk and a nice point for your IT security department.
In newer FOS versions you can use the local account and password distribution functions to reduce the amount of work if you plan to use local accounts.
If DCFM uses SNMPv3 to discover the switches, you need a local account on each switch. The username and password have to be the same within a fabric.
DCFM needs SNMPv3 in virtual Fabric configurations.
--> Is there a way to manage switch users via DCFM?
I haven't found a nice way within DCFM for this task.
DCFM needs SSH access to the switches for some tasks. To make it more security compliant, you can get an agreement with your security department if the service account password is shared between two people. Each one knows only 50% of the password. This is not nice, but it is a way.
I hope this helps,
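The two posts above describe the moving parts of a fabric-wide rollout: LDAP or RADIUS for interactive logins, a local account per switch for SNMPv3 discovery that must use the same username and password throughout a fabric, and the distribute command to push a local user database to other v5.3.0-and-later switches in the same fabric. The following Python script is an added example, not something from the thread or from Brocade: it checks a constructed inventory for the SNMPv3 consistency rule and builds a per-switch command plan that uses distribute only where every switch in the fabric is new enough. The FOS command strings (aaaconfig, userconfig, distribute -p "PWDD") follow the CLI syntax as I remember it and are an assumption to check against the command reference for your own FOS release; the switch names, fabrics, versions and LDAP details are made up.

```python
import re
from collections import defaultdict

# The post above says 'distribute' works on v5.3.0 and later switches.
FOS_DISTRIBUTE_MIN = (5, 3, 0)


def parse_fos_version(text):
    """Turn a FOS version string such as 'v6.2.0b' into a comparable tuple (6, 2, 0).
    A trailing patch letter (a, b, ...) is ignored for this check."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def supports_distribute(version_text):
    return parse_fos_version(version_text) >= FOS_DISTRIBUTE_MIN


# Constructed inventory: names, fabrics, versions and credentials are invented.
INVENTORY = [
    {"name": "sw-a1", "fabric": "A", "fos": "v6.2.0b", "snmpv3_user": "dcfmsvc", "snmpv3_pw": "pw-A"},
    {"name": "sw-a2", "fabric": "A", "fos": "v5.3.1a", "snmpv3_user": "dcfmsvc", "snmpv3_pw": "pw-A"},
    {"name": "sw-b1", "fabric": "B", "fos": "v6.1.0c", "snmpv3_user": "dcfmsvc", "snmpv3_pw": "pw-B"},
    {"name": "sw-b2", "fabric": "B", "fos": "v5.2.1c", "snmpv3_user": "dcfmsvc", "snmpv3_pw": "pw-B-old"},
]


def snmpv3_mismatches(inventory):
    """Fabrics whose switches do not all share one SNMPv3 user/password pair
    (the post above says DCFM needs them identical within a fabric)."""
    seen = defaultdict(set)
    for sw in inventory:
        seen[sw["fabric"]].add((sw["snmpv3_user"], sw["snmpv3_pw"]))
    return {fabric: creds for fabric, creds in seen.items() if len(creds) > 1}


# ASSUMED FOS CLI syntax: verify against the command reference for your release.
def per_switch_auth_commands(ldap_host, domain):
    # aaaconfig is per switch; it is not part of the PWDD distribution.
    return [
        f'aaaconfig --add {ldap_host} -conf ldap -p 636 -d {domain}',
        'aaaconfig --authspec "ldap;local"',  # LDAP first, local accounts only as fallback
    ]


def local_account_commands(service_user):
    return [
        f'userconfig --add {service_user} -r admin',  # DCFM's own service/SNMPv3 account
        # Disable the default admin account last, and only after an LDAP login
        # and the new service account have been verified, or you lock yourself out.
        'userconfig --change admin -e no',
    ]


def plan(inventory, ldap_host, domain, service_user):
    """Return {switch_name: [commands]}. Where every switch in a fabric is >= v5.3.0,
    local accounts are changed on one seed switch and pushed with 'distribute';
    otherwise each switch gets the local account commands itself."""
    by_fabric = defaultdict(list)
    for sw in inventory:
        by_fabric[sw["fabric"]].append(sw)
    out = {}
    for switches in by_fabric.values():
        fabric_wide = all(supports_distribute(sw["fos"]) for sw in switches)
        for i, sw in enumerate(switches):
            cmds = per_switch_auth_commands(ldap_host, domain)
            if fabric_wide:
                if i == 0:  # seed switch for the fabric
                    cmds += local_account_commands(service_user)
                    cmds.append('distribute -p "PWDD" -d "*"')  # push the password/user db
            else:
                cmds += local_account_commands(service_user)
            out[sw["name"]] = cmds
    return out


if __name__ == "__main__":
    for fabric, creds in snmpv3_mismatches(INVENTORY).items():
        print(f"fabric {fabric}: {len(creds)} distinct SNMPv3 credential sets, fix before discovery")
    for name, cmds in plan(INVENTORY, "ldap.example.net", "corp.example.net", "dcfmsvc").items():
        print(name)
        for c in cmds:
            print("   ", c)
```

Run it as-is to see the plan for the constructed inventory; with a real inventory the same functions feed whatever you use to execute commands over SSH. The point of the version gate is the one the earlier post makes: a fabric with even one pre-5.3.0 switch cannot rely on distribute, so the local accounts have to be created on every switch in it.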
08-27-2010 09:15 AM
One thing I know: DCFM is a feature combined with EFCM+FM.
EFCM is an excellent tool. I have not used DCFM Enterprise till now as our customer finds it very costly. We have CCstorage, HISAT. I have used ESM. I have suggested that our customer use this. But is it too difficult to manage security-wise?