Cisco Storage Media Encryption Security Overview; Additional Security Capabilities - Cisco AJ732A - MDS 9134 Fabric Switch Configuration Manual

Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - Release 4.x (OL-18091-01, February 2009)
Chapter 1
Product Overview
Send documentation comments to mds-feedback-doc@cisco.com

Cisco Storage Media Encryption Security Overview

Cisco SME transparently encrypts and decrypts data inside the storage environment without slowing or
disrupting business critical applications.
Cisco SME generates a master key, tape volume keys, and tape keys. The keys are encrypted in a
hierarchical order: the master key encrypts the tape volume keys and the tape keys. They are also copied
to the key catalog on the Cisco KMC server for backup and archival. Eventually, inactive keys are
removed from the fabric, but they are retained in the Cisco KMC catalog; if they are needed again, the
Cisco SME services in the fabric can retrieve them automatically from the Cisco KMC.
A single Cisco KMC can be used as a centralized key repository for multiple fabrics with Cisco SME
services if desired. Key catalog import and export capabilities are also provided to accommodate moving
tape media to different fabrics in environments with multiple Cisco KMC servers. Backup applications
can be used to archive the key catalogs for additional protection.
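The key hierarchy and catalog behaviour described above, as an added illustration that is not Cisco's code and does not reflect how Cisco SME or the KMC actually implement it: a master key wraps each tape volume key with AES-256-GCM, only the wrapped form is stored in a catalog that stands in for the KMC, a key retired from the fabric is fetched back from the catalog on demand, and any tampering with the archived copy (or an attempt to use it under a different key ID) is detected. The type and function names, the key IDs, and the choice of AES-GCM as the wrapping primitive are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey sits at the top of the hierarchy and never leaves the fabric in the clear.
type MasterKey []byte

// randomKey returns a fresh 256-bit key; used here for both master and tape volume keys.
func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(master MasterKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts a subordinate key under the master key. The key ID is bound as
// additional authenticated data, so a wrapped key that is moved to another catalog
// slot or modified in a backup fails to unwrap. Output layout: nonce || ciphertext || tag.
func WrapKey(master MasterKey, keyID string, plain []byte) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(keyID)), nil
}

// UnwrapKey reverses WrapKey and fails on any tampering or key-ID mismatch.
func UnwrapKey(master MasterKey, keyID string, wrapped []byte) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize() {
		return nil, fmt.Errorf("unwrap %s: wrapped key too short", keyID)
	}
	nonce, ct := wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(keyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap %s: %w", keyID, err)
	}
	return plain, nil
}

// Catalog stands in for the KMC key catalog: it only ever holds wrapped keys,
// so it can be backed up and archived without exposing key material.
type Catalog struct{ Wrapped map[string][]byte }

// Fabric stands in for the SME service on a switch: the master key plus a
// cache of active (unwrapped) tape volume keys.
type Fabric struct {
	master MasterKey
	active map[string][]byte
	kmc    *Catalog
}

func NewFabric(master MasterKey, kmc *Catalog) *Fabric {
	return &Fabric{master: master, active: map[string][]byte{}, kmc: kmc}
}

// CreateTapeKey generates a tape volume key, activates it in the fabric and
// copies the wrapped form to the catalog for backup and archival.
func (f *Fabric) CreateTapeKey(id string) ([]byte, error) {
	key, err := randomKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapKey(f.master, id, key)
	if err != nil {
		return nil, err
	}
	f.kmc.Wrapped[id] = wrapped
	f.active[id] = key
	return key, nil
}

// Retire removes an inactive key from the fabric; the catalog retains it.
func (f *Fabric) Retire(id string) { delete(f.active, id) }

// Key returns the tape volume key, retrieving and unwrapping it from the
// catalog when it is no longer cached in the fabric.
func (f *Fabric) Key(id string) ([]byte, error) {
	if k, ok := f.active[id]; ok {
		return k, nil
	}
	wrapped, ok := f.kmc.Wrapped[id]
	if !ok {
		return nil, fmt.Errorf("key %s not in catalog", id)
	}
	k, err := UnwrapKey(f.master, id, wrapped)
	if err != nil {
		return nil, err
	}
	f.active[id] = k
	return k, nil
}

func main() {
	master, _ := randomKey()
	kmc := &Catalog{Wrapped: map[string][]byte{}}
	fab := NewFabric(MasterKey(master), kmc)
	k1, _ := fab.CreateTapeKey("vol-0001") // constructed key ID
	fab.Retire("vol-0001")
	k2, err := fab.Key("vol-0001")
	fmt.Println("retrieved from catalog intact:", err == nil && bytes.Equal(k1, k2))
}
```

Binding the key ID as associated data is what makes the catalog safe to export and re-import: an entry cannot be silently relabelled, and a bit flip anywhere in the archived copy surfaces as an unwrap failure rather than as a tape that decrypts to garbage.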

Additional Security Capabilities

Additional security capabilities offered by Cisco NX-OS complete the Cisco SME solution. For
example, RADIUS and TACACS+ servers can be used to authenticate, authorize, and provide accounting
(AAA) for Cisco SME administrators. Management of Cisco SME can be limited to authorized
administrators using role-based access control (RBAC). Management sessions use the Secure Shell
(SSHv2) protocol, which provides message integrity and privacy.
The Cisco MDS 9000 Family is certified to meet Common Criteria (CC) EAL3 and Federal Information
Processing Standard (FIPS) 140-2 Level 2. To meet FIPS 140-2 Level 3 certification requirements for the
critical Cisco SME services, the MSM-18/4 has its cryptographic engine and related memory devices
encapsulated to prevent tampering. Any attempt to tamper with the system is guaranteed to destroy the
sensitive data. In addition, critical security parameters never leave the system unencrypted.
Each FC-Redirected target can be zoned to 16 hosts or less.
CFS should be enabled on all required switches for FC-Redirect.
Cisco SME servers and tape devices should not be part of an IVR zone set.
Advanced zoning capabilities like quality of service (QoS), logical unit number (LUN) zoning, and
read-only LUNs must not be used for FC-Redirect hosts and targets.
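The four FC-Redirect zoning guidelines above, turned into a pre-deployment check, as an added example that is not Cisco's code and is not derived from any NX-OS command output. The switch and zone model, the field names, and the sample data are all constructed for this example; a real audit would populate the same structure from the active zone set, CFS status, and IVR configuration of each switch.

```go
package main

import "fmt"

// Zone is one zone in the active zone set (constructed model for this example).
type Zone struct {
	Name     string
	Target   string   // FC-Redirected target
	Hosts    []string // host initiators zoned to the target
	IVR      bool     // zone is a member of an IVR zone set
	QoS      bool     // QoS zoning attribute applied
	LUNZoned bool     // LUN zoning or read-only LUNs configured
}

// Switch is one fabric switch that must satisfy the FC-Redirect guidelines.
type Switch struct {
	Name       string
	CFSEnabled bool
	Zones      []Zone
}

// maxHostsPerTarget is the limit stated in the guidelines.
const maxHostsPerTarget = 16

// CheckFCRedirect returns one finding per violated guideline; an empty
// result means the switch satisfies all four.
func CheckFCRedirect(sw Switch) []string {
	var findings []string
	if !sw.CFSEnabled {
		findings = append(findings, fmt.Sprintf("%s: CFS is disabled; enable it for FC-Redirect", sw.Name))
	}
	for _, z := range sw.Zones {
		if n := len(z.Hosts); n > maxHostsPerTarget {
			findings = append(findings, fmt.Sprintf("%s/%s: target %s is zoned to %d hosts (limit %d)",
				sw.Name, z.Name, z.Target, n, maxHostsPerTarget))
		}
		if z.IVR {
			findings = append(findings, fmt.Sprintf("%s/%s: SME servers and tape devices must not be in an IVR zone set",
				sw.Name, z.Name))
		}
		if z.QoS || z.LUNZoned {
			findings = append(findings, fmt.Sprintf("%s/%s: QoS, LUN zoning and read-only LUNs must not be used for FC-Redirect hosts and targets",
				sw.Name, z.Name))
		}
	}
	return findings
}

// SampleSwitch returns constructed data that violates each guideline once.
func SampleSwitch() Switch {
	hosts := make([]string, 17) // one over the limit
	for i := range hosts {
		hosts[i] = fmt.Sprintf("host-%02d", i)
	}
	return Switch{
		Name:       "mds-sme-01", // constructed switch name
		CFSEnabled: false,
		Zones: []Zone{
			{Name: "z-tape-a", Target: "tape-lib-a", Hosts: hosts},
			{Name: "z-tape-b", Target: "tape-lib-b", Hosts: hosts[:4], IVR: true},
			{Name: "z-tape-c", Target: "tape-lib-c", Hosts: hosts[:2], QoS: true},
		},
	}
}

func main() {
	for _, f := range CheckFCRedirect(SampleSwitch()) {
		fmt.Println("FAIL:", f)
	}
}
```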