DATA CENTER
Encryption Solution Design and Deployment Considerations

This Encryption Solution Design and Deployment Considerations reference guide is designed to help customers and partners architect and deploy Brocade encryption solutions to maximize system performance, minimize administrative overhead, and mitigate the possibility of operational disruptions.

This guide was compiled with the help of a working group of subject matter experts from Brocade Headquarters and the Brocade field organization.
DATA CENTER
BEST PRACTICES
DEDICATION
This Encryption Solution Design and Deployment Considerations reference guide is dedicated to the memory of Peter Carucci—a wonderful person, father, and husband, who left us much too soon. Peter was an avid supporter of the Brocade encryption solutions and was instrumental in their success. He is sorely missed.
Encryption Solution Design and Deployment Considerations
2 of 58
CONTENTS

DEDICATION ..... 2
INTRODUCTION ..... 6
    Document Scope ..... 6
ESSENTIAL ELEMENTS OF CRYPTOGRAPHY AND SECURITY ..... 7
    Symmetric vs. Asymmetric Cryptography ..... 7
        Symmetric Keys ..... 7
        Asymmetric Keys ..... 7
    Key Management ..... 8
        Trusted Key Exchange ..... 9
        Opaque Key Exchange ..... 9
    Cryptographic Algorithms ..... 10
        Block Ciphers ..... 11
        Stream Ciphers ..... 11
        Digital Signatures ..... 12
    Modes of Operation ..... 13
        Advanced Encryption Standard (AES) ..... 13
        Digital Certificates ..... 13
    Federal Information Processing Standards (FIPS) ..... 14
        Security Level 1 ..... 14
        Security Level 2 ..... 14
        Security Level 3 ..... 14
        Security Level 4 ..... 15
        Encryption Methods Used With Brocade Encryption Solutions ..... 15
BROCADE SOLUTION OVERVIEW ..... 15
    Brocade Encryption Solutions Overview ..... 15
        Brocade Encryption Switch ..... 16
        Brocade FS8-18 Encryption Blade ..... 17
    Brocade Encryption Features ..... 19
        Brocade Encryption Process ..... 19
            CryptoTarget Containers ..... 20
            First-Time Encryption and Rekeying ..... 20
        Clustering and Availability ..... 21
            HA Cluster ..... 21
            Encryption Group ..... 22
            DEK Cluster ..... 22
            Key Management Solutions ..... 23
            Redundant Key Vaults ..... 23
            Encrypting with Backup Applications ..... 24
        Brocade Encryption Solution Internals ..... 24
            Encryption FPGA Complex ..... 26
            Security Processor + TRNG ..... 26
            Battery ..... 26
            Control Processor (CP) ..... 26
            Blade Processor (BP) ..... 26
            Condor 2 ASIC ..... 26
            Metadata ..... 26
PREPURCHASE VALUATION ..... 27
    Why Encrypt Data-at-Rest? ..... 27
    Comparative Overview of Encryption Solutions ..... 27
    Considerations for Export of Cryptographic Products ..... 30
    Qualifying the Solution ..... 30
        Sizing the Solution ..... 30
            Example 1 ..... 31
            Example 2 ..... 32
            Example 3 ..... 32
        Encryption Switch vs. Encryption Blade? ..... 33
        High Availability ..... 33
        Cost Considerations ..... 33
        Solution Interoperability ..... 34
DESIGN AND ARCHITECTURE CONSIDERATIONS ..... 34
    Availability Considerations ..... 34
        Clustering Encryption Devices ..... 34
        Dual Sites ..... 35
        Redundant Key Vaults ..... 35
    Performance Considerations ..... 35
        Deduplication and Compression with Encryption ..... 36
    Cost Considerations ..... 37
    Other Considerations ..... 37
        Virtual Host Considerations ..... 37
    Key Management ..... 40
        Key Expiration ..... 40
        Key per Media vs. Key per Pool ..... 40
        Certificates ..... 40
        Key Replication ..... 40
    Administrative Security Measures, Policies, and Procedures ..... 41
    Key Management Considerations ..... 41
DEPLOYMENT CONSIDERATIONS ..... 41
    Virtual Fabrics ..... 41
    Management Interface Considerations ..... 42
    Quorum Authentication ..... 42
        Using Authentication Cards ..... 43
    Role-Based Access Control ..... 43
    Disk Storage Considerations ..... 45
        Thin-Provisioning ..... 45
        Remote Disk Replication ..... 45
        Disk Replication with SRDF ..... 46
        Multiple Paths to a LUN ..... 47
        Clustering Applications ..... 48
            Cleaning Up After a POC ..... 48
            Cleaning Up the Encryption Device ..... 48
            Decommissioning a LUN ..... 48
            Cleaning Up a LUN ..... 49
        First-Time Encryption Operations ..... 49
    Tape Storage Considerations ..... 50
        Tape Pools ..... 50
        Double Encryption and Compression ..... 50
MANAGEMENT CONSIDERATIONS ..... 51
    Reverting Back to Cleartext ..... 51
        FTE and Rekey Operations ..... 51
        Managing Encrypted Backups ..... 52
        Recovering Encrypted Backups at a DR Site ..... 53
    Managing Encryption Devices ..... 53
        Zeroizing the DEKs ..... 53
        Group Leader Loses a Group Member ..... 53
        Brocade FOS and Firmware Upgrades ..... 53
        Encryption Performance Monitoring ..... 54
APPENDIX A—SAMPLE USE CASES ..... 55
    Single Encryption Switch Fabric ..... 55
    Encryption Switch Added to Existing Fabric ..... 55
    Tape Backup Fabric with Encryption ..... 56
APPENDIX B—GLOSSARY OF TERMS ..... 57