    Bringing Quantum Resistance to Cisco MDS 9000 switches

    By big tee tech hub | May 3, 2025 | 6 Mins Read


    As security regulations tighten and quantum computing advances, organizations are prioritizing cybersecurity, making encryption increasingly essential. The Cisco MDS 9000 family of storage networking devices offers cutting-edge encryption solutions, specifically through Cisco TrustSec Fibre Channel Link Encryption, ensuring secure data transmission across Fibre Channel (FC) networks.

    Threats and security regulations mandate stronger security postures

    Data is among the most important assets for any corporation, so protecting data from unauthorized access and misuse is a key concern. With the emergence of hybrid work, the adoption of cloud services, and the malicious use of AI-based tools, cyberthreats have become more advanced and impactful. At the same time, new privacy and security regulations are mandating that organizations achieve a better, more comprehensive security posture. As a result, cybersecurity is the top priority among AI deployments, according to the Cisco 2024 AI Readiness Index, and data encryption is now in high demand from corporations of all sizes and industries.

    With FC being the protocol of choice for accessing business-critical enterprise datasets, an important facet of a security posture is to validate the identity of adjacent switches and to encrypt data while in transit on a storage area network (SAN). These capabilities are offered on the Cisco MDS 9000 family of storage networking devices using Cisco TrustSec FC Link Encryption. With recent NX-OS code, a new cipher has been introduced, with a straightforward configuration, to withstand the brute-force calculations with which quantum computing can overcome current encryption standards. Available under Advantage and Premier license tiers, this feature supports director switches, fixed configuration switches, and multiprotocol switches, benefiting both mainframe and open system environments.

    Authentication is a prerequisite to encryption

    Cisco MDS 9000 Series Switches implement the Fibre Channel Security Protocol (FC-SP-2 standard, ANSI INCITS 496-2012), enabling switch-to-switch and host-to-switch authentication to address security challenges in enterprise fabrics. The Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco MDS 9000 Series Switches and other devices. DHCHAP combines the CHAP protocol with the Diffie-Hellman (DH) exchange, ensuring that only trusted devices can join a fabric, thereby preventing unauthorized access.

    DHCHAP is a secure, password-based key-exchange authentication protocol supporting both switch-to-switch and host-to-switch authentication. This configuration requires setting local and peer switch passwords, with DHCHAP negotiating hash algorithms and DH groups. With NX-OS 9.4(3), SHA-1 algorithm-based authentication is default, configured at the physical FC interface level.
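    A simplified model of the DH-augmented challenge-response described above, as an added example (not Cisco's code and not the FC-SP wire format). The toy DH modulus, the field ordering inside the hashes and all function names are assumptions; the point is that the response depends on both the shared password and the DH secret, so a mismatched password or an altered challenge fails verification.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters for illustration only (assumption): a 127-bit Mersenne
# prime. The DH groups negotiated by real DHCHAP use far larger moduli.
P = 2**127 - 1
G = 3

def _h(hash_name, *parts):
    """Hash the concatenation of byte strings with the negotiated algorithm."""
    h = hashlib.new(hash_name)
    for part in parts:
        h.update(part)
    return h.digest()

def _bind(hash_name, challenge, shared):
    """Augment the CHAP challenge with the DH shared secret."""
    return _h(hash_name, challenge, shared.to_bytes(16, "big"))

def authenticator_challenge():
    """Authenticator side: fresh challenge C, transaction id T, DH pair (x, g^x)."""
    x = secrets.randbelow(P - 2) + 1
    return {"C": secrets.token_bytes(20), "T": secrets.token_bytes(1),
            "x": x, "gx": pow(G, x, P)}

def responder_reply(password, C, T, gx, hash_name="sha1"):
    """Responder side: pick y, derive the DH secret, hash in the password."""
    y = secrets.randbelow(P - 2) + 1
    c_aug = _bind(hash_name, C, pow(gx, y, P))
    return {"gy": pow(G, y, P), "R": _h(hash_name, c_aug, password, T)}

def authenticator_verify(password, state, reply, hash_name="sha1"):
    """Recompute the expected response and compare in constant time."""
    c_aug = _bind(hash_name, state["C"], pow(reply["gy"], state["x"], P))
    expected = _h(hash_name, c_aug, password, state["T"])
    return hmac.compare_digest(expected, reply["R"])

def run_handshake(local_pw, peer_pw, hash_name="sha1"):
    """One-way authentication: True only if both sides hold the same password."""
    state = authenticator_challenge()
    reply = responder_reply(peer_pw, state["C"], state["T"], state["gx"], hash_name)
    return authenticator_verify(local_pw, state, reply, hash_name)
```

    Only C, T, g^x, g^y and R cross the link in this model; the password and the DH secret never do.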

    Cisco TrustSec Fibre Channel Link Encryption

    The Advanced Encryption Standard (AES) is a high-security, symmetric-key block-cipher algorithm adopted globally since 2002. It supports various applications, including disk encryption, VPN systems, and messaging programs. Its substitution-permutation network involves sophisticated bit operations, with hardware-efficient execution.

    Cisco TrustSec FC Link Encryption extends the Fibre Channel Security Protocol (FCSP), ensuring transaction integrity and confidentiality using DHCHAP for peer authentication. Encryption configuration involves defining security associations on interfaces, setting a key, and using a salt, which enhances security by differentiating encrypted text patterns.

    Cisco TrustSec FC Link Encryption enables AES-GCM (default, encryption and authentication) or AES-GMAC (authentication only). Key lengths supported are 128 bits for 32G devices and both 128-bit and 256-bit for 64G devices, offering flexibility and choice. If executed in software, AES-128 is marginally faster and needs fewer system resources, while AES-256 provides greater resilience against brute-force attacks and elevates the solution to become quantum resistant. Cisco MDS 9000 switches leverage an advanced hardware-assisted AES implementation so that both AES-128 and AES-256 execute with the same optimal level of performance.

    Industry-leading performance and throughput

    The Cisco 64G FC switching module provides high encryption capabilities, supporting eight ports at 64G speeds each, achieving 512G aggregate encrypted throughput per module. This industry-leading performance results from advanced ASIC design, handling encryption with no performance penalty. The store-and-forward architecture ensures unchanged latency between encrypted and non-encrypted configurations, making MDS 9000 SAN switches unique in maintaining efficiency with the highest level of security. Fixed configuration and multiservice switches leverage the same capabilities, but the number of encrypted ports depends on the switch model. For example, on Cisco MDS 9124V there are four ports that can be encrypted, on Cisco MDS 9148V there are eight, and on Cisco MDS 9396V there are 16.

    Port independence and service availability

    In real-world deployments, port independence is crucial for maintaining connectivity during disruptions. Cisco MDS 9000 Series Switches excel in this, with an optimized ASIC architecture and frame path separation ensuring no impact on other encrypted ports during events like port errdisable or cable/SFP pull. This capability enhances service availability significantly.

    Fabric switches like Cisco MDS 9124V, 9148V, and 9396V support multiple encrypted ports without reducing the total number of usable ports, unlike competing products. This capability ensures consistent resource allocation regardless of encryption status.

    Distance support and SAN analytics compatibility

    Enabling encryption on MDS 9000 Series devices does not affect supported distances, preserving buffer credits and allowing unaltered long-distance operations. Users can maintain the same distance capabilities with encryption, eliminating design constraints during security planning.

    Cisco SAN Analytics provides deep traffic visibility and is the industry benchmark. It is fully applicable to encrypted traffic, maintaining assurance and insights without compromising visibility. The advanced architecture of the Cisco MDS 9000 Series ensures that it is always possible to inspect headers, so that SAN Analytics can be applied to encrypted traffic entering the switch or leaving it.

    Key length, rekeying, and quantum resistance

    AES-GCM supports 128- and 256-bit keys. Key selection on 64G devices offers flexibility, with manual periodic rekeying available as an additional security measure. AES-256 is favored for quantum resistance, protecting against the emerging threat of quantum computers running Grover’s algorithm. The enhanced TrustSec capability on MDS 9000 is considered secure at least until 2050, as per ETSI GR QSC 006 V1.1.1, future-proofing security efforts.

    Comprehensive security suite

    The Cisco MDS 9000 Series offers extensive security features, both intrinsic and configurable. Intrinsic features include Secure Boot and Anti-counterfeit technology, while configurable options encompass VSANs, hard zoning, port security, fabric binding, secure syslog logging, secure erase, Transport Layer Security (TLS) 1.3, Simple Network Management Protocol Version 3 (SNMPv3), Secure Shell Version 2 (SSHv2), among others. These features support business continuity and disaster recovery across data centers, offering encryption on FC and FC over IP (FCIP) Inter-Switch Links (ISLs) through TrustSec and IPsec technology, respectively (Figure 1).

    [Figure 1. MDS 9000 encryption, covering business continuity and disaster recovery needs. Flow chart displaying link layer security and hybrid SAN extensions using TrustSec and IPsec technologies, including specs for TrustSec and IPsec.]

    Conclusion

    Cisco MDS 9000 switches deliver unmatched encryption for SANs, distinguished by advanced ASIC design, superior hardware architecture, and sophisticated software control. TrustSec FC Link Encryption is vital for securely interconnecting SAN fabrics across data centers using FC links. With Cisco MDS 9000 64G devices, you can extend SANs securely, enhancing the security posture in preparation for quantum computing without compromise.

     

    Additional resources:
    Cisco MDS 9000 Series Security Configuration Guide
    Cisco Storage Area Networking
    Storage networking products
    What is a storage area network (SAN)?
