HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, HP strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch.
Switch management access is available through the following methods:
- Front panel access to the console serial port (see Physical security)
For guidelines on locking down your switch for remote management access, see Using the Management Interface wizard.
Physical access to the switch allows the following:
- Use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.
- Use of the switch's USB port for file transfers and autorun capabilities.
- Use of the switch's Clear and Reset buttons for these actions:
  - clearing (removing) local password protection
  - rebooting the switch
  - restoring the switch to the factory default configuration (and erasing any non-default configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps prevent unauthorized physical access.
As additional precautions, you can do the following:
- Disable or re-enable the password-clearing function of the Clear button.
- Configure the Clear button to reboot the switch after clearing any local usernames and passwords.
- Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch's factory default settings.
- Disable USB autorun by setting a manager password, or enable USB autorun in secure mode so that security credentials are required to use this feature.
The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. It guides you through the process of locking down the following switch operations or protocols:
The wizard can also be used to view the pre-configured defaults and see the current settings for switch access security. The wizard can be launched either via the CLI or the WebAgent.
NOTE: The wizard's security settings can also be configured using standard commands via the CLI, Menu, or WebAgent.
To configure the security settings using the CLI wizard, follow the steps below:
- At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (operator password). As you advance through the wizard, each setup option displays the current value in brackets [] as shown in Management Interface wizard configuration.
- When you enter the wizard, you have the following options:
  - To update a setting, type in a new value, or press Enter to keep the current value.
  - To quit the wizard without saving any changes, press CTRL-C at any time.
  - To access online Help for any option, press ?.
- After you have gone through each setup option, the wizard displays the summary configuration together with a prompt to save the changes; see Management Interface wizard configuration for an example.
- When the message appears asking if you want to save these changes, you have the following options:
- Once a password has been configured on the switch, you cannot remove it using the CLI wizard. Passwords can be removed by executing the no password command directly from the CLI.
- When you restrict SNMP access to SNMPv3 only, the options SNMPv2 community name and access level will not appear.
- The wizard displays the first available SNMPv2 community and allows the user to modify the first community access parameters.
- The wizard creates a new SNMP community only when no communities have been configured on the switch.
In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB. Controlling SNMP access to the switch and preventing unauthorized SNMP access should therefore be a key element of your network security strategy.
The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports version 1 and 2c compatibility, which uses plain text and provides no security options.
HP recommends you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).
A management station running an SNMP networked device management application, such as HP PCM+ or HP OpenView, can access the management information base (MIB) for read access to the switch status and read/write access to the switch's authentication configuration (hpSwitchAuth). This means that the switch's default configuration allows SNMP access to the security settings in hpSwitchAuth.
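As an added illustration that is not part of the HP documentation, the following script audits a running-config excerpt for the weak defaults described in the physical-security precautions and in the SNMP section above: no manager password, SNMPv1/2c left open (so hpSwitchAuth is reachable over plaintext SNMP), a default or unrestricted community, and front-panel buttons that can clear passwords or factory-reset the switch. The sample configurations are constructed, and the config line syntax (password manager, snmp-server community, snmpv3 only, front-panel-security) is assumed to resemble ProCurve output rather than quoted from the page.

```python
import re

# Constructed sample: a running-config excerpt in the style of an HP/ProCurve
# switch in its out-of-the-box state. Line syntax is an assumption for
# illustration, not text quoted from the documentation.
DEFAULT_CONFIG = """\
hostname "HP-Switch"
snmp-server community "public" unrestricted
snmpv3 enable
"""

# Constructed sample after the precautions listed on the page have been applied.
HARDENED_CONFIG = """\
hostname "HP-Switch"
password manager
snmp-server community "ops-ro" operator restricted
snmpv3 enable
snmpv3 only
no front-panel-security password-clear
no front-panel-security factory-reset
"""

def audit_config(text):
    """Return (code, message) findings for the weak defaults the page warns about."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    has = lambda pat: any(re.fullmatch(pat, l) for l in lines)
    findings = []
    if not has(r"password manager.*"):
        findings.append(("NO_MANAGER_PASSWORD",
                         "no manager password: management access and USB autorun are unprotected"))
    if not has(r"snmpv3 only"):
        findings.append(("SNMP_V1_V2C_OPEN",
                         "SNMPv1/2c accepted: plaintext community strings reach the switch MIB"))
    for l in lines:
        m = re.fullmatch(r'snmp-server community "([^"]+)".*', l)
        if m and (m.group(1) == "public" or "unrestricted" in l):
            findings.append(("WEAK_COMMUNITY",
                             f"community {m.group(1)!r}: default name or unrestricted access"))
    if not has(r"no front-panel-security password-clear"):
        findings.append(("CLEAR_BUTTON_PASSWORD_CLEAR",
                         "Clear button still removes local passwords; disable it or require reboot-on-clear"))
    if not has(r"no front-panel-security factory-reset"):
        findings.append(("FACTORY_RESET_ENABLED",
                         "Reset+Clear still restores factory defaults, erasing the security configuration"))
    return findings
```

Running audit_config over a real running-config would require adapting the patterns to the exact output of the switch firmware in use.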
NOTE: Downloading and booting enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch's authentication configuration MIB is exposed to unprotected SNMP access and you should use the command shown below to disable this access.
For details on this feature, see Using SNMP to view and configure switch authentication features.
See “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.