Getting started with access security

HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, HP strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.

Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch.

Switch management access is available through the following methods:

  • Front panel access to the console serial port, see Physical security

  • Inbound Telnet access

  • Web-browser access (WebAgent)

  • SNMP access

For guidelines on locking down your switch for remote management access, see Using the Management Interface wizard.

Physical security

Physical access to the switch allows the following:

  • Use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.

  • Use of the switch’s USB port for file transfers and autorun capabilities.

  • Use of the switch's Clear and Reset buttons for these actions:

    • clearing (removing) local password protection

    • rebooting the switch

    • restoring the switch to the factory default configuration (and erasing any non-default configuration settings)

Keeping the switch in a locked wiring closet or other secure space helps prevent unauthorized physical access.

As additional precautions, you can do the following:

  • Disable or re-enable the password-clearing function of the Clear button.

  • Configure the Clear button to reboot the switch after clearing any local usernames and passwords.

  • Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch's factory default settings.

  • Disable or re-enable password recovery.

  • Disable USB autorun by setting a manager password, or enable USB autorun in secure mode so that security credentials are required to use this feature.
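The precautions listed above correspond to the switch's front-panel-security and autorun commands. The configuration-mode session below is an added example, not text from the HP guide; the command syntax is recalled from the HP ProCurve CLI and should be confirmed against the "?" help of the firmware in use.

```text
switch# configure

! Keep the Clear button able to clear local passwords, but force a reboot
! whenever it is used, so a password clear shows up as a reboot in the logs.
! ("no front-panel-security password-clear" would disable the function.)
switch(config)# front-panel-security password-clear reset-on-clear

! Reset+Clear now reboots the switch but no longer restores factory defaults.
switch(config)# no front-panel-security factory-reset

! Disable password recovery. Keep at least one recovery path (here the Clear
! button): with password-clear, factory-reset and password-recovery all
! disabled there is no local way back from a lost manager password.
switch(config)# no front-panel-security password-recovery

! USB autorun is disabled as soon as a manager password is set. If autorun is
! still wanted, secure mode makes it require credentials instead.
switch(config)# password manager
New password for Manager: ********
Please retype new password for Manager: ********
switch(config)# autorun secure-mode

! Review the front-panel settings, then save them to the startup config.
switch(config)# show front-panel-security
switch(config)# write memory
```

Run "show front-panel-security" again after the next reboot; the settings survive a reboot only if "write memory" was issued.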

Using the Management Interface wizard

The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. It guides you through the process of locking down the following switch operations or protocols:

  • setting local passwords

  • restricting SNMP access

  • enabling/disabling Telnet

  • enabling/disabling SSH

  • enabling/disabling remote Web management (WebAgent)

  • restricting WebAgent access to SSL

  • enabling/disabling USB autorun

  • setting timeouts for SSH/Telnet sessions

The wizard can also be used to view the pre-configured defaults and see the current settings for switch access security. The wizard can be launched either via the CLI or the WebAgent.

NOTE: The wizard's security settings can also be configured using standard commands via the CLI, Menu, or WebAgent.
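The note above says the same lockdown can be done with standard commands; the session below is an added example (not from the HP guide) that applies the wizard's items one by one from the CLI, leaving SNMP for its own configuration step. Command syntax is recalled from the HP ProCurve CLI and should be checked with "?" on the switch in use.

```text
switch# configure

! Local passwords: the CLI prompts for each value rather than echoing it.
switch(config)# password operator
switch(config)# password manager

! Remote CLI: generate a host key, enable SSH, then turn Telnet off.
switch(config)# crypto key generate ssh
switch(config)# ip ssh
switch(config)# no telnet-server

! WebAgent: keep remote web management but only over SSL. A server
! certificate (self-signed or CA-issued) must be installed beforehand.
switch(config)# web-management ssl
switch(config)# no web-management plaintext

! USB autorun off; idle sessions (console, Telnet, SSH) time out after
! 600 seconds instead of the default of never.
switch(config)# no autorun
switch(config)# console idle-timeout 600

switch(config)# write memory

! Confirm the result.
switch(config)# show ip ssh
switch(config)# show telnet
switch(config)# show web-management
```

Once "no telnet-server" takes effect, an open Telnet session is the last one; make sure SSH login works from a second session before closing it.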


Configuring security settings using the CLI wizard

To configure the security settings using the CLI wizard, follow the steps below:

  1. At the command prompt, type setup mgmt-interfaces.

    The welcome banner appears and the first setup option is displayed (operator password). As you advance through the wizard, each setup option displays the current value in brackets [] as shown in Management Interface wizard configuration.

    Figure: Management Interface wizard configuration

  2. When you enter the wizard, you have the following options:

    • To update a setting, type in a new value, or press Enter to keep the current value.

    • To quit the wizard without saving any changes, press CTRL-C at any time.

    • To access online Help for any option, press ?.

      After you have gone through each setup option, the wizard displays the summary configuration together with a prompt to save the changes, see Management Interface wizard configuration for an example.

  3. When the message appears asking if you want to save these changes, you have the following options:

    • To save your changes, press Enter.

    • To cancel any changes without saving, type n and then press Enter.

      After pressing Enter, the wizard exits to the command line prompt.

CLI Wizard: Operating notes and restrictions

  • Once a password has been configured on the switch, you cannot remove it using the CLI wizard. Passwords can be removed by executing the no password command directly from the CLI.

  • When you restrict SNMP access to SNMPv3 only, the options SNMPv2 community name and access level will not appear.

  • The wizard displays the first available SNMPv2 community and allows the user to modify the first community access parameters.

  • The wizard creates a new SNMP community only when no communities have been configured on the switch.

WebAgent: Management Interface wizard

To use the Management Interface wizard from the WebAgent, follow the steps below:

  1. In the navigation tree, select Security.

  2. Click on the Security Wizard. The Welcome window appears.

    This page allows you to choose between two setup types:

    • Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option.

    • Advanced—provides a single summary screen in which to configure all security settings at once.

See the WebAgent Online Help for detailed information about using the Management Interface wizard.

SNMP security guidelines

In the default configuration, the switch is open to access by management stations running SNMP management applications, which can view and change the settings and status data in the switch MIB. Controlling SNMP access to the switch and preventing unauthorized SNMP access should therefore be a key element of your network security strategy.

General SNMP access to the switch

The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports version 1 and 2c compatibility, which sends community names in plain text and provides no security options.

HP recommends you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).

SNMPv3 security options include:

  • Configuring device communities as a means for excluding management access by unauthorized stations

  • Configuring for access authentication and privacy

  • Reporting events to the switch CLI and to SNMP trap receivers

  • Restricting non-SNMPv3 agents to either read-only access or no access

  • Co-existing with SNMPv1 and v2c if necessary.

SNMP access to the authentication configuration MIB

A management station running an SNMP networked device management application, such as HP PCM+ or HP OpenView, can access the management information base (MIB) for read access to the switch status and read/write access to the switch's authentication configuration (hpSwitchAuth). This means that the switch's default configuration now allows SNMP access to security settings in hpSwitchAuth.

NOTE: Downloading and booting enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch's authentication configuration MIB is exposed to unprotected SNMP access and you should use the command shown below to disable this access.

CAUTION: If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions:

  • If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately use the following command to disable this feature:

    snmp-server mib hpswitchauthmib excluded

  • If you choose to leave the authentication configuration MIB accessible, then you should do the following to help ensure that unauthorized workstations cannot use SNMP tools to access the MIB:

    1. Configure SNMP version 3 management and access security on the switch.

    2. Disable SNMP version 2c on the switch.
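The following session is an added example, not part of the HP guide, showing both branches of the caution above: excluding the hpSwitchAuth MIB, and, where the MIB must stay reachable, moving the switch to SNMPv3 and shutting out v1/v2c. The user name "nms-poller" and the "<auth-pass>"/"<priv-pass>" values are placeholders; command syntax is recalled from the HP ProCurve CLI and should be checked with "?" on the switch in use.

```text
switch# configure

! Branch 1: remove SNMP access to the authentication configuration MIB.
switch(config)# snmp-server mib hpswitchauthmib excluded

! Branch 2: keep the MIB reachable, but only for SNMPv3 with auth + privacy.
! "snmpv3 enable" walks through creating the initial SNMPv3 user.
switch(config)# snmpv3 enable

! A dedicated user for the management station: SHA authentication, AES
! privacy, placed in the manager-privacy group.
switch(config)# snmpv3 user nms-poller auth sha <auth-pass> priv aes <priv-pass>
switch(config)# snmpv3 group managerpriv user nms-poller sec-model ver3

! Reject every non-SNMPv3 request (v1/v2c get no access). The milder
! "snmpv3 restricted-access" would leave v1/v2c read-only instead.
switch(config)# snmpv3 only

! Remove the default community so that undoing "snmpv3 only" later does not
! silently re-expose the switch through "public".
switch(config)# no snmp-server community public

switch(config)# write memory

! Verification: excluded MIBs, SNMPv3 users and their groups.
switch(config)# show snmp-server
switch(config)# show snmpv3 user
switch(config)# show snmpv3 group
```

Before issuing "snmpv3 only", confirm that the management application already polls successfully as an SNMPv3 user; otherwise monitoring stops at the same moment the v2c path closes.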


For details on this feature, see Using SNMP to view and configure switch authentication features.

See “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.