ProCurve 2900, ProCurve Switch 2900-24G, ProCurve Switch 2900-48G User Manual
Access Security Guide
ProCurve Switches
T.13.01
2900
www.procurve.com
ProCurve Switch 2900
January 2008
T.13.01
Access Security Guide
© Copyright 2006-2008 Hewlett-Packard Development Company,
L.P. The information contained herein is subject to change without notice. All Rights Reserved.
This document contains proprietary information, which is
protected by copyright. No part of this document may be
photocopied, reproduced, or translated into another langauge without the prior written consent of Hewlett-Packard.
Publication Number
5991-6198
January 2008
Applicable Products
ProCurve Switch 2
900-24G (J9049A)
ProCurve Switch 2
900-48G (J9050A)
Trademark Credits
Microsoft, Windows, and Microsoft Windows NT are U.S.
registered trademarks of Microsoft Corporation.
Software Credits and Notices
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by
the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit http://
www.openssh.com.
SSL on ProCurve Switches is based on the OpenSSL software
toolkit. This product includes software developed by the
OpenSSL Project for use in the OpenSSL Toolkit. For more
information on OpenSSL, visit
http://www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com). This product includes
software written by Tim Hudson (tjh@cryptsoft.com).
Portions of the software on ProCurve switches are based on
the lightweight TCP/IP (lwIP) software toolkit by Adam
Dunkels, and are covered by the following notices.
Copyright © 2001-2003 Swedish Institute of Computer
Science. All rights reserved. Redistribution and use in source
and binary forms, with or without modification, are
permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
3. The name of the author may not be used to endorse or
promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS''
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes software written by Adam Dunkels
(adam@sics.se).
Disclaimer
The information contained in this document is subject to
change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
The only warranties for HP products and services are set
forth in the express warranty statements accompanying
such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions
contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
http://www.procurve.com
Contents
Product Documentation
About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
1 Security Overview
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Switch Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Default Configuration Settings and Access Security . . . . . . . . . . . . . . 1-4
Local Manager Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Inbound Telnet Access and Web Browser Access . . . . . . . . . . . . . 1-4
SNMP Access (Simple Network Management Protocol) . . . . . . . 1-5
Front-Panel Access and Physical Security . . . . . . . . . . . . . . . . . . . 1-6
Secure File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Other Provisions for Management Access Security . . . . . . . . . . . . . . . 1-7
Authorized IP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Secure Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
802.1X Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Secure Socket Layer (SSLv3/TLSv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Port Security, MAC Lockdown, and MAC Lockout . . . . . . . . . . . . . . . 1-10
Key Management System (KMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
i
Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
2 Configuring Username and Password Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Saving Security Credentials in a
Config File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11
Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12
Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15
RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16
SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
ii
Disabling the Clear Password Function of the Clear Button
on the Switch’s Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Re-Enabling the Clear Button on the Switch’s Front Panel
and Setting or Changing the “Reset-On-Clear” Operation . . . 2-30
Changing the Operation of the Reset+Clear Combination . . . . . 2-31
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Disabling or Re-Enabling the Password Recovery Process . . . . 2-32
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
3 Web and MAC Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Using Customized Login Web Pages for Enhanced
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Authorized and Unauthorized Client VLANs . . . . . . . . . . . . . . . . . . . . . 3-4
RADIUS-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 3-6
Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Customized Login Web Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . . . . 3-14
Before You Configure Web/MAC Authentication . . . . . . . . . . . . . . . . 3-14
Configuring the RADIUS Server To Support MAC Authentication . . 3-17
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Configuring a DNS Server for Enhanced Web Authentication . . . . . 3-28
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . 3-28
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Configuration Commands for Web Authentication . . . . . . . . . . . . . . 3-32
Show Commands for Web Authentication . . . . . . . . . . . . . . . . . . . . . . 3-39
iii
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 3-45
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 3-46
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 3-49
Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
4 TACACS+ Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Viewing the Switch’s Current TACACS+
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 4-5
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9
Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9
Server Contact Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-10
Using the Privilege-Mode Option for Login . . . . . . . . . . . . . . . . . 4-11
Authentication Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Configuring the TACACS+ Server for Single Login . . . . . . . . . . . . . . 4-13
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-18
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
General Authentication Process Using a TACACS+ Server . . . . . . . . 4-24
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Controlling Web Browser Interface
Access When Using TACACS+ Authentication . . . . . . . . . . . . . . . . . . 4-28
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 4-28
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29
iv
5 RADIUS Authentication and Accounting
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
RADIUS-Administered CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 5-8
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-9
1. Configure Authentication for the Access Methods
You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 5-13
3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-14
4. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-17
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Controlling Web Browser Interface Access . . . . . . . . . . . . . . . . . . . . 5-22
Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23
Enabling Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Displaying Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Configuring Commands Authorization on a RADIUS Server . . . . . . 5-25
Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 5-25
Example Configuration on Cisco Secure ACS for MS Windows 5-27
Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 5-29
VLAN Assignment in an Authentication Session . . . . . . . . . . . . . . . . 5-31
Tagged and Untagged VLAN Attributes . . . . . . . . . . . . . . . . . . . . . . . . 5-32
Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-35
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-36
1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 5-37
v
2. Configure Accounting Types and the Controls for
Sending Reports to the RADIUS Server . . . . . . . . . . . . . . . . . 5-38
3. (Optional) Configure Session Blocking and
Interim Updating Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 5-46
Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . 5-49
6 Configuring Secure Shell (SSH)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Overview
Steps for Configuring and Using SSH
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 6-9
1. Assigning a Local Login (Operator) and
Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . 6-10
3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 6-13
4. Enabling SSH on the Switch and Anticipating SSH
Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 6-18
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-22
Further Information on SSH Client Public-Key Authentication . 6-22
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28
vi
7 Configuring Secure Socket Layer (SSL)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Overview
Steps for Configuring and Using SSL for Switch and Client
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 7-7
1. Assigning a Local Login (Operator) and
Enable (Manager)Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . 7-8
To Generate or Erase the Switch’s Server Certificate
Generate a Self-Signed Host Certificate with the Web
Generate a CA-Signed server host certificate with the
with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Comments on Certificate Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
browser interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Web browser interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
3. Enabling SSL on the Switch and Anticipating SSL
Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 7-19
Using the Web Browser Interface to Enable SSL . . . . . . . . . . . . . 7-19
Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21
8 Traffic/Security Filters and Monitors
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Filter Types and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . 8-4
vii
9
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Operating Rules for Named Source-Port Filters . . . . . . . . . . . . . . 8-6
Defining and Configuring Named Source-Port Filters . . . . . . . . . 8-7
Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . . 8-18
Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . . 8-19
Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . . . . . . . . 8-19
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
Configuring a Multicast or Protocol Traffic Filter . . . . . . . . . . . . . . . 8-21
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
Displaying Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Configuring Port-Based and
User-Based Access Control (802.1X)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . . 9-4
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
802.1X User-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . 9-7
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 9-10
Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 9-10
VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
General Setup Procedure for 802.1X Access Control . . . . . . . . . . . 9-15
viii
Do These Steps Before You Configure 802.1X Operation . . . . . . . . . 9-15
Overview: Configuring 802.1X Authentication on the Switch . . . . . . 9-18
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . 9-19
1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . . 9-20
A. Enable the Selected Ports as Authenticators and Enable
the (Default) Port-Based Authentication . . . . . . . . . . . . . . . . 9-20
B. Specify User-Based Authentication or Return to Port-Based
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Example: Configuring User-Based 802.1X Authentication . . . . . 9-22
Example: Configuring Port-Based 802.1X Authentication . . . . . 9-22
2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . . 9-22
3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . . 9-25
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 9-26
5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 9-26
6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . . 9-27
7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . . 9-27
Wake-on-LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
Example: Configuring 802.1X Controlled Directions . . . . . . . . . 9-29
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-31
Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . . 9-32
Operating Rules for Authorized-Client and
Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37
Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . . 9-41
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 9-45
Option For Authenticator Ports: Configure Port-Security
To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . . 9-46
Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-47
Configuring Switch Ports To Operate As Supplicants for 802.1X
Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48
Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-50
Displaying 802.1X Configuration, Statistics, and Counters . . . . . 9-52
ix
10
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 9-52
Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . 9-61
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 9-63
How RADIUS/802.1X Authentication Affects VLAN Operation . . 9-64
VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-65
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-65
Example of Untagged VLAN Assignment in a RADIUS-Based
Authentication Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
Enabling the Use of GVRP-Learned Dynamic VLANs
in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-70
Operating Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-72
Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . 9-73
Configuring and Monitoring Port Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Port Security Command Options and Operation . . . . . . . . . . . . . . . . 10-8
Port Security Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
Differences Between MAC Lockdown and Port Security . . . . . . . . 10-23
MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 10-24
Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31
Web: Displaying and Configuring Port Security Features . . . . . . 10-32
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . 10-32
x
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-32
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 10-34
Menu: Checking for Intrusions, Listing Intrusion Alerts, and
Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-35
CLI: Checking for Intrusions, Listing Intrusion Alerts,
and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-36
Using the Event Log To Find Intrusion Alerts
Web: Checking for Intrusions, Listing Intrusion
. . . . . . . . . . . . . . . . . . 10-38
Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-39
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-40
11 Using Authorized IP Managers
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 11-4
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 11-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 11-6
Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . 11-6
Configuring IP Authorized Managers for the Switch . . . . . . . . . 11-7
Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . 11-9
Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
How to Eliminate the Web Proxy Server . . . . . . . . . . . . . . . . . . . 11-9
Using a Web Proxy Server to Access the Web
Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Configuring One Station Per Authorized Manager IP Entry . . . . . . 11-10
Configuring Multiple Stations Per Authorized Manager IP Entry . . 11-11
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 11-13
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
xi
12 Key Management System
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 12-3
Assigning a Time-Independent Key to a Chain . . . . . . . . . . . . . . . . . . 12-4
Assigning Time-Dependent Keys to a Chain . . . . . . . . . . . . . . . . . . . . 12-5
Index
xii
Product Documentation
About Your Switch Manual Set
The switch manual set includes the following documentation:
■ Read Me First—a printed guide shipped with your switch. Provides
software update information, product notes, and other information.
■ Installation and Getting Started Guide—a printed guide shipped with
your switch. This guide explains how to prepare for and perform the
physical installation and connect the switch to your network.
■ Management and Configuration Guide—a PDF on the ProCurve Net-
working Web Site that describes how to configure, manage, and monitor
basic switch operation.
■ Advanced Traffic Management Guide—a PDF on the ProCurve Network-
ing Web Site that explains how to configure traffic management features
such as VLANs, MSTP, and QoS.
■ Multicast and Routing Guide—a PDF on the ProCurve Networking Web
Site that explains how to configure IGMP and IP routing.
■ Access Security Guide—a PDF on the ProCurve Networking Web Site
that explains how to configure access security features and user authentication on the switch.
■ Release Notes—posted on the ProCurve Networking Web Site to provide
information on software updates. The release notes describe new features, fixes, and enhancements that become available between revisions
of the main product guide.
Note For the latest version of all ProCurve switch documentation, including
Release Notes covering recently added features, visit the ProCurve Networking Web Site at www.procurve.com, click on Technical support, and then click
on Product manuals (all).
xiii
Product Documentation
Feature Index
For the manual set supporting your switch model, the following feature index
indicates which manual to consult for information on a given software feature.
Feature Management
and
Configuration
Advanced
Traffic
Management
Multicast
and
Routing
Access
Security
Guide
802.1Q VLAN Tagging X
802.1p Priority X
802.1X Port-Based Authentication X
AAA Authentication X
Authorized IP Managers X
Authorized Manager List (web, telnet, TFTP) X
Auto MDIX Configuration X
BOOTP X
Config File X
Console Access X
Copy Command X
CoS (Class of Service) X
Debug X
DHCP Configuration X
DHCP Option 82 X
DHCP/Bootp Operation X
Diagnostic Tools X
Downloading Software X
Dynamic Configuration Arbiter X
Eavesdrop Protection X
Event Log X
xiv
Product Documentation
Feature Management
and
Configuration
Advanced
Traffic
Management
Multicast
and
Routing
Access
Security
Guide
Factory Default Settings X
Flow Control (802.3x) X
File Management X
File Transfers X
Friendly Port Names X
GVRP X
Identity-Driven Management (IDM) X
IGMP X
Interface Access (Telnet, Console/Serial, Web) X
IPv4 Addressing X
IPv6 Addressing (see the IPv6 Configuration Guide)
IP Routing X
Jumbos Support X
LACP X
Link X
LLDP X
LLDP-Med X
MAC Address Management X
MAC Lockdown X
MAC Lockout X
MAC-based Authentication X
MAC authentication RADIUS support X
Management VLAN X
Monitoring and Analysis X
Multicast Filtering X
Multiple Configuration Files X
Network Immunity Manager X
xv
X
Product Documentation
Feature Management
and
Configuration
Advanced
Traffic
Management
Multicast
and
Routing
Access
Security
Guide
Network Management Applications (SNMP) X
OpenView Device Management X
Passwords and Password Clear Protection
PCM X
Ping X
Port Configuration X
Port Monitoring X
Port Security
Port Status X
Port Trunking (LACP) X
Port-Based Access Control
Port-Based Priority (802.1Q) X
Protocol Filters X
Protocol VLANS X
Quality of Service (QoS) X
RADIUS Authentication and Accounting X
RADIUS-Based Configuration X
RADIUS VLAN Control
RMON 1,2,3,9 X
Routing X
Routing - IP Static X
Secure Copy X
SFLOW X
SFTP X
SNMPv3 X
Software Downloads (SCP/SFTP, TFPT, Xmodem) X
Source-Port Filters
xvi
X
X
X
Product Documentation
Feature Management
and
Configuration
Advanced
Traffic
Management
Multicast
and
Routing
Access
Security
Guide
Spanning Tree (MSTP) X
SSHv2 (Secure Shell) Encryption X
SSLv3 (Secure Socket Layer) X
Stack Management X
Syslog X
System Information X
TACACS+ Authentication X
Telnet Access X
TFTP X
Tiered Dynamic Override
Time Protocols (TimeP, SNTP) X
Traffic/Security Filters X
Troubleshooting X
USB Autorun X
VLANs X
VLAN Mirroring (1 static VLAN) X
Web Authentication RADIUS Support X
Web-based Authentication X
Web UI X
Xmodem X
xvii
Product Documentation
xviii
1
Security Overview
Contents
Security Overview
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Switch Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Default Configuration Settings and Access Security . . . . . . . . . . . . . . 1-3
Local Manager Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Inbound Telnet Access and Web Browser Access . . . . . . . . . . . . . 1-3
SNMP Access (Simple Network Management Protocol) . . . . . . . 1-4
Front-Panel Access and Physical Security . . . . . . . . . . . . . . . . . . . 1-5
Secure File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Other Provisions for Management Access Security . . . . . . . . . . . . . . . 1-6
Authorized IP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Secure Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
802.1X Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Secure Socket Layer (SSLv3/TLSv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Port Security, MAC Lockdown, and MAC Lockout . . . . . . . . . . . . . . . . 1-9
Key Management System (KMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
1-1
Security Overview
Contents
Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
1-2
Security Overview
Introduction
Introduction
Before you connect your switch to a network, ProCurve strongly recommends
that you review the Security Overview beginning on page 1-3. It outlines the
potential threats for unauthorized switch and network access, and provides
guidelines on how to use the various security features available on the switch
to prevent such access. For more information on individual features, see the
references provided.
About This Guide
This Access Security Guide describes how to configure security features on
the switches covered in this guide.
Note For an introduction to the standard conventions used in this guide, refer to
the Getting Started chapter in the Management and Configuration Guide for
your switch.
For More Information
For information on which product manual to consult for a specific software
feature, refer to the “Feature Index” on page xiv of this guide.
For the latest version of all ProCurve switch documentation, including
Release Notes covering recently added features and other software topics,
visit the ProCurve Networking web site at www.procurve.com, click on Te ch -
nical support, and then click on Product Manuals (all).
Switch Access Security
This section outlines provisions for protecting access to the switch’s status
information and configuration settings. ProCurve switches are designed as
“plug and play” devices, allowing quick and easy installation in your network.
However, when preparing the switch for network operation, ProCurve
strongly recommends that you enforce a security policy to help ensure that
the ease in getting started is not used by unauthorized persons as an opportu-
1-3
Security Overview
Switch Access Security
nity for access and possible malicious actions. Since security incidents can
originate with sources inside as well as outside of an organization, your access
security provisions must protect against internal and external threats while
preserving the necessary network access for authorized clients and users.
Default Configuration Settings and Access Security
In its default configuration, the switch is open to unauthorized access of
various types. In addition to applying local passwords, ProCurve recommends
that you consider using the switch’s other security features to provide a more
complete security fabric.
Switch management access is available through the following methods:
■ Inbound Telnet access and Web-browser access
■ SNMP access
■ Front-Panel access (serial port access to the console, plus resets and
clearing the password(s) or current configuration)
It is important to evaluate the level of management access vulnerability
existing in your network and take steps to ensure that all reasonable security
precautions are in place. This includes both configurable security options and
physical access to the switch hardware.
Local Manager Password
In the default configuration, there is no password protection. Configuring a
local Manager password is a fundamental step in reducing the possibility of
unauthorized access through the switch’s Web browser and console (CLI and
Menu) interfaces. The Manager password can easily be set using the CLI
password manager command, the Menu interface Console Passwords option, or
the password options under the Security tab in the Web browser interface.
Inbound Telnet Access and Web Browser Access
The default remote management protocols enabled on the switch are plain
text protocols, which transfer passwords in open or plain text that is easily
captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL must be used for
remote access. This enables you to employ increased access security while
still retaining remote client access.
■ SSHv2 provides Telnet-like connections through encrypted and authenti-
cated transactions.
1-4
Security Overview
Switch Access Security
■ SSLv3/TLSv1 provides remote Web browser access to the switch via
encrypted paths between the switch and management station clients
capable of SSL/TLS operation.
(For information on SSH, refer to Chapter 6 “Configuring Secure Shell (SSH)”;
for details on SSL, refer to Chapter 7, “Configuring Secure Socket Layer
(SSL)”.)
Also, access security on the switch is incomplete without disabling Telnet and
the standard Web browser access. Among the methods for blocking unauthorized access attempts using Telnet or the Web browser are the following two
CLI commands:
■ no telnet-server: This command blocks inbound Telnet access.
■ no web-management: This command prevents use of the Web browser
interface through http (port 80) server access.
If you choose not to disable Telnet and Web browser access, you may want to
consider using RADIUS accounting to maintain a record of password-protected access to the switch. Refer to Chapter 5, “RADIUS Authentication and
Accounting” in this guide.
SNMP Access (Simple Network Management Protocol)
In the default configuration, the switch is open to access by management
stations running SNMP management applications capable of viewing and
changing the settings and status data in the switch’s MIB (Management
Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network
security strategy.
General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The
default configuration supports versions 1 and 2c compatibility, which uses
plain text and does not provide security options. ProCurve recommends that
you enable SNMP version 3 for improved security. SNMPv3 includes the ability
to configure restricted access and to block all non-version 3 messages (which
blocks version 1 and 2c unprotected operation).
SNMPv3 security options include:
■ configuring device communities as a means for excluding management
access by unauthorized stations
■ configuring for access authentication and privacy
■ reporting events to the switch CLI and to SNMP trap receivers
1-5
Security Overview
Switch Access Security
■ restricting non-SNMPv3 agents to either read-only access or no access
■ co-existing with SNMPv1 and v2c if necessary
For information on SNMP, refer to “Using SNMP Tools To Manage the Switch”
in the chapter titled “Configuring for Network Management Applications” in
the Management and Configuration Guide for your switch.
Front-Panel Access and Physical Security
Physical access to the switch allows the following:
■ use of the console serial port (CLI and Menu interface) for viewing and
changing the current configuration and for reading status, statistics, and
log messages.
■ use of the switch’s Clear and Reset buttons for these actions:
• clearing (removing) local password protection
• rebooting the switch
• restoring the switch to the factory default configuration (and erasing
any non-default configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps to
prevent unauthorized physical access. As additional precautions, you can do
the following:
■ Disable or re-enable the password-clearing function of the Clear button.
■ Configure the Clear button to reboot the switch after clearing any local
usernames and passwords.
■ Modify the operation of the Reset+Clear button combination so that the
switch reboots, but does not restore the switch’s factory default settings.
■ Disable or re-enable password recovery.
For the commands used to implement the above actions, refer to the section
titled “Front-Panel Security” on page 2-23.
Secure File Transfers
Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP
for transferring sensitive information such as configuration files and log
information between the switch and other devices. For more on these features, refer to the section on “Using Secure Copy and SFTP” in the “File
Transfers” appendix of the Management and Configuration Guide for your
switch.
1-6
Security Overview
Switch Access Security
Other Provisions for Management Access Security
The following features can help to prevent unauthorized management access
to the switch.
Authorized IP Managers
This feature uses IP addresses and masks to determine whether to allow
management access to the switch across the network through the following :
■ Telnet and other terminal emulation applications
■ The switch’s Web browser interface
■ SNMP (with a correct community name)
For more information, refer to Chapter 11, “Using Authorized IP Managers”.
Secure Management VLAN
This feature creates an isolated network for managing the ProCurve switches
that offer this feature. When a secure management VLAN is enabled, CLI, Menu
interface, and Web browser interface access is restricted to ports configured
as members of the VLAN. For more information, refer to the chapter titled
“Static Virtual LANs (VLANs)” in the Advanced Traffic Management Guide.
TACACS+ Authentication
This application uses a central server to allow or deny access to TACACSaware devices in your network. TACACS+ uses username/password sets with
associated privilege levels to grant or deny access through either the switch’s
serial (console) port or remotely, with Telnet. If the switch fails to connect to
a TACACS+ server for the necessary authentication service, it defaults to its
own locally configured passwords for authentication control. TACACS+
allows both login (read-only) and enable (read/write) privilege level access.
For more information, refer to Chapter 4, “TACACS+ Authentication”.
RADIUS Authentication
For each authorized client, RADIUS can be used to authenticate operator or
manager access privileges on the switch via the serial port (CLI and Menu
interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access
methods. Refer to Chapter 5, “RADIUS Authentication and Accounting”.
1-7
Security Overview
Network Security Features
Network Security Features
This section outlines features for protecting access through the switch to the
network. For more detailed information, see the indicated chapters.
802.1X Access Control
This feature provides port-based or user-based authentication through a
RADIUS server to protect the switch from unauthorized access and to enable
the use of RADIUS-based user profiles to control client access to network
services. Included in the general features are the following:
■ user-based access control supporting up to 32 authenticated clients per
port
■ port-based access control allowing authentication by a single client to
open the port
■ switch operation as a supplicant for point-to-point connections to other
802.1X-compliant ProCurve switches
For more information, refer to Chapter 9 “Configuring Port-Based and UserBased Access Control (802.1X)”.
Web and MAC Authentication
These options are designed for application on the edge of a network to provide
port-based security measures for protecting private networks and the switch
itself from unauthorized access. Because neither method requires clients to
run any special supplicant software, both are suitable for legacy systems and
temporary access situations where introducing supplicant software is not an
attractive option. Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control
access from a master database in a single server. It also means the same
credentials can be used for authentication, regardless of which switch or
switch port is the current access point into the LAN. Web authentication uses
a web page login to authenticate users for access to the network. MAC
authentication grants access to a secure network by authenticating device
MAC addresses for access to the network. For more information, refer to
Chapter 3, “Web and MAC Authentication”.
1-8
Loading...