HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 18
... and perform the physical installation and connect the switch to install hard- tures and user authentication on the switch. ■ IPv6 Configuration Guide-Describes the IPv6 protocol operations that are supported on the ProCurve Web site, as described in the Note at the top of this... the latest version of switch documentation, please visit any of the following websites: www.procurve.com/manuals www.hp.com/go/bladesystem/documentation h18004.www1.hp.com/products/blades/components/c-class-tech-installing.html Printed Publications The publication listed below is printed and shipped with ...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 19
... for information on all switches. Note Software Feature Index This feature index indicates which manual to consult for IPv6, and Ping6), refer to the IPv6 Configuration Guide. Intelligent Edge Software Features 802.1Q VLAN Tagging 802.1X Multiple Authenticated Clients Per Port AAA Authentication Authorized IP Managers Authorized Manager List (Web, Telnet...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 24
...settings and features, refer to a network, ProCurve strongly recommends that you connect your switch to the IPv6 Configuration Guide for your switch. For the latest version of the security features included on your switch. It outlines potential...configure security features on page 1-9. About This Guide This Access Security Guide describes how to the standard conventions used in this guide. Before you review the section titled "Getting Started with Access Security" on your switch. Security Overview Introduction Note Introduction This chapter provides an overview of all HP...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 26
...provide a secure alternative to employ Access and System increased access security while still retaining remote Information" in open or plain text that is incomplete Configuration Guide. without a login access configured to the as SSH and SSL (see below for your passwords, secure and encrypted protocols such browser access, refer to authenticate the client... the switch. • secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of the Management and Configuration Guide for details) should be stored on the Chapter...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 27
...switch's MIB Management Interface (Management Information Base). public, unrestricted In the default configuration, the switch is LANs (VLANs)" restricted to ports configured as members of Configuration Guide, your network. TACACS+ uses username/password sets with associated privilege levels to ...SSL SNMP Authorized IP Managers Secure Management VLAN TACACS+ Authentication RADIUS Authentication Default Setting Security Guidelines More Information and Configuration Details disabled Secure Socket Layer (SSL) and Transport Layer Security "Quick Start: Using the (TLS) provide remote...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 29
...(destination) basis. Some switch models also include eavesdrop prevention in the following ways: Monitoring Port Security" • Port security: Enables configuration of each switch port with a unique list of the MAC addresses of a specific MAC address so that port. Table 1-2. Security...given MAC address to use only one assigned port on the switch. Management and Configuration Guide, Appendix A "File Transfers", refer to the section "Using Secure Copy and SFTP" These statically configured filters enhance in-band Chapter 12, "Traffic/Security security (and improve control ...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 30
...Root Guard: Protects the STP root bridge from the offending hosts. Chapter 11, "Configuring Advanced Threat Protection" • Dynamic ARP Protection: Protects your switch from malicious Advanced Traffic attacks or configuration errors: Management Guide, refer to • BPDU Filtering and BPDU Protection: Protects the the chapter "... tries to create a large number of -service Management and attacks by restricting ICMP traffic to percentage levels Configuration Guide, in the that may be due to worms or viruses Controls" refer to throttle or drop all traffic from malicious attacks...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 38
...when downloading and booting from the software: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is considered a security risk in the Management and Configuration Guide for the first time, use the following command to disable this feature: snmp-server mib... hpswitchauthmib excluded ■ If you choose to leave the authentication configuration MIB accessible, then you should do the following...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 48
... with no Operator password), and in a later session the Manager password is entered correctly in the Management and Configuration Guide for your switch. Notes Caution Configuring Username and Password Security Overview The manager and operator passwords and (optional) usernames control access to the Appendix A... on the autorun feature, refer to the menu interface, CLI, and web browser interface. If you configure only an Operator password, entering the Operator password enables full manager privileges. If the switch has a password for both the Manager and...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 54
... a Config File ■ The chapter on "Switch Memory and Configuration" in the Management and Configuration Guide. ■ "Configuring Local Password Security" on page 2-11 are not stored in the running configuration. To view the currently configured security settings in the running configuration, enter one of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 57
... local operator username and password used as 802.1X authentication credentials for access to a port on "Configuring for Network Management Applications" in the Management and Configuration Guide for SNMPv3 users that can enter an SNMPv3 authentication or privacy password in either clear ASCII text or... the SHA-1 hash of SNMP security parameters, refer to the chapter on another 802.1X-aware switch. Configuring Username and Password Security...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 63
...-clear option normally reboots the switch when you press the Clear button.) For more information, see "Configuring Front-Panel Security" on page 2-27 in the Management and Configuration Guide. ■ The switch can store up to three configuration files. When you have already enabled the storage of the startup-config file in one memory...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 143
...Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" in the Troubleshooting chapter of log-in attempts you need to configure an encryption key. (See "Using the Encryption Key" on the encryption server for controlling ... TACACS+ switch. server(s). • The username/password pairs you want to server(s) you • The number of the Management and Configuration Guide for your first-choice for authentication. The following : • The IP address(es) of the TACACS+ • The period you...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 156
...If TACACS+ server "X" does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the Management and Configuration Guide for authentication. If you configure a global encryption key, the switch uses it only with servers for a TACACS server ...you are using all have an identical key, and server-specific keys are necessary where different TACACS+ servers have not also configured a server-specific key. If this parameter is more information on out-of-band management interface. The oobm parameter specifies...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 157
...list would be X, Y, and C. • The easiest way to Appendix G, "Network Out-of-Band Management" in the Management and Configuration Guide for more vacant slots in the priority list is not specified, the operation goes out from the out-of-band management interface. For example... server order of priority would be : First-Choice: A Second-Choice: X Third-Choice: C • If there are fixed. TACACS+ Authentication Configuring TACACS+ on out-of-band management. For switches that have a separate out-of-band management port, the oobm parameter specifies that the operation will ...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 186
...encryption key. Example of five minutes for a server that use the same key. (For this occurs, refer to use the secondary authentication method configured for the type of access being attempted (console, Telnet, or SSH). Default: 3; For example, suppose that your switch is to...to an authentication request, specifies how many retries to respond, then the switch tries the next server in the Troubleshooting chapter of the Management and Configuration Guide for your switch. If none of the servers respond, then the switch attempts to "RADIUS-Related Problems" in the list, and so-on....
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 231
... (zeroing) the switch's public/private key pair renders the switch unable to engage in Appendix A of the running-config file). See "Configuring Autorun on the Switch" in SSH operation and automatically disables IP SSH on the switch. (To verify whether SSH is not necessary to use...RSA key for autorun. You should consider this guide for more information. Because the host key pair is , avoid re-generating the key pair without a compelling reason. bits Specify the key size (in flash instead of the Management and Configuration Guide for more information. To Generate or Erase the...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 238
...to Appendix G, "Network Out-of-Band Management" in seconds) allowed for SSH Operation [mac ] Allows configuration of the set of MACs that do not have a separate out-of-band management port. 6-18 Configuring Secure Shell (SSH) Configuring the Switch for initial protocol negotiation and authentication. inbound SSH access is the default value. Important... on Port Number" on the data ports. • both the out-of-band management port and on the out-of time (in the Management and Configuration Guide for SSH connections (default: 22). Values for this parameter are available.
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 239
...(22). If you need to use SNMP version 3 only. However, you are also allowed, but do not appear in the switch's Management and Configuration Guide. Examples of reserved IP ports are 49, 80, 1506, and 1513. Figure 6-10. ProCurve(config) ip ssh ProCurve(config)# show ip ssh ...listing. Some other reserved TCP ports on Port Number Configuring Secure Shell (SSH) Configuring the Switch for other sessions (SSH and/or Telnet). While web and Telnet access can access your private key file from unauthorized ...
HP ProCurve Series 6120 Blade Switches Access Security Guide
Page 244
...this feature, only the clients whose public keys are new to generate a key pair. by employing the local username/password, TACACS+, or RADIUS features. Configuring the Switch for your switch. The private key is not protected. (Note that even without babble conversion, or fingerprint conversion) in the Troubleshooting chapter of...you do not allow secondary SSH login (Operator) access via local password, then the switch will have achieved the level of the Management and Configuration Guide for SSH Authentication" on the switch. Use an SSH Client To Access the Switch Test the SSH...