Using HPE switch security features
Switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, Hewlett Packard Enterprise strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users. It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch.
Switch management access is available through the following methods:
Front panel access to the console serial port, see Physical security
Inbound Telnet access
Web-browser access (WebAgent)
SNMP access
For guidelines on locking down your switch for remote management access, see Using the Management Interface wizard.
Physical security
Physical access to the switch allows the following:
Use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.
Use of the switch's USB port for file transfers and autorun capabilities.
Use of the switch's Clear and Reset buttons for these actions:
clearing (removing) local password protection
rebooting the switch
restoring the switch to the factory default configuration (and erasing any non-default configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps prevent unauthorized physical access.
As additional precautions, you can do the following:
Disable or re-enable the password-clearing function of the Clear button.
Configure the Clear button to reboot the switch after clearing any local user names and passwords.
Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch's factory default settings.
Disable or re-enable password recovery.
Disable USB autorun by setting a Manager password, or enable USB autorun in secure mode so that security credentials are required to use this feature.
For the commands used to configure the Clear and Reset buttons, see Configuring front panel security. For information on using USB Autorun, see ”Using USB to transfer files to and from switch” and “Using USB autorun” in the management and configuration guide.
Using the Management Interface wizard
The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. It guides you through the process of locking down the following switch operations or protocols:
setting local passwords
restricting SNMP access
enabling/disabling Telnet
enabling/disabling SSH
enabling/disabling remote Web management (WebAgent)
restricting WebAgent access to SSL
enabling/disabling USB autorun
setting timeouts for SSH/Telnet sessions
The wizard can also be used to view the pre-configured defaults and see the current settings for switch access security. The wizard can be launched either via the CLI or the WebAgent.
NOTE: The wizard's security settings can also be configured using standard commands via the CLI, Menu, or WebAgent.
WebAgent: Management Interface wizard
To use the Management Interface wizard from the WebAgent, follow the steps below:
In the navigation tree, select Security.
Click on the Security Wizard. The Welcome window appears.
This page allows you to choose between two setup types:
Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option.
Advanced—provides a single summary screen in which to configure all security settings at once.
See the WebAgent Online Help for detailed information about using the Management Interface wizard.
SNMP security guidelines
In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Controlling SNMP access to the switch and preventing unauthorized SNMP access should therefore be a key element of your network security strategy.
General SNMP access to the switch
The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports SNMP versions 1 and 2c, which use plain text and provide no security options.
Hewlett Packard Enterprise recommends you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).
SNMPv3 security options include:
Configuring device communities as a means for excluding management access by unauthorized stations
Configuring for access authentication and privacy
Reporting events to the switch CLI and to SNMP trap receivers
Restricting non-SNMPv3 agents to either read-only access or no access
Coexisting with SNMPv1 and v2c if necessary.
SNMP access to the authentication configuration MIB
Beginning with software release K.12.xx, a management station running an SNMP networked device management application, such as PCM+ or OpenView, can access the management information base (MIB) for read access to the switch status and read/write access to the switch authentication configuration (hpSwitchAuth). This means that the switch's default configuration now allows SNMP access to security settings in hpSwitchAuth.
NOTE: Downloading and booting from the K.12.xx or greater software version for the first time enables SNMP access to the authentication configuration MIB (the default action). If SNMPv3 and other security safeguards are not in place, the switch's authentication configuration MIB is exposed to unprotected SNMP access and you should use the command shown below to disable this access.
CAUTION: If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from software release K.12.xx or greater:
For details on this feature, see Using SNMP to view and configure switch authentication features.
See “Configuring for Network Management Applications” in the management and configuration guide for your switch.
Precedence of security options
This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch.
Precedence of Port-based security options
Where the switch is running multiple security options, it implements network traffic security based on the precedence of the individual options in the OSI (Open Systems Interconnection) model, from the lowest layer to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
Disabled/Enabled physical port
MAC lockout (applies to all ports on the switch)
MAC lockdown
Port security
Authorized IP Managers
Application features at higher levels in the OSI model, such as SSH.
The above list does not address the mutually exclusive relationship that exists among some security features.
Precedence of Client-based authentication: Dynamic Configuration Arbiter
Starting in software release K.13.xx, the Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.
A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:
Untagged client VLAN ID
Tagged VLAN IDs
Per-port CoS (802.1p) priority
Per-port rate-limiting on inbound traffic
Client-based ACLs
DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority:
Although RADIUS-assigned settings are never applied to ports for non-authenticated clients, the DCA allows configuring and assigning client-specific port configurations to non-authenticated clients, provided that a client's MAC address is known in the switch in the forwarding database. DCA arbitrates the assignment of attributes on both authenticated and non-authenticated ports.
DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.
HPE E-Network Immunity Manager
E-Network Immunity Manager (NIM) is a plug-in to PCM+ and a key component of the E-Network Immunity security solution that provides comprehensive detection and per-port-response to malicious traffic at the network edge. NIM allows you to apply policy-based actions to minimize the negative impact of a client's behavior on the network. For example, using NIM you can apply a client-specific profile that adds or modifies per-port rate-limiting and VLAN ID assignments.
NOTE: NIM actions only support the configuration of per-port rate-limiting and VLAN ID assignment; NIM does not support CoS (802.1p) priority assignment and ACL configuration.
NIM-applied parameters temporarily override RADIUS-configured and locally configured parameters in an authentication session. When the NIM-applied action is removed, the previously applied client-specific parameter (locally configured or RADIUS-assigned) is re-applied unless there have been other configuration changes to the parameter. In this way, NIM allows you to minimize network problems without manual intervention.
NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client's MAC address is known in the switch forwarding database.
The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for NIM. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, web or MAC authentication, you can verify which RADIUS-assigned and statically configured parameters are supported and whether they are supported on a per-port or per-client basis.
A NIM policy accesses the hpicfUsrProfile MIB through SNMP to perform the following actions:
Bind (or unbind) a profile of configured attributes to the MAC address of a client device on an authenticated or unauthenticated port.
Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session.
NOTE: The attribute profile assigned to a client is often a combination of NIM-configured, RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters.
For information on NIM, go to the Networking Web site at www.hpe.com/solutions.
Arbitrating client-specific attributes
In previous releases, client-specific authentication parameters for 802.1X, Web, and MAC authentication were assigned to a port using different criteria. A RADIUS-assigned parameter was always given highest priority and overrode statically configured local passwords. 802.1X authentication parameters overrode Web or MAC authentication parameters.
Starting in release K.13.xx, DCA stores three levels of client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:
NIM access policy (applied through SNMP)
RADIUS-assigned
802.1X authentication
Web or MAC authentication
Statically (local) configured
Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
For example, NIM may configure only rate-limiting for a specified client session, while RADIUS-assigned values may include both an untagged VLAN ID and a rate-limiting value to be applied. In this case, DCA applies the NIM-configured rate-limiting value and the RADIUS-assigned VLAN (if there are no other conflicts).
Also, you can assign NIM-configured parameters (for example, VLAN ID assignment or rate-limiting) to be activated in a client session when a threat to network security is detected. When the NIM-configured parameters are later removed, the parameter values in the client session return to the RADIUS-configured or locally configured settings, depending on which are next in the hierarchy of precedence.
In addition, DCA supports conflict resolution for QoS (port-based CoS priority) and rate-limiting (ingress) by determining whether to configure either strict or non-strict resolution on a switch-wide basis. For example, if multiple clients authenticate on a port and a rate-limiting assignment by a newly authenticating client conflicts with the rate-limiting values assigned to previous clients, by using Network Immunity you can configure the switch to apply any of the following attributes:
Apply only the latest rate-limiting value assigned to all clients.
Apply a client-specific rate-limiting configuration to the appropriate client session (overwrites any rate-limit previously configured for other client sessions on the port).
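The per-parameter arbitration described above can be traced with a small model. The following Python is an added example, not HPE code or a switch API: the level names (`nim`, `radius_8021x`, `radius_webmac`, `static`), the parameter names and the VLAN and rate-limit values are this example's own assumptions, chosen to reproduce the text's case in which NIM configures only rate-limiting while RADIUS assigns both an untagged VLAN and a rate-limit, and the NIM action is later removed.

```python
from dataclasses import dataclass, field
from typing import Dict

# Hierarchy of precedence from the text, highest priority first.
# Level names are this example's own labels, not switch identifiers.
LEVELS = ("nim", "radius_8021x", "radius_webmac", "static")

# Client-specific parameters a profile may carry (the page's list).
PARAMETERS = ("untagged_vlan", "tagged_vlans", "cos", "rate_limit", "acl")

# NIM actions support only rate-limiting and VLAN ID assignment (page NOTE).
NIM_SUPPORTED = {"untagged_vlan", "rate_limit"}


class ArbitrationError(Exception):
    """DCA cannot apply the requested parameters, so the attempt is failed."""


@dataclass
class ClientProfile:
    """Per-level attribute sets for one client session, keyed by MAC address."""
    mac: str
    levels: Dict[str, Dict[str, object]] = field(
        default_factory=lambda: {level: {} for level in LEVELS})

    def set_level(self, level: str, **params: object) -> None:
        """Record parameters configured at one level of the hierarchy."""
        if level not in LEVELS:
            raise ValueError(f"unknown precedence level: {level}")
        unknown = set(params) - set(PARAMETERS)
        if unknown:
            raise ValueError(f"unknown parameters: {sorted(unknown)}")
        if level == "nim" and not NIM_SUPPORTED.issuperset(params):
            raise ArbitrationError("NIM actions support only VLAN ID and rate-limiting")
        self.levels[level].update(params)

    def clear_level(self, level: str) -> None:
        """Remove every parameter applied at a level (e.g. a NIM action being lifted)."""
        self.levels[level] = {}

    def effective(self) -> Dict[str, object]:
        """Arbitrate per parameter: the highest level that configures it wins."""
        applied: Dict[str, object] = {}
        for param in PARAMETERS:
            for level in LEVELS:
                if param in self.levels[level]:
                    applied[param] = self.levels[level][param]
                    break
        return applied


def trace_nim_action(mac: str = "00:11:22:33:44:55"):
    """Walk the text's example. Values are constructed: VLAN 20 and a 50 %
    rate-limit from RADIUS (802.1X), VLAN 1 and CoS 0 statically, and a NIM
    action that throttles the client to 5 % while a threat is suspected."""
    profile = ClientProfile(mac)
    profile.set_level("static", untagged_vlan=1, cos=0)
    profile.set_level("radius_8021x", untagged_vlan=20, rate_limit=50)
    before = profile.effective()          # RADIUS VLAN and rate-limit, static CoS
    profile.set_level("nim", rate_limit=5)
    during = profile.effective()          # NIM rate-limit wins, RADIUS VLAN kept
    profile.clear_level("nim")
    after = profile.effective()           # back to the RADIUS values
    return before, during, after


if __name__ == "__main__":
    for label, applied in zip(("before", "during", "after"), trace_nim_action()):
        print(f"{label:>6}: {applied}")
```

Each parameter is arbitrated independently, which is why the NIM rate-limit and the RADIUS VLAN coexist in the `during` profile, and why clearing the NIM level returns the rate-limit to the RADIUS value rather than to the static one. A NIM action that tries to set CoS or an ACL is rejected, matching the NOTE about what NIM supports.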
For information about how to configure RADIUS-assigned and locally configured authentication settings, see:
RADIUS-assigned 802.1X authentication: Port-Based and User-Based Access Control (802.1X)
RADIUS-assigned Web or MAC authentication: Web-based and MAC authentication
RADIUS-assigned CoS, rate-limiting, and ACLs: RADIUS services supported on HPE switches
Statically (local) configured: Configuring Username and Password Security
HPE PCM+ Identity-Driven Manager (IDM)
PCM+ IDM is a plug-in to PCM+ and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
Using IDM, a system administrator can configure automatic and dynamic security to operate at the network edge when a user connects to the network. This operation enables the network to:
approve or deny access at the edge of the network instead of in the core;
distinguish among different users and what each is authorized to do;
configure guest access without compromising internal security.
Criteria for enforcing RADIUS-based security for IDM applications include classifiers such as:
authorized user identity
authorized device identity (MAC address)
software running on the device
physical location in the network
time of day
Responses can be configured to support the networking requirements, user (SNMP) community, service needs, and access security level for a given client and device.
For more information on IDM, go to the Networking Web site at www.hpe.com/solutions.
Access security features
This section provides an overview of the switch’s access security features, authentication protocols, and methods. Access Security and Switch Authentication Features lists these features and provides summary configuration guidelines.
NOTE: Beginning with software release K.14.xx, the Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard for details.
Access Security and Switch Authentication Features
Feature | Default setting | Security guidelines | More information and configuration details |
---|---|---|---|
Manager password | no password | Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch's WebAgent and console (CLI and Menu) interfaces. The Manager password can easily be set by any one of the following methods: | Using the Management Interface wizard; Using SNMP to view and configure switch authentication features |
Telnet and Web-browser access (WebAgent) | enabled | The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access. Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access (WebAgent). Among the methods for blocking unauthorized access attempts using Telnet or the WebAgent are the following two CLI commands: If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch. | Using the Management Interface wizard; for more on Telnet and the WebAgent, see "Interface Access and System Information" in the management and configuration guide; for RADIUS accounting, see RADIUS Authentication, Authorization, and Accounting |
SSH | disabled | SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types: | |
SSL | disabled | Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access (WebAgent) to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication. | |
SNMP | public, unrestricted | In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy. | Using HPE switch security features; Using the Management Interface wizard; management and configuration guide, Chapter 14, see the section "Using SNMP Tools To Manage the Switch" |
Authorized IP Managers | none | This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following: | |
Secure Management VLAN | disabled | This feature creates an isolated network for managing the switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as members of the VLAN. | See "Static Virtual LANs (VLANs)" in the advanced traffic management guide for your switch |
ACLs for Management Access Protection | none | ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address. | Network Security—Default Settings and Security Guidelines; IPv4 Access Control Lists (ACLs) |
TACACS+ Authentication | disabled | This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses user name/password sets with associated privilege levels to grant or deny access through either the switch serial (console) port or remotely, with Telnet. If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access. | |
RADIUS Authentication | disabled | For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods. | |
802.1X Access Control | none | This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following: | |
Web and MAC Authentication | none | These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network. | |
Network security features
This section outlines features and defence mechanisms for protecting access through the switch to the network.
Network Security—Default Settings and Security Guidelines
Feature | Default setting | Security guidelines | More information and configuration details |
---|---|---|---|
Secure File Transfers | not applicable | Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices. | management and configuration guide, Appendix A "File Transfers", see "Using Secure Copy and SFTP" |
USB Autorun | enabled (disabled once a password has been set) | Used in conjunction with PCM+, this feature allows diagnosis and automated updates to the switch via the USB flash drive. When enabled in secure mode, this is done with secure credentials to prevent tampering. Note that the USB Autorun feature is disabled automatically, once a password has been set on the switch. | management and configuration guide, Appendix A "File Transfers", see "USB Autorun" |
Traffic/Security Filters | none | These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include: | |
Access Control Lists (ACLs) | none | ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for: | |
Port Security, MAC Lockdown, and MAC Lockout | none | The features listed below provide device-based access security in the following ways: | |
Key Management System (KMS) | none | KMS is available in several switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request. | |
Connection-Rate Filtering based on Virus-Throttling Technology | none | This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts. | |
ICMP Rate-Limiting | none | This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect). | management and configuration guide, in the chapter on "Port Traffic Controls" see "ICMP Rate-Limiting" |
Spanning Tree Protection | none | These features protect your switch from malicious attacks or configuration errors: | advanced traffic management guide, see "Multiple Instance Spanning-Tree Operation" |
DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown | none | These features provide the following additional protections for your network: | |
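The behaviour the Connection-Rate Filtering row describes (a host opening many outbound connections in a short time, a warning, and an optional throttle or drop of that host's traffic) can be modelled in a few lines. The Python below is an added example, not HPE code and not the switch's actual algorithm: the one-second window, the threshold of ten distinct destinations, the action names `warn`, `throttle` and `drop`, and the flow records are all constructed for this illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Flow = Tuple[float, str, str]   # (seconds, source host, destination host)

# Constructed flow records: a normal host reaching three servers over 8 s and a
# host that opens connections to 25 distinct destinations within about 1.2 s.
SAMPLE_FLOWS: List[Flow] = [(0.0, "10.0.0.5", "10.0.1.10"),
                            (4.0, "10.0.0.5", "10.0.1.11"),
                            (8.0, "10.0.0.5", "10.0.1.12")]
SAMPLE_FLOWS += [(5.0 + 0.05 * i, "10.0.0.9", f"10.0.2.{i + 1}") for i in range(25)]
SAMPLE_FLOWS.sort()

ACTIONS = ("warn", "throttle", "drop")   # warn only, throttle, or drop the offender's traffic


class ConnectionRateFilter:
    """Flags hosts whose distinct-destination count in a sliding window exceeds a threshold."""

    def __init__(self, window_s: float = 1.0, threshold: int = 10, action: str = "warn"):
        if action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        self.window_s, self.threshold, self.action = window_s, threshold, action
        self._recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.flagged: Dict[str, str] = {}   # offending host -> action applied
        self.warnings: List[str] = []       # one warning message per offender

    def _decision(self) -> str:
        # A warn-only policy keeps forwarding; throttle and drop act on the traffic.
        return "forward" if self.action == "warn" else self.action

    def observe(self, flow: Flow) -> str:
        """Return the forwarding decision for this flow: forward, throttle or drop."""
        t, src, dst = flow
        if src in self.flagged:
            return self._decision()
        window = self._recent[src]
        window.append((t, dst))
        while window and t - window[0][0] > self.window_s:   # expire old entries
            window.popleft()
        distinct = len({d for _, d in window})
        if distinct > self.threshold:
            self.flagged[src] = self.action
            self.warnings.append(
                f"connection-rate: {src} reached {distinct} destinations "
                f"in {self.window_s}s; action={self.action}")
            return self._decision()
        return "forward"


def analyze(flows: List[Flow] = SAMPLE_FLOWS, action: str = "throttle"):
    """Run the filter over a flow list; returns the filter and the per-flow decisions."""
    crf = ConnectionRateFilter(action=action)
    decisions = [crf.observe(f) for f in flows]
    return crf, decisions


if __name__ == "__main__":
    crf, decisions = analyze()
    print("\n".join(crf.warnings))
    print("flagged:", crf.flagged, "throttled flows:", decisions.count("throttle"))
```

The window is kept per source host, so the steady traffic from 10.0.0.5 is never affected by the burst from 10.0.0.9, and a single warning is raised per offender however many further flows it sends.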
Using named source-port filters
A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Network configuration for named source-port filters. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet. Switch port 7 connects to the accounting server. Two workstations in accounting are connected to switch ports 10 and 11.
Editing a source-port filter
The switch includes in one filter the actions for all destination ports and trunks configured for a given source port or trunk. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter. For example, suppose you configure a filter to drop traffic received on port 8 and destined for ports 1 and 2. The resulting filter is shown on the left in the following figure. Later, you update the filter to drop traffic received on port 8 and destined for ports 3 through 5. Since only one filter exists for a given source port, the filter on traffic from port 8 appears as shown on the right in the following figure:
Displaying traffic/security filters
This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters.
Syntax
show filter
corresponding filter index (IDX) numbers.
IDX
An automatically assigned index number used to identify the filter for a detailed information listing. A filter retains its assigned IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. This can result in a newer filter having a lower IDX number than an older filter if a previous filter deletion created a gap in the filter listing.
Filter Type
Indicates the type of filter assigned to the IDX number (source-port, multicast, or protocol).
Value
Indicates the port number or port-trunk name of the source port or trunk assigned to the filter.
[index]
Lists the filter type and other data for the filter corresponding to the index number in the show filter output. Also lists, for each outbound destination port in the switch, the port number, port type, and filter action (forward or drop). The switch assigns the lowest available index number to a new filter. If you delete a filter, the index number for that filter becomes available for the next filter you create.
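The two rules stated in this section and in Editing a source-port filter, that a source port owns exactly one filter holding the action for every destination port, and that a new filter takes the lowest free IDX, are easy to get wrong when scripting filter changes. The following Python is an added example, not HPE code and not the switch's implementation; it models a 26-port switch (the port count of the named-filter scenario) and reproduces the port 8 edit from the text plus an IDX-reuse case after a deletion.

```python
from typing import Dict, List, Tuple

NUM_PORTS = 26   # constructed: the 26-port switch of the named-filter scenario


class FilterTable:
    """One source-port filter per source port, indexed by IDX as the text describes."""

    def __init__(self, num_ports: int = NUM_PORTS) -> None:
        self.num_ports = num_ports
        self.filters: Dict[int, dict] = {}        # IDX -> filter record
        self._idx_by_source: Dict[int, int] = {}  # source port -> IDX

    def _check_port(self, port: int) -> None:
        if not 1 <= port <= self.num_ports:
            raise ValueError(f"port {port} is not on this switch")

    def _lowest_free_idx(self) -> int:
        """The switch assigns the lowest available IDX, reusing gaps from deletions."""
        idx = 1
        while idx in self.filters:
            idx += 1
        return idx

    def filter_source_port(self, source: int, drop: List[int]) -> int:
        """Create the filter for <source> or update the existing one.
        Destinations not named keep their current action (forward by default)."""
        self._check_port(source)
        for port in drop:
            self._check_port(port)
            if port == source:
                raise ValueError("a filter does not act on its own source port")
        idx = self._idx_by_source.get(source)
        if idx is None:
            idx = self._lowest_free_idx()
            self.filters[idx] = {
                "type": "source-port",
                "value": source,
                "actions": {p: "forward" for p in range(1, self.num_ports + 1) if p != source},
            }
            self._idx_by_source[source] = idx
        for port in drop:
            self.filters[idx]["actions"][port] = "drop"
        return idx

    def delete(self, idx: int) -> None:
        """Remove a filter; its IDX becomes available for the next new filter."""
        record = self.filters.pop(idx)
        del self._idx_by_source[record["value"]]

    def show_filter(self) -> List[Tuple[int, str, int]]:
        """Summary listing: (IDX, filter type, value) for every filter."""
        return sorted((idx, f["type"], f["value"]) for idx, f in self.filters.items())

    def show_filter_index(self, idx: int) -> Tuple[str, int, List[int]]:
        """Detail listing for one IDX: type, source value and the dropped destinations."""
        f = self.filters[idx]
        dropped = sorted(p for p, action in f["actions"].items() if action == "drop")
        return f["type"], f["value"], dropped


def edit_example() -> Tuple[int, List[int]]:
    """The edit from the text: drop 8 -> 1,2, then 8 -> 3..5; one filter remains."""
    table = FilterTable()
    table.filter_source_port(8, [1, 2])
    table.filter_source_port(8, [3, 4, 5])
    return len(table.show_filter()), table.show_filter_index(1)[2]


def idx_reuse_example() -> List[Tuple[int, str, int]]:
    """Deleting IDX 2 leaves a gap that the next new filter (source port 7) fills."""
    table = FilterTable()
    for source in (8, 10, 11):
        table.filter_source_port(source, [1])
    table.delete(2)                       # the filter for source port 10
    table.filter_source_port(7, [10, 11])
    return table.show_filter()


if __name__ == "__main__":
    print("filters after edit:", edit_example())
    print("IDX listing after reuse:", idx_reuse_example())
```

Because the second `filter_source_port(8, ...)` call updates the existing filter rather than creating a second one, the listing still shows a single filter for source port 8 with ports 1 through 5 dropped, as the figure described in the text shows. The IDX-reuse case illustrates why a newer filter (source port 7) can carry a lower IDX than an older one (source port 11).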