HP ProCurve Security Configuration
This article discusses simple yet effective methods to secure your HP ProCurve network environment.
These days I cannot stress enough the importance of a secure network environment. The number of potential threats that exist is more than concerning for network administrators. This article details effective means for securing your HP ProCurve network hardware, from simple password authentication to access list setup and SSH in-band access.
To me this is common sense: lock down your configuration so that only those with a username and password can modify your network. Configuration of Manager / Privilege Mode passwords should, in my opinion, be mandatory; without them it is only a matter of time before someone finds a way in and destroys your configuration. Remember it is the configuration that makes your network function, not simply the cables between devices.

To enable a password for 'enabled' mode enter the command:

    password manager my_password

This will create a login name of 'manager' with a password of 'my_password'.
It is very easy to allow only certain IP addresses / ranges access to the configuration methods available on ProCurve hardware. This is very simple to configure; just modify and enter the following commands:

    ip authorized-managers 10.0.35.0 255.255.255.0
    ip authorized-managers 10.174.101.0 255.255.255.0 access Operator

The subnet 10.0.35.0/24 will, with password authentication, be able to modify the configuration of the ProCurve hardware.

The subnet 10.174.101.0/24 will, with password authentication, be able to read the configuration details of the ProCurve hardware.

Any other subnet will not be able to access the configuration console available under a web browser.
SSH Inband Access
You may be using telnet to remotely configure your switches, but would you still want to use it if I told you that all of the information you enter, including usernames and passwords, is sent in clear text? With the right tools an attacker could simply view the packets sent to and from the switch and pick out your 'enabled' mode username and password.

This is easy to overcome, and the functionality exists in the 5308xl units as standard. Rather than telnet we will enable SSH access. If you're a Windows user you'll need to download an SSH terminal program such as PuTTY. For those running Linux / Unix, the functionality exists as standard in many distributions via the x-terminal; simply execute the command:

    ssh [email protected] -p 191

Admin is the name of the user you define in the command below; 191 is the port on which SSH is configured to listen on the HP ProCurve hardware.

Windows users need only double-click putty.exe and enter the IP, port and authentication settings necessary for your connection.

To enable SSH access on the 5308xl units enter the following commands:

    ip ssh version 2
    ip ssh port 191
    ip ssh

This will enable SSH version 2 support on port 191. We change the port number so that it is not obvious to those who may be looking for a way in.
SNMP is a very useful tool for network administrators; it is also very dangerous in the wrong hands.

If you are not going to use any SNMP tools, such as ProCurve Manager, to manage your equipment, then simply disabling SNMP will eliminate this threat. However, more practically, you can increase security authentication requirements before configuration changes can be made.

This article will focus upon setting up a new privileged manager user using SNMPv3.

First we must enable SNMPv3 using the command:

    snmpv3 enable

We will then be prompted for an auth password and a priv password; enter passwords to your liking and continue. You will then be asked whether you want to create a user that has SHA; this is not essential. You will then be asked if you wish to enable snmpv3 restrictive-access. If you are only going to use ProCurve Manager or an SNMPv3 compatible client then enable this, as it will stop pre-SNMPv3 clients modifying settings; they will be given read-only access.

Now we will create a new user and assign this user to the managerpriv group:

    snmpv3 user NetworkAdmin auth md5 new_password priv new_password2
    snmpv3 group managerpriv user NetworkAdmin sec-model ver3

You will now be able to use the credentials:

    NetworkAdmin
    Auth MD5: new_password
    Priv DES: new_password2

to gain read/write access in ProCurve Manager or any other SNMPv3 program.
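As an added example (not part of the original article and not HP tooling), the Python check below reads the commands shown in this article from a configuration script, reports which of the hardening steps are present, and works out which access level a given source address is offered by the ip authorized-managers entries. The function names and the sample text are constructed for illustration; treating the first matching entry as decisive is an assumption.

```python
import ipaddress
import re

# Constructed sample: this article's commands with its placeholder passwords.
SAMPLE = """\
password manager my_password
ip authorized-managers 10.0.35.0 255.255.255.0
ip authorized-managers 10.174.101.0 255.255.255.0 access Operator
ip ssh version 2
ip ssh port 191
ip ssh
snmpv3 enable
snmpv3 user NetworkAdmin auth md5 new_password priv new_password2
snmpv3 group managerpriv user NetworkAdmin sec-model ver3
"""

AUTH_MGR = re.compile(r"^ip authorized-managers (\S+) (\S+)(?: access (\w+))?$", re.I)

def parse_authorized_managers(config):
    """Return [(address_int, mask_int, level)]; level defaults to manager."""
    entries = []
    for line in config.splitlines():
        m = AUTH_MGR.match(line.strip())
        if m:
            addr, mask, level = m.groups()
            entries.append((int(ipaddress.IPv4Address(addr)),
                            int(ipaddress.IPv4Address(mask)),
                            (level or "manager").lower()))
    return entries

def access_for(source_ip, entries):
    """Access level offered to source_ip before password authentication."""
    if not entries:
        return "unrestricted"  # empty list: the switch does not filter by source
    ip = int(ipaddress.IPv4Address(source_ip))
    for addr, mask, level in entries:  # assumption: first matching entry wins
        if ip & mask == addr & mask:
            return level
    return None  # source is not an authorized manager

def audit(config):
    """Report which of the article's hardening steps appear in the script."""
    lines = {l.strip().lower() for l in config.splitlines()}
    port = next((int(l.split()[-1]) for l in lines if l.startswith("ip ssh port ")), 22)
    return {"manager_password": any(l.startswith("password manager ") for l in lines),
            "ssh_enabled": "ip ssh" in lines, "ssh_v2": "ip ssh version 2" in lines,
            "ssh_port": port,
            "snmpv3": "snmpv3 enable" in lines,
            "authorized_managers": len(parse_authorized_managers(config))}
```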