Enforcing Switch Security

Switch Management Access Security

SNMP Access (Simple Network Management Protocol)

In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.

General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options. ProCurve recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation). SNMPv3 security options include:

configuring device communities as a means for excluding management access by unauthorized stations

configuring for access authentication and privacy

reporting events to the switch CLI and to SNMP trap receivers

restricting non-SNMPv3 agents to either read-only access or no access

co-existing with SNMPv1 and v2c if necessary

For more on SNMPv3, refer to the next subsection and to the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.

SNMP Access to the Switch’s Authentication Configuration MIB. A management station running an SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can access the switch’s management information base (MIB) for read access to the switch’s status and read/write access to the switch’s configuration. In earlier software versions, SNMP access to the switch’s authentication configuration (hpSwitchAuth) MIB was not allowed. However, beginning with software release M.08.89, the switch’s default configuration allows SNMP access to security settings in hpSwitchAuth. If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from software release M.08.89 or greater:

1. If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above and in the section titled “Using SNMP To View and Configure Switch Authentication Features” (page 35) is not desirable for your network, then immediately after downloading and booting from the M.08.89 or greater software for the first time, use the following command to disable this feature:

snmp-server mib hpswitchauthmib excluded
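As an added example (not part of this guide), the following script audits a saved running-config excerpt for the SNMP hardening points described above: SNMPv3 enabled, non-v3 agents blocked or read-only, the hpSwitchAuth MIB excluded, and no read/write (Manager Unrestricted) or default community strings. The command `snmp-server mib hpswitchauthmib excluded` is the one quoted on this page; the `snmpv3 enable`, `snmpv3 only`, `snmpv3 restricted-access` and community syntax are assumed ProCurve CLI keywords, and the sample config is constructed.

```python
"""Audit a ProCurve running-config excerpt for SNMP hardening (added example)."""
import re

# Constructed sample: a running-config excerpt as a switch might print it.
# Only 'snmp-server mib hpswitchauthmib excluded' is quoted on this page;
# the other keywords are assumed ProCurve CLI syntax.
SAMPLE_CONFIG = """\
hostname "edge-sw-1"
snmp-server community "public" Operator Unrestricted
snmp-server community "netmon" Manager Unrestricted
snmpv3 enable
snmpv3 restricted-access
"""

# Community line: name, optional access level, optional scope.
# Assumption: when omitted, the switch defaults are Manager / Unrestricted.
COMMUNITY_RE = re.compile(
    r'^snmp-server community "?([^"\s]+)"?'
    r'(?:\s+(operator|manager))?(?:\s+(restricted|unrestricted))?$')


def audit_snmp_config(config: str) -> list:
    """Return a list of findings; an empty list means all checks passed."""
    lines = [ln.strip().lower() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. SNMPv3 must be enabled; v1/v2c-only operation is plaintext.
    if "snmpv3 enable" not in lines:
        findings.append("SNMPv3 is not enabled; only plaintext v1/v2c management")

    # 2. Non-v3 agents should be blocked or limited to read-only access.
    if "snmpv3 only" not in lines and "snmpv3 restricted-access" not in lines:
        findings.append("v1/v2c agents keep full access; no 'snmpv3 only' or "
                        "'snmpv3 restricted-access'")

    # 3. The authentication-configuration MIB (hpSwitchAuth) should be excluded.
    if "snmp-server mib hpswitchauthmib excluded" not in lines:
        findings.append("hpSwitchAuth MIB reachable via SNMP; add "
                        "'snmp-server mib hpswitchauthmib excluded'")

    # 4. Flag read/write community strings and the well-known default name.
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        name, level, scope = m.groups()
        if (level or "manager") == "manager" and (scope or "unrestricted") == "unrestricted":
            findings.append(f"community '{name}' grants Manager Unrestricted (read/write)")
        if name == "public":
            findings.append("default community name 'public' is still configured")
    return findings
```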
