Security Overview

Access Security Features

The table lists each access security feature with its default setting, the security guidelines that apply to it, and where to find more information and configuration details. Each entry below gives these four items in that order.

Feature: SSL
Default setting: disabled
Security guidelines: Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication. Because SSL is disabled by default, Web browser management sessions, including the login password, cross the network unencrypted until it is enabled.
More information and configuration details: "Quick Start: Using the Management Interface Wizard" on page 1-10; Chapter 9, "Configuring Secure Socket Layer (SSL)"

Feature: SNMP
Default setting: public, unrestricted
Security guidelines: In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch's MIB (Management Information Base): the default community name "public" is configured with unrestricted (read/write) access. Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
More information and configuration details: "SNMP Security Guidelines" on page 1-15; "Quick Start: Using the Management Interface Wizard" on page 1-10; Management and Configuration Guide, Chapter 14, "Using SNMP Tools To Manage the Switch"
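As an added example (not part of the guide, and not the switch's own code), the following audit reads a saved switch configuration and flags the two conditions the SNMP entry warns about: a community still named "public", and any community with unrestricted (read/write) access to the MIB. The sample configuration lines are constructed, and the `snmp-server community` line syntax, together with the treatment of omitted fields as Manager/Restricted, is an assumption made for this example.

```python
import re

# Constructed sample of switch running-config lines (assumption: the
# "snmp-server community <name> [Operator|Manager] [Restricted|Unrestricted]"
# form; only the defaults "public, unrestricted" come from the guide).
SAMPLE_CONFIG = """\
hostname "edge-sw-01"
snmp-server community "public" Unrestricted
snmp-server community "netmon" Operator Restricted
snmp-server community "noc-rw" Manager Unrestricted
snmp-server contact "netops"
"""

COMMUNITY_RE = re.compile(
    r'^\s*snmp-server community\s+"?(?P<name>[^"\s]+)"?'
    r'(?:\s+(?P<level>Operator|Manager))?'
    r'(?:\s+(?P<access>Restricted|Unrestricted))?\s*$',
    re.IGNORECASE,
)


def parse_communities(config_text):
    """Return one dict per configured SNMP community.

    Fields left out of a line are assumed here to mean Manager level and
    Restricted access (an assumption for the example, not a documented default)."""
    found = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        found.append({
            "name": m["name"],
            "level": (m["level"] or "Manager").lower(),
            "access": (m["access"] or "Restricted").lower(),
        })
    return found


def audit_communities(communities):
    """Flag the default community name and any read/write community."""
    findings = []
    for c in communities:
        if c["name"].lower() == "public":
            findings.append((c["name"], "default community name 'public' is still configured"))
        if c["access"] == "unrestricted":
            findings.append((c["name"], "community grants unrestricted (read/write) access to the MIB"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_communities(parse_communities(SAMPLE_CONFIG)):
        print(f"{name}: {problem}")
```

Run it against the output of a configuration backup; an empty result means no "public" community remains and every community is read-only, which is the state the guidelines above ask for.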

Feature: Authorized IP Managers
Default setting: none
Security guidelines: This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:
• Telnet and other terminal emulation applications
• The switch's Web browser interface
• SNMP (with a correct community name)
More information and configuration details: Chapter 15, "Using Authorized IP Managers"
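The address-plus-mask test that the Authorized IP Managers entry describes, written out as an added example (not the switch's implementation): a management station is allowed when every bit set in the mask agrees between the station's address and the configured address. The entry table, the per-entry access levels, the choice to grant the highest level of any matching entry, and the return value "any" for an empty table are assumptions made for this example.

```python
import ipaddress

# Constructed authorized-manager table: (address, mask, access level).
# Assumption for the example: each entry carries an access level.
AUTHORIZED = [
    ("10.10.1.0",   "255.255.255.0",   "manager"),   # whole NOC subnet, read/write
    ("10.10.2.17",  "255.255.255.255", "operator"),  # a single monitoring host, read-only
    ("192.168.0.0", "255.255.0.0",     "operator"),
]

RANK = {"operator": 1, "manager": 2}


def matches(src, addr, mask):
    """True when src and addr agree on every bit that is 1 in mask.

    Plain bitwise AND, so a non-contiguous mask is handled the same way as
    a prefix mask: only the 1 bits are compared."""
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return (s & m) == (a & m)


def authorized_level(src, entries=AUTHORIZED):
    """Return 'manager', 'operator', or None for a management station address.

    With no entries configured (the guide's default of 'none') the feature
    imposes no restriction, and 'any' is returned: access is then decided by
    credentials alone. When several entries match, this example grants the
    highest level among them (an assumption, not documented behaviour)."""
    if not entries:
        return "any"
    best = None
    for addr, mask, level in entries:
        if matches(src, addr, mask) and (best is None or RANK[level] > RANK[best]):
            best = level
    return best


if __name__ == "__main__":
    for station in ("10.10.1.44", "10.10.2.17", "10.10.2.18", "192.168.5.5"):
        print(station, "->", authorized_level(station))
```

Note that a match only decides whether the station may reach the management interfaces listed above; the session still has to present valid credentials, and for SNMP the correct community name, before anything is granted.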

 

Feature: Secure Management VLAN
Default setting: disabled
Security guidelines: This feature creates an isolated network for managing the ProCurve switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and Web browser interface access is restricted to ports configured as members of the VLAN.
More information and configuration details: Advanced Traffic Management Guide, chapter "Static Virtual LANs (VLANs)"

Feature: TACACS+ Authentication
Default setting: disabled
Security guidelines: This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch's serial (console) port or remotely, with Telnet. If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. Because of this fallback, the local passwords remain a live credential set and should be set and protected to the same standard as the TACACS+ accounts. TACACS+ allows both login (read-only) and enable (read/write) privilege level access.
More information and configuration details: Chapter 5, "TACACS+ Authentication"
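The fallback rule above has one security-relevant edge: the switch falls back to local passwords when it cannot reach a TACACS+ server, not when a reachable server rejects the credentials. The following added example models that distinction (it is illustrative code, not the switch's implementation or a TACACS+ client). The two stand-in server functions, the account list, and the local operator/manager passwords are constructed for the example.

```python
import hmac


class TacacsUnreachable(Exception):
    """No TACACS+ server answered: a connection failure, not a credential rejection."""


# Constructed stand-ins for the server exchange. Assumption: a real client would
# open a session to the configured server and run the TACACS+ authentication
# protocol; here the result is modelled directly.
def tacacs_server_up(username, password):
    accounts = {"alice": ("s3cret", "read-write"),   # enable-level account
                "bob":   ("hunter2", "read-only")}   # login-level account
    entry = accounts.get(username)
    if entry and hmac.compare_digest(entry[0], password):
        return entry[1]
    return None  # the server answered and rejected the credentials


def tacacs_server_down(username, password):
    raise TacacsUnreachable("no response from any configured TACACS+ server")


# Constructed local passwords: operator maps to read-only, manager to read/write.
LOCAL_PASSWORDS = {"operator": "op-local-pw", "manager": "mgr-local-pw"}


def local_authenticate(password, local=LOCAL_PASSWORDS):
    """Local password check, used only when no TACACS+ server can be reached."""
    if hmac.compare_digest(local["manager"], password):
        return "read-write"
    if hmac.compare_digest(local["operator"], password):
        return "read-only"
    return None


def authenticate(username, password, tacacs, local=LOCAL_PASSWORDS):
    """Return (source, privilege): source is 'tacacs' or 'local', privilege is
    'read-only', 'read-write', or None when access is denied.

    A rejection from a reachable server is final; local passwords are consulted
    only when the server cannot be contacted."""
    try:
        return "tacacs", tacacs(username, password)
    except TacacsUnreachable:
        return "local", local_authenticate(password, local)


if __name__ == "__main__":
    print(authenticate("alice", "s3cret", tacacs_server_up))
    print(authenticate("alice", "mgr-local-pw", tacacs_server_up))
    print(authenticate("alice", "mgr-local-pw", tacacs_server_down))
```

The second call in the usage block is the case worth checking on a real deployment: while the server is reachable, a valid local password must not open a session, otherwise the central policy can be bypassed by anyone who knows the local credentials.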

 

 

 

 

 

Feature: RADIUS Authentication
Default setting: disabled
Security guidelines: For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.
More information and configuration details: Chapter 6, "RADIUS Authentication and Accounting"

 

 

 

 

 

1-5