Secure Connection - HP PS1810 Management And Configuration Manual

Table 5-1. Advanced Security Fields

| Field | Description |
|---|---|
| Storm Control | Activate storm control protection for broadcast and multicast globally in the system. The default threshold is 64K pps. Clear to not use the Storm Control feature. |
| Auto DoS | Enable denial of service attack protection, or clear to disable DoS protection. It is disabled by default. |

Click Apply to save any changes for the current boot session; the changes take effect immediately.

Secure Connection

The HP PS1810 series switch software allows the administrator to enable or disable Secure HTTP protocol (HTTPS). When enabled, the administrator can establish a secure connection with the switch using the Secure Sockets Layer (SSL) protocol. Secure HTTP can help ensure that communication between the management system and the switch is protected from eavesdropping and man-in-the-middle attacks. The HP PS1810 series switch software supports SSL version 3.0.

SSL enables the switch to generate and store a certificate that functions as a digital passport, enabling client Web browsers to verify the identity of the switch before accessing it.

Note: SSL is described in client/server terminology, where the SSL-enabled switch is the server and a Web browser is the client.

The certificate provides information to the browser such as the server name, the trusted certificate authority (CA) that issued the certificate, the date it was issued, and the switch's public key.

The browser and server use this information to negotiate a secure connection in the following manner:

- The browser verifies the certificate authority's authenticity by checking it against its own list of CAs. (Web browsers such as Microsoft Internet Explorer and Mozilla Firefox maintain data on trusted CAs.)
- After validating the CA, the browser and switch negotiate the highest level of security available to both. The browser uses the public key to encrypt a random number and send it to the switch. The switch uses a private key stored in memory (not advertised on the certificate) to decrypt it. From this process, the browser and switch determine an algorithm for encrypting and decrypting all further communication during the HTTPS session.

To enable secure HTTPS connections via SSL, the HTTPS Admin mode must be enabled on the switch, and the Web server must have a public key certificate. The switch can generate its own certificates, or you can generate these externally and download them to the switch.

- Certificates generated by the switch are self-signed; that is, the validity of the information provided in the certificate is attested to by the switch itself.
- Downloaded certificates can also be self-signed (by a server other than the switch), or they can be root certificates. A root certificate has been digitally signed by a CA, and is therefore considered to provide a higher level of security.
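
A self-signed certificate cannot be checked against the browser's CA list, so the management station has to confirm it another way: record the certificate's SHA-256 fingerprint over a trusted path and compare it with what the switch presents. The following is an added example, not taken from the HP manual; all function names and the sample certificate bytes are constructed for illustration, and `fetch_presented_cert` assumes the client and the switch share a protocol version.

```python
import hashlib
import hmac
import ssl


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # raises ValueError on malformed PEM
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' notation for a recorded fingerprint."""
    return pin.replace(":", "").replace(" ", "").lower()


def matches_pin(pem: str, pins) -> bool:
    """True if the certificate equals one of the fingerprints recorded out of band.

    Several pins may be listed so that a regenerated or newly downloaded
    certificate can be introduced before the old one is retired.
    """
    try:
        actual = cert_fingerprint(pem)
    except ValueError:
        return False  # not a parseable certificate: treat as a mismatch
    return any(hmac.compare_digest(actual, normalize_pin(p)) for p in pins)


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """Return the PEM certificate the management interface presents.

    No CA validation is done here; trust comes only from matches_pin().
    """
    return ssl.get_server_certificate((host, port))


# Constructed sample: placeholder bytes standing in for a switch certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a switch certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    print("pinned certificate accepted:", matches_pin(SAMPLE_PEM, [SAMPLE_PIN]))
    other = ssl.DER_cert_to_PEM_cert(b"constructed bytes of a different certificate")
    print("unknown certificate accepted:", matches_pin(other, [SAMPLE_PIN]))
```

A mismatch on a device whose certificate was not deliberately replaced means the session should not be trusted with credentials until the fingerprint is re-verified over the trusted path.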
