Download  Print this page

HP ProCurve 9304M Security Manual

Routing switches
Hide thumbs

Advertisement

9304m
9308m
Security Guide
9315m
9408sl
ProCurve Routing Switches
Software versions 07.8.00a (9300 series)
and 01.0.02 (9408sl)
www.procurve.com

Advertisement

loading

  Related Manuals for HP ProCurve 9304M

  Summary of Contents for HP ProCurve 9304M

  • Page 1 9304m 9308m Security Guide 9315m 9408sl ProCurve Routing Switches Software versions 07.8.00a (9300 series) and 01.0.02 (9408sl) www.procurve.com...
  • Page 3 Security Guide ProCurve 9300/9400 Series Routing Switches Software versions 07.8.00a (9300 series) and 01.0.02 (9408sl)
  • Page 4 A copy of the specific warranty terms applicable to Copyright 2000, 2003, 2005 Hewlett-Packard your Hewlett-Packard products and replacement Development Company, L.P. The information parts can be obtained from your HP Sales and contained herein is subject to change without Service Office or authorized dealer. notice.
  • Page 5: Table Of Contents

    Contents Organization of Product Documentation ..........ix HAPTER ..................1-1 ETTING TARTED ............................1-1 NTRODUCTION .........................1-1 OFTWARE ERSIONS OVERED ..............................1-1 UDIENCE ............................1-2 ONVENTIONS ............................1-2 ERMINOLOGY .....................1-2 UPPORT AND ARRANTY NFORMATION ..........................1-2 ELATED UBLICATIONS HAPTER ........2-1 ECURING CCESS TO ANAGEMENT UNCTIONS ........................2-1 ECURING CCESS...
  • Page 6 ETTING OCAL CCOUNTS .....................2-17 ONFIGURING A OCAL CCOUNT SSL S .............2-19 ONFIGURING ECURITY FOR THE ANAGEMENT NTERFACE SSL S HP D ................2-19 NABLING THE ERVER ON THE EVICE RSA P ............2-19 MPORTING IGITAL ERTIFICATES AND RIVATE ILES SSL C ....................2-20...
  • Page 7 Contents SSH C .....................3-9 ISPLAYING ONNECTION NFORMATION SSH C .........................3-11 AMPLE ONFIGURATION ..........................3-11 SING ECURE HAPTER 802.1X P ............4-1 ONFIGURING ECURITY ..............................4-1 VERVIEW IETF RFC S ..........................4-1 UPPORT 802.1X P ......................4-1 ECURITY ORKS 802.1X C ..................4-1 EVICE OLES IN AN ONFIGURATION .....................4-2 OMMUNICATION...
  • Page 8 Security Guide for ProCurve 9300/9400 Series Routing Switches ..............................5-1 VERVIEW ......................5-1 OCAL AND LOBAL ESOURCES MAC P ..................5-2 ONFIGURING THE ECURITY EATURE MAC P ..................5-2 NABLING THE ECURITY EATURE MAC A ......5-2 ETTING THE AXIMUM UMBER OF ECURE DDRESSES FOR AN NTERFACE ....................5-2 ETTING THE...
  • Page 9 TRING SNMP C ..................10-5 ISPLAYING THE OMMUNITY TRINGS ....................10-5 SING THE ASED ECURITY ODEL NMS .........................10-6 ONFIGURING SNMP V HP D ................10-6 ONFIGURING ERSION EVICES ID ........................10-6 EFINING THE NGINE SNMP G ......................10-7 EFINING AN ROUP SNMP U ....................10-8 EFINING AN CCOUNT ID .......................10-9...
  • Page 10 Security Guide for ProCurve 9300/9400 Series Routing Switches SNMP G ......................10-9 ISPLAYING ROUPS ......................10-10 ISPLAYING NFORMATION .................10-10 NTERPRETING ARBINDS IN EPORT ACKETS SNMP V .........................10-10 EFINING IEWS ....................Index-1 NDEX viii June 2005...
  • Page 11: Organization Of Product Documentation

    Organization of Product Documentation NOTE: HP periodically updates the ProCurve 9300/9400 Series Routing Switch documentation. For the latest version of any of these publications, visit the ProCurve website at: http://www.procurve.com Click on Technical Support, then Product manuals. NOTE: All manuals listed below are available on the ProCurve website, and also on the Documentation CD shipped with your HP product.
  • Page 12 Security Guide for ProCurve 9300/9400 Series Routing Switches Information on Configuring Features for 9300 Series and 9408sl Routing Switches • Port settings • VLANS • Trunks • Spanning Tree Protocol • Syslog Quick Start Guide for ProCurve 9300 Series Routing Switches This is a printed guide you can use as an easy reference to the installation and product safety information needed for out-of-box setup, plus the general product safety and EMC regulatory statements of which you should be aware when installing and using a Routing Switch.
  • Page 13: C Hapter

    This is an electronic (PDF) guide that provides a dictionary of CLI commands and syntax. Security Guide for ProCurve 9300/9400 Series Routing Switches This is an electronic (PDF) guide that provides procedures for securing management access to HP devices and for protecting against Denial of Service (DoS) attacks.
  • Page 14 Security Guide for ProCurve 9300/9400 Series Routing Switches June 2005...
  • Page 15: Chapter 1 Getting Started

    Chapter 1 Getting Started Introduction This guide describes how to secure access to management functions on the following ProCurve Routing Switches: • ProCurve Routing Switch 9315M • ProCurve Routing Switch 9308M • ProCurve Routing Switch 9304M • ProCurve Routing Switch 9408sl In addition, this guide explains how to secure SNMP access to these ProCurve Routing Switches, as well as how to protect them from Denial of Service (DoS) attacks.
  • Page 16: Conventions

    Refer to Support is as Close as the World Wide Web, which was shipped with your ProCurve Routing Switch. Related Publications Refer to the “Organization of Product Documentation” on page vii for a list of publications for your HP Routing Switch.
  • Page 17: Methods

    Securing Access Methods The following table lists the management access methods available on an HP device, how they are secured by default, and the ways in which they can be secured.
  • Page 18 Security Guide for ProCurve 9300/9400 Series Routing Switches Table 2.1: Ways to secure management access to HP devices (Continued) Access method How the access Ways to secure the access method method is secured page by default Access to the Privileged EXEC...
  • Page 19: Password

    Securing Access to Management Functions Table 2.1: Ways to secure management access to HP devices (Continued) Access method How the access Ways to secure the access method method is secured page by default Web management access SNMP read or read-...
  • Page 20 The following sections describe how to restrict remote access to an HP device using these methods. Using ACLs to Restrict Remote Access You can use standard ACLs to control the following access methods to management functions on an HP device: •...
  • Page 21 Securing Access to Management Functions Using an ACL to Restrict SSH Access To configure an ACL that restricts SSH access to the device, enter commands such as the following: ProCurveRS(config)# access-list 12 deny host 209.157.22.98 log ProCurveRS(config)# access-list 12 deny 209.157.23.0 0.0.0.255 log ProCurveRS(config)# access-list 12 deny 209.157.24.0/24 log ProCurveRS(config)# access-list 12 permit any ProCurveRS(config)# ssh access-group 12...
  • Page 22 Security Guide for ProCurve 9300/9400 Series Routing Switches NOTE: The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet, SSH, and Web management access using ACLs. ProCurveRS(config)# access-list 25 deny host 209.157.22.98 log ProCurveRS(config)# access-list 25 deny 209.157.23.0 0.0.0.255 log ProCurveRS(config)# access-list 25 deny 209.157.24.0 0.0.0.255 log ProCurveRS(config)# access-list 25 permit any ProCurveRS(config)# access-list 30 deny 209.157.25.0 0.0.0.255 log...
  • Page 23 Restricting Remote Access to the Device to Specific IP Addresses By default, an HP device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods: •...
  • Page 24 ProCurveRS(config)# ip ssh client 209.157.22.39 0007.e90f.e9a0 Syntax: [no] ip ssh client <ip-addr> <mac-addr> To allow SSH access to the HP device to a host with any IP address and MAC address 0007.e90f.e9a0, enter the following command: ProCurveRS(config)# ip ssh client any 0007.e90f.e9a0 Syntax: [no] ip ssh client any <mac-addr>...
  • Page 25 You can specify from 0 – 5 attempts. The default is 4 attempts. Restricting Remote Access to the Device to Specific VLAN IDs You can restrict management access to an HP device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods: •...
  • Page 26: Disable Telnet Access

    Security Guide for ProCurve 9300/9400 Series Routing Switches The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access. Syntax: [no] tftp client enable vlan <vlan-id>...
  • Page 27 Disabling SNMP Access SNMP is enabled by default on all HP devices. To disable SNMP, use one of the following methods. USING THE CLI To disable SNMP management of the device:...
  • Page 28 Security Guide for ProCurve 9300/9400 Series Routing Switches USING THE WEB MANAGEMENT INTERFACE 1. Log on to the device using a valid user name and password for read-write access. The System configuration dialog is displayed. 2. Select the Management link from the System configuration panel to display the Management configuration panel.
  • Page 29 Suppressing Telnet Connection Rejection Messages By default, if an HP device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied Telnet client does not receive a message from the HP device.
  • Page 30 Security Guide for ProCurve 9300/9400 Series Routing Switches USING THE WEB MANAGEMENT INTERFACE You cannot configure this option using the Web management interface. Setting Passwords for Management Privilege Levels You can set one password for each of the following management privilege levels: •...
  • Page 31 Securing Access to Management Functions • All interface configuration levels • Read Only level gives access to: • The User EXEC and Privileged EXEC levels You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command.
  • Page 32 The <number-of-characters> can be from 1 – 48. Setting Up Local User Accounts You can define up to 16 local user accounts on an HP device. User accounts regulate who can access the management functions in the CLI using the following methods: •...
  • Page 33: Access

    Securing Access to Management Functions continue to use the privilege level passwords and the SNMP community strings as additional means of access authentication. Alternatively, you can choose not to use local user accounts and instead continue to use only the privilege level passwords and SNMP community strings.
  • Page 34 Note About Changing Local User Passwords Starting in release 07.8.00, the HP device stores not only the current password configured for a local user, but the previous two passwords configured for the user as well. The local user's password cannot be changed to one of the stored passwords.
  • Page 35 It contains information about the issuing Certificate Authority, as well as a public key. You can either import digital certificates and private keys from a server, or you can allow the HP device to create them.
  • Page 36 TACACS+ server. TACACS+ allows for arbitrary length and content authentication exchanges, which allow any authentication mechanism to be utilized with the HP device. TACACS+ is extensible to provide for site customization and future development features. The protocol allows the HP device to request very precise access control and allows the TACACS+ server to respond to each component of that request.
  • Page 37 TACACS/TACACS+ Authentication, Authorization, and Accounting When you configure an HP device to use a TACACS/TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS/ TACACS+ server.
  • Page 38 1. A Telnet, SSH, or Web management interface user previously authenticated by a TACACS+ server enters a command on the HP device. 2. The HP device looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization.
  • Page 39 Securing Access to Management Functions AAA Operations for TACACS/TACACS+ The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to an HP device that has TACACS/TACACS+ security configured. User Action Applicable AAA Operations...
  • Page 40 You must deploy at least one TACACS/TACACS+ server in your network. • HP devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the servers in the order you add them to the device’s configuration. •...
  • Page 41 5. Optionally configure TACACS+ accounting. See “Configuring TACACS+ Accounting” on page 2-32. Identifying the TACACS/TACACS+ Servers To use TACACS/TACACS+ servers to authenticate access to an HP device, you must identify the servers to the HP device. For example, to identify three TACACS/TACACS+ servers, enter commands such as the following: ProCurveRS(config)# tacacs-server host 207.94.6.161...
  • Page 42 NOTE: The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the HP device. To specify a TACACS+ server key: ProCurveRS(config)# tacacs-server key rkwong Syntax: tacacs-server key [0 | 1] <string>...
  • Page 43 Setting the Dead Time Parameter The dead-time parameter specifies how long the HP device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 –...
  • Page 44 When frames are enabled on the Web management interface, the browser sends an HTTP request for each frame. The HP device authenticates each HTTP request from the browser. To limit authentications to one per page, disable frames on the Web management interface.
  • Page 45 If no username was entered at login, the device prompts for both username and password. To configure the HP device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI:...
  • Page 46 A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the hp-privlvl A-V pair, the default privilege level of 5 (read-only) is used.
  • Page 47 Securing Access to Management Functions In a configuration that has both an “hp-privlvl” A-V pair and a non-”hp-privlvl” A-V pair for the Exec service, the non-”hp-privlvl” A-V pair is ignored. For example: user=bob { default service = permit member admin # Global password global = cleartext "cat"...
  • Page 48 To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out: ProCurveRS(config)# aaa accounting exec default start-stop tacacs+...
  • Page 49 If your TACACS/TACACS+ server is configured to accept packets only from specific links or IP addresses, you can use this feature to simplify configuration of the TACACS/TACACS+ server by configuring the HP device to always send the TACACS/TACACS+ packets from the same link or source address.
  • Page 50 Security Guide for ProCurve 9300/9400 Series Routing Switches The following table describes the TACACS/TACACS+ information displayed by the show aaa command. Table 2.4: Output of the show aaa command for TACACS/TACACS+ Field Description Tacacs+ key The setting configured with the tacacs-server key command. At the Super User privilege level, the actual text of the key is displayed.
  • Page 51 9. Enter the key if applicable. NOTE: The key parameter applies only to TACACS+ servers, not to TACACS servers. If you are configuring for TACACS authentication, do not configure a key on the TACACS server and do not enter a key on the HP device.
  • Page 52 Security Guide for ProCurve 9300/9400 Series Routing Switches 16. Select the Authentication Methods link to display the Login Authentication Sequence panel, as shown in the following example. 17. Select the type of access for which you are defining the authentication method list from the Type field’s pulldown menu.
  • Page 53 Securing Access to Management Functions 21. To configure TACACS+ authorization, select the Management link to display the Management configuration panel and select the Authorization Methods link to display the Authorization Method panel, as shown in the following example. 22. To configure TACACS+ exec authorization, select Exec from the Type field’s pulldown menu. 23.
  • Page 54 27. To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out, select Exec from the Type field’s pulldown menu.
  • Page 55 When RADIUS authorization takes place, the following events occur: 1. A user previously authenticated by a RADIUS server enters a command on the HP device. 2. The HP device looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization.
  • Page 56 Security Guide for ProCurve 9300/9400 Series Routing Switches 3. If the command belongs to a privilege level that requires authorization, the HP device looks at the list of commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of the commands in the list.)
  • Page 57 Securing Access to Management Functions User Action Applicable AAA Operations User logs into the Web management Web authentication: interface aaa authentication web-server default <method-list> User logs out of Telnet/SSH session Command authorization for logout command: aaa authorization commands <privilege-level> default <method-list> Command accounting: aaa accounting commands <privilege-level>...
  • Page 58 HP devices support authentication using up to eight RADIUS servers. The device tries to use the servers in the order you add them to the device’s configuration. If one RADIUS server is not responding, the HP device tries the next one in the list.
  • Page 59 Identifying the RADIUS Server to the HP Device To use a RADIUS server to authenticate access to an HP device, you must identify the server to the HP device. For example: ProCurveRS(config)# radius-server host 209.157.22.99...
  • Page 60 The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over the network. The value for the key parameter on the HP device should match the one configured on the RADIUS server. The key can be from 1 – 32 characters in length and cannot include any space characters.
  • Page 61 Syntax: radius-server retransmit <number> Setting the Timeout Parameter The timeout parameter specifies how many seconds the HP device waits for a response from the RADIUS server before either retrying the authentication request, or determining that the RADIUS server is unavailable and moving on to the next authentication method in the authentication-method list.
  • Page 62 Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password. In this release, you can configure the HP device to prompt only for a password. The device uses the username...
  • Page 63 If no username was entered at login, the device prompts for both username and password. To configure the HP device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI:...
  • Page 64 To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out: ProCurveRS(config)# aaa accounting exec default start-stop radius...
  • Page 65 If your RADIUS server is configured to accept packets only from specific links or IP addresses, you can use this feature to simplify configuration of the RADIUS server by configuring the HP device to always send the RADIUS packets from the same link or source address.
  • Page 66 Displaying RADIUS Configuration Information The show aaa command displays information about all TACACS/TACACS+ and RADIUS servers identified on the device. For example: ProCurveRS# show aaa Tacacs+ key: hp Tacacs+ retries: 1 Tacacs+ timeout: 15 seconds Tacacs+ dead-time: 3 minutes Tacacs+ Server: 207.95.6.90 Port:49:...
  • Page 67 Securing Access to Management Functions The show web command displays the privilege level of Web management interface users. For example: ProCurveRS(config)# show web User Privilege IP address 192.168.1.234 Syntax: show web USING THE WEB MANAGEMENT INTERFACE To configure RADIUS using the Web management interface: 1. Log on to the device using a valid user name and password for read-write access.
  • Page 68 Security Guide for ProCurve 9300/9400 Series Routing Switches 14. Click Home to return to the System configuration panel, then select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.
  • Page 69 Securing Access to Management Functions 21. To configure RADIUS command authorization, select the Management link to display the Management configuration panel and select the Authorization Methods link to display the Authorization Method panel, as shown in the following example. 22. Select Commands from the Type field’s pulldown menu. 23.
  • Page 70 27. To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out, select Exec from the Type field’s pulldown menu.
  • Page 71 Securing Access to Management Functions • Local password for the Super User privilege level • Local user accounts configured on the device • Database on a TACACS or TACACS+ server • Database on a RADIUS server • No authentication NOTE: The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported for SNMP access.
  • Page 72 Security Guide for ProCurve 9300/9400 Series Routing Switches User level password is configured, then access through SNMP management applications is not authenticated. To use local user accounts to authenticate access through SNMP management applications, configure an authentication-method list for SNMP access and specify “local” as the primary authentication method.
  • Page 73 Securing Access to Management Functions Table 2.8: Authentication Method Values (Continued) Method Parameter Description enable Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super- user-password… command. See “Setting Passwords for Management Privilege Levels”...
  • Page 74 Security Guide for ProCurve 9300/9400 Series Routing Switches 4. Select the type of access for which you are defining the authentication method list from the Type field’s pulldown menu. Each type of access must have a separate authentication-method list. For example, to define the authentication-method list for logging into the CLI, select Login.
  • Page 75 Configuring Secure Shell Overview Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on an HP device. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet.
  • Page 76 SSH session, the HP device negotiates the version of SSHv2 to be used. The highest version of SSHv2 supported by both the HP device and the client is the version that is used for the session. Once the SSHv2 version is negotiated, the encryption algorithm with the highest security ranking is selected to be used for the session.
  • Page 77 Generating a Host RSA Key Pair When SSH is configured, a public and private host RSA key pair is generated for the HP device. The SSH server on the HP device uses this host RSA key pair, along with a dynamically generated server RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it.
  • Page 78 Providing the Public Key to Clients If you are using SSH to connect to an HP device from a UNIX system, you may need to add the HP device’s public key to a “known hosts” file; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a known hosts file: 10.10.20.10 1024 37 118771881862677030464851288737258046856031640635887679230111...
  • Page 79 6. The client sends the decrypted bytes back to the HP device. 7. The HP device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes match, it means that the client’s private key corresponds to an authorized public key, and the client is authenticated.
  • Page 80 To disable RSA challenge-response authentication: ProCurveRS(config)# ip ssh rsa-authentication no Syntax: ip ssh rsa-authentication yes | no Setting Optional Parameters You can adjust the following SSH settings on the HP device: • The number of SSH authentication retries • The server RSA key size...
  • Page 81 The maximum idle time for SSH sessions Setting the Number of SSH Authentication Retries By default, the HP device attempts to negotiate a connection with the connecting host three times. The number of authentication retries can be changed to between 1 – 5.
  • Page 82: Configure Ssh

    Without a user name and password, a user is not granted access. See “Setting Up Local User Accounts” on page 2-16 for information on setting up user names and passwords on HP devices. If you enable empty password logins, users are not prompted for a password when they log in. Any user with an SSH client can log in without being prompted for a password.
  • Page 83 Syntax: ip ssh idle-time <minutes> If an established SSH session has no activity for the specified number of minutes, the HP device closes it. An idle time of 0 minutes (the default value) means that SSH sessions never timeout. The maximum idle time for SSH sessions is 240 minutes.
  • Page 84 Security Guide for ProCurve 9300/9400 Series Routing Switches Table 3.1: SSH Connection Information (Continued) This Field... Displays... State The connection state. This can be one of the following: 0x00 Server started to send version number to client. 0x01 Server sent version number to client. 0x02 Server received version number from client.
  • Page 85 The ip ssh pub-key-file tftp command causes a public key file called pkeys.txt to be loaded from a TFTP server at 192.168.1.234. To gain access to the HP device using SSH, a user must have a private key that corresponds to one of the public keys in this file.
  • Page 86 Security Guide for ProCurve 9300/9400 Series Routing Switches You can use SCP to copy files on the HP device, including the startup-config and running-config files, to or from an SCP-enabled remote host. SCP is enabled by default and can be disabled. To disable SCP, enter the following command:...
  • Page 87: O Verview

    HP devices support the IEEE 802.1X standard for authenticating devices attached to LAN ports. Using 802.1X port security, you can configure an HP device to grant access to a port based on information supplied by a client to an authentication server.
  • Page 88 (Authenticator) Client/Supplicant Authenticator – The device that controls access to the network. In an 802.1X configuration, the HP device serves as the Authenticator. The Authenticator passes messages between the Client and the Authentication Server. Based on the identity information supplied by the Client, and the authentication information supplied by the Authentication Server, the Authenticator either grants or does not grant network access to the Client.
  • Page 89 Figure 4.2 shows the relationship between the Authenticator PAE and the Supplicant PAE. Figure 4.2 Authenticator PAE and Supplicant PAE Authentication Server HP Device (Authenticator) 802.1X-Enabled Supplicant Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE, receiving identifying information from the Supplicant.
  • Page 90 Client can flow through the port normally. By default, all controlled ports on the HP device are placed in the authorized state, allowing all traffic. When authentication is activated on an 802.1X-enabled interface, the interface’s controlled port is placed initially in the unauthorized state.
  • Page 91 Access-Accept message sent by the RADIUS server specifies a VLAN identifier, and this VLAN is available on the HP device, the client’s port is moved from its default VLAN to the specified VLAN. When the client disconnects from the network, the port is placed back in its default VLAN. See “Configuring Dynamic VLAN Assignment for 802.1X Ports”...
  • Page 92 Configuration for these challenge types is the same as for the EAP-MD5 challenge type. Authenticating Multiple Hosts Connected to the Same Port HP devices support 802.1X authentication for ports with more than one host connected to them. Figure 4.5 illustrates a sample configuration where multiple hosts are connected to a single 802.1X port.
  • Page 93 In release 07.8.00 and later, when multiple hosts are connected to a single 802.1X-enabled port on an HP device (as in Figure 4.5), 802.1X authentication is performed in the following way: 1. One of the 802.1X-enabled Clients attempts to log into a network in which an HP device serves as an Authenticator.
  • Page 94: A Ctions

    Dynamic VLAN assignment allows an 802.1X-enabled port to be assigned to a VLAN based on information received from the RADIUS server. Attributes in the RADIUS Access-Accept message can specify a VLAN identifier; if this VLAN is available on the HP device, the Client’s port can be moved from its default VLAN to the specified VLAN.
  • Page 95 If the port is a tagged or dual-mode port, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the HP device, then the port is placed in that VLAN. If the port is already a member of the RADIUS-specified VLAN, no further action is taken.
  • Page 96 NOTE: If you specify both radius and none, make sure radius comes before none in the method list. Setting RADIUS Parameters To use a RADIUS server to authenticate access to an HP device, you must identify the server to the HP device. For example: ProCurveRS(config)# radius-server host 209.157.22.99 auth-port 1812 acct-port 1813...
  • Page 97 The port control type can be one of the following: force-authorized – The port’s controlled port is placed unconditionally in the authorized state, allowing all traffic. This is the default state for ports on the HP device. force-unauthorized – The controlled port is placed unconditionally in the unauthorized state.
  • Page 98 Setting the Quiet Period If the HP device is unable to authenticate the Client, the HP device waits a specified amount of time before trying again. The amount of time the HP device waits is specified with the quiet-period parameter. The quiet-period parameter can be from 0 –...
  • Page 99 Specifying the Number of EAP-Request/Identity Frame Retransmissions If the HP device does not receive a EAP-response/identity frame from a Client, the device waits 30 seconds (or the amount of time specified with the timeout tx-period command), then retransmits the EAP-request/identity frame.
  • Page 100 RADIUS messages from the RADIUS server, encapsulates them as EAPOL frames, and sends them to the Client. When the HP device relays an EAP-Request frame from the RADIUS server to the Client, it expects to receive a response from the Client within 30 seconds. If the Client does not respond within the allotted time, the device retransmits the EAP-Request frame to the Client.
  • Page 101 Denied dot1x-mac-sessions, which are the dot1x-mac-sessions for non-authenticated Clients that are blocked by the HP device are aged out if no traffic is received from the Client’s MAC address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. (See the next section for more information on configuring the software aging period).
  • Page 102 Defining MAC Filters for EAP Frames You can create MAC address filters to permit or deny EAP frames. To do this, you specify the HP device’s 802.1X group MAC address as the destination address in a MAC filter, then apply the filter to an interface.
  • Page 103 If one of the attributes in the Access-Accept message specifies a VLAN identifier, and this VLAN is available on the HP device, the client’s port is moved from its default VLAN to the specified VLAN. When the client disconnects from the network, the port is placed back in its default VLAN.
  • Page 104 Information about the user-defined and dynamically applied MAC filters and IP ACLs currently active on the device • Information about the 802.1X multiple-host configuration Displaying 802.1X Configuration Information To display information about the 802.1X configuration on the HP device, enter the following command: ProCurveRS# show dot1x PAE Capability: Authenticator Only system-auth-control: Enable...
  • Page 105 Clients every 3,600 seconds by default. quiet-period When the HP device is unable to authenticate a Client, the amount of time the HP device waits before trying again (default 60 seconds). See “Setting the Quiet Period” on page 4-12 for information on how to change this setting.
  • Page 106 (disabling both reception of incoming frames and transmission of outgoing frames), or just in the incoming direction (disabling only reception of incoming frames). On HP devices, this parameter is set to BOTH. 4 - 20 June 2005...
  • Page 107 Whether the port is configured to allow multiple Supplicants accessing the interface on the HP device through a hub. See “Allowing Access to Multiple Hosts” on page 4-14 for information on how to change this setting. Displaying 802.1X Statistics To display 802.1X statistics for an individual port, enter a command such as the following:...
  • Page 108 Security Guide for ProCurve 9300/9400 Series Routing Switches Table 4.3: Output from the show dot1x statistics command (Continued) This Field... Displays... RX EAP Resp/Id The number of EAP-Response/Identity frames received on the port RX EAP Resp other than Resp/Id The total number of EAPOL-Response frames received on the port that were not EAP-Response/Identity frames.
  • Page 109 Configuring 802.1X Port Security The following is an example of the show interface command indicating the port’s dynamically assigned VLAN. Information about the dynamically assigned VLAN is shown in bold type. ProCurveRS# show interface e 12/2 FastEthernet12/2 is up, line protocol is up Hardware is FastEthernet, address is 0204.80a0.4681 (bia 0204.80a0.4681) Configured speed auto, actual 100Mbit, configured duplex fdx, actual fdx Member of L2 VLAN ID 2 (dot1x-RADIUS assigned), original L2 VLAN ID is 1,...
  • Page 110 Security Guide for ProCurve 9300/9400 Series Routing Switches ProCurveRS# show dot1x ip-acl Port 1/3 (User defined IP ACLs): Extended IP access list Port_1/3_E_IN permit udp any any Extended IP access list Port_1/3_E_OUT permit udp any any Syntax: show dot1x ip-acl Displaying Dynamically Applied MAC Filters and IP ACLs To display the dynamically applied MAC address filters active on an interface, enter a command such as the following:...
  • Page 111 Configuring 802.1X Port Security The following is an example of the output of the show dot1x command. The information related to multiple-host authentication is highlighted in bold. ProCurveRS# show dot1x Number of Ports enabled Re-Authentication : Enabled Authentication-fail-action : Restricted VLAN Authentication Failure VLAN : 111 Mac Session Aging...
  • Page 112 – The port’s controlled port is placed unconditionally in the authorized state, allowing all traffic. This is the default state for ports on the HP device. force-unauthorized – The controlled port is placed unconditionally in the unauthorized state. No authentication takes place for any connected 802.1X Clients.
  • Page 113 Configuring 802.1X Port Security Table 4.6: Output from the show dot1x mac-session command (Continued) This Field... Displays... Auth-State The authentication state of the dot1x-mac-session. This can be one of the following: permit – The Client has been successfully authenticated, and traffic from the Client is being forwarded normally.
  • Page 114 This section illustrates a sample point-to-point configuration and a sample hub configuration that use 802.1X port security. Point-to-Point Configuration Figure 4.6 illustrates a sample 802.1X configuration with Clients connected to three ports on the HP device. In a point-to-point configuration, only one 802.1X Client can be connected to each port. Figure 4.6 Sample point-to-point 802.1X configuration...
  • Page 115 Figure 4.7 illustrates a configuration where three 802.1X-enabled Clients are connected to a hub, which is connected to a port on the HP device. The configuration is similar to that in Figure 4.6, except that 802.1X port security is enabled on only one port, and the multiple-hosts command is used to allow multiple Clients on the port.
  • Page 116 Security Guide for ProCurve 9300/9400 Series Routing Switches The following commands configure the HP device in Figure 4.7: ProCurveRS(config)# aaa authentication dot1x default radius ProCurveRS(config)# radius-server host 192.168.9.22 auth-port 1812 acct-port 1813 default key mirabeau dot1x ProCurveRS(config)# dot1x-enable e 1...
  • Page 117 Using the MAC Port Security Feature Overview You can configure the HP device to learn a limited number of “secure” MAC addresses on an interface. The interface will forward only packets with source MAC addresses that match these secure addresses. The secure MAC addresses can be specified manually, or the HP device can learn them automatically.
  • Page 118 Security Guide for ProCurve 9300/9400 Series Routing Switches Configuring the MAC Port Security Feature To configure the MAC port security feature, you perform the following tasks: • Enable the MAC port security feature • Set the maximum number of secure MAC addresses for an interface •...
  • Page 119 Using the MAC Port Security Feature To set the port security age timer to 10 minutes on a specific interface: ProCurveRS(config)# int e 7/11 ProCurveRS(config-if-e100-7/11)# port security ProCurveRS(config-port-security-e100-7/11)# age 10 Syntax: [no] age <minutes> The default is 0 (never age out secure MAC addresses). Specifying Secure MAC Addresses To specify a secure MAC address on an interface, enter commands such as the following: ProCurveRS(config)# int e 7/11...
  • Page 120 Security Guide for ProCurve 9300/9400 Series Routing Switches Displaying Port Security Information You can display the following information about the port security feature: • The secure MAC addresses that have been saved to the startup-config file by the autosave feature •...
  • Page 121 Using the MAC Port Security Feature Displaying the Secure MAC Addresses on the Device To list the secure MAC addresses configured on the device, enter the following command: ProCurveRS(config)# show port security mac Port Num-Addr Secure-Src-Addr Resource Age-Left Shutdown/Time-Left ----- -------- --------------- -------- --------- ------------------ 7/11 0050.da18.747c Local...
  • Page 122 Security Guide for ProCurve 9300/9400 Series Routing Switches Table 5.3: Output from the show port security statistics <portnum> command (Continued) This Field... Displays... Shutdown/Time-Left Whether the port has been shut down due to a security violation and the number of seconds before it is enabled again. To display port security statistics for a module, enter the following command: ProCurveRS# show port security statistics 7 Module 7:...
  • Page 123 Configuring Multi-Device Port Authentication Overviewn Multi-device port authentication is a way to configure an HP device to forward or block traffic from a MAC address based on information received from a RADIUS server. This chapter is divided into the following sections: •...
  • Page 124 RADIUS server. When this happens, the RADIUS server returns an Access-Accept message back to the HP device. When the RADIUS server returns an Access- Accept message for a MAC address, that MAC address is considered authenticated, and traffic from the MAC address is forwarded normally by the HP device.
  • Page 125 Specifying the Format of the MAC Addresses Sent to the RADIUS Server When multi-device port authentication is configured, the HP device authenticates MAC addresses by sending username and password information to a RADIUS server. The username and password is the MAC address itself;...
  • Page 126 An interface can be dynamically assigned to a VLAN based on the MAC address learned on that interface. When a MAC address is successfully authenticated, the RADIUS server sends the HP device a RADIUS Access-Accept message that allows the HP device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain attributes set for the MAC address in its access profile on the RADIUS server.
  • Page 127 VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port. By default, the HP device moves the port out of the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure the device to ignore the RADIUS-specified VLAN in the RADIUS Access-Accept message, and leave the port in the restricted VLAN.
  • Page 128 CPU in time, causing the device to make additional authentication attempts. To limit the susceptibility of the HP device to such attacks, you can configure the device to use multiple RADIUS servers, which can share the load when there are a large number of MAC addresses that need to be authenticated.
  • Page 129 ProCurveRS(config-if-e100-3/1)# mac-authentication clear-mac-session 00e0.1234.abd4 Syntax: mac-authentication clear-mac-session <mac-address> This command removes the Layer 2 CAM entry created for the specified MAC address. If the HP device receives traffic from the MAC address again, the MAC address is authenticated again. Disabling Aging for Authenticated MAC Addresses MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received from the MAC address for a certain period of time.
  • Page 130 CLI. Once the HP device stops receiving traffic from a blocked MAC address, the hardware aging begins and lasts for a fixed period of time. After the hardware aging period ends, the software aging period begins. The software aging period lasts for a configurable amount of time (by default 120 seconds).
  • Page 131 Table 6.2: Output from the show authenticated-mac-address configuration command This Field... Displays... Feature enabled Whether the multi-device port authentication feature is enabled on the HP device. Number of Ports enabled The number of ports on which the multi-device port authentication feature is enabled. Port Information for each multi-device port authentication-enabled port.
  • Page 132 The time at which the MAC address was authenticated. If the clock is set on the HP device, then the actual date and time are displayed. If the clock has not been set, then the time is displayed relative to when the device was last restarted.
  • Page 133 Configuring Multi-Device Port Authentication Table 6.3: Output from the show authenticated-mac-address <address> command (Continued) This Field... Displays... CAM Index If the MAC address is blocked, the index entry for the Layer 2 CAM entry created for this MAC address. If the MAC address is not blocked, either through successful authentication or through being placed in the restricted VLAN, then “N/A”...
  • Page 134 The total number of authentication attempts made for MAC addresses on an interface, including pending authentication attempts. RADIUS timeouts The number of times the session between the HP device and the RADIUS server timed out. Aging of MAC-sessions Whether software aging of MAC addresses is enabled.
  • Page 135 The time at which the MAC address was authenticated. If the clock is set on the HP device, then the actual date and time are displayed. If the clock has not been set, then the time is displayed relative to when the device was last restarted.
  • Page 136 Security Guide for ProCurve 9300/9400 Series Routing Switches 6 - 14 June 2005...
  • Page 137: S Ervice A Ttacks

    Protecting Against Denial of Service Attacks In a Denial of Service (DoS) attack, a Routing Switch is flooded with useless packets, hindering normal operation. HP devices include measures for defending against two types of DoS attacks: Smurf attacks and TCP SYN attacks.
  • Page 138 Avoiding Being a Victim in a Smurf Attack You can configure the HP device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted or passing through an interface, and drop them when the thresholds are exceeded.
  • Page 139: Ttacks

    TCP SYN packets, the connection queue can fill up, and service can be denied to legitimate TCP connections. To protect against TCP SYN attacks, you can configure the HP device to drop TCP SYN packets when excessive numbers are encountered. You can set threshold values for TCP SYN packets that are targeted or passing through an interface, and drop them when the thresholds are exceeded.
  • Page 140: R Elease 07.6.06

    Software releases prior to 07.6.06 apply the following rules to the SYN bit when receiving TCP segments: • If the SYN bit is set and the sequence number is outside the expected window, the HP device sends an ACK back to the sender.
  • Page 141: Dropped Because Of Do Attack

    • If the SYN bit is set and the sequence number is acceptable, the HP device sends an acknowledgement (ACK) segment to the peer. In software releases 07.6.06 and later, the TCP security enhancement is enabled by default. To disable it, see “Disabling the TCP Security Enhancement”...
  • Page 142 Security Guide for ProCurve 9300/9400 Series Routing Switches 7 - 6 June 2005...
  • Page 143 CPU (for example, DNS requests), it requires excessive CPU utilization. The CPU protection feature allows you to configure the HP device to automatically take actions when thresholds related to high CPU or CAM usage are exceeded.
  • Page 144 CPU, the CAM, or both. • The following command enables the HP device to automatically take actions when thresholds related to high CAM usage are exceeded: ProCurveRS(config)# cpupro-action hardware-flooding enable NOTE: Hardware flooding actions are supported on EP devices only.
  • Page 145 NOTE: To enable hardware flooding on virtual interfaces, see “Enabling Hardware Flooding on Virtual Routing Interfaces” on page 8-3. • The following command enables the HP device to automatically take actions when thresholds related to high CPU usage are exceeded: ProCurveRS(config)# cpupro-action quick-aging enable...
  • Page 146 Security Guide for ProCurve 9300/9400 Series Routing Switches Specifying Actions For the hardware flooding actions, you can specify the number of CAM entries that can be allocated to each kind of traffic, as well as whether to flood or drop the traffic. Allocating CAM Entries for Hardware Flooding To accommodate the hardware flooding/dropping actions, the device allocates Layer 2 CAM entries to match broadcast traffic, multicast traffic, and unknown unicast traffic.
  • Page 147 Configuring CPU Protection Table 8.1: Output of the show l2-cpupro condition command This field Displays Condition Configuration: The conditions configured on the device. These include the three pre-configured conditions, as well as any user-configured conditions. Condition Monitoring: Whether any of the conditions has surpassed its declaring watermark.
  • Page 148 Security Guide for ProCurve 9300/9400 Series Routing Switches Table 8.2: Output of the show l2-cpupro actions command This field Displays Action Configuration: The actions configured on the device. Action Execution: Which actions have been enabled. Quick Aging: Whether the quick aging action has been enabled for a condition.
  • Page 149: O Verview

    When the unicast RPF feature is enabled, the HP device recognizes that traffic coming in on an external interface should not have source addresses belonging to the internal network, and the HP device consequently drops the traffic with the spoofed source addresses.
  • Page 150 For interfaces that can receive packets from the internal network as well as from external sources, you identify the interface as an external interface; this prevents the HP device from creating RPF CAM entries for routes learned on the interface. For example, in the configuration in Figure 9.2, interface 2/1 can receive packets from the Internet as well as from the internal network.
  • Page 151: U Nicast Rpf

    Layer 2 Switch Network 192.168.30.x In this example, interface 2/1 as identified as an external interface. When the HP device compiles the list of internally learned routes for unicast RPF, it does not include the routes learned on interface 2/1. Note that...
  • Page 152: U Nicast Rpf

    ProCurveRS(config-if-e100-2/1)# ip verify unicast external-interface When an interface is identified as an external interface with this command, it prevents the HP device from creating RPF CAM entries for routes learned on the interface. Unicast RPF is not performed for incoming packets on the interface.
  • Page 153: Ntries

    Configuring Unicast RPF Table 9.1 lists the information displayed in the output of the show ip rpf command. Table 9.1: Output of the show ip rpf command This Field... Displays... Total number of RPF route The number of CAM entries that have been created for unicast RPF. entries Destination The address of the route.
  • Page 154 Security Guide for ProCurve 9300/9400 Series Routing Switches 9 - 6 June 2005...
  • Page 155 “Restricting SNMP Access to a Specific VLAN” on page 2-9 • “Disabling SNMP Access” on page 2-11 This chapter presents additional methods for securing SNMP access to HP devices. It contains the following sections: • “Establishing SNMP Community Strings” on page 10-1 •...
  • Page 156 Security Guide for ProCurve 9300/9400 Series Routing Switches as the password. You can configure as many additional read-only and read-write community strings as you need. The number of strings you can configure depends on the memory on the device. There is no practical limit. The Web management interface supports only one read-write session at a time.
  • Page 157 Securing SNMP Access NOTE: If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
  • Page 158 Security Guide for ProCurve 9300/9400 Series Routing Switches 3. Click the Community String link to display the SNMP Community String panel. This panel shows a list of configured community strings. For example, 4. Click Add Community String to display the SNMP Community String fields. 5. Select the type of community string you are adding by clicking the "Get"...
  • Page 159 Securing SNMP Access 10. Click Add to apply the change to the device’s running-config file. 11. Select the Save link at the bottom of the panel. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory. Displaying the SNMP Community Strings To display the SNMP community strings, use one of the following methods.
  • Page 160: Engine Id

    3. Configure the SNMP version 3 features in HP devices. Configuring SNMP Version 3 on HP Devices To configure SNMP version 3 on HP devices, do the following: 1. Enter an engine ID for the management module using the snmp-server engineid command if you will not use the default engine ID.
  • Page 161 Securing SNMP Access NOTE: Since the current implementation of SNMP version 3 does not support Notification, remote engine IDs cannot be configured at this time. The <hex-string> variable consists of 11 octets, entered as hexadecimal values. There are two hexadecimal characters in each octet.
  • Page 162 Security Guide for ProCurve 9300/9400 Series Routing Switches NOTE: If you will be using a view other than the "v1default" view, that view must be configured before creating the user group. See the section “Defining SNMP Views” on page 10-10, especially for details on the include | exclude parameters.
  • Page 163: D Isplaying Snmp G Roups

    Securing SNMP Access hexadecimal format for the des-password. If the "encryption" keyword is not used enter a password string. The agent will generate a suitable 16-octet DES key from the password string. Currently, DES is the only encryption type supported for priv password. Displaying the Engine ID To display the engine ID of a management module, enter a command such as the following: ProCurveRS(config)# show snmp engineid...
  • Page 164: D Isplaying U Ser I Nformation

    Security Guide for ProCurve 9300/9400 Series Routing Switches Displaying User Information To display the definition of an SNMP user account, enter a command such as the following: ProCurveRS(config)# show snmp user username = bob acl id = 2 group = admin security model = v3 group acl id = 0 authtype = md5...
  • Page 165 The numbers represent the hierarchical location of the object in the MIB tree. You can reference individual objects in the MIB tree or a subset of objects from the MIB tree. To configure the number of SNMP views available on the HP device: ProCurveRS(config)# system-max view 15 Syntax: system-max view <number-of-views>...
  • Page 166 Security Guide for ProCurve 9300/9400 Series Routing Switches 10 - 12 June 2005...
  • Page 167: Index

    Index Numerics authentication timeout 4-13 802.1X 4-1 authentication method 4-10 displaying information 4-18 Caution 1-ii displaying statistics 4-22 CLI dynamic VLAN 4-16 local user account 2-16 message exchange 4-4 privilege level multiple hosts 4-14 augmenting 2-14 RADIUS 4-10 community string sample configuration 4-28 configuring 10-1 sFlow 4-9...
  • Page 168 Security Guide for ProCurve 9300/9400 Series Routing Switches engine ID 10-6 10-9 publications, latest ii-ix Grounding 1-ii quiet period 4-12 IP ACL RADIUS 2-1 2-38 securing access 2-4 802.1X 4-10 SNMP access 2-5 read-write community string Telnet access 2-4 no default 10-2 Web management 2-5 release notes ii-xi IP address...
  • Page 169 idle time 3-9 login timeout 3-8 password login 3-7 port number 3-8 RSA key size RSA key 3-7 sample configuration 3-11 source of packets 3-8 SSHdeactivating authentication 3-7 TACACS/TACACS+ 2-1 2-20 TCP SYN attacks 7-3 Telnet local user account 2-16 password 2-13 security IP ACL 2-4...
  • Page 170 Security Guide for ProCurve 9300/9400 Series Routing Switches Index - 4 June 2005...
  • Page 171 Backcover...
  • Page 172 Technical information in this document is subject to change without notice. © Copyright 2000, 2005 Hewlett-Packard Development Company, L.P. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. June 2005 Manual Part Number 5990-6029...

This manual is also suitable for:

J4139aProcurve 9308mJ4874aProcurve 9408slJ4138aJ8680a ... Show all