HP 3500yl Series Access Security Manual page 38

Security Overview
Access Security Features
Feature Default
Setting
SSL disabled
SNMP public,
unrestricted
Authorized IP none
Managers
Secure disabled
Management
VLAN
ACLs for none
Management
Access
Protection
TACACS+ disabled
Authentication
RADIUS disabled
Authentication
1-4
Security Guidelines
Secure Socket Layer (SSL) and Transport Layer Security
(TLS) provide remote Web browser access (WebAgent)
to the switch via authenticated transactions and
encrypted paths between the switch and management
station clients capable of SSL/TLS operation. The
authenticated type includes server certificate
authentication with user password authentication.
In the default configuration, the switch is open to access
by management stations running SNMP management
applications capable of viewing and changing the
settings and status data in the switch's MIB
(Management Information Base). Thus, controlling
SNMP access to the switch and preventing
unauthorized SNMP access should be a key element of
your network security strategy.
This feature uses IP addresses and masks to determine
whether to allow management access to the switch
across the network through the following :
• Telnet and other terminal emulation applications
• The WebAgent
• SNMP (with a correct community name)
This feature creates an isolated network for managing
the HP switches that offer this feature. When a secure
management VLAN is enabled, CLI, Menu interface, and
WebAgent access is restricted to ports configured as
members of the VLAN.
ACLs can also be configured to protect management
access by blocking inbound IP traffic that has the switch
itself as the destination IP address.
This application uses a central server to allow or deny
access to TACACS-aware devices in your network.
TACACS+ uses username/password sets with
associated privilege levels to grant or deny access
through either the switch's serial (console) port or
remotely, with Telnet.
If the switch fails to connect to a TACACS+ server for the
necessary authentication service, it defaults to its own
locally configured passwords for authentication control.
TACACS+ allows both login (read-only) and enable
(read/write) privilege level access.
For each authorized client, RADIUS can be used to
authenticate operator or manager access privileges on
the switch via the serial port (CLI and Menu interface),
Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP)
access methods.
More Information and
Configuration Details
"Quick Start: Using the
Management Interface
Wizard" on page 1-10
Chapter 9, "Configuring
Secure Socket Layer (SSL)"
"SNMP Security Guidelines"
on page 1-13;
see the section "Using
SNMP Tools To Manage the
Switch" in the Management
and Configuration Guide
Chapter 15, "Using
Authorized IP Managers"
Advanced Traffic
Management Guide, refer to
the chapter "Static Virtual
LANs (VLANs)"
"Access Control Lists
(ACLs)" on page 1-7
Chapter 10, "IPv4 Access
Control Lists (ACLs)"
Chapter 5, "TACACS+
Authentication"
Chapter 6, "RADIUS
Authentication and
Accounting"