HP ProCurve 6120G/XG Manual page 32

Security Overview
Access Security Features
Feature Default
Setting
Telnet and enabled
Web-browser
access
SSH disabled
1-4
Security Guidelines
The default remote management protocols enabled on
the switch are plain text protocols, which transfer
passwords in open or plain text that is easily captured.
To reduce the chances of unauthorized users capturing
your passwords, secure and encrypted protocols such
as SSH and SSL (see below for details) should be used
for remote access. This enables you to employ
increased access security while still retaining remote
client access.
Also, access security on the switch is incomplete
without disabling Telnet and the standard Web browser
access. Among the methods for blocking unauthorized
access attempts using Telnet or the Web browser are
the following two CLI commands:
• no telnet-server: This command blocks inbound
Telnet access.
• no web-management: This command prevents use of
the Web browser interface through http (port 80)
server access.
If you choose not to disable Telnet and Web browser
access, you may want to consider using RADIUS
accounting to maintain a record of password-protected
access to the switch.
SSH provides Telnet-like functions through encrypted,
authenticated transactions of the following types:
• client public-key authentication: uses one or more
public keys (from clients) that must be stored on the Chapter 8 "Configuring
switch. Only a client with a private key that matches Secure Shell (SSH)"
a stored public key can gain access to the switch.
• switch SSH and user password authentication: this
option is a subset of the client public-key
authentication, and is used if the switch has SSH
enabled without a login access configured to
authenticate the client's key. In this case, the switch
authenticates itself to clients, and users on SSH
clients then authenticate themselves to the switch by
providing passwords stored on a RADIUS or
TACACS+ server, or locally on the switch.
• secure copy (SC) and secure FTP (SFTP): By opening
a secure, encrypted SSH session, you can take
advantage of SC and SFTP to provide a secure
alternative to TFTP for transferring sensitive switch
information. For more on SC and SFTP, refer to the
section titled "Using Secure Copy and SFTP" in the
"File Transfers" appendix of the Management and
Configuration Guide for your switch.
More Information and
Configuration Details
"Quick Start: Using the
Management Interface
Wizard" on page 1-10
For more on Telnet and web
browser access, refer to the
chapter on "Interface
Access and System
Information" in the
Management and
Configuration Guide.
For RADIUS accounting,
refer to Chapter 6, "RADIUS
Authentication and
Accounting"
"Quick Start: Using the
Management Interface
Wizard" on page 1-10