10 Enforcing Switch Security
Switch Management Access Security
SNMP Access (Simple Network Management Protocol)
In the default configuration, the switch is open to access by management stations running SNMP
management applications capable of viewing and changing the settings and status data in the switch’s
MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing
unauthorized SNMP access should be a key element of your network security strategy.
General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options. ProCurve recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation). SNMPv3 security options include:
• configuring device communities as a means for excluding management access by unauthorized stations
• configuring for access authentication and privacy
• reporting events to the switch CLI and to SNMP trap receivers
• restricting non-SNMPv3 agents to either read-only access or no access
• co-existing with SNMPv1 and v2c if necessary
For more on SNMPv3, refer to the next subsection and to the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.
SNMP Access to the Switch’s Authentication Configuration MIB. A management station running an SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can access the switch’s management information base (MIB) for read access to the switch’s status and read/write access to the switch’s configuration. In earlier software versions, SNMP access to the switch’s authentication configuration (hpSwitchAuth) MIB was not allowed. However, beginning with software release L.10.20, the switch’s default configuration allows SNMP access to security settings in hpSwitchAuth. If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from software release L.10.20 or greater:
1. If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above and in the section titled “Using SNMP To View and Configure Switch Authentication Features” (page ) is not desirable for your network, then immediately after downloading and booting from the L.10.20 or greater software for the first time, use the following command to disable this feature:
snmp-server mib hpswitchauthmib excluded
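The following CLI session is an added example, not text from this manual, showing how the recommendations above fit together on a ProCurve switch: enable SNMPv3, stop unprotected v1/v2c operation (or restrict it to read-only), and exclude the hpSwitchAuth MIB. Only snmp-server mib hpswitchauthmib excluded appears on this page; snmpv3 enable, snmpv3 only, snmpv3 restricted-access, show snmpv3 user and show snmp-server are assumed from ProCurve CLI conventions and should be checked against the Management and Configuration Guide for your release.

```text
; Constructed example: SNMP hardening after booting release L.10.20 or greater.
; Commands other than "snmp-server mib hpswitchauthmib excluded" are assumed
; from ProCurve CLI conventions; verify them for your software release.
ProCurve(config)# snmpv3 enable
; The switch prompts for an initial SNMPv3 user. Give it both an authentication
; password and a separate privacy password so messages are signed and encrypted.

; Option A: block all SNMPv1 and v2c messages (plain-text management is refused).
ProCurve(config)# snmpv3 only

; Option B (use instead of A if legacy tools still need v1/v2c):
; keep v1/v2c but limit non-SNMPv3 agents to read-only access.
; ProCurve(config)# snmpv3 restricted-access

; Close the authentication configuration MIB regardless of which option applies.
ProCurve(config)# snmp-server mib hpswitchauthmib excluded
ProCurve(config)# write memory

; Verification: confirm the v3 user exists and review the SNMP server settings.
ProCurve# show snmpv3 user
ProCurve# show snmp-server
```

Applying snmpv3 only also drops SNMPv1/v2c traps from older tools, so confirm your trap receivers are configured for SNMPv3 before selecting option A.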