Summary of the content included on page 1
ProCurve Switches
Access Security Guide
Switch 2600 Series
Switch 2600-PWR Series
Switch 2800 Series
Switch 4100 Series
Switch 6108 Series
Summary of the content included on page 2
Summary of the content included on page 3
ProCurve
Switch 2600 Series
Switch 2600-PWR Series
Switch 2800 Series
Switch 4100gl Series
Switch 6108
December 2008
Access Security Guide
Summary of the content included on page 4
© Copyright 2001-2008 Hewlett-Packard Company, L.P.
The information contained herein is subject to change without notice.
Publication Number 5990-6024
December 2008
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection
Summary of the content included on page 5
Contents
Product Documentation
About Your Switch Manual Set . . . xi
Feature Index . . . xii
1 Getting Started
Contents . . . 1-1
Introduction . . .
Summary of the content included on page 6
Front-Panel Security . . . 2-7
When Security Is Important . . . 2-7
Front-Panel Button Functions . . . 2-8
Configuring Front-Panel Security . . . 2-10
Password Recovery . . .
Summary of the content included on page 7
4 TACACS+ Authentication
Contents . . . 4-1
Overview . . . 4-2
Terminology Used in TACACS Applications: . . . 4-3
General System Requirements . . . 4-5
General Authentication Setup Pr
Summary of the content included on page 8
1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . 5-8
2. Configure the Switch To Access a RADIUS Server . . . 5-10
3. Configure the Switch’s Global RADIUS Parameters . . . 5-12
Local Authentication Process . . . 5-16
Controlling Web Browser Interface Access When Using
Summary of the content included on page 9
6. Use an SSH Client To Access the Switch . . . 6-21
Further Information on SSH Client Public-Key Authentication . . . 6-21
Messages Related to SSH Operation . . . 6-27
7 Configuring Secure Socket Layer (SSL)
Contents . . . 7-1
Overview . . .
Summary of the content included on page 10
Configuring Switch Ports as 802.1X Authenticators . . . 8-15
1. Enable 802.1X Authentication on Selected Ports . . . 8-15
3. Configure the 802.1X Authentication Method . . . 8-19
4. Enter the RADIUS Host IP Address(es) . . . 8-20
5. Enable 802.1X Authentication on the Switch . . . 8-20
802.1X Open VLAN Mode . . .
Summary of the content included on page 11
MAC Lockdown . . . 9-17
Differences Between MAC Lockdown and Port Security . . . 9-19
Deploying MAC Lockdown . . . 9-21
MAC Lockout . . . 9-25
Port Security and MAC Lockout . . . 9-27
IP
Summary of the content included on page 12
Defining Authorized Management Stations . . . 11-4
Overview of IP Mask Operation . . . 11-4
Menu: Viewing and Configuring IP Authorized Managers . . . 11-5
CLI: Viewing and Configuring Authorized IP Managers . . . 11-6
Web: Configuring IP Authorized Managers . . . 11-9
Building IP Masks . . .
Summary of the content included on page 13
Product Documentation
About Your Switch Manual Set
The switch manual set includes the following:
■ Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information.
■ Installation and Getting Started Guide - a printed guide shipped with your switch. This guide explains how to prepare for and perform the physical installation and connection to your network.
■ Management and Configuration Guide - included as a PDF file on the
Summary of the content included on page 14
Product Documentation
Feature Index
For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.)

Feature | Management and Configuration Guide | Advanced Traffic Management Guide | Access Security Guide
802.1Q VLAN Tagging | - | X | -
802.1X Port-Based Priority X - - Authentication -- X
Authorized IP Managers | - | - | X
Config File | X | - | -
Copy Command | X | - | -
Summary of the content included on page 15
Product Documentation

Feature | Management and Configuration Guide | Advanced Traffic Management Guide | Access Security Guide
LACP | X | - | -
Link | X | - | -
LLDP | X | - | -
MAC Address Management | X | - | -
MAC Lockdown | - | - | X
MAC Lockout | - | - | X
MAC-based Authentication | - | - | X
Monitoring and Analysis | X | - | -
Multicast Filtering | - | X | -
Network Management Applications (LLDP, SNMP) | X | - | -
Passwords | - | - | X
Ping | X | - | -
Port Configuration | X | - | -
Port Security | - | - | X
Port Status | X | - | -
Port Trunking (LACP) | X | - | -
Port-Based Access Control | - | - | X
Port-Bas
Summary of the content included on page 16
Product Documentation

Feature | Management and Configuration Guide | Advanced Traffic Management Guide | Access Security Guide
Source-Port Filters | - | - | X
Spanning Tree (STP, RSTP, MSTP) | - | X | -
SSH (Secure Shell) Encryption | - | - | X
SSL (Secure Socket Layer) | - | - | X
Stack Management (Stacking) | - | X | -
Syslog | X | - | -
System Information | X | - | -
TACACS+ Authentication | - | - | X
Telnet Access | X | - | -
TFTP | X | - | -
Time Protocols (TimeP, SNTP) | X | - | -
Traffic/Security Filters | - | - | X
Troubleshooting | X | - | -
VLANs | - | X | -
Web-based Authentication | - | - | X
Summary of the content included on page 17
1 Getting Started
Contents
Introduction . . . 1-2
Overview of Access Security Features . . . 1-2
Management Access Security Protection . . . 1-3
General Switch Traffic Security Guidelines . . . 1-4
Conventions . . .
Summary of the content included on page 18
Getting Started
Introduction
This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches:
■ ProCurve Series 2600
■ ProCurve Series 2600-PWR
■ ProCurve Series 2800
■ ProCurve Series 4100gl
■ ProCurve Switch 6108
For an overview of other product documentation for the above switches, refer to “Product Documentation” on page xi. The Product Documentation CD-ROM shipped w
Summary of the content included on page 19
Getting Started
Overview of Access Security Features
■ Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation.
■ Port-Based Access Control (802.1X) (page 8-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to opera
Summary of the content included on page 20
Getting Started
Overview of Access Security Features
Table 1-1. Management Access Security Protection

Security Feature | Offers Protection Against Unauthorized Client Access to Switch Management Features: Telnet | SNMP (Net Mgmt) | Web Browser | SSH Client | Offers Protection Against Unauthorized Client Connection/Access to the Network
Local Manager and Operator Usernames and Passwords | PtP: Yes | No | Yes | Yes | No¹
(same) | Remote: Yes | No | Yes | Yes | No¹
TACACS+ | PtP: Yes | No | No | Yes | No
(same) | Remote: Yes | No | No | Yes | No¹
RADIUS