10
Enforcing Switch Security
Switch Management Access Security
SNMP Access (Simple Network Management Protocol)
In the default configuration, the switch is open to access by management stations running SNMP
management applications capable of viewing or changing usernames, passwords, configuration, and
status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to
the switch and preventing unauthorized SNMP access should be a key element of your network
security strategy.
General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including
SNMP community and trap configuration. The default configuration supports versions 1 and 2c
compatibility, which uses plain text and does not provide security options. ProCurve recommends
that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure
restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected
operation). SNMPv3 security options include:
• configuring device communities as a means for excluding management access by
unauthorized stations
• configuring for access authentication and privacy
• reporting events to the switch CLI and to SNMP trap receivers
• restricting non-SNMPv3 agents to either read-only access or no access
• co-existing with SNMPv1 and v2c if necessary
SNMP Access to the Switch’s Local Username and Password Authentication MIB Objects.
A management station running an SNMP networked device management application such as
ProCurve Manager Plus (PCM+) or HP OpenView can access the switch’s management information
base (MIB) for write access to the switch’s local username and password configuration. In earlier
software versions, SNMP access to the switch’s local authentication configuration (hpSwitchAuth)
MIB objects was not allowed. However, beginning with software release U.11.04, the switch’s default
configuration allows SNMP access to the local username and password MIB objects in hpSwitchAuth.
If SNMP access to these MIB objects is considered a security risk in your network, then you should
implement the following security precautions when downloading and booting from software release
U.11.04 or greater:
1. If SNMP write access to the switch’s local username and password authentication configuration
(hpSwitchAuth) MIB (described above is not desirable for your network, then immediately after
downloading and booting from the U.11.04 or greater software for the first time, use the
following CLI command to disable this feature:
snmp-server mib hpswitchauthmib excluded