Yesterday, the Internet Storm Center published a diary called “Access Controls for Network Infrastructure”. That particular diary is Cisco-centric, so I thought I’d put together something similar for HP ProCurve gear (at least the 2650, 2910s, and 5400s I’ve worked with).
HP ProCurve gear ships without any type of authentication by default. This is similar to Cisco; however, Cisco gear will not let us log in over the network if no password has been configured. HP ProCurve gear will.
For example, I have a ProCurve 2650 here that I completely reset to factory defaults and connected to my home lab. The switch is configured to use DHCP to obtain an IP address. Once the device has a valid IP address on the network, we are able to telnet to the device and gain complete access to it without having to authenticate.
In short, you cannot log in with default credentials because there are none. Just telnet in and gain administrative access!
While not quite as good as per-user authentication backed by your directory service of choice (see below), we can set up two accounts on the device: one unprivileged, one privileged. The “operator” user is unprivileged, while the “manager” user is privileged. You can choose to use these same usernames, or create your own, e.g.:
Switch(config)# password operator
Switch(config)# password operator user-name junior
Switch(config)# password manager
Switch(config)# password manager user-name admin
In any of those instances, you’ll be prompted twice for the password you wish to set.
I should also note that every ProCurve switch I’ve seen ships with SNMP read/write enabled by default with a community string of “public”. Seriously, HP? You can (and should) turn that off with “no snmp-server community public”.
Prevent Access in the First Place
Similar to Cisco’s “access-class”, we can restrict management of our HP devices down to specific hosts or subnets, e.g.:
Switch(config)# ip authorized-managers 192.168.7.42 255.255.255.255 access manager
Switch(config)# ip authorized-managers 192.168.7.0 255.255.255.0 access operator
Some devices will allow us to specify the “access-method” (e.g. SSH, SNMP, etc.):
Switch(config)# ip authorized-managers 192.168.38.0 255.255.255.0 access manager access-method ssh
Switch(config)# ip authorized-managers 192.168.55.183 255.255.255.255 access operator access-method snmp
This would allow “manager” SSH access from 192.168.38.0/24, while also allowing the host 192.168.55.183 read-only access to the device via SNMP.
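To check an intended authorized-managers policy before typing it into a switch, here is a small model of the matching described above. This is an added example, not HP code: it treats the address plus mask as a host or subnet, “access” as the privilege level, and an omitted “access-method” as “all” (that last reading is an assumption of the model). The entry list is constructed from the two commands shown above, and the empty-list case reproduces the switch behaviour of allowing management from any host when no entries are configured.

```python
"""Model of HP ProCurve 'ip authorized-managers' matching (added example, not HP code)."""
import ipaddress

# Constructed sample: the two entries from the article. A missing "method"
# key is treated as "all" (assumption of this model).
AUTHORIZED_MANAGERS = [
    {"ip": "192.168.38.0", "mask": "255.255.255.0",
     "access": "manager", "method": "ssh"},
    {"ip": "192.168.55.183", "mask": "255.255.255.255",
     "access": "operator", "method": "snmp"},
]

PRIVILEGE = {"operator": 1, "manager": 2}


def entry_matches(entry, src_ip, method):
    """True if src_ip is inside the entry's address/mask and the method is allowed."""
    net = ipaddress.ip_network(f"{entry['ip']}/{entry['mask']}", strict=False)
    in_range = ipaddress.ip_address(src_ip) in net
    method_ok = entry.get("method", "all") in ("all", method)
    return in_range and method_ok


def effective_access(entries, src_ip, method):
    """Highest access level ('manager' or 'operator') granted to src_ip over
    the given method, or None when no entry matches.

    With no entries configured the switch restricts nothing, so an empty list
    yields full 'manager' access from anywhere; an audit must not read that
    as 'denied'."""
    if not entries:
        return "manager"
    best = None
    for entry in entries:
        if entry_matches(entry, src_ip, method):
            if best is None or PRIVILEGE[entry["access"]] > PRIVILEGE[best]:
                best = entry["access"]
    return best


if __name__ == "__main__":
    for src, meth in [("192.168.38.17", "ssh"), ("192.168.38.17", "snmp"),
                      ("192.168.55.183", "snmp"), ("192.168.55.184", "snmp")]:
        print(src, meth, "->", effective_access(AUTHORIZED_MANAGERS, src, meth))
```

Note that a host matched only by an “operator” entry cannot reach manager level at all, so a single host-mask entry is the tightest way to grant privileged access.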
Encrypt all Administrative Access
As mentioned above, SNMP and telnet are enabled by default (never a good thing). If you’re going to use SNMP, then you should only be using SNMPv3 (see my article, “SNMPv3 Configuration for ProCurve 5400s”, for an example of how to do that). Likewise, you should never use telnet, but instead use SSH (and only version 2). Setting up SSH is simple:
Switch(config)# ip ssh version 2
Switch(config)# ip ssh
Once you’ve done that, you should also disable telnet:
Switch(config)# no telnet-server
I’m not a big fan of using web interfaces to manage network devices, but I know that some people are. Device management by HTTP is also enabled by default. If you are going to use the web interface, you should disable the “plaintext” HTTP server and enable only the encrypted HTTPS server instead:
Switch(config)# no web-management plaintext
Switch(config)# crypto key generate cert 1024
Switch(config)# crypto host-cert generate self-signed
Validity start date [01/01/1970]: 08/06/2010
Validity end date [08/09/2011]: 08/06/2015
Common name [0.0.0.0]: switch.lab.evilrouters.net
Organizational unit [Dept Name]: Networking
Organization [Company Name]: Evil Routers
City or location [City]: Bloomington
State name [State]: Indiana
Country code [US]: US
Switch(config)# web-management ssl
A quick port scan of the switch now shows that only ports 22/TCP and 443/TCP are open:
$ nmap -sT 203.0.113.117
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-06 17:38 EDT
Interesting ports on dhcp-117.lab.evilrouters.net (203.0.113.117):
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds
Even one step better than a shared administrative account is to use external authentication. Any network device that isn’t a piece of crap (and a lot that are) has the ability to use an external source such as Active Directory, LDAP, etc. for authentication, mostly through RADIUS or TACACS. While a number of ProCurve network devices (supposedly) support TACACS, I have never attempted to use it. Instead, I use RADIUS (FreeRADIUS, to be exact). Once you have your RADIUS server configured to support your NAS (see “Configuring FreeRADIUS to support Cisco AAA Clients” and “Authenticating Cisco Devices Against Active Directory”), the switch-side configuration is rather straightforward and simple (and similar to Cisco). The RADIUS server is “192.168.5.50” and the shared secret is “AewieV3taez9fa” in this example.
Switch(config)# radius-server host 192.168.5.50 key AewieV3taez9fa
Switch(config)# aaa authentication console login radius local
Switch(config)# aaa authentication console enable radius local
Switch(config)# aaa authentication ssh login radius local
Switch(config)# aaa authentication ssh enable radius local
NOTE: Even if you have disabled other methods of access (telnet, web, etc.), you should also set up authentication methods for them, in the event that someone else (accidentally or purposefully) enables them in the future. For that, just re-issue the above commands, substituting “telnet” and “web” for “ssh”.
As mentioned in the original article, you should also implement syslog and change logging. Hopefully you already have a central syslog server in your network, in which case configuring your ProCurve device to send logs to it is a simple matter:
Switch(config)# logging 192.168.42.42
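Once you are collecting configs (RANCID, below, or just “show running-config” saved to a file), the hardening points above can be checked mechanically: the default SNMP community, telnet and plaintext web left enabled, SSH not enabled, no authorized-managers entries, missing aaa authentication methods for every access type (per the NOTE above), and no syslog destination. The audit below is an added example, not HP’s or this article’s tooling. It assumes the config is plain text in which defaults are not printed, so each protection must appear as an explicit line (e.g. “no telnet-server”); both sample configs are constructed, the hardened one from the commands in this article.

```python
"""Audit a ProCurve running-config for the hardening items discussed (added example)."""
import re

# Access types the article says must each get an authentication method,
# even when the access type itself is disabled.
ACCESS_METHODS = ("console", "ssh", "telnet", "web")

# Lines that must be present (assumption: defaults are not printed, so the
# explicit "no ..." form is what proves the protection is in place).
REQUIRED = [
    ("telnet-server not disabled", r"^no telnet-server$"),
    ("plaintext web management not disabled", r"^no web-management plaintext$"),
    ("SSH server not enabled", r"^ip ssh$"),
    ("no ip authorized-managers entries (management allowed from any host)",
     r"^ip authorized-managers "),
    ("no syslog destination configured", r"^logging \S+"),
]

# Lines that must be absent.
FORBIDDEN = [
    ("default SNMP community 'public' still present",
     r'^snmp-server community "?public"?'),
]


def audit(config_text):
    """Return a list of finding strings; an empty list means all checks passed."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]  # drop comments

    def present(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    findings = [msg for msg, pat in REQUIRED if not present(pat)]
    findings += [msg for msg, pat in FORBIDDEN if present(pat)]
    for method in ACCESS_METHODS:
        for stage in ("login", "enable"):
            if not present(rf"^aaa authentication {method} {stage} "):
                findings.append(f"no aaa authentication method for {method} {stage}")
    return findings


# Constructed sample: roughly what a factory-reset switch prints.
FACTORY_DEFAULT_CONFIG = """\
; Configuration Editor; Created on release #X.XX.XX (constructed sample)
hostname "ProCurve Switch"
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address dhcp-bootp
   exit
"""

# Constructed sample: the same switch after the commands in this article.
HARDENED_CONFIG = """\
; Configuration Editor; Created on release #X.XX.XX (constructed sample)
hostname "ProCurve Switch"
no telnet-server
ip ssh
no web-management plaintext
web-management ssl
ip authorized-managers 192.168.38.0 255.255.255.0 access manager access-method ssh
radius-server host 192.168.5.50 key AewieV3taez9fa
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication web login radius local
aaa authentication web enable radius local
logging 192.168.42.42
"""

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it over every config RANCID checks in and you get a diff-able list of devices that drifted back to the defaults, which is exactly the case the NOTE above is guarding against.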
On the subject of change management, SANS specifically mentions using RANCID, which I also use and recommend. See my previous article “Installing RANCID on Ubuntu 10.04 LTS” for more details.
Did I miss anything? Let me know and I’ll be happy to cover it as well.