Access Controls for HP ProCurve Devices

by Jeremy L. Gaddis on August 6, 2010 · 6 comments

Yesterday, the Internet Storm Center published a diary called “Access Controls for Network Infrastructure”. That particular diary is Cisco-centric, so I thought I’d put together something similar for HP ProCurve gear (at least the 2650, 2910s, and 5400s I’ve worked with).

Default Credentials

HP ProCurve gear ships without any type of authentication by default. This is similar to Cisco; however, Cisco gear will not let us log in via the network if a password has not been configured. HP ProCurve gear will.

For example, I have a ProCurve 2650 here that I completely reset to factory defaults and connected to my home lab. The switch is configured to use DHCP to obtain an IP address. Once the device has a valid IP address on the network, we are able to telnet to the device and gain complete access to it without having to authenticate.

In short, you cannot log in with default credentials because there are none. Just telnet in and gain administrative access!

While not quite as good as per-user authentication backed by your directory service of choice (see below), we can set up two accounts on the device: one unprivileged, one privileged. The “operator” user is unprivileged, while the “manager” user is privileged. You can choose to use these same usernames, or create your own, e.g.:

Switch(config)# password operator
Switch(config)# password operator user-name junior
Switch(config)# password manager
Switch(config)# password manager user-name admin

In any of those instances, you’ll be prompted twice for the password you wish to set.

I should also note that every ProCurve switch I’ve seen ships with SNMP read/write enabled by default with a community string of “public”. Seriously, HP? You can (and should) turn that off with “no snmp-server community public”.

Prevent Access in the First Place

Similar to Cisco’s “access-class”, we can restrict management of our HP devices down to specific hosts or subnets, e.g.:

Switch(config)# ip authorized-managers 192.168.7.42 255.255.255.255 access manager
Switch(config)# ip authorized-managers 192.168.7.0 255.255.255.0 access operator

Some devices will allow us to specify the “access-method” (e.g. SSH, SNMP, etc.):

Switch(config)# ip authorized-managers 192.168.38.0 255.255.255.0 access manager access-method ssh
Switch(config)# ip authorized-managers 192.168.55.183 255.255.255.255 access operator access-method snmp

This would allow “manager” SSH access from 192.168.38.0/24, while also allowing the host 192.168.55.183 read-only access to the device via SNMP.

Encrypt all Administrative Access

As mentioned above, SNMP and telnet are enabled by default (never a good thing). If you’re going to use SNMP, then you should only be using SNMPv3 (see my article, “SNMPv3 Configuration for ProCurve 5400s”, for an example of how to do that). Likewise, you should never use telnet, but instead use SSH (and only version 2). Setting up SSH is simple:

Switch(config)# ip ssh version 2
Switch(config)# ip ssh

Once you’ve done that, you should also disable telnet:

Switch(config)# no telnet-server

I’m not a big fan of using web interfaces to manage network devices, but I know that some people are. Device management by HTTP is also enabled by default. If you are going to use the web interface, you should disable the “plaintext” HTTP server and enable only the encrypted HTTPS server instead:

Switch(config)# no web-management plaintext
Switch(config)# crypto key generate cert 1024
Switch(config)# crypto host-cert generate self-signed
Validity start date [01/01/1970]: 08/06/2010
Validity end date   [08/09/2011]: 08/06/2015
Common name            [0.0.0.0]: switch.lab.evilrouters.net
Organizational unit  [Dept Name]: Networking
Organization      [Company Name]: Evil Routers
City or location          [City]: Bloomington
State name               [State]: Indiana
Country code                [US]: US
Switch(config)# web-management ssl

A quick port scan of the switch now shows that only ports 22/TCP and 443/TCP are open:

$ nmap -sT 203.0.113.117

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-06 17:38 EDT
Interesting ports on dhcp-117.lab.evilrouters.net (203.0.113.117):
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds

Back-end Authentication

Even one step better than a shared administrative account is to use external authentication. Any network device that isn’t a piece of crap (and a lot that are) has the ability to use an external source such as Active Directory, LDAP, etc. for authentication, mostly through RADIUS or TACACS. While a number of ProCurve network devices (supposedly) support TACACS, I have never attempted to use it. Instead, I use RADIUS (FreeRADIUS, to be exact). Once you have your RADIUS server configured to support your NAS (see “Configuring FreeRADIUS to support Cisco AAA Clients” and “Authenticating Cisco Devices Against Active Directory”), the switch-side configuration is rather straightforward and simple (and similar to Cisco). In this example, the RADIUS server is “192.168.5.50” and the shared secret is “AewieV3taez9fa”.

Switch(config)# radius-server host 192.168.5.50 key AewieV3taez9fa
Switch(config)# aaa authentication console login radius local
Switch(config)# aaa authentication console enable radius local
Switch(config)# aaa authentication ssh login radius local
Switch(config)# aaa authentication ssh enable radius local

NOTE: Even if you have disabled other methods of access (telnet, web, etc.), you should also set up authentication methods for them, in the event that someone else (accidentally or purposefully) enables them in the future. For that, just re-issue the above commands, substituting “telnet” and “web” for “ssh”.

Logging

As mentioned in the original article, you should also implement syslog and change logging. Hopefully you already have a central syslog server in your network, in which case configuring your ProCurve device to send logs to it is a simple matter:

Switch(config)# logging 192.168.42.42

On the subject of change management, SANS specifically mentions using RANCID, which I also use and recommend. See my previous article “Installing RANCID on Ubuntu 10.04 LTS” for more details.
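Since RANCID already gives you a copy of every running-config, it is worth checking those copies against the recommendations above. The following is an added example (not from the original article or from HP) that audits a saved ProCurve config for each item covered here; it assumes, as ProCurve does, that factory defaults (telnet, plaintext HTTP, the “public” community) are simply absent from the config text, and the sample configs are constructed.

```python
import re

# Each check: (finding text, regex matched against stripped config lines,
# whether a match is REQUIRED for compliance). Absent lines mean factory
# defaults (telnet, plaintext HTTP, SNMP "public") are still in effect.
CHECKS = [
    ("telnet server still enabled (no 'no telnet-server')", r"^no telnet-server$", True),
    ("plaintext HTTP management still enabled", r"^no web-management plaintext$", True),
    ("SSH not enabled", r"^ip ssh$", True),
    ("default SNMP community 'public' still configured", r'^snmp-server community "?public"?', False),
    ("no 'ip authorized-managers' restrictions", r"^ip authorized-managers ", True),
    ("no RADIUS server configured", r"^radius-server host ", True),
    ("no syslog destination configured", r"^logging \S+", True),
] + [
    (f"no RADIUS authentication for '{m} {p}'", rf"^aaa authentication {m} {p} radius", True)
    for m in ("console", "ssh", "telnet", "web") for p in ("login", "enable")
]

def audit_config(config_text):
    """Return the list of findings for a ProCurve config; empty means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = []
    for finding, pattern, required in CHECKS:
        present = any(re.match(pattern, ln) for ln in lines)
        if present != required:
            findings.append(finding)
    return findings

# Constructed sample: roughly what a factory-default switch shows.
WEAK_CONFIG = """\
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address dhcp-bootp
   exit
"""

# Constructed sample built from the commands in this article
# (the RADIUS key is a placeholder, not a real secret).
HARDENED_CONFIG = """\
no telnet-server
no web-management plaintext
web-management ssl
ip ssh
ip authorized-managers 192.168.7.42 255.255.255.255 access manager
ip authorized-managers 192.168.7.0 255.255.255.0 access operator
radius-server host 192.168.5.50 key EXAMPLE_SECRET
""" + "".join(f"aaa authentication {m} {p} radius local\n"
             for m in ("console", "ssh", "telnet", "web")
             for p in ("login", "enable")) + "logging 192.168.42.42\n"
```

Run `audit_config()` over each file in your RANCID repository; the weak sample above produces fifteen findings, the hardened one none.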

Did I miss anything? Let me know and I’ll be happy to cover it as well.
