
HP Procurve L3 Switch

Check ID  Name                                                          Severity
SW-01     Device password not set                                       High
SW-02     Unused ports are enabled (Later)                              High
SW-03     Older version of Software is installed (later)                High
SW-04     Insecure CLI access privileges                                Medium
SW-05     SNMP service is not secured                                   Medium
SW-06     Network access to the device is not restricted                Medium
SW-07     Unsafe log generation and log collection                      Medium
SW-08     Time server not designated                                    Medium
SW-09     Non-Essential services running                                Medium
SW-10     Dynamic ARP Protection not enabled (later)                    Medium
SW-11     System statutory warning not set                              Medium
SW-12     SSH disabled for remote administration                        Medium
SW-13     Spanning-tree protocol not secured (later)                    Medium
SW-14     Device processes directed broadcasts (later)                  Medium
SW-15     Proxy ARP is enabled (later)                                  Medium
SW-16     Virus Throttling (Connection-Rate Filtering) not set (later)  Medium
SW-17     DHCP snooping not enabled (later)                             Medium
SW-18     Secure Management VLAN not configured (later)                 Medium
SW-19     Console inactivity timeout not set (Configured)               Medium
SW-20     Insecure ACE are configured                                   Medium
SW-21     Insecure hostname                                             Low
SW-22     Radius authentication is not used (later)                     Low

Sample Finding Description

SW-01: "password manager" and "password operator" are not set.

Login to a switch should always be an authenticated access. The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface.

SW-02: All Ethernet ports are enabled; unused Ethernet ports should be disabled.

Only required interfaces should be enabled on the device. An unused interface is not monitored or controlled, which might expose the device to unknown attacks on those interfaces. Disabling unused interfaces creates a more secure environment than leaving them up and open to hacking attempts.

SW-03: Older IOS version K.12.14 installed.

Procurve devices should always be updated with the latest version of the IOS, which includes fixes for known issues, vulnerabilities, bugs etc., as well as new features.

SW-04: Telnet is used for remote administration.

The following command was not set on this device:

    no telnet-server

The Telnet protocol transmits all information, including login credentials, in clear text. To prevent password stealing, SSH should be used for remote administration, as SSH encrypts all the traffic between the device and the SSH client.

SW-05: SNMP version 3 is not used; the default "public" community string is used with unrestricted access, and the easy-to-guess community string "AdaniInfra" is used.

    snmp-server community "public" Unrestricted
    snmp-server community "AdaniInfra" Operator

SNMPv1 and SNMPv2 use a very weak authentication scheme based on community strings. Most SNMP implementations send those strings repeatedly as part of periodic polling. SNMPv1 and SNMPv2 use clear-text authentication strings. Moreover, they are easily spoofable, datagram-based transaction protocols. It is better to disable SNMP, but if SNMP is required then SNMPv3 should be used. If SNMPv1 or SNMPv2 must be used, then configure strong, non-guessable SNMP community strings.

SW-06: "ip authorized-managers" command is not set.

To prevent unauthorized access, remote administration of the device should be restricted to specific IP addresses only.

SW-07: System logging is enabled for all activities.

    logging 132.132.49.5

All important device logs should be enabled and collected to monitor all critical information and system-level activity.

SW-08: "time timezone" not set.

A time server is used for synchronizing the system time on all devices and servers across the organisation. Once a time server is designated, the device refers to the time server for system time instead of its local clock.

SW-09: ftpd, telnetd, tftpd, rlogind are not running.

By default many unnecessary services like the FTP daemon, Telnet daemon, etc. are installed and enabled on this device. These services are not required for normal operation of the device and can be safely disabled.

SW-10: "arp-protect" is not set.

On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded.

SW-11: Custom banner "banner motd" is not set.

Displaying appropriate warning messages when users access a system assists in prosecuting computer crime cases and defending legal issues involving the system.

SW-12: "ip ssh" is not set.

An unencrypted protocol for remote administration like Telnet transmits all information, including login credentials, in clear text. To prevent password stealing, SSH should be used for remote administration, as SSH encrypts all the traffic between the device and the SSH client.

SW-13: "spanning-tree <port-list | all> bpdu-filter" is not set.

Spanning Tree Protocol prevents the layer 2 loops and "broadcast storms" that can bring down the network. By attacking the Spanning Tree Protocol, a network attacker hopes to spoof his or her system as the root bridge in the topology.

The STP security features protect the switch from malicious attacks or configuration errors:

* BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofed BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
* STP TCN Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.

SW-14: "no ip directed-broadcast" is not set.

A directed broadcast is a packet destined for a specified broadcast IP address. A single copy of a directed broadcast is routed to the specified network, where it is broadcast to all terminals on that network. This can be used by attackers to flood the network with broadcast packets. Directed broadcast is rarely used for legitimate purposes. Hence, Procurve devices should be configured not to process directed broadcast packets.

SW-15: "no ip proxy-arp" not set, on a per-VLAN basis.

Proxy ARP is a method by which routers may make themselves available to hosts. A Procurve device can act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments.

SW-16: "connection-rate-filter" is not defined.

Connection-rate filtering enables notification of worm-like behaviour detected in inbound IP traffic, and also throttles or blocks such traffic. This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting your network from possibly malicious traffic from other hosts.

SW-17: "dhcp-snooping" is not set.

DHCP snooping can be used to help avoid the denial-of-service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped.

SW-18: "management-vlan" is not set.

Configuring a secure Management VLAN creates an isolated network for managing the ProCurve switches that support this feature. If you configure a secure Management VLAN, access to the VLAN and to the switch's management functions (Menu, CLI, and web browser interface) is available only through ports configured as members. Multiple ports can belong to the Management VLAN. Only traffic from the Management VLAN can manage the switch, i.e. only the workstations connected to ports belonging to the Management VLAN can manage and reconfigure the switch.
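The DHCP snooping and dynamic ARP protection behaviour described for SW-17 and SW-10 above can be modelled in a few lines: replies from a DHCP server are accepted only on trusted ports, the accepted leases build a binding table, and ARP packets on untrusted ports are checked against that table. The Python below is an added example written for this page, not ProCurve code and not text from the original report; the port numbers, MAC addresses and leases are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SnoopingSwitch:
    """Minimal model of DHCP snooping plus dynamic ARP protection on one VLAN.

    Ports in `trusted` face the DHCP server/uplink; every other port is an
    untrusted edge port. The binding table maps a leased IP to the
    (client MAC, client port) pair that legitimately obtained it.
    """
    trusted: Set[int]
    pending: Dict[str, int] = field(default_factory=dict)              # client MAC -> port of its request
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # leased IP -> (MAC, port)
    log: List[str] = field(default_factory=list)

    def dhcp_request(self, port: int, client_mac: str) -> bool:
        # Client DISCOVER/REQUEST: allowed from any port; remember where it came from.
        self.pending[client_mac] = port
        return True

    def dhcp_reply(self, port: int, client_mac: str, leased_ip: str) -> bool:
        # Server OFFER/ACK: only accepted on trusted ports (rogue-server defence).
        if port not in self.trusted:
            self.log.append(f"DROP dhcp-reply on untrusted port {port} for {leased_ip}")
            return False
        client_port = self.pending.pop(client_mac, None)
        if client_port is None:
            self.log.append(f"DROP dhcp-reply for {client_mac}: no matching request")
            return False
        self.bindings[leased_ip] = (client_mac, client_port)
        return True

    def arp_packet(self, port: int, sender_ip: str, sender_mac: str) -> bool:
        # Dynamic ARP protection: on untrusted ports the sender IP/MAC/port must match a binding.
        if port in self.trusted:
            return True
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.log.append(f"DROP arp from port {port}: {sender_ip}/{sender_mac} has no valid binding")
            return False
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed traffic sequence; port 1 is the uplink to the real DHCP server."""
    sw = SnoopingSwitch(trusted={1})
    sw.dhcp_request(5, "aa:aa:aa:aa:aa:01")
    sw.dhcp_request(7, "bb:bb:bb:bb:bb:02")
    return {
        "lease_for_host_a": sw.dhcp_reply(1, "aa:aa:aa:aa:aa:01", "10.0.0.10"),
        "lease_for_host_b": sw.dhcp_reply(1, "bb:bb:bb:bb:bb:02", "10.0.0.11"),
        # A rogue DHCP server on edge port 9 tries to hand out its own lease.
        "rogue_server_reply": sw.dhcp_reply(9, "aa:aa:aa:aa:aa:01", "10.0.0.99"),
        # Host A answers ARP for its own leased address: valid binding, forwarded.
        "host_a_own_arp": sw.arp_packet(5, "10.0.0.10", "aa:aa:aa:aa:aa:01"),
        # Host B claims host A's IP with its own MAC: binding mismatch, dropped.
        "host_b_spoofs_a": sw.arp_packet(7, "10.0.0.10", "bb:bb:bb:bb:bb:02"),
        # Host B's real address but from a port other than the one it was leased on.
        "host_b_moved_port": sw.arp_packet(8, "10.0.0.11", "bb:bb:bb:bb:bb:02"),
    }


if __name__ == "__main__":
    for name, forwarded in run_scenario().items():
        print(f"{name:20s} {'forwarded' if forwarded else 'dropped'}")
```

The model deliberately ties a binding to the port as well as the MAC, which is why the last case is dropped: a host that moves ports without renewing its lease looks the same to the switch as a spoofer.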

SW-19: "console inactivity-timer" not set.

Idle console, Telnet and SSH connections should be disconnected if the session remains inactive for a pre-defined time duration.

SW-20: Many ACEs are configured with allow-all access:

    ip access-list extended "151"
       10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       20 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 20

The ACLs listed below do not end with "deny all and log":

* 151
* 152

Access Control Entries can be configured to restrict access from specific hosts to specific hosts and services. The ACEs are processed sequentially, with the first ACE that matches taking effect. If a match is not made, the switch will deny access by default.
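As an added example that is not part of the original finding, the following Python audits an ACL listing in the syntax quoted above for the two problems the report names: ACEs that permit traffic from any source or to any destination, and lists that do not finish with an explicit "deny ip any any log". ACL "151" reuses the two ACEs quoted above; ACLs "152" and "153" are constructed, the first as another weak list and the second as a compliant one.

```python
import re
from typing import Dict, List, Tuple

# Constructed ACL listing in "ip access-list extended" syntax. "151" copies the
# report's ACEs; "152" and "153" are made up for contrast.
SAMPLE_ACLS = """\
ip access-list extended "151"
   10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   20 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 20
   exit
ip access-list extended "152"
   10 permit tcp 10.1.1.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 443
   exit
ip access-list extended "153"
   10 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 22
   20 deny ip any any log
   exit
"""

HEADER = re.compile(r'ip access-list extended "?([^"\s]+)"?')
ACE = re.compile(r"\d+ (permit|deny) ")


def parse_address(tokens: List[str], i: int) -> Tuple[bool, int]:
    """Consume one address spec ('any', 'host <ip>' or '<ip> <wildcard>'); return (matches_any, next index)."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return False, i + 2
    return tokens[i + 1] == "255.255.255.255", i + 2   # all-ones wildcard mask means "any"


def parse_ace(line: str) -> Dict[str, object]:
    tokens = line.split()
    seq, action, proto = tokens[0], tokens[1], tokens[2]
    src_any, i = parse_address(tokens, 3)
    dst_any, i = parse_address(tokens, i)
    return {"seq": seq, "action": action, "proto": proto,
            "src_any": src_any, "dst_any": dst_any, "log": "log" in tokens[i:]}


def parse_acls(text: str) -> Dict[str, List[Dict[str, object]]]:
    """Group ACEs under the ACL name taken from their 'ip access-list extended' header."""
    acls: Dict[str, List[Dict[str, object]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current is not None and ACE.match(line):
            acls[current].append(parse_ace(line))
    return acls


def audit_acls(text: str) -> Dict[str, List[str]]:
    """Per ACL: permit-from-any / permit-to-any ACEs, and a missing final 'deny ip any any log'."""
    report: Dict[str, List[str]] = {}
    for name, aces in parse_acls(text).items():
        issues = []
        for ace in aces:
            if ace["action"] == "permit" and ace["src_any"]:
                issues.append(f"ACE {ace['seq']} permits {ace['proto']} from any source")
            if ace["action"] == "permit" and ace["dst_any"]:
                issues.append(f"ACE {ace['seq']} permits {ace['proto']} to any destination")
        last = aces[-1] if aces else None
        closes = (last is not None and last["action"] == "deny" and last["proto"] == "ip"
                  and last["src_any"] and last["dst_any"] and last["log"])
        if not closes:
            issues.append('list does not end with an explicit "deny ip any any log"')
        report[name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_acls(SAMPLE_ACLS).items():
        print(f'ACL "{name}": {"OK" if not issues else "; ".join(issues)}')
```

The explicit logged deny at the end changes nothing about what the switch drops, since the implicit deny already does that; its value is the log entry, which is what makes blocked access visible to the collector configured under SW-07.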

SW-21: The hostname of the device is set to "FHDCHP5406ZL", revealing the location, name and model number of the HP Procurve device in use.

Device hostnames sometimes reflect the firewall models and OS versions. This may help an attacker to narrow down the list of attack procedures on the device. The attacker can then focus on a specific device and concentrate on exploiting only that device, thus saving a lot of time.

SW-22: "radius server" is not set.

RADIUS (Remote Authentication Dial-In User Service) enables the use of multiple servers for centralized authentication. This allows a different password for each user instead of having to rely on maintaining and distributing switch-specific passwords to all users. For accounting, this can help you track network resource usage. RADIUS can also facilitate command authorization and accounting.
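Most of the findings above are presence or absence checks on individual configuration lines, so they can be re-run mechanically against a saved running-config. The following Python is an added example for this page, not a tool from the report; it assumes the config is exported as text in ProCurve syntax with the credential lines visible, and both sample configs are constructed (the weak one reuses the evidence lines quoted above, the hardened one uses placeholder addresses and names).

```python
import re
from typing import Callable, List, Tuple

# Constructed running-config fragment in ProCurve syntax. The evidence lines are the
# ones quoted in the findings above; the rest is filler, not an actual device dump.
WEAK_CONFIG = """\
hostname "FHDCHP5406ZL"
snmp-server community "public" Unrestricted
snmp-server community "AdaniInfra" Operator
logging 132.132.49.5
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   exit
"""

# The same device after applying the report's recommendations (also constructed;
# addresses and names are placeholders).
HARDENED_CONFIG = """\
hostname "CORE-SW-01"
password manager
password operator
no telnet-server
ip ssh
snmpv3 enable
snmpv3 only
ip authorized-managers 10.0.0.0 255.255.255.0 access manager
logging 10.0.0.50
logging facility syslog
timesync sntp
sntp unicast
sntp server priority 1 10.0.0.60
banner motd "Authorized use only. All activity is monitored."
console inactivity-timer 10
arp-protect
dhcp-snooping
"""


def has_line(config: str, pattern: str) -> bool:
    """True if some config line, leading whitespace ignored, starts with a match for `pattern`."""
    return any(re.match(pattern, line.strip()) for line in config.splitlines())


# (check id from the report's table, finding text, predicate that is True when the finding applies)
CHECKS: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("SW-01", "manager password not set",                lambda c: not has_line(c, r"password manager")),
    ("SW-01", "operator password not set",               lambda c: not has_line(c, r"password operator")),
    ("SW-04", "telnet server still enabled",             lambda c: not has_line(c, r"no telnet-server")),
    ("SW-05", "SNMP community with Unrestricted access", lambda c: has_line(c, r"snmp-server community .*\bUnrestricted\b")),
    ("SW-05", 'default "public" community present',      lambda c: has_line(c, r'snmp-server community "public"')),
    ("SW-05", "SNMPv3 not enabled",                      lambda c: not has_line(c, r"snmpv3 enable")),
    ("SW-06", "no ip authorized-managers restriction",   lambda c: not has_line(c, r"ip authorized-managers")),
    ("SW-07", "no syslog destination configured",        lambda c: not has_line(c, r"logging \d")),
    ("SW-08", "no SNTP server designated",               lambda c: not has_line(c, r"sntp server")),
    ("SW-10", "dynamic ARP protection not enabled",      lambda c: not has_line(c, r"arp-protect")),
    ("SW-11", "no banner motd",                          lambda c: not has_line(c, r"banner motd")),
    ("SW-12", "SSH not enabled",                         lambda c: not has_line(c, r"ip ssh\b")),
    ("SW-17", "DHCP snooping not enabled",               lambda c: not has_line(c, r"dhcp-snooping")),
    ("SW-19", "console inactivity timer not set",        lambda c: not has_line(c, r"console inactivity-timer")),
    # Heuristic for SW-21 (an assumption of this example): flag a hostname that carries
    # the vendor name or a model-like run of four digits.
    ("SW-21", "hostname reveals vendor/model",           lambda c: has_line(c, r'(?i)hostname ".*(?:hp|procurve|\d{4})')),
]


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (check id, finding) pairs for every check that applies to `config`."""
    return [(cid, text) for cid, text, applies in CHECKS if applies(config)]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for cid, text in findings:
            print(f"  {cid}  {text}")
```

Checks that depend on a value rather than a line (SW-03's firmware version, SW-20's ACL contents, SW-16's sensitivity) need their own logic and are not covered by this line scan.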

Impact / Solution

SW-01
Impact: If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator password enables full manager privileges.
Solution: Set passwords for the Manager and Operator accounts. At the config prompt, enter the following command to enable authenticated access to the switch:

    (config)# password <manager | operator | all>

SW-02
Impact: If any port is enabled and not in use, a malicious user can plug into the open port and access all resources in the network.
Solution: The following commands can be used to disable the unused network interfaces, at the config prompt:

    (config)# interface <interface name> <interface number> disable
    (config)# write memory

For the serial console:

    (config)# serial-console disable

For the USB port:

    (config)# usb-host-port disable
    (config)# write memory

SW-03
Impact: If the IOS is not updated then an attacker can exploit known vulnerabilities in the IOS to get unauthorized access to the router.
Solution: It is strongly recommended that the IOS be patched / upgraded to the latest software version. Refer to the admin guide for the software download and upgrade procedure.

SW-04
Impact: A malicious user can sniff traffic on the wire and steal the manager or operator passwords of the device.
Solution: Enable SSH with the following commands.

(1) Generate a public/private key pair on the switch:

    (config)# crypto key generate ssh [dsa | rsa]

(2) Enable SSH:

    (config)# ip ssh

Then disable Telnet access:

    (config)# no telnet-server

SW-05
Impact: A malicious user can gain administrative access to the device by stealing the community strings and/or spoofing the IP address of the SNMP manager.
Solution: If SNMP is not required, disable it by entering the following command:

    (1) no snmp enable

If SNMP is required, configure the device to use SNMPv3 for communicating with the SNMP manager using the following command:

    (2) snmpv3 enable

Configure an SNMP user and a strong password for the user:

    (3) snmpv3 user <user_name> [auth <md5 | sha> <auth_pass>] [priv <des | aes> <priv_pass>]

Configure an SNMP group:

    (4) snmpv3 group <group_name> user <user_name> sec-model <ver1 | ver2c | ver3>

To configure a strong SNMP community, enter the following command (SNMPv3 communities):

    (5.1) snmpv3 community index <index_name> name <community_name> sec-name <security_name> tag <tag_value>

SW-06
Impact: An unauthorized user can connect to the device remotely. An unauthorized user can initiate multiple simultaneous login attempts and cause denial of service.
Solution: At the config prompt, enter the following command to allow only authorized access to the switch:

    (config)# ip authorized-managers <ip-address> <ip-mask> access [manager | operator]

SW-07
Impact: Malicious activities may go unnoticed in the absence of logs, and no information is available for investigation and forensics in case an intrusion occurs.
Solution: At the config prompt, enter the following commands to enable logging on an HP device:

    (config)# logging <ip address>
    (config)# logging facility syslog
    (config)# debug destination session
    (config)# debug event

SW-08
Impact: A mismatch in the time information in the logs from different devices can lead to errors in the correlated event information.
Solution: At the config prompt, enter the following commands to enable SNTP time synchronization on the switch:

    (config)# timesync sntp
    (config)# sntp unicast
    (config)# sntp server <sntp ip address>

SW-09
Impact: A malicious user can compromise the device by exploiting vulnerabilities in the unnecessary services.
Solution: Using the ip ssh filetransfer command to enable Secure FTP (SFTP) automatically disables TFTP and auto-TFTP:

    (config)# ip ssh filetransfer

SW-10
Impact: When this feature is not enabled, a malicious user may be able to execute layer 2 attacks like MAC address spoofing and DHCP starvation. The attacker can intercept traffic for other hosts in a "man-in-the-middle" attack.
Solution: To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level:

    (config)# arp-protect vlan <vlan-range>

SW-11
Impact: Absence of a statutory warning may lead to failure to prosecute an accused malicious user.
Solution: Create an appropriate login warning message banner which states that the system is for authorized use only and that all activities on the system are being monitored. Use the command:

    (config)# banner motd <delimiter> <message>

SW-12
Impact: A malicious user can sniff traffic on the wire and steal the operator and manager passwords of the device.
Solution: For Operator access use "ssh login"; for Manager access use "ssh enable".

Generating a public/private key pair on the switch:

    (config)# crypto key generate <autorun-key [rsa] | cert [rsa] <keysize> | ssh [dsa | rsa] bits <keysize>>

Enabling SSH:

    (config)# ssh enable local | radius
    (config)# ip ssh cipher <cipher-type> filetransfer ip-version mac <mac-type> timeout <5 - 120> listen <oobm | data | both>

Enabling user authentication:

    (config)# aaa authentication ssh login <local | tacacs | radius> [<local | none>]
    (config)# aaa authentication ssh enable <local | tacacs | radius> [<local | none>]

SW-13
Impact: If STP security is not enabled then an attacker can announce his system as the root bridge and can see a variety of frames.
Solution: The bpdu-filter option forces a port to always stay in the forwarding state and be excluded from standard STP operation. The following command enables/disables the BPDU filter feature on the specified port(s):

    (config)# spanning-tree <port-list | all> bpdu-filter

When tcn-guard is enabled for a port, it causes the port to stop propagating received topology change notifications and topology changes to other ports. The following command is used to configure tcn-guard:

    (config)# spanning-tree <port-list> tcn-guard

SW-14
Impact: A malicious user can perform a DoS attack using directed broadcast packets.
Solution: Configure the device not to process directed broadcasts by entering the following command in interface configuration mode. Enter this command for every physical interface of the device:

    (config)# no ip directed-broadcast

SW-15
Impact: It breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments. Security can be undermined: a machine can claim to be another in order to intercept packets.
Solution: Proxy ARP is disabled by default on ProCurve routing switches. If it is found enabled, the following commands disable proxy ARP on a per-VLAN basis:

    (config)# vlan <vlan number>
    ProCurve(vlan-1)# no ip proxy-arp

SW-16
Impact: If this feature is not enabled, any virus / worm can spread across the network without any detection.
Solution: The following commands enable connection-rate filtering and set the global sensitivity level:

    (config)# filter connection-rate <port-list> <notify-only | throttle | block>
    (config)# connection-rate-filter sensitivity <low | medium | high | aggressive>
    (config)# connection-rate-filter unblock <all | host | ip-addr>

low: Sets the connection-rate sensitivity to the lowest possible sensitivity, i.e. 54 destinations in less than 0.1 seconds.

medium: Sets the connection-rate sensitivity to allow a mean of 37 destinations in less than 1 second.

high: Sets the connection-rate sensitivity to allow a mean of 22 destinations in less than 1 second.
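The sensitivity levels above translate directly into a sliding-window count of distinct destinations per source host, with the per-port action deciding what happens to a host that crosses the line. The Python below is an added example for this page, not part of the report and not a description of how the switch firmware implements the feature; it uses the three thresholds the report lists, leaves "aggressive" out because the report gives no number for it, and constructs its own flow records.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Sensitivity levels as the report describes them: a host is flagged when it reaches
# this many distinct destinations inside a window of this many seconds.
# "aggressive" is not quantified in the report, so it is left out here.
SENSITIVITY: Dict[str, Tuple[int, float]] = {
    "low": (54, 0.1),
    "medium": (37, 1.0),
    "high": (22, 1.0),
}

# Per-port actions, mirroring "filter connection-rate <port-list> <action>"
# (constructed: ports 6, 10 and 20 as in the report's command listing).
PORT_ACTIONS = {6: "notify-only", 10: "block", 20: "throttle"}

Flow = Tuple[float, int, str, str]  # (timestamp, ingress port, src ip, dst ip)


def peak_destinations(events: List[Tuple[float, str]], window: float) -> int:
    """Largest number of distinct destinations one host contacted within `window` seconds."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] >= window:   # "in less than" the window
            start += 1
        best = max(best, len({dst for _, dst in events[start:end + 1]}))
    return best


def evaluate(flows: List[Flow], sensitivity: str, port_actions: Dict[int, str]) -> Dict[str, str]:
    """Return {src ip: action} for hosts exceeding the sensitivity on a port that has a filter."""
    threshold, window = SENSITIVITY[sensitivity]
    per_host: Dict[Tuple[int, str], List[Tuple[float, str]]] = defaultdict(list)
    for ts, port, src, dst in flows:
        if port in port_actions:            # filtering is configured per ingress port
            per_host[(port, src)].append((ts, dst))
    hits: Dict[str, str] = {}
    for (port, src), events in per_host.items():
        if peak_destinations(events, window) >= threshold:
            hits[src] = port_actions[port]
    return hits


def sample_flows() -> List[Flow]:
    """Constructed inbound traffic: two sweeping hosts, one normal host, one on an unfiltered port."""
    flows: List[Flow] = []
    # Port 6: 40 distinct destinations in under 0.8 s (a new destination every 20 ms).
    flows += [(i * 0.02, 6, "10.1.1.50", f"10.2.1.{i}") for i in range(40)]
    # Port 6: a normal host talking to 5 destinations spread over several seconds.
    flows += [(i * 1.5, 6, "10.1.1.20", f"10.2.2.{i}") for i in range(5)]
    # Port 10: 60 distinct destinations in 30 ms, a very fast sweep.
    flows += [(i * 0.0005, 10, "10.9.9.9", f"10.2.3.{i}") for i in range(60)]
    # Port 3 has no connection-rate filter, so this sweep is never evaluated.
    flows += [(i * 0.01, 3, "10.3.3.3", f"10.2.4.{i}") for i in range(50)]
    return flows


if __name__ == "__main__":
    for level in SENSITIVITY:
        print(level, evaluate(sample_flows(), level, PORT_ACTIONS))
```

Running it shows why the report pairs a global sensitivity with per-port actions: at "low" only the 30 ms sweep on port 10 trips the filter, at "medium" and "high" the slower sweep on port 6 is caught as well but only notified, and the host on port 3 is never looked at because no filter is applied to that port.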

SW-17
Impact: An attacker with a rogue DHCP server can successfully intercept traffic for other hosts in a "man-in-the-middle" attack.
Solution: DHCP snooping is enabled globally by entering this command:

    (config)# dhcp-snooping

Enabling DHCP snooping on VLANs:

    (config)# dhcp-snooping vlan <vlan-id-range>

Configuring authorized server addresses:

    (config)# dhcp-snooping authorized-server <ip-address>

Configuring DHCP snooping trusted ports:

    (config)# dhcp-snooping trust <port-list>

SW-18
Impact: Managing the switch from a common VLAN poses a risk of the manager credentials getting sniffed. A malicious user can sniff traffic on the wire and steal the manager or operator passwords of the device.
Solution: Note: if you configure the Management VLAN on a switch by using a Telnet connection through a port that is not in the Management VLAN, you will lose management contact with the switch if you log off your Telnet connection or execute write memory and reboot the switch.

    (config)# management-vlan <vlan number>
    (config)# vlan 100 tagged <port number>

SW-19
Impact: An unauthorized user can gain access to the firewall using unattended sessions.
Solution: A timeout period of 10 minutes should be configured for connections to the HP ProCurve. The following command sets the console inactivity timeout:

    (config)# console inactivity-timer 10

SW-20
Impact: A weak ACL configuration could allow a malicious user or an attacker to gain unauthorized access to network services. With weak network filtering configured, the device would not prevent access from unauthorized hosts.
Solution: It is recommended that, where possible, all ACEs be configured to restrict access to network addresses and services from only those hosts that require access, and that ACLs are configured to ensure that:

* ACEs do not allow access from any source;
* ACEs do not allow access from a source network address;
* ACEs do not allow access to any destination;
* ACEs do not allow access to a destination network address;
* ACEs do not allow access to any destination service;
* ACEs do not allow access to a range of destination services;
* ACEs do not allow any network protocol;
* ACEs do not allow any ICMP message types;
* ACEs log all denied access;
* ACEs log all allowed access.

SW-21
Impact: An attacker can try known attacks specific to that device model and OS version. The time required for device and OS fingerprinting will be much less.
Solution: The following command is used to change the hostname of the switch:

    (config)# hostname <ascii-string>

SW-22
Impact: Without a RADIUS server it is difficult to manage passwords for multiple administrator users on various network devices. To enforce password policies and password updates, the administrators have to change the password locally across all the devices, which multiplies the tasks.
Solution: The following set of commands is used to set up RADIUS authentication for the various management access methods:

    (config)# aaa authentication console | telnet | ssh | web | <enable | login radius>
    (config)# radius-server host <IP-address> [auth-port <port-number>] [acct-port <port-number>] [key <server-specific key-string>]
    (config)# radius-server key <global key-string>
    (config)# radius-server timeout <1 - 15>
    (config)# radius-server retransmit <1 - 5>
    (config)# radius-server dead-time <1 - 1440>
    (config)# show radius [host <ip-address>]
    (config)# show authentication
    (config)# show radius authentication

Impact In Axis Bank / Commands

SW-01
Impact: As a security measure, only authorized IPs will be able to access the switches through SSH.
HP Procurve:
    (config)# password operator user-name NAME
    (config)# password manager user-name NAME
Juniper:
    root# set user admin-ro class read-only authentication plain-text-password
    root# set user cyrus class super-user authentication plain-text-password
H3C:
    [Switch] role name NAME
    [Switch-role-NAME] rule 1 permit read feature
    [Switch-role-role1] rule 2 permit command system-view
    For Manager:
    [Switch] local-user user1 class manage
    [Switch-luser-manage-user1] password simple aabbcc

SW-02
Impact: No impact will be there as it is a part of a security measure. Unauthorized network access can be stopped through physical and logical barriers.
HP Procurve:
    (config)# interface PORT-LIST
    (eth-PORT-LIST)# disable
Juniper:
    set interfaces PORT-LIST disable
H3C:
    (config)# interface PORT-LIST
    (port-list)# shutdown

SW-03
Impact: We should upgrade when the network is stable and steady. Ensure that everyone who has access to the switch or the network is not configuring the switch or the network during this time. You cannot configure a switch during an upgrade.
HP Procurve:
    (config)# copy tftp flash <ip address of TFTP server> <full filename including .swi> pri or sec
    (config)# boot sys flash pri or sec
Juniper:

SW-04
HP Procurve:
    (config)# ip ssh version 2
    (config)# ip ssh
    Telnet disable: (config)# no telnet-server
Juniper:
    user@switch# set system services ssh
    Telnet disable: user@switch# delete system services telnet
H3C:
    [Sysname] ssh server enable
    Telnet disable: [Sysname] telnet server disable

SW-05
HP Procurve:
    (config)# snmp-server community STRING restricted
    (config)# snmpv3 enable
    (config)# snmpv3 only
    (config)# snmpv3 restricted-access
    (config)# snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS
Juniper:
    #set snmp community COMMUNITY_NAME authorization read-only
    #set snmp community COMMUNITY_NAME
    #set usm local-engine user nms1 authentication-sha authentication-password $1991poppI
H3C:
    [Switch] snmp-agent trap enable
    [Switch] snmp-agent targethost trap address udp-domain 10.0.100.21 udp-port 161 params securityname public
    [Comware5] snmp-agent targethost trap address udp-domain 10.0.100.21 udp-port 161 params securityname public
    [Switch] snmp-agent
    [Switch] snmp-agent sys-info version v3
    [Switch] snmp-agent usm-user v3 test managerpriv authentication-mode md5 password privacy-mode 3des password

SW-06
HP Procurve:
    Switch(config)# ip authorized-managers IP SUBNET access manager
Juniper:
    #set term NAME from source-address IP/24
    #set term NAME from destination-port ssh
    #set then accept
H3C:

SW-07
HP Procurve:
    (config)# logging IP-ADDRESS
    (config)# logging facility syslog
    (config)# logging severity
Juniper:
    user@host# set security log stream trafficlogs host IP
H3C:
    [Switch] info-center loghost IP

SW-08
HP Procurve:
    (config)# sntp server priority 1 IP
    (config)# sntp unicast
Juniper:
    #set ntp server IP
H3C:
    [Switch] ntp-service unicast-server 10.0.100.251

SW-09
HP Procurve:
    (config)# ip ssh
    (config)# ip ssh filetransfer
Juniper:
    #host sftphost IP sftp abc xyz
    #crypto key generate dss SSH-server
    #crypto key generate dss SFTP-client
H3C:
    [Sysname] sftp server enable
    [Sysname] ssh user client001 service-type sftp
    [Sysname] ssh user client001 authentication-type password

SW-10
HP Procurve:
    (config)# arp-protect
    (config)# arp-protect vlan ID
    (config)# arp-protect trust 9
Juniper:
    #set vlan ID arp-inspection
H3C:
    (config)# ip arp inspection vlan 220
    (config)# interface f0/9
    (config-if)# ip arp inspection trust

SW-11
HP Procurve:
    (config)# banner motd #
    Enter the TEXT message. End with the character '#'.
Juniper:
    #set message "MESSAGE"
H3C:
    [Comware5] header motd #MESSAGE#

SW-12
HP Procurve:
    (config)# crypto key generate ssh
    (config)# ip ssh
Juniper:
    #set system services ssh
    #set system root-authentication ssh PASS
H3C:
    [Comware5] public-key local create rsa
    [Comware5] ssh server enable
    [Comware5] user-interface vty 0 4
    [Comware5-ui-vty0-4] authentication-mode scheme
    [Comware5-ui-vty0-4] protocol inbound ssh
    [Comware5] local-user sshmanager
    [Comware5-luser-sshmanager] password simple password
    [Comware5-luser-sshmanager] service-type ssh
    [Comware5-luser-sshmanager] authorization-attribute level 3

SW-13
HP Procurve:
    (config)# spanning-tree bpdu-protection-timeout 300
    (config)# spanning-tree 6 bpdu-protection
    (config)# spanning-tree 6 bpdu-filter
Juniper:
    # set protocols rstp interface ID disable
    # set ethernet-switching-options bpdu-block interface ID drop
H3C:
    [Comware5] stp bpdu-protection

SW-14
HP Procurve:
    (config)# no ip directed-broadcast
Juniper:
    #set interfaces ID family inet targeted-broadcast
H3C:
    Disabled by default.

SW-15
HP Procurve:
    (config-vlan-ID)# no ip proxy-arp
Juniper:
    set interfaces ge-0/0/3 unit 0 proxy-arp restricted
H3C:
    [Comware5] arp protective-down recover enable
    [Comware5] arp protective-down recover interval 200
    [Comware5] interface Ethernet1/0/1
    [Comware5] dhcp-snooping trust
    [Comware5] arp detection trust

SW-16
HP Procurve:
    (config)# connection-rate-filter sensitivity medium
    (config)# filter connection-rate 6 notify-only
    (config)# filter connection-rate 10 block
    (config)# filter connection-rate 20 throttle
Juniper:
    #set ethernet-switching-options storm-control interface ge-0/0/0 bandwidth 15000
H3C:
    There is no exact H3C feature comparable to this ProVision feature. The Comware 5 ARP Defense and ARP Packet Rate Limit features provide rate limiting of incoming ARP packets.
    [Switch] arp source-suppression enable
    [Switch] arp source-suppression limit 15
    [Switch-GigabitEthernet1/0/20] arp rate-limit rate 150 drop

SW-17
HP Procurve:
    (config)# dhcp-snooping
    (config)# dhcp-snooping authorized-server IP
    (config)# dhcp-snooping database file tftp://10.0.100.21/ProVisio_dhcp.txt
    (config)# dhcp-snooping vlan 220
    (config)# dhcp-snooping trust 9
Juniper:
    # set interface ge-0/0/8 dhcp-trusted
    # set vlan employee-vlan examine-dhcp
    # set vlan employee-vlan arp-inspection
H3C:
    [Switch] dhcp-snooping
    [Switch] interface g1/0/9
    [Switch-GigabitEthernet1/0/9] dhcp-snooping trust

SW-18
HP Procurve:
    (config)#

SW-19
HP Procurve:
    (config)# console inactivity-timer 10
Juniper:
    #set system login class super-user-local idle-timeout 10
H3C:
    [Switch] user-interface aux 0
    [Switch-aux0] idle-timeout 10

SW-20
HP Procurve:
    (config)# ip access-list standard 1
    (config-std-nacl)# permit IP IP
Juniper:
    #set firewall family ethernet-switching filter block-to-server term 1 from source-address 20.20.20.0/24
    #set firewall family ethernet-switching filter block-to-server term 1 from destination-address 10.10.10.0/24
    #set firewall family ethernet-switching filter block-to-server term 1 then discard
H3C:
    [Switch] acl number 2000
    [Switch-acl-basic-2000] rule permit source 10.0.100.111 0.0.0.0

SW-21
HP Procurve:
    (config)# hostname "NAME"
Juniper:
    #set host-name NAME
H3C:
    [switch] sysname NAME

SW-22
HP Procurve:
    (config)# radius-server host IP key password
    (config)# aaa authentication telnet login radius none
    (config)# aaa authentication telnet enable radius none
Juniper:
    #set system radius-server address IP
    #set system radius-server IP secret Radius-secret1
    #set system radius-server IP source-address IP
H3C:
    (If you are planning to use SSH, you should configure it before you configure AAA support.)
    [Switch-radius-radiusauth] primary authentication IP 1812
    [Switch-radius-radiusauth] primary accounting IP 1813
    [Switch-radius-radiusauth] key authentication password
    [Switch-radius-radiusauth] key accounting password
    [Switch-radius-radiusauth] user-name-format without-domain
    [Switch-radius-radiusauth] server-type extended
    [Switch] domain lab
    [Switch-isp-lab] authentication login radius-scheme radius-auth
    [Switch-isp-lab] authorization login radius-scheme radius-auth
    [Switch-isp-lab] accounting login radius-scheme radius-auth
    [Switch] domain default enable lab