
HP Procurve L3 Switch

Check ID   Name                                                          Severity
SW-01      Device password not set                                       High
SW-02      Unused ports are enabled (later)                              High
SW-03      Older version of software is installed (later)                High
SW-04      Insecure CLI access privileges                                Medium
SW-05      SNMP service is not secured                                   Medium
SW-06      Network access to the device is not restricted                Medium
SW-07      Unsafe log generation and log collection                      Medium
SW-08      Time server not designated                                    Medium
SW-09      Non-essential services running                                Medium
SW-10      Dynamic ARP Protection not enabled (later)                    Medium
SW-11      System statutory warning not set                              Medium
SW-12      SSH disabled for remote administration                        Medium
SW-13      Spanning-tree protocol not secured (later)                    Medium
SW-14      Device processes directed broadcasts (later)                  Medium
SW-15      Proxy ARP is enabled (later)                                  Medium
SW-16      Virus Throttling (Connection-Rate Filtering) not set (later)  Medium
SW-17      DHCP snooping not enabled (later)                             Medium
SW-18      Secure Management VLAN not configured (later)                 Medium
SW-19      Console inactivity timeout not set (configured)               Medium
SW-20      Insecure ACEs are configured                                  Medium
SW-21      Insecure hostname                                             Low
SW-22      RADIUS authentication is not used (later)                     Low

Sample Finding

Description

SW-01 Device password not set

Login to a switch should always be authenticated. The manager and operator passwords and (optional) usernames control access to the menu interface, CLI and web browser interface.

Finding: "password manager" and "password operator" are not set.

SW-02 Unused ports are enabled

Only required interfaces should be enabled on the device. An unused interface is neither monitored nor controlled, which might expose the device to unknown attacks on those interfaces. Disabling unused interfaces creates a more secure environment than leaving them up and open to hacking attempts.

Finding: All Ethernet ports are enabled; unused Ethernet ports should be disabled.

SW-03 Older version of software is installed

ProCurve devices should always be updated to the latest software version, which includes fixes for known issues, vulnerabilities and bugs as well as new features.

Finding: Older software version K.12.14 is installed.

SW-04 Insecure CLI access privileges

The Telnet protocol transmits all information, including login credentials, in clear text. To prevent password theft, SSH should be used for remote administration, as SSH encrypts all traffic between the device and the SSH client.

Finding: Telnet is used for remote administration. The command "no telnet-server" is not set on this device.

SW-05 SNMP service is not secured

SNMPv1 and SNMPv2c use a very weak authentication scheme based on community strings. Most SNMP implementations send those strings repeatedly, in clear text, as part of periodic polling. Moreover, they are easily spoofable, datagram-based transaction protocols. It is better to disable SNMP; if SNMP is required, SNMPv3 should be used. If SNMPv1 or SNMPv2c must be used, configure strong, non-guessable community strings.

Finding: SNMP version 3 is not used. The default "public" community string is used with unrestricted access, and the easy-to-guess community string "AdaniInfra" is used:
snmp-server community "public" Unrestricted
snmp-server community "AdaniInfra" Operator

SW-06 Network access to the device is not restricted

To prevent unauthorized access, remote administration of the device should be restricted to specific IP addresses.

Finding: The "ip authorized-managers" command is not set.

SW-07 Unsafe log generation and log collection

All important device logs should be enabled and collected so that critical information and system-level activity can be monitored.

Finding: System logging is enabled for all activities: logging 132.132.49.5

SW-08 Time server not designated

A time server is used to synchronise the system time on all devices and servers across the organisation. Once a time server is designated, the device takes its system time from the time server instead of its local clock.

Finding: "time timezone" is not set.

SW-09 Non-essential services running

By default many unnecessary services, such as the FTP daemon and the Telnet daemon, are installed and enabled on this device. These services are not required for normal operation of the device and can be safely disabled.

Finding: ftpd, telnetd, tftpd and rlogind are not running.

SW-10 Dynamic ARP Protection not enabled

On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded.

Finding: "arp-protect" is not set.

SW-11 System statutory warning not set

Displaying an appropriate warning message when users access a system assists in prosecuting computer crime cases and in defending legal issues involving the system.

Finding: A custom banner ("banner motd") is not set.

SW-12 SSH disabled for remote administration

Unencrypted remote administration protocols such as Telnet transmit all information, including login credentials, in clear text. To prevent password theft, SSH should be used for remote administration, as SSH encrypts all traffic between the device and the SSH client.

Finding: "ip ssh" is not set.

SW-13 Spanning-tree protocol not secured

The Spanning Tree Protocol prevents the layer 2 loops and broadcast storms that can bring down a network. By attacking STP, a network attacker hopes to spoof his or her system as the root bridge in the topology. The STP security features protect the switch from malicious attacks and configuration errors. BPDU filtering and BPDU protection protect the network from denial-of-service attacks that use spoofed BPDUs, by dropping incoming BPDU frames and/or blocking traffic through a port. STP TCN guard protects the STP root bridge from malicious attacks and configuration mistakes.

Finding: spanning-tree <port-list | all> bpdu-filter is not set.

SW-14 Device processes directed broadcasts

A directed broadcast is a packet destined for a specified broadcast IP address. A single copy of a directed broadcast is routed to the specified network, where it is broadcast to all terminals on that network. Attackers can use this to flood the network with broadcast packets. Directed broadcast is rarely used for legitimate purposes; hence, ProCurve devices should be configured not to process directed broadcast packets.

Finding: "no ip directed-broadcast" is not set.

SW-15 Proxy ARP is enabled

Proxy ARP is a method by which routers make themselves available to hosts. A ProCurve device can act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments.

Finding: "no ip proxy-arp" is not set on a per-VLAN basis.

SW-16 Virus Throttling (Connection-Rate Filtering) not set

Connection-rate filtering notifies the administrator of worm-like behaviour detected in inbound IP traffic and can throttle or block such traffic. The feature also provides a way to allow legitimate high-connection-rate traffic from a given host while still protecting the network from possibly malicious traffic from other hosts.

Finding: "connection-rate-filter" is not defined.

SW-17 DHCP snooping not enabled

DHCP snooping helps avoid the denial-of-service attacks that result from unauthorised users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients. It does this by letting you distinguish between trusted ports, connected to a DHCP server or another switch, and untrusted ports, connected to end users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded, and packets from untrusted sources are dropped.

Finding: "dhcp-snooping" is not set.

SW-18 Secure Management VLAN not configured

Configuring a secure Management VLAN creates an isolated network for managing the ProCurve switches that support this feature. If you configure a secure Management VLAN, access to the VLAN and to the switch's management functions (menu, CLI and web browser interface) is available only through ports configured as members. Multiple ports can belong to the Management VLAN. Only traffic from the Management VLAN can manage the switch, i.e. only workstations connected to ports belonging to the Management VLAN can manage and reconfigure it.

Finding: "management-vlan" is not set.

SW-19 Console inactivity timeout not set

Idle console, Telnet and SSH connections should be disconnected if a session remains inactive for a predefined duration.

Finding: "console inactivity-timer" is not set.

SW-20 Insecure ACEs are configured

Access Control Entries (ACEs) can be configured to restrict access from specific hosts to specific hosts and services. The ACEs are processed sequentially, with the first ACE that matches taking effect. If no ACE matches, the switch denies access by default.

Finding: Many ACEs are configured to allow all access, for example:
ip access-list extended "151"
   10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   20 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 20
The following ACLs do not end with a "deny all and log" entry: 151, 152
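The following Python script is an added example and is not part of the original page or any HP tool. It parses `ip access-list extended` blocks in ProCurve running-config syntax, evaluates a packet against them with the first-match rule and the implicit deny described above, and flags the two weaknesses the finding names: ACEs that permit any source to any destination, and ACLs that do not end with an explicit logged deny. The ACL text is constructed for the example: ACL 151 is modelled on the finding, and ACL 152 is assumed to show the corrected form.

```python
"""Evaluate and audit HP ProCurve extended ACLs from running-config text.

Added example for the SW-20 finding; not from the original page or any HP tool.
Semantics: ACEs are tried in sequence order, the first match wins, and a packet
that matches nothing is denied (the switch's implicit deny), which is why a
trailing "deny ip any any log" is needed to make denied traffic visible in logs.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "255.255.255.255"  # wildcard mask in which every bit is "don't care"

# Constructed sample: ACL 151 as reported in the finding, ACL 152 as it should look.
SAMPLE_CONFIG = """\
ip access-list extended "151"
   10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   20 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 20
   exit
ip access-list extended "152"
   10 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 22
   20 deny ip any any log
   exit
"""

ACL_HEADER = re.compile(r'^ip access-list extended "?(\w+)"?$')
ACE_LINE = re.compile(
    r"^(?P<seq>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)"
    r"(?: eq (?P<port>\d+))?(?: (?P<log>log))?$"
)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    smask: str
    dst: str
    dmask: str
    port: Optional[int]
    log: bool


def _normalise(line: str) -> str:
    """Collapse whitespace and expand the 'any' and 'host A.B.C.D' shorthands."""
    line = " ".join(line.split())
    line = re.sub(r"\bany\b", "0.0.0.0 255.255.255.255", line)
    return re.sub(r"\bhost (\d+\.\d+\.\d+\.\d+)", r"\1 0.0.0.0", line)


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Return {acl name: [ACEs sorted by sequence number]}."""
    acls: Dict[str, List[Ace]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = _normalise(raw)
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            acls[current].append(Ace(
                seq=int(ace["seq"]), action=ace["action"], proto=ace["proto"].lower(),
                src=ace["src"], smask=ace["smask"], dst=ace["dst"], dmask=ace["dmask"],
                port=int(ace["port"]) if ace["port"] else None, log=ace["log"] is not None,
            ))
        elif line == "exit":
            current = None
    for aces in acls.values():
        aces.sort(key=lambda a: a.seq)
    return acls


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """ProCurve ACL masks are wildcard masks: a 1 bit means 'ignore this bit'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match means the implicit deny (sequence None)."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        if wildcard_match(src, ace.src, ace.smask) and wildcard_match(dst, ace.dst, ace.dmask):
            return ace.action, ace.seq
    return "deny", None


def audit(acls: Dict[str, List[Ace]]) -> Dict[str, List[str]]:
    """Flag any-to-any permits and a missing final 'deny ip any any log'."""
    report: Dict[str, List[str]] = {}
    for name, aces in acls.items():
        issues = [f"ACE {a.seq} permits {a.proto} from any source to any destination"
                  for a in aces if a.action == "permit" and a.smask == ANY and a.dmask == ANY]
        last = aces[-1] if aces else None
        if last is None or not (last.action == "deny" and last.proto == "ip"
                                and last.smask == ANY and last.dmask == ANY and last.log):
            issues.append('ACL does not end with an explicit "deny ip any any log"')
        report[name] = issues
    return report


if __name__ == "__main__":
    parsed = parse_acls(SAMPLE_CONFIG)
    print(evaluate(parsed["151"], "192.0.2.10", "198.51.100.5", "tcp", 443))
    for acl_name, problems in audit(parsed).items():
        print(acl_name, problems or "ok")
```

Run against the sample, ACL 151 reports both any-to-any permits and the missing logged deny, while a TCP/443 packet is still dropped by the implicit deny without any log entry; ACL 152 reports nothing.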

SW-21 Insecure hostname

Device hostnames sometimes reflect the model and OS version of the firewall or switch. This helps an attacker narrow down the list of attack procedures applicable to the device; the attacker can then focus on that specific device and concentrate on exploiting only it, saving a lot of time.

Finding: The hostname of the device is set to "FHDCHP5406ZL", which reveals the location, name and model number of the HP ProCurve device in use.

SW-22 RADIUS authentication is not used

RADIUS (Remote Authentication Dial-In User Service) enables the use of multiple servers for centralised authentication. This allows a different password for each user instead of having to maintain and distribute switch-specific passwords to all users. For accounting, it can help track network resource usage. RADIUS can also provide command authorisation and accounting.

Finding: "radius-server" is not set.

Impact and Solution

SW-01 Device password not set

Impact: If the switch has neither a Manager nor an Operator password, anyone who can reach the switch through Telnet, the serial port or the web browser interface can access it with full manager privileges. Also, if only an Operator password is configured, entering the Operator password grants full manager privileges.

Solution: Set passwords for the Manager and Operator accounts. At the config prompt, enter
(config)# password <manager | operator | all>
to enable authenticated access to the switch.

SW-02 Unused ports are enabled

Impact: If a port is enabled but not in use, a malicious user can plug into the open port and access all resources in the network.

Solution: The following commands disable unused network interfaces at the config prompt:
(config)# interface <interface name> <interface number> disable
(config)# write memory
For the serial console:
(config)# serial-console disable
For the USB port:
(config)# usb-host-port disable
(config)# write memory

SW-03 Older version of software is installed

Impact: If the software is not updated, an attacker can exploit known vulnerabilities in it to gain unauthorised access to the switch.

Solution: It is strongly recommended that the software be patched or upgraded to the latest version. Refer to the admin guide for the software download and upgrade procedure.

SW-04 Insecure CLI access privileges

Impact: A malicious user can sniff traffic on the wire and steal the manager or operator passwords of the device.

Solution: Enable SSH with the following commands. (1) Generate a public/private key pair on the switch:
(config)# crypto key generate ssh [dsa | rsa]
(2) Enable SSH:
(config)# ip ssh
Then disable Telnet access:
(config)# no telnet-server

SW-05 SNMP service is not secured

Impact: A malicious user can gain administrative access to the device by stealing the community strings and/or spoofing the IP address of the SNMP manager.

Solution: If SNMP is not required, disable it:
(1) no snmp enable
If SNMP is required, configure the device to use SNMPv3 for communicating with the SNMP manager:
(2) snmpv3 enable
Configure an SNMP user with a strong password (prefer sha and aes over md5 and des):
(3) snmpv3 user <user_name> [auth <md5 | sha> <auth_pass>] [priv <des | aes> <priv_pass>]
Configure the SNMP group:
(4) snmpv3 group <group_name> user <user_name> sec-model <ver1 | ver2c | ver3>
To configure a strong SNMP community (SNMPv3 communities):
(5.1) snmpv3 community index <index_name> name

SW-06 Network access to the device is not restricted

Impact: An unauthorised user can connect to the device remotely. An unauthorised user can also initiate multiple simultaneous login attempts and cause denial of service.

Solution: At the config prompt, enter
(config)# ip authorized-managers <ip-address> <ip-mask> access [manager | operator]
to allow only authorised stations to access the switch.

SW-07 Unsafe log generation and log collection

Impact: Malicious activity may go unnoticed in the absence of logs, and no information is available for investigation and forensics if an intrusion occurs.

Solution: At the config prompt, enter the following commands to enable logging on an HP device:
(config)# logging <ip address>
(config)# logging facility syslog
(config)# debug destination session
(config)# debug event

SW-08 Time server not designated

Impact: Mismatched time information in the logs from different devices leads to errors when correlating events.

Solution: At the config prompt, enter the following commands to enable SNTP time synchronisation on the switch:
(config)# timesync sntp
(config)# sntp unicast
(config)# sntp server <sntp ip address>

SW-09 Non-essential services running

Impact: A malicious user can compromise the device by exploiting vulnerabilities in the unnecessary services.

Solution: Using the ip ssh filetransfer command to enable Secure FTP (SFTP) automatically disables TFTP and auto-TFTP:
(config)# ip ssh filetransfer

SW-10 Dynamic ARP Protection not enabled

Impact: When this feature is not enabled, a malicious user may be able to execute layer 2 attacks such as MAC address spoofing and DHCP starvation, and can intercept traffic for other hosts in a man-in-the-middle attack.

Solution: To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level:
(config)# arp-protect vlan <vlan-range>

SW-11 System statutory warning not set

Impact: Absence of a statutory warning may lead to failure to prosecute an accused malicious user.

Solution: Create an appropriate login warning banner stating that the system is for authorised use only and that all activity on the system is monitored:
(config)# banner motd <delimiter> <message>

SW-12 SSH disabled for remote administration

Impact: A malicious user can sniff traffic on the wire and steal the operator and manager passwords of the device.

Solution: Enable SSH for both access levels (for Operator: "ssh login"; for Manager: "ssh enable").
Generate a public/private key pair on the switch:
(config)# crypto key generate <autorun-key [rsa] | cert [rsa] <keysize> | ssh [dsa | rsa] bits <keysize>>
Enable SSH:
(config)# ip ssh [cipher <cipher-type>] [filetransfer] [ip-version] [mac <mac-type>] [timeout <5-120>] [listen <oobm | data | both>]
Enable user authentication:
(config)# aaa authentication ssh login <local | tacacs | radius> [<local | none>]
(config)# aaa authentication ssh enable <local | radius>

SW-13 Spanning-tree protocol not secured

Impact: If STP security is not enabled, an attacker can announce his system as the root bridge and see a variety of frames.

Solution: The bpdu-filter option forces a port to always stay in the forwarding state and excludes it from standard STP operation. The following command enables or disables BPDU filtering on the specified port(s):
(config)# spanning-tree <port-list | all> bpdu-filter
Because a filtered port ignores BPDUs entirely, apply it only to ports that can never face another switch; for such edge ports bpdu-protection, which blocks the port when a BPDU arrives, is the safer control.
When tcn-guard is enabled for a port, the port stops propagating received topology change notifications and topology changes to other ports. The following command configures tcn-guard:
(config)# spanning-tree <port-list> tcn-guard

SW-14 Device processes directed broadcasts

Impact: A malicious user can perform a DoS attack using directed broadcast packets.

Solution: Configure the device not to process directed broadcasts by entering the following command in interface configuration mode:
(config)# no ip directed-broadcast
Enter this command for every physical interface of the device.

SW-15 Proxy ARP is enabled

Impact: Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments. A machine can claim to be another in order to intercept packets.

Solution: Proxy ARP is disabled by default on ProCurve routing switches. If it is found enabled, the following commands disable it on a per-VLAN basis:
(config)# vlan <vlan number>
ProCurve(vlan-1)# no ip proxy-arp

SW-16 Virus Throttling (Connection-Rate Filtering) not set

Impact: If this feature is not enabled, a virus or worm can spread across the network without detection.

Solution: The following commands enable connection-rate filtering and set the global sensitivity level:
(config)# filter connection-rate <port-list> <notify-only | throttle | block>
(config)# connection-rate-filter sensitivity <low | medium | high | aggressive>
(config)# connection-rate-filter unblock <all | host | ip-addr>
low: sets the connection-rate sensitivity to the lowest possible level, i.e. 54 destinations in less than 0.1 seconds.
medium: allows a mean of 37 destinations in less than 1 second.
high: allows a mean of 22 destinations

SW-17 DHCP snooping not enabled

Impact: An attacker with a rogue DHCP server can intercept traffic for other hosts in a man-in-the-middle attack.

Solution: Enable DHCP snooping globally:
(config)# dhcp-snooping
Enable DHCP snooping on VLANs:
(config)# dhcp-snooping vlan <vlan-id-range>
Configure authorised server addresses:
(config)# dhcp-snooping authorized-server <ip-address>
Configure DHCP snooping trusted ports:
(config)# dhcp-snooping trust <port-list>

SW-18 Secure Management VLAN not configured

Impact: Managing the switch from a common VLAN poses a risk of manager credentials being sniffed. A malicious user can sniff traffic on the wire and steal the manager or operator passwords of the device.

Solution: Note: if you configure the Management VLAN over a Telnet connection through a port that is not in the Management VLAN, you will lose management contact with the switch when you log off the Telnet connection or execute write memory and reboot the switch.
(config)# management-vlan <vlan number>
(config)# vlan 100 tagged <port number>

SW-19 Console inactivity timeout not set

Impact: An unauthorised user can gain access to the switch through unattended sessions.

Solution: A timeout of 10 minutes should be configured for connections to the HP ProCurve. The following command sets the console inactivity timeout:
(config)# console inactivity-timer 10

SW-20 Insecure ACEs are configured

Impact: A weak ACL configuration could allow a malicious user or attacker to gain unauthorised access to network services. With weak network filtering, the device would not prevent access from unauthorised hosts.

Solution: It is recommended that, where possible, all ACEs restrict access to network addresses and services to only those hosts that require it, and that ACLs are configured to ensure that:
* ACEs do not allow access from any source;
* ACEs do not allow access from a source network address;
* ACEs do not allow access to any destination;
* ACEs do not allow access to a destination network address;
* ACEs do not allow access to any destination service;
* ACEs do not allow access to a range of destination services;
* ACEs do not allow any network protocol;
* ACEs do not allow any ICMP message type;
* ACEs log all denied packets.

SW-21 Insecure hostname

Impact: An attacker can try known attacks specific to that device model and OS version; the time required for device and OS fingerprinting will be very short.

Solution: The following command changes the hostname of the switch:
(config)# hostname <ascii-string>

SW-22 RADIUS authentication is not used

Impact: Without a RADIUS server it is difficult to manage passwords for multiple administrator users across many network devices. To enforce password policies and password updates, administrators have to change the password locally on every device, which multiplies the work.

Solution: The following commands set up RADIUS authentication for the various management access methods:
(config)# aaa authentication <console | telnet | ssh | web> <enable | login> radius
(config)# radius-server host <IP-address> [auth-port <port-number>] [acct-port <port-number>] [key <server-specific key-string>]
(config)# radius-server key <global key-string>
(config)# radius-server timeout <1-15>
(config)# radius-server retransmit <1-5>
(config)# radius-server dead-time <1-1440>
To verify:
show radius [host <ip-address>]
show authentication
show radius authentication
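The following Python script is an added example, not part of this page or of any HP tool: it reads a saved `show running-config` and reports which of the SW-xx checks above fail, by looking for the command lines the Solution column names. Both configurations are constructed for the example (the weak one modelled on the sample findings, the hardened one on the Solution column). The hostname heuristic, and the assumption that password, SNMP and management lines appear in the saved config in the forms shown, are assumptions of the example. Checks that need `show` output or depend on defaults not printed in the running config (software version, port state, running services, directed broadcast, proxy ARP, STP) are deliberately left out.

```python
"""Offline checker for an HP ProCurve running-config against the SW-xx checklist.

Added example; not from the original page or HP. It inspects configuration text
only (no device access) and reports the checks whose required lines are missing.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (check id, severity from the checklist table, message)

# Constructed sample modelled on the findings on this page; not a real device dump.
WEAK_CONFIG = """\
; J8697A Configuration Editor; Created on release #K.12.14
hostname "FHDCHP5406ZL"
snmp-server community "public" Unrestricted
snmp-server community "AdaniInfra" Operator
logging 132.132.49.5
logging facility syslog
vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24
   ip address 10.0.100.2 255.255.255.0
   exit
"""

# The same switch after applying the Solution column (also constructed).
HARDENED_CONFIG = """\
; J8697A Configuration Editor; Created on release #K.15.16.0007
hostname "core-sw-01"
password manager
password operator
no telnet-server
ip ssh
snmpv3 enable
snmpv3 only
snmp-server community "R0-k7Qz9v" Operator Restricted
ip authorized-managers 10.0.100.0 255.255.255.0 access manager
logging 10.0.100.21
logging facility syslog
timesync sntp
sntp unicast
sntp server 10.0.100.251
arp-protect
arp-protect vlan 220
banner motd "Authorised use only. All activity on this system is monitored."
connection-rate-filter sensitivity medium
dhcp-snooping
dhcp-snooping vlan 220
management-vlan 100
console inactivity-timer 10
radius-server host 10.0.100.50 key "r4d1us-sh4r3d"
"""

# (check id, severity, regex that at least one config line must match, message when absent)
REQUIRED = [
    ("SW-01", "High",   r"password manager\b",          'no "password manager" set'),
    ("SW-01", "High",   r"password operator\b",         'no "password operator" set'),
    ("SW-04", "Medium", r"no telnet-server$",           "telnet-server not disabled"),
    ("SW-05", "Medium", r"snmpv3 enable$",              "SNMPv3 not enabled"),
    ("SW-06", "Medium", r"ip authorized-managers\b",    "no ip authorized-managers entries"),
    ("SW-07", "Medium", r"logging \d+\.\d+\.\d+\.\d+$", "no syslog server configured"),
    ("SW-08", "Medium", r"sntp server\b",               "no SNTP server designated"),
    ("SW-10", "Medium", r"arp-protect$",                "dynamic ARP protection not enabled"),
    ("SW-11", "Medium", r"banner motd\b",               "no login banner"),
    ("SW-12", "Medium", r"ip ssh$",                     "SSH not enabled"),
    ("SW-16", "Medium", r"connection-rate-filter\b",    "connection-rate filtering not set"),
    ("SW-17", "Medium", r"dhcp-snooping$",              "DHCP snooping not enabled"),
    ("SW-18", "Medium", r"management-vlan\b",           "no management VLAN"),
    ("SW-22", "Low",    r"radius-server host\b",        "no RADIUS server configured"),
]


def _present(lines: List[str], pattern: str) -> bool:
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.match(line) for line in lines)


def audit_config(config: str) -> List[Finding]:
    lines = [line.strip() for line in config.splitlines()]
    findings: List[Finding] = []

    for check, sev, pattern, msg in REQUIRED:
        if not _present(lines, pattern):
            findings.append((check, sev, msg))

    # SW-05: default or unrestricted community strings are findings even with SNMPv3 on.
    for line in lines:
        m = re.match(r'snmp-server community "([^"]+)"(.*)', line, re.IGNORECASE)
        if m:
            name, rest = m.group(1), m.group(2)
            if name.lower() in ("public", "private"):
                findings.append(("SW-05", "Medium", f'default community string "{name}" in use'))
            if "unrestricted" in rest.lower():
                findings.append(("SW-05", "Medium", f'community "{name}" has unrestricted access'))

    # SW-19: the timer must exist and be non-zero (0 means the session never times out).
    timer = next((re.match(r"console inactivity-timer (\d+)", l) for l in lines
                  if l.startswith("console inactivity-timer")), None)
    if timer is None or int(timer.group(1)) == 0:
        findings.append(("SW-19", "Medium", "console inactivity-timer not set"))

    # SW-21: hostname leaking platform details (heuristic; an assumption of this example).
    host = next((re.match(r'hostname "([^"]+)"', l) for l in lines if l.startswith("hostname")), None)
    if host and re.search(r"\d{4}|zl|procurve|hp", host.group(1), re.IGNORECASE):
        findings.append(("SW-21", "Low", f'hostname "{host.group(1)}" reveals platform details'))

    return findings


if __name__ == "__main__":
    for check, sev, msg in audit_config(WEAK_CONFIG):
        print(f"{check} [{sev}] {msg}")
    print("hardened:", audit_config(HARDENED_CONFIG) or "no findings")
```

Run as-is, the weak configuration produces findings for every check except SW-07 (a syslog server is present), and the hardened one produces none; feed it the output of `copy running-config tftp` or a pasted `show running-config` to check a real switch.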

Commands and Impact in Axis Bank

Equivalent commands for HP ProCurve, Juniper and H3C for each check, followed by the expected impact in Axis Bank where one is given.

SW-01 Device password not set

HP ProCurve:
(config)# password operator user-name NAME
(config)# password manager user-name NAME
Juniper:
root# set user admin-ro class read-only authentication plain-text-password
root# set user cyrus class super-user authentication plain-text-password
H3C:
[Switch] role name NAME
[Switch-role-NAME] rule 1 permit read feature
[Switch-role-role1] rule 2 permit command system-view
For manager:
[Switch] local-user user1 class manage
[Switch-luser-manage-user1] password simple aabbcc
Impact in Axis Bank: As a security measure, only authorised IPs will be able to access the switches through SSH.

SW-02 Unused ports are enabled

HP ProCurve:
(config)# interface PORT-LIST
(eth-PORT-LIST)# disable
Juniper:
> set interfaces PORT-LIST disable
H3C:
(config)# interface PORT-LIST
(port-list)# shutdown
Impact in Axis Bank: No impact, as it is part of a security measure. Unauthorised network access can be stopped through physical and logical barriers.

SW-03 Older version of software is installed

HP ProCurve:
(config)# copy tftp flash <ip address of TFTP server> <full filename including .swi> <pri | sec>
(config)# boot system flash <pri | sec>
Impact in Axis Bank: Upgrade only when the network is stable and steady. Ensure that nobody with access to the switch or the network is configuring the switch or the network during this time; a switch cannot be configured during an upgrade.

SW-04 Insecure CLI access privileges

HP ProCurve:
(config)# ip ssh version 2
(config)# ip ssh
Disable Telnet:
(config)# no telnet-server
Juniper:
user@switch# set system services ssh
Disable Telnet:
user@switch# delete system services telnet
H3C:
[Sysname] ssh server enable
Disable Telnet:
[Sysname] telnet server disable

SW-05 SNMP service is not secured

HP ProCurve:
(config)# snmp-server community STRING restricted
(config)# snmpv3 enable
(config)# snmpv3 only
(config)# snmpv3 restricted-access
(config)# snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS
Juniper:
# set snmp community COMMUNITY_NAME authorization read-only
# set snmp community COMMUNITY_NAME
# set usm local-engine user nms1 authentication-sha authentication-password $1991poppI
H3C:
[Switch] snmp-agent trap enable
[Switch] snmp-agent target-host trap address udp-domain 10.0.100.21 udp-port 161 params securityname public
[Comware5] snmp-agent target-host trap address udp

SW-06 Network access to the device is not restricted

HP ProCurve:
Switch(config)# ip authorized-managers IP SUBNET access manager
Juniper:
# set term NAME from source-address IP/24
# set term NAME from destination-port ssh
# set then accept

SW-07 Unsafe log generation and log collection

HP ProCurve:
(config)# logging IP-ADDRESS
(config)# logging facility syslog
(config)# logging severity
Juniper:
user@host# set security log stream trafficlogs host IP
H3C:
[Switch] info-center loghost IP

SW-08 Time server not designated

HP ProCurve:
(config)# sntp server priority 1 IP
(config)# sntp unicast
Juniper:
# set ntp server IP
H3C:
[Switch] ntp-service unicast-server 10.0.100.251

SW-09 Non-essential services running

HP ProCurve:
(config)# ip ssh
(config)# ip ssh filetransfer
Juniper:
# host sftphost IP sftp abc xyz
# crypto key generate dss SSH-server
# crypto key generate dss SFTP-client
H3C:
[Sysname] sftp server enable
[Sysname] ssh user client001 service-type sftp
[Sysname] ssh user client001 authentication-type password

SW-10 Dynamic ARP Protection not enabled

HP ProCurve:
(config)# arp-protect
(config)# arp-protect vlan ID
(config)# arp-protect trust 9
Juniper:
# set vlan ID arp-inspection
H3C:
(config)# ip arp inspection vlan 220
(config)# interface f0/9
(config-if)# ip arp inspection trust

SW-11 System statutory warning not set

HP ProCurve:
(config)# banner motd #
Enter the TEXT message and end it with the character '#'.
Juniper:
# set message "MESSAGE"
H3C:
[Comware5] header motd # MESSAGE #

SW-12 SSH disabled for remote administration

HP ProCurve:
(config)# crypto key generate ssh
(config)# ip ssh
Juniper:
# set system services ssh
# set system root-authentication ssh PASS
H3C:
[Comware5] public-key local create rsa
[Comware5] ssh server enable
[Comware5] user-interface vty 0 4
[Comware5-ui-vty0-4] authentication-mode scheme
[Comware5-ui-vty0-4] protocol inbound ssh
[Comware5] local-user sshmanager
[Comware5-luser-sshmanager] password simple password
[Comware5-luser-sshmanager] service-type ssh
[Comware5-luser-sshmanager] authorization-attribute level 3

SW-13 Spanning-tree protocol not secured

HP ProCurve:
(config)# spanning-tree bpdu-protection-timeout 300
(config)# spanning-tree 6 bpdu-protection
(config)# spanning-tree 6 bpdu-filter
Juniper:
# set protocols rstp interface ID disable
# set ethernet-switching-options bpdu-block interface ID drop
H3C:
[Comware5] stp bpdu-protection

SW-14 Device processes directed broadcasts

HP ProCurve:
(config)# no ip directed-broadcast
Juniper:
# set interfaces ID family inet targeted-broadcast
H3C:
Disabled by default.

SW-15 Proxy ARP is enabled

HP ProCurve:
(vlan-ID)# no ip proxy-arp
Juniper:
set interfaces ge-0/0/3 unit 0 proxy-arp restricted
H3C:
[Comware5] arp protective-down recover enable
[Comware5] arp protective-down recover interval 200
[Comware5] interface Ethernet1/0/1
[Comware5] dhcp-snooping trust
[Comware5] arp detection trust

SW-16 Virus Throttling (Connection-Rate Filtering) not set

HP ProCurve:
(config)# connection-rate-filter sensitivity medium
(config)# filter connection-rate 6 notify-only
(config)# filter connection-rate 10 block
(config)# filter connection-rate 20 throttle
Juniper:
# set ethernet-switching-options storm-control interface ge-0/0/0 bandwidth 15000
H3C:
There is no exact H3C equivalent of this ProVision feature. The Comware 5 ARP Defense and ARP Packet Rate Limit features rate-limit incoming ARP packets:
[Switch] arp source-suppression enable
[Switch] arp source-suppression limit 15
[Switch-GigabitEthernet1/0/20] arp rate-limit rate 150 drop

SW-17 DHCP snooping not enabled

HP ProCurve:
(config)# dhcp-snooping
(config)# dhcp-snooping authorized-server IP
(config)# dhcp-snooping database file tftp://10.0.100.21/ProVisio_dhcp.txt
(config)# dhcp-snooping vlan 220
(config)# dhcp-snooping trust 9
Juniper:
# set interface ge-0/0/8 dhcp-trusted
# set vlan employee-vlan examine-dhcp
# set vlan employee-vlan arp-inspection
H3C:
[Switch] dhcp-snooping
[Switch] interface g1/0/9
[Switch-GigabitEthernet1/0/9] dhcp-snooping trust

SW-18 Secure Management VLAN not configured

HP ProCurve:
(config)#

SW-19 Console inactivity timeout not set

HP ProCurve:
(config)# console inactivity-timer 10
Juniper:
# set system login class super-user-local idle-timeout 10
H3C:
[Switch] user-interface aux 0
[Switch-aux0] idle-timeout 10

SW-20 Insecure ACEs are configured

HP ProCurve:
(config)# ip access-list standard 1
(config-std-nacl)# permit IP IP
Juniper:
# set firewall family ethernet-switching filter block-to-server term 1 from source-address 20.20.20.0/24
# set firewall family ethernet-switching filter block-to-server term 1 from destination-address 10.10.10.0/24
# set firewall family ethernet-switching filter block-to-server term 1 then discard
H3C:
[Switch] acl number 2000
[Switch-acl-basic-2000] rule permit source 10.0.100.111 0.0.0.0

SW-21 Insecure hostname

HP ProCurve:
(config)# hostname "NAME"
Juniper:
# set host-name NAME
H3C:
[switch] sysname NAME

SW-22 RADIUS authentication is not used

HP ProCurve:
(config)# radius-server host IP key password
(config)# aaa authentication telnet login radius none
(config)# aaa authentication telnet enable radius none
Note that the "none" fallback grants access without any authentication whenever the RADIUS server is unreachable; "local" is the safer secondary method.
Juniper:
# set system radius-server address IP
# set system radius-server IP secret Radius-secret1
# set system radius-server IP source-address IP
H3C (if you plan to use SSH, configure it before configuring AAA support):
[Switch-radius-radiusauth] primary authentication IP 1812
[Switch-radius-radiusauth] primary accounting IP 1813
[Switch-radius-radiusauth] key authentication password
[Switch-radius-radiusauth] key