HP ProCurve Switch 5300xl Series Reviewer’s Guide
2.5.6 SSL – Secure Sockets Layer
SSL can be used to encrypt the exchange between a web browser and the 5300 switch when using the
HP ProCurve Switch 5300xl Series web GUI.
A facility is provided on the GUI interface to generate a self-signed RSA certificate for use during a SSL
browser session.
2.5.7 Management VLAN
The HP ProCurve Switch 5300xl Series can be configured to designate one of the VLANs to be the
management VLAN. When this is configured the internal IP address of the switch becomes a member
solely of the management VLAN. Since access to the switch IP address is necessary for telnet/SSH,
GUI, and SNMP access, other members of this VLAN are the only ones that can manage the switch.
The management VLAN is useful when higher switch security is desired. It prevents general switch
function access by anyone other than those on the management VLAN. The management VLAN cannot
be designated an XRRP backup VLAN.
2.5.8 SNMPv3
Many functions of the HP ProCurve Switch 5300xl Series can be monitored and the switch
configuration can even be changed through the switch’s MIBs. The standard method of querying the
switch’s MIBs for network management is through SNMP, the simple network management protocol.
Before version 3 of SNMP, SNMP has used clear text across the network. On some networks this has
been viewed as a possible serious security concern. A way around this has been to use a network
management specific VLAN (see the section above on Management VLAN), but this can be restrictive
and is not a viable solution in many environments, particularly remote environments.
SNMPv3 provides security for the SNMP communications across the web, including an encryption
mechanism to encrypt packet information. The three levels of security available in SNMPv3 are:
•
Authentication between the SNMP initiator and the 5300 switch based on username. Not very
secure.
•
Authentication between the SNMP initiator and the 5300 switch based on MD5 or SHA
algorithms. Better security for the passwords as they are encrypted. Actual SNMP
communication after login is still clear text and not secure.
•
Authentication between the SNMP initiator and the 5300 switch based on MD5 or SHA
algorithms and encryption via 56 bit key DES. Passwords are protected and further SNMP
communication is encrypted across the network. Querying and control via SNMP cannot be
viewed outside the encrypted session.
With SNMPv3 those sites that are concerned with the possibility of packet snooping can turn on
encryption allowing secure communication between the network management application and the
switch.
2.5.9 Manager Authorized List
The HP ProCurve Switch 5300xl Series Manager Authorized List can be configured with up to ten IP
addresses that have management access to the switch. The list, along with Management VLANs and
console passwords, provides a way to tightly limit who has access to the switch console.
If no addresses are in this list (the default) any source IP address can send a packet to the switch’s
management agent. If you do have addresses in this list and you are using a management VLAN,
addresses on the list must be a member of the management VLAN to obtain switch login.
© Hewlett-Packard Co. 2002, 2003
Rev 1.1 – 2/11/2003
http://www.hp.com/go/hpprocurve
Page 23 of 35
Содержание 5300
Страница 34: ......
