Common Criteria for HP Networking Switches

HTTP vs. HTTPS
HP switches and routers can be configured through the HTTP interface. The HTTP interface that is
started by default has the same limitation as Telnet: it sends credentials and configuration in clear text.
It is recommended that the HTTPS interface be configured and the HTTP interface be disabled. HTTPS is
HTTP traffic carried over a Secure Sockets Layer (SSL) session. Follow these steps to enable HTTPS and
disable HTTP:
HP Switch(config)# crypto key generate cert rsa bits < 1024|2048 >
HP Switch(config)# crypto host-cert generate self-signed
HP Switch(config)# web-management ssl
HP Switch(config)# no web-management plaintext
TFTP vs. SFTP and SCP
The TFTP client and server should be disabled, as TFTP does not require any authentication. Secure File
Transfer Protocol (SFTP) and Secure Copy Protocol (SCP) are part of the SSH protocol suite. They provide
an encrypted session between client and server, authenticated with public/private keys, just like SSH. In
this case, the switch is the server and your PC is the client. Note that you will need a client program on
your PC that supports SFTP or SCP. Follow these steps to enable SFTP and SCP and disable TFTP:
HP Switch(config)# crypto key generate ssh
HP Switch(config)# ip ssh filetransfer
HP Switch(config)# no tftp server
HP Switch(config)# no tftp client
When executing ip ssh filetransfer, the TFTP client and server will be disabled automatically. To disable
the TFTP client and server manually, execute the following commands:
HP Switch(config)# no tftp server
HP Switch(config)# no tftp client
SNMPv1/2c vs. SNMPv3
SNMP version 2 is enabled by default. This protocol is used to manage switches and routers from a
central management server such as PCM+. SNMPv2 uses community names for read and write access,
much like passwords are used for authentication. These community names are sent across the wire as
clear text. If a malicious user were to capture these community names, they could issue SNMP set
commands to reconfigure your network device.
SNMP version 3 was developed to overcome these weaknesses. It uses asymmetric cryptography to
encrypt SNMP traffic over the wire. Follow these steps to enable SNMPv3:
HP Switch(config)# snmpv3 enable
HP Switch(config)# snmpv3 only
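As an added example (not part of this guide and not an HP tool), the following Python script audits a saved running-config against the HTTP, TFTP and SNMP settings from the three sections above. It assumes the config shows these settings in the same form as the CLI commands on this page, with "no ..." lines for disabled services, and it uses a constructed config excerpt rather than output captured from a real switch.

```python
"""Audit an HP switch running-config for the HTTP/TFTP/SNMP settings recommended above."""
import re

# Constructed sample of a running-config excerpt; not captured from a real device.
SAMPLE_RUNNING_CONFIG = """\
; constructed example configuration
hostname "HP-Switch"
web-management plaintext
web-management ssl
tftp server
snmp-server community "public" unrestricted
ip ssh
"""

# Lines that should be present. Assumption: the config echoes the settings in the
# same form as the CLI commands on this page (some firmware omits default settings).
REQUIRED = {
    "HTTPS management enabled": r"^web-management ssl$",
    "plaintext HTTP management disabled": r"^no web-management plaintext$",
    "SSH file transfer (SFTP/SCP) enabled": r"^ip ssh filetransfer$",
    "TFTP server disabled": r"^no tftp server$",
    "TFTP client disabled": r"^no tftp client$",
    "SNMPv3 enabled": r"^snmpv3 enable$",
    "SNMPv3 only (v1/v2c refused)": r"^snmpv3 only$",
}

# Lines whose presence means an insecure service or clear-text credential is configured.
# Patterns are anchored to whole lines so "no tftp server" does not match "tftp server".
FORBIDDEN = {
    "plaintext HTTP management is enabled": r"^web-management plaintext$",
    "TFTP server is enabled": r"^tftp server$",
    "TFTP client is enabled": r"^tftp client$",
    "SNMPv1/v2c community string is configured": r"^snmp-server community\b",
}


def normalize(config):
    """Return non-empty, non-comment config lines with whitespace collapsed."""
    lines = []
    for raw in config.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if line and not line.startswith(";"):  # ';' starts a comment in the config
            lines.append(line)
    return lines


def audit(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    lines = normalize(config)
    findings = []
    for name, pattern in REQUIRED.items():
        if not any(re.match(pattern, line) for line in lines):
            findings.append(f"MISSING: {name}")
    for name, pattern in FORBIDDEN.items():
        if any(re.match(pattern, line) for line in lines):
            findings.append(f"PRESENT: {name}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Run against a config that applies every command from the three sections above, `audit()` returns an empty list; against the constructed sample it reports the missing "no" lines and the plaintext HTTP, TFTP and SNMP community lines that are still present.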
For additional SNMPv3 configuration examples, refer to the product manual. It is important to consider
user names, groups and privileges when configuring SNMPv3. Further considerations should