Common Criteria for HP Networking Switches
Read Me First
3500yl switches
3800 switches
5400zl switches
6200yl switches
6600 switches
8200zl switches
Software version: KA.15.09.0004
HP Part Number: 5998-2311 rev.
© Copyright 2013 Hewlett-Packard Development Company, L.P. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.

Acknowledgements
Microsoft, Windows, and Microsoft Windows NT are US registered trademarks of Microsoft Corporation. Java™ is a US trademark of Oracle and/or its affiliates.
Contents
Scope ... 5
Purpose ... 5
Security Audit Functions ... 6
Cryptographic Functions ...
Dynamic ARP Protection ... 18
Physical Security ... 19
Password Clear Protection – Front-Panel Security ... 19
USB Port ...
Scope
HP Networking Switches are intelligent network switches that provide a set of platform and software features that make them suited for enterprise edge, distribution/aggregation layer, and small core deployments. The Target of Evaluation (TOE) for the Common Criteria (CC) evaluation was the family of HP Networking Switch Models 3500yl, 5400zl, 6200yl, 6600, 8200zl running Version K.15.09.0004 of the HP Networking software and the Model 3800 series running version KA.15.09.
Identification and Authentication Functions
Security Management Functions
TOE Access Functions
Protection of the TSF Functions

Security Audit Functions
The TOE records relevant security event data in an Event Log. The audit records in the Event Log serve as a tool to isolate and troubleshoot problems. The audit trail is stored on the switch and is accessible via the protected management functional interfaces.
addresses, configured IP addresses and source-ports, and through the use of access control lists (ACLs).

Identification and Authentication Functions
The TOE enforces password-based authentication before allowing access to the command line, menu, and web-based management interfaces. The TOE also allows the use of an optional external authentication server (RADIUS or TACACS+) for TOE user identification and authentication. The TOE enhances user login security by masking passwords during entry on user login.
TOE Access Functions
The TOE displays a banner regarding unauthorized use of the TOE before establishing a user session. The TOE also terminates a user’s session after an administrator-configured period of inactivity expires.

Protection of the TSF Functions
The TOE, in conjunction with the operational environment, protects TSF data from unauthorized disclosure when transmitted between itself and trusted external IT entities.
SNMP v3 with encryption should be enabled if remote SNMP Management is used. Refer to “SNMPv1/2c vs. SNMPv3” on page 12.
Replace the default community name (“public”) with a non-default community name. Refer to “SNMPv1/2c vs. SNMPv3” on page 12.
Manager and Operator access levels must have a password assigned. Refer to “Local Authentication” on page 16.
Evaluation Exclusions

Testmode interface
This interface is for maintenance and troubleshooting only and is not included in the scope of the evaluation. Undocumented functionality that should only be initiated when directed by HP support. Must have a legitimate administrator account on the switch.

HP PCM+ Network Management Software
HP PCM+ is a network management application that can optionally be used to manage and monitor HPN switches via SNMP from an MS Windows-based workstation/server.
Access Security Guide
Advanced Traffic Management Guide
IPv6 Configuration Guide
Management and Configuration Guide
Multicast and Routing Guide

Hardening HP Networking Switches

Executive Summary and Purpose
Security is a growing concern in today’s Information Technology (IT) infrastructure. Upper level managers and IT managers alike are held to a higher accountability for the integrity and availability of their data.
HTTP vs. HTTPS
HP switches and routers can be configured through the HTTP interface. The HTTP interface that is started by default has the same limitations as Telnet. It is recommended that the HTTPS interface be configured and the HTTP interface be disabled. HTTPS is HTTP traffic running over a Secure Sockets Layer (SSL).
include encryption settings. If for any reason SNMPv3 is not an option for your network, you can enable SNMPv2 in restricted mode. This will allow management devices to “get” information from a networking device, but not “set” or change any settings on the networking device.
Access Control

Secure Management VLAN
Secure Management VLANs are designed to restrict management access to the switch to only those nodes connected to the Management VLAN. That is, only clients connected to ports that are members of the Secure Management VLAN can gain management access to the HP switch. This sharply limits the universe of devices that can attempt unauthorized access.
unauthorized access through the serial console. It’s recommended that this feature be used in conjunction with a secondary authentication scheme, such as password protection.

Consider the following standard ACL:
   ip access-list standard "mgmt-traffic"
      10 permit 10.1.1.0 0.0.0.255
      20 permit 10.1.0.50 0.0.0.0
      exit
This list, when applied inbound on the VLAN or port on which the management interface resides, will allow only hosts from 10.1.1.0/24 or 10.1.0.50 to access the switch.
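As an added illustration, not part of the HP document, the following Python evaluates the "mgmt-traffic" ACL above against candidate source addresses using HP's wildcard-mask semantics (a 0 bit in the mask must match, a 1 bit is ignored) and the implicit deny at the end of every ACL; the ACL text is embedded as constructed input.

```python
# Added example (not from the HP document): which source hosts does the
# standard ACL "mgmt-traffic" admit? Wildcard masks are inverse masks and an
# unmatched packet falls through to the implicit "deny any".
import ipaddress

# ACL text exactly as written in the document (constructed input for the example)
MGMT_ACL = """
ip access-list standard "mgmt-traffic"
   10 permit 10.1.1.0 0.0.0.255
   20 permit 10.1.0.50 0.0.0.0
   exit
"""


def parse_standard_acl(text):
    """Return a sorted list of (seq, action, address_int, wildcard_int) entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # ACE lines look like: <seq> permit|deny <address> <wildcard>
        if len(parts) == 4 and parts[1] in ("permit", "deny"):
            seq = int(parts[0])
            addr = int(ipaddress.IPv4Address(parts[2]))
            wild = int(ipaddress.IPv4Address(parts[3]))
            entries.append((seq, parts[1], addr, wild))
    return sorted(entries)


def ace_matches(src, addr, wild):
    """A wildcard mask matches when every bit that is 0 in the mask agrees."""
    care = ~wild & 0xFFFFFFFF
    return (src & care) == (addr & care)


def acl_decision(entries, src_ip):
    """First matching ACE wins; no match means the implicit deny (seq None)."""
    src = int(ipaddress.IPv4Address(src_ip))
    for seq, action, addr, wild in entries:
        if ace_matches(src, addr, wild):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_standard_acl(MGMT_ACL)
    for host in ("10.1.1.77", "10.1.0.50", "10.1.0.51", "192.168.1.1"):
        print(host, acl_decision(acl, host))
```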
[Table: authentication settings per Access Task (Console, Telnet, Port-Access, Webui, SSH, Web-Auth, MAC-Auth), with Login and Enable columns for Primary, Server Group and Secondary methods; the values that survived extraction are Local, ChapRadius, radius and None, but their assignment to rows and columns is not recoverable.]
Note: Port-access (802.
RADIUS Authentication Authenticating users via RADIUS provides a centralized way to manage access to the switch. This allows the administrator to make modifications to the set of authorized users without having to make changes on every network device.
command:
   HP Switch(config)# aaa authentication login privilege-mode
To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
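An added example, not HP's code: parsing a RADIUS Access-Accept to read the Service-Type attribute that privilege-mode relies on. The mapping of Administrative-User (6) to the Manager level and NAS-Prompt-User (7) to the Operator level is an assumption made for this example (the value codes themselves are RFC 2865's), and the sample packet is constructed inline with a zeroed authenticator.

```python
# Added example (not from the HP document): derive a switch privilege level
# from the Service-Type attribute of a RADIUS Access-Accept.
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
# Assumed mapping for this example: RFC 2865 Service-Type codes -> switch level
SERVICE_TYPE_TO_LEVEL = {6: "manager", 7: "operator"}


def parse_radius(packet):
    """Return (code, identifier, {attr_type: [raw values]}) for one RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20  # 4-byte header plus the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def privilege_level(packet):
    """Map the Service-Type in an Access-Accept to a privilege level, else None.

    A real client must first verify the Response Authenticator with the shared
    secret; that check is out of scope here and the sample packet zeroes it.
    """
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None  # Access-Reject or unexpected code: no login
    for value in attrs.get(ATTR_SERVICE_TYPE, []):
        level = SERVICE_TYPE_TO_LEVEL.get(struct.unpack("!I", value)[0])
        if level:
            return level
    return None


def build_accept(ident, service_type):
    """Construct a sample Access-Accept carrying one Service-Type attribute."""
    attr = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    body = bytes(16) + attr
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 4 + len(body)) + body
```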
normally without validating their authenticity, provided no authorized servers are configured.

Note: Enabling ARP protection without first configuring DHCP Snooping and/or static bindings will cause all ARP packets to be dropped.

ARP Protection also can be configured to drop:
ARP request or response packets, where the source MAC address in the Ethernet header does not match the sender MAC address in the body of the ARP packet.
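An added example, not from the HP document, of the two checks described above applied to raw Ethernet/ARP frames: the Ethernet source MAC must equal the ARP sender MAC, and the sender IP/MAC pair must exist in the DHCP-snooping or static binding table. The binding-table contents and the frame builder are constructed for the example.

```python
# Added example (not from the HP document): validate ARP frames the way
# Dynamic ARP Protection does, using a constructed binding table.
import struct

ETHERTYPE_ARP = 0x0806

# Constructed binding table (what DHCP snooping or static bindings would hold)
BINDINGS = {"10.1.1.20": "00:11:22:33:44:55"}


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def check_arp_frame(frame, bindings=BINDINGS):
    """Return (accept, reason) for one Ethernet frame; non-ARP frames pass."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return False, "truncated frame"
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        return True, "not ARP"
    # ARP body: hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP
    _, _, _, _, _op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if src != sha:
        return False, "ethernet src %s != arp sender %s" % (mac_str(src), mac_str(sha))
    if bindings.get(ip_str(spa)) != mac_str(sha):
        return False, "no binding for %s/%s" % (ip_str(spa), mac_str(sha))
    return True, "valid"


def build_arp(eth_src, sha, spa, op=2):
    """Construct a broadcast ARP frame; eth_src and sha may differ for testing."""
    hdr = struct.pack("!6s6sH", b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       sha, spa, bytes(6), bytes(4))
    return hdr + body
```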
USB Port
The switch includes a USB port to receive a flash drive for deploying, troubleshooting, backing up configurations, or updating switches. This port should be disabled when not in use. The port can be temporarily enabled when needed and then immediately disabled after the required task is completed. To disable the port, use the switch’s no usb-port CLI command.
   HP Switch # no usb-port
To enable the port, use the usb-port command.
Appendix A: List of CC certified SKU Numbers Note: Transceivers, Cables, Power Supplies, Fan Modules, Mounting Kits, and Licenses are not included in this list. These components cannot be certified.
HP 20-port Gig-T PoE+ / 2-port 10-GbE SFP+ v2 zl Module
HP 24-port SFP v2 zl Module
HP 8-port 10 GbE SFP+ v2 zl Module
HP 24-port 10/100 PoE+ v2 zl Module
HP 12-port Gig-T PoE+ / 12-port SFP v2 zl Module
HP 24-port 10/100/1000 PoE zl Module
HP 4-port 10GbE CX4 zl Module
HP 24-port 10/100 PoE+ zl Module
HP 20p 10/100/1000 PoE+/4p SFP zl Mod
HP 4-port 10GbE SFP+ zl Module
HP 20-p Gig-T / 4-p Mini-GBIC zl Module
HP 24-port Mini-GBIC zl Module
HP 4-port 10GbE X2 zl Module
HP 24-port 10/100/1000 PoE+ zl Module
H

HP 24-port Gig-T PoE+ v2 zl Module
HP 24-port Gig-T v2 zl Module
HP 24-port 10/100 PoE+ v2 zl Module
HP 24-port 10/100/1000 PoE zl Module
HP 4-port 10GbE CX4 zl Module
HP 20-p Gig-T / 4-p Mini-GBIC zl Module
HP 24-port Mini-GBIC zl Module
HP 4-port 10GbE X2 zl Module
HP 8200 zl Management Module
HP 8200 zl Fabric Module
HP 8200 zl System Support Module
HP 24-port 10/100/1000 PoE+ zl Module
HP 24-port 10/100 PoE+ zl Module
HP 20p 10/100/1000 PoE+/4p SFP zl Mod
HP 4-port 10GbE SFP+ zl Module
J9534A J9550A J9
Appendix B: User Documentation
Columns: Title, Software Version, Publication Date. The Title column did not survive extraction; the version and date values are listed below in their original order.
Software Version: K.15.09, K.15.09, K.15.09, K.15.09, K.15.09, K.15.09, K.15.09, K.15.10.0022, K.15.09.0019, K.15.09.0004, N/A, N/A, N/A, N/A, N/A, N/A
Publication Date: June 2012, July 2012, April 2009, June 2013, June 2012, June 2012, June 2012, Oct 2013, June 2013, November 2013, April 2012, March 2012, Aug.
Title
8200 zl Switches
Read Me First for 8212zl K.12.31 or greater
Read Me First for 8206zl K.14.34 or greater
Read Me First for zl Switch v2 Modules K.15.04 or greater
Read Me First for E8206 zl K.15.02 or greater
Read Me First for E8212 zl K.15.02 or greater
Read Me First for zl Modules K.11.00 or greater
Read Me First for 8200zl K.12.