Procurve Security

Richard001
Occasional Contributor

Procurve Security

Hi,
I’m thinking of implementing VLANs across all our switches to carry internet traffic to all servers / firewalls that require internet traffic, thus reducing the cable run between racks. However, I have concerns about the security aspects, especially VLAN Hopping. I’ve done some reading but cannot find anything related to HP, only Cisco. I’ve heard the opinion that it is a weak solution. The internet VLANs will all connect to either Cisco ASAs or ISA Servers. I was also thinking of not allocating an IP to any of the VLANs that carry internet traffic. Also, what about other security risks, such as ARP poisoning etc.?
Many thanks
3 REPLIES
Evert Goor
Trusted Contributor

Re: Procurve Security

In my personal view I would not add an IP address in that VLAN on any switch/router. No IP address means no option to get in contact with the L3/management part of the switch/router. And always make sure you boost up the security on those switches, like only SSH and management IP addresses.

But for the rest I do not know of any security risks when using the switches just for L2.

There can always be security risks in the firmware, so always keep an eye on the firmware levels.

Good Luck
Richard001
Occasional Contributor

Re: Procurve Security

Thank you for the reply. What I've done for now is to create 4 VLANs on the required switches, with no IP address in the VLAN that carries internet traffic; the VLANs that carry traffic for internal processing have IPs. I've also enabled SSH. Is that what you would recommend?
Case Van Horsen
Frequent Advisor

Re: Procurve Security

Here are some other suggestions. They may or may not apply to your environment.

1) Disable spanning tree (bpdu-filter or bpdu-guard) on all interfaces going to servers.

2) Disable CDP or LLDP.

3) If the switches support it, statically assign MAC addresses to ports and disable MAC address learning.

4) If used by the switches, disable any "stacking" protocol that automatically allows multiple switches to be managed as one.

The motivation for 1, 2, and 4 is to eliminate as many methods as possible for an attacker to send packets that need to be processed by the switch.

casevh
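As an added example (not from any poster in this thread), here is how the advice above, plus the "no IP address in the internet VLAN, SSH only" points from the earlier replies, could look as a ProCurve CLI fragment. The command syntax is assumed from ProCurve documentation and varies by model and firmware, so check it against your switch; VLAN IDs, port names, the management subnet and the MAC address are constructed placeholders.

```text
; ProCurve CLI fragment (assumed syntax; verify against your switch's firmware manual).
; Constructed values: VLAN 100 = internet transit, VLAN 10 = management,
; ports A1-A4 = server/firewall ports, 10.10.0.0/24 = management subnet,
; 001122-334455 = a constructed server MAC.

; Internet transit VLAN: pure layer 2, no switch IP address in it
vlan 100
   name "Internet"
   untagged A1-A4
   no ip address
   exit

; Management stays in its own VLAN, the only one with a switch IP
vlan 10
   name "Mgmt"
   ip address 10.10.0.2 255.255.255.0
   exit

; 1) Edge ports to servers/firewalls: a BPDU from a host disables the port
;    instead of letting the host join the spanning-tree topology
spanning-tree A1-A4 bpdu-protection
spanning-tree bpdu-protection-timeout 300

; 2) Stop advertising the switch to attached hosts
no cdp run
lldp admin-status A1-A4 disable

; 3) One static MAC per server port; any other source MAC shuts the port
port-security A1 learn-mode static address-limit 1 mac-address 001122-334455 action send-disable

; 4) No automatic stack membership
no stack

; Management plane: SSH only, reachable only from the management subnet
ip ssh
no telnet-server
no web-management
ip authorized-managers 10.10.0.0 255.255.255.0 access manager
```

Repeat the port-security line per server port with that server's real MAC; a port disabled by bpdu-protection re-enables after the timeout, which gives you a log entry to investigate rather than a silent topology change.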