HP 6125G HP Networking guide to hardening Comware-based devices
HP 6125G Manual
HP 6125G manual content summary:
- HP 6125G | HP Networking guide to hardening Comware-based devices - Page 1
Technical white paper. HP Networking guide to hardening Comware-based devices. Table of contents: Introduction 2; Management plane; Simple Network Management Protocol 11; Logging best practices 13; HP Comware software configuration management 15; Control plane 16; General control plane hardening ...

- Page 2
... the security features and configurations available in Comware-based HP software that help fortify ... user can log in to a device and obtain its configuration file, from which the user can view user names and plain-text passwords. Cipher-text passwords are therefore recommended, especially when password ...

- Page 3
... -number 3 type-length 5
# Configure a super password.
[Sysname] super password level 3 simple 12345ABGFTweuix
# Create a local user named test.
[Sysname] local-user test
# Set the service type of the user to Telnet.
[Sysname-luser-test] service-type telnet
# Set the minimum password length to 12 for ...

- Page 4
# Configure the password of the local user in interactive mode.
[Sysname-luser-test] password
Password
Confirm
Updating user(s) information, please wait........
[Sysname-luser-test] quit
Disable unused services
As a security best practice, any unnecessary service must be disabled. These unneeded ...

- Page 5
... to detect and be notified when the CPU load on a device crosses a configured threshold. When the threshold is crossed, the device generates and sends an SNMP trap message. Comware does not support manual modification of the threshold for CPU Threshold Notification, which is determined by the system ...

- Page 6
... to other organizations, remote access segments, user segments, and data center segments. ... ICMP in general. While the network troubleshooting tools ping and traceroute use ICMP, external ICMP ... HP Comware software uses a specific method to check non-initial fragments against configured access lists. HP ...

- Page 7
... to a device. Console ports on HP Comware devices have special privileges. By default, an administrator can access a device through its console port without password authentication. You can configure authentication, authorization, and accounting (AAA) to authenticate users accessing the console port ...

- Page 8
... user must first pass local password authentication by default. You can configure AAA to authenticate users accessing the AUX port as follows:
#
user-interface aux 0
 authentication-mode scheme
 idle-timeout 1 0
... user remote network connections supported by the ... both VTY lines. HP Comware devices have ...

- Page 9
... originally designed for dial-in user access. With the diversification of access methods, RADIUS has been extended to support more access methods, for example, Ethernet access and ADSL access. It provides access authentication and authorization services. Information exchanged between a RADIUS client ...

- Page 10
... efficiency. Encrypts only the user password field in an authentication packet. Protocol packets are simple, and authorization is combined with authentication. Does not support authorization of configuration commands. Which commands a user can use depends on the user's level. A user can use all the ...

- Page 11
... password control function to secure user passwords within HP Comware devices ... Command Reference Guide. SNMP community strings with ACLs: In addition to the community string, an ACL should be applied that further restricts SNMP access to a select group of source IP addresses. The following configuration ...

- Page 12
... and Monitoring Command Reference Guide. SNMP Version ... supported, SNMPv3 can be used to add another layer of security when deploying SNMP. SNMPv3 consists of three primary configuration ... user accounts must be reconfigured. The next step is to configure an SNMPv3 group. This command configures an HP ...

- Page 13
... command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:
# snmp-agent usm-user ...
... Configuration Guide. Logging level: Each log message that is generated by an HP ... view configuration command info-center source default ...

- Page 14
... off
info-center source default channel monitor log state off
# ... server:
# info-center loghost ...
# For more information on log correlation, see "Information Center" in the Network Management and Monitoring Configuration Guide. Use buffered logging: HP Comware software supports the use of ...

- Page 15
... archive by using the archive configuration command. The archived configurations can be viewed by using the display archive configuration command. The following example illustrates the configuration of automatic configuration archiving. This example instructs the HP Comware device to store archived ...

- Page 16
... device. You can display the change trap with the display trapbuffer command. Use the snmp-agent trap enable command to enable configuration change notification.
#
[HP]display trapbuffer
Trapping buffer configuration and contents: enabled
Allowed max buffer size : 1024
Actual buffer size : 1024
...

- Page 17
... HP product documentation. NTP maximum dynamic sessions: Use the ntp-service max-dynamic-sessions command to set the maximum number of dynamic NTP sessions that are allowed to be established locally. Please see "NTP" in the Network Management and Monitoring Configuration Guide and Command Reference ...

- Page 18
... control plane traffic. To properly protect the control plane of HP Comware devices, it is essential to understand the types of ... the Fundamentals Configuration Guide. The tftp-server acl command can be used to control the device's access to a specific TFTP server using an ACL. User interface ACLs ...

- Page 19
... the Security Command Reference Guide. HTTPS ACLs: Use the ip https acl command to control HTTPS access with an ACL. Only the clients permitted by the ACL can access the HTTPS server on the device. Control plane protection: The control plane policing feature allows you to configure a quality of service ...

- Page 20
... of this command is illustrated as follows:
#
bgp
 peer as-number
 peer password cipher
#
For more information, see "Enabling MD5 Authentication for TCP Connections in BGP" in the Layer-3 IP Routing Configuration Guide. Configuring maximum prefixes ...

- Page 21
... configured for each BGP peer. When configuring this feature using the peer route-limit command ... the Layer-3 IP Routing Configuration Guide. Filtering BGP prefixes with ... configuration example that follows uses prefix lists to limit the routes that are learned and advertised. Specifically, only a default ...

- Page 22
... this view. By default, IGPs are dynamic ... support authentication.
#
interface
 rip authentication-mode md5 rfc2543
#
For more information, see "Configuring RIPv2 Message Authentication in RIP" in the Layer-3 IP Routing Configuration Guide. Following is an example configuration ...

- Page 23
... area-authentication-mode md5
 domain-authentication-mode md5
#
For more information, see "Enhancing IS-IS Network Security in ISIS" in the Layer-3 IP Routing Configuration Guide. Silent-interface commands: Information leaks, or the introduction of false information into an IGP, ...

- Page 24
... redirects be disabled. By default, HP Comware software does not send a redirect if it receives a packet that must be routed through the interface it was received from. ICMP redirects are disabled using the undo ip redirects command in system view, as shown in the following example configuration: ...

- Page 25
... udp source 192.168.1.0 0.0.0.255
#
interface Ethernet 0/1/0
 ip forward-broadcast acl 3001
#
For more information about the ip forward-broadcast command, see "IP Performance Optimization Configuration" in the Layer-3 IP Services Configuration Guide. Filtering transit traffic with Transit ACLs: ICMP ...

- Page 26
... hinder accurate traceback. HP Comware provides Unicast Reverse ... deployed as a manual means of spoofing prevention ... switch configured globally or on the interface, depending on the device model. For more information about the configuration and use of URPF, see "URPF" in the Security Configuration Guide ...

- Page 27
... such as IP spoofing) and improve port security. HP IP source guard supports static and dynamic entries. You can configure static entries in scenarios where there are only a few hosts in a LAN and their IP addresses are manually configured. For example, you can configure a static entry on a port that ...

- Page 28
... control. The port services only one user passing 802.1X authentication ... 1X and MAC users to have access. The following configuration example enables ...
[HP]port-security enable
Please wait Done.
[HP-Ethernet0/4/1]port-security max-mac-count 10
[HP-Ethernet0/4/1]port-security port-mode autolearn
[HP ...

- Page 29
... users such as servers or printers that use manually configured IP addresses. In such environments, static client entries are also the requisites when enabling ARP Detection. The following command ... 0.0.255.255
#
# For Switch, port ACL command is "packet-filter"
interface
 packet-filter name ...

- Page 30
... Using HP ... manual intervention ... switches, functions by performing analysis on specific attributes within IP packets and creating flows. Version 9 is the most flexible format and allows users to define templates with different statistics fields. The following example illustrates the basic configuration ...

- Page 31
... Approach II, enable NetStream through QoS policy.
# ip netstream { inbound | outbound }
# traffic behavior
 mirror-to interface
 net-stream
# Approach III, enable NetStream through port mirroring.
# ip { inbound | outbound }
# interface Ethernet0/1/0
 ip ...

- Page 32
... the Network Management and Monitoring Configuration Guide. sFlow: sFlow is a traffic ... advantages: • Supporting traffic monitoring on Gigabit Ethernet and higher- ... supported on HP Comware devices: Only the sFlow agent is supported on HP Comware devices. The following example shows the basic configuration ...

- Page 33
..., see "sFlow" in the Network Management and Monitoring Configuration Guide. Classification ACLs: Classification ACLs provide visibility into traffic that ... with display acl and reset acl counter commands. The following example illustrates the configuration of a classification ACL to identify traffic: ...

- Page 34
... direction on Layer 2 physical interfaces of a switch. The syntax for creating PACLs, which take precedence over VLAN QoS policies and router ACLs, is the same as it is for router ACLs. An ACL applied to a Layer-2 interface is referred to as a PACL. Configuration involves creating an IPv4, IPv6, or ...

- Page 35
... can be applied on an IP network and instructs the forwarding engine to not inspect the IP header ... networks that support guests. This configuration example configures VLAN 11 ... configures interface GigabitEthernet1/0/1 as an isolated port in VLAN 11:
#
vlan 11
 isolated-vlan enable
#
vlan 20
 isolate-user ...

- Page 36
... community VLAN and configures switch port GigabitEthernet1/0/2 as a member of that VLAN. The community VLAN, VLAN 12, is a secondary VLAN to primary VLAN 20. Note: A secondary VLAN is considered a community VLAN by default.
#
vlan 12
#
vlan 20
 isolate-user-vlan enable
#
interface GigabitEthernet1 ...

- Page 37
... user-vlan 20 secondary 11 12
#
When implementing PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow the PVLAN configuration ... , and isolation groups. HP Comware supports creating multiple isolation groups, ...

- Page 38
... the uplink port without needing Layer 3 forwarding. If your device does not support an uplink port feature, the isolated ports in a Layer 2 VLAN need Layer 3 forwarding to access other networks. The following configuration example configures G1/0/10 and G1/0/11 in VLAN 20 as isolated ports, and ...

- Page 39
... Port of Group2 ***
 port access vlan 20
 port-isolate uplink-port group 2
#
For more information about port isolation, see "Port Isolation" in the Layer-2 LAN Switching Configuration Guide.

- Page 40
... /go/getconnected Current HP driver, support, and security alerts delivered directly to your desktop. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the ...
Technical white paper
HP Networking guide to hardening Comware-based devices

Table of contents
Introduction 2
Management plane 2
  General management plane hardening 2
  Limiting access to the network with infrastructure ACLs 5
  Securing interactive management sessions 7
  Fortifying Simple Network Management Protocol 11
  Logging best practices 13
  HP Comware software configuration management 15
Control plane 16
  General control plane hardening 16
  Limiting the CPU impact of control plane traffic 18
  Securing BGP 20
  Securing Interior Gateway Protocols 22
  Securing Virtual Router Redundancy Protocol 24
Data plane 24
  General data plane hardening 24
  Filtering transit traffic with Transit ACLs 25
  Anti-spoofing protections 26
  Limiting the CPU impact of data plane traffic 30
  Traffic identification and traceback 30
  Access control with VLAN QoS policy and port access control lists 34
  Using private VLANs 35
  Port isolation 37