HP 6125G HP Networking guide to hardening Comware-based devices - Page 11

Authentication fallback, Redundant AAA servers, Fortifying Simple Network Management Protocol - user guide


Authentication fallback
If all authentication servers are unavailable, local authentication can be used. Local authentication can use the password control function to secure user passwords.
Redundant AAA servers
You can specify multiple RADIUS or HWTACACS authentication/authorization servers to achieve redundancy. When the primary authentication/authorization server is unreachable, the access device contacts the secondary server to perform authentication/authorization. You can specify one primary server, and up to 16 secondary servers. You can also specify a server as the primary authentication/authorization server in a scheme, and at the same time specify it as the secondary authentication/authorization server in another scheme.
Fortifying Simple Network Management Protocol
This section highlights several methods that can be used to secure the deployment of SNMP within HP Comware devices. It is critical that SNMP be properly secured to protect the confidentiality, integrity, and availability of both the network data and the network devices through which this data transits. SNMP provides you with a wealth of information on the health of network devices. This information should be protected from malicious users who want to leverage this data to perform attacks against the network.
SNMP community strings
Community strings are passwords that are applied to a Comware device to restrict access (both read-only and read-write access) to the SNMP data on the device. These community strings, as with all passwords, should be carefully chosen to ensure they are not trivial. Community strings should be changed at regular intervals and in accordance with network security policies. For example, the strings should be changed when a network administrator changes roles or leaves the company.
These configuration lines configure a read-only community string of READONLY and a read/write community string of READWRITE:
#
snmp-agent community read READONLY
snmp-agent community write READWRITE
#
Note that the preceding community string examples have been chosen to clearly explain the use of these strings. For production environments, community strings should be chosen with caution and should consist of a mix of letters, digits, and non-alphanumeric symbols.
For more information about this feature, see "SNMP" in the Network Management and Monitoring Command Reference Guide.
SNMP community strings with ACLs
In addition to the community string, an ACL should be applied that further restricts SNMP access to a select group of source IP addresses. The following configuration restricts SNMP read-only access to end host devices that reside in the 192.168.100.0/24 address space and restricts SNMP read/write access to only the end host device at 192.168.100.1. Note that the devices that are permitted by these ACLs require the proper community string to access the requested SNMP information:
#
acl number 2001
rule 1 permit source 192.168.100.0 0.0.0.255
acl number 2002
rule 1 permit source 192.168.100.1 0
#
snmp-agent community read READONLY acl 2001
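The two SNMP checks above (non-trivial community strings, and an ACL bound to each community that limits read access to a subnet and write access to a single host) can be audited offline against a saved configuration. The following Python script is an added example, not HP's code or part of the guide: it parses Comware `acl number` / `rule ... permit source` wildcard-mask rules and `snmp-agent community` lines from constructed sample configs; the 12-character minimum and the list of trivial strings are the script's own assumptions, not values from the guide.

```python
import ipaddress
import re

# Constructed samples (not the guide's own files): the page's ACL-protected
# read/write communities with strong strings, and a weak counterpart for contrast.
HARDENED = """\
acl number 2001
rule 1 permit source 192.168.100.0 0.0.0.255
acl number 2002
rule 1 permit source 192.168.100.1 0
snmp-agent community read Rd-0nly!7Qx9 acl 2001
snmp-agent community write Wr!te-4Zp8Lm acl 2002
"""
WEAK = """\
snmp-agent community read public
snmp-agent community write private acl 2002
"""
TRIVIAL = {"public", "private", "readonly", "readwrite"}  # assumed deny-list

def parse_acls(cfg):
    """Map ACL number -> permitted source networks. Comware rules use wildcard
    masks (0 bit = must match); a bare '0' is shorthand for a single host."""
    acls, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*acl number (\d+)", line)
        if m:
            current = int(m.group(1))
            acls.setdefault(current, [])
            continue
        m = re.match(r"\s*rule \d+ permit source (\S+) (\S+)", line)
        if m and current is not None:
            addr, wild = m.groups()
            wild = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
            mask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)  # contiguous masks only
            acls[current].append(ipaddress.IPv4Network((addr, str(mask)), strict=False))
    return acls

def audit_snmp(cfg):
    """Return one finding per weakness found in the snmp-agent community lines."""
    acls, findings = parse_acls(cfg), []
    for line in cfg.splitlines():
        m = re.match(r"\s*snmp-agent community (read|write) (\S+)(?: acl (\d+))?", line)
        if not m:
            continue
        access, community, acl = m.groups()
        # Guide: non-trivial strings mixing letters, digits and symbols (length is assumed)
        if community.lower() in TRIVIAL or len(community) < 12 or community.isalnum():
            findings.append(f"{access}: weak community string")
        if acl is None:
            findings.append(f"{access}: no ACL, reachable from any source")
        elif not acls.get(int(acl)):
            findings.append(f"{access}: ACL {acl} undefined or has no permit rules")
        elif access == "write" and any(n.prefixlen < 32 for n in acls[int(acl)]):
            findings.append(f"{access}: ACL {acl} permits a range, not a single host")
    return findings
```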