HP 6125G HP Networking guide to hardening Comware-based devices - Page 16

Configuration change notification
The configuration change notification feature can log the configuration changes made to an HP Comware device. You can display the change trap with the display trapbuffer command. Use the snmp-agent trap enable command to enable configuration change notification.
#
[HP]display trapbuffer
Trapping buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 1024
Channel number : 3 , channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 31
#Aug 27 04:01:50:785 2010 HP DEVM/4/SYSTEM WARM START: Trap 1.3.6.1.4.1.25506.6.8.5: system warm start.
#Aug 27 04:01:54:374 2010 HP SHELL/4/LOGIN: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
#Aug 27 04:02:10:277 2010 HP CFGMAN/4/TRAP: 1.3.6.1.4.1.25506.2.4.2.1 configure changed: EventIndex=1,CommandSource=1,ConfigSource=2,ConfigDestination=4
#
Control plane
Control plane functions consist of the protocols and processes that communicate between network devices to move data from source to destination, including routing protocols such as the Border Gateway Protocol, as well as protocols like ICMP and the Resource Reservation Protocol (RSVP).
It is important that events in the management and data planes do not adversely affect the control plane. If a data plane event such as a DoS attack impacts the control plane, the entire network can become unstable. This information about HP Comware software features and configurations can help ensure the resilience of the control plane.
General control plane hardening
Protection of a network device’s control plane is critical because the control plane helps ensure that the management and data planes are maintained and operational. If the control plane were to become unstable during a security incident, it can be impossible for you to recover the stability of the network.
In many cases, disabling the reception and transmission of certain types of messages on an interface can reduce the amount of CPU load that is required to process unneeded packets.
IP ICMP redirects
An ICMP redirect message can be generated by a router when a packet is received and transmitted on the same interface. In this situation, the router forwards the packet and sends an ICMP redirect message back to the sender of the original packet. This behavior allows the sender to bypass the router and forward future packets directly to the destination (or to a router closer to the destination). In a properly functioning IP network, a router sends redirects only to hosts on its own local subnets. In other words, ICMP redirects should never go beyond a Layer 3 boundary.
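As an added example, not part of the guide: Python code that parses an IPv4 ICMP redirect (type 5) and applies the rule just stated, flagging any redirect whose receiving host or advertised gateway lies outside the router's own local subnets, which is what a monitoring point would look for. The router address, subnets and packets are constructed test data; the builder only produces fixtures for the check (checksums are left zero and nothing is sent).

```python
import ipaddress
import struct

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def make_test_redirect(router, host, gateway, orig_dst):
    """Constructed sample: IPv4 packet from router to host carrying an ICMP redirect
    (type 5, code 1 = redirect for host) that points host at gateway. Test data only."""
    # RFC 792: the redirect quotes the original datagram's IP header plus 8 payload bytes.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        _ip(host), _ip(orig_dst)) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, _ip(gateway)) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        _ip(router), _ip(host))
    return outer + icmp

def parse_redirect(pkt):
    """Return (router, receiver, new_gateway, original_dst) as strings, or None
    if the packet is not an ICMP redirect."""
    if len(pkt) < 20 or pkt[9] != 1:          # IP protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 28 or icmp[0] != 5:       # ICMP type 5 = redirect
        return None
    router = str(ipaddress.IPv4Address(pkt[12:16]))
    receiver = str(ipaddress.IPv4Address(pkt[16:20]))
    gateway = str(ipaddress.IPv4Address(icmp[4:8]))
    orig_dst = str(ipaddress.IPv4Address(icmp[24:28]))   # quoted header's destination
    return router, receiver, gateway, orig_dst

def redirect_violations(pkts, local_subnets):
    """Flag redirects that break the rule on this page: the receiving host and the
    advertised gateway must both sit on one of the router's own local subnets."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    def local(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)
    bad = []
    for pkt in pkts:
        parsed = parse_redirect(pkt)
        if parsed is None:
            continue
        _, receiver, gateway, _ = parsed
        if not (local(receiver) and local(gateway)):
            bad.append(parsed)
    return bad
```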