HP 6125G HP Networking guide to hardening Comware-based devices - Page 17

ICMP unreachables, ICMP TTL-expiry, Proxy ARP, Network time protocol


There are two types of ICMP redirect messages: redirect for a host address and redirect for an entire subnet. A malicious user can exploit the ability of the router to send ICMP redirects by continually sending packets to the router, forcing the router to respond with ICMP redirect messages. This produces an adverse impact on the CPU and on the performance of the router. In order to prevent the router from sending ICMP redirects, use the undo ip redirects command. For more information on ICMP redirects, see "IP Performance Optimization" in the Layer-3 IP Services Command Reference Guide.

ICMP unreachables
Generating ICMP unreachable messages can increase CPU load on the device. ICMP unreachable message generation can be disabled using the undo ip unreachables command.

ICMP TTL-expiry
Generating ICMP timeout messages can increase CPU load on the device. ICMP TTL timeout message generation can be disabled using the undo ip ttl-expires command.

Proxy ARP
Proxy ARP is the technique in which one device, usually a router, answers ARP requests that are intended for another device. By "faking" its identity, the router accepts responsibility for routing packets to the real destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway. Proxy ARP is defined in RFC 1027.

There are several disadvantages to utilizing proxy ARP. Doing so can result in an increase in the amount of ARP traffic on the network segment, as well as resource exhaustion and man-in-the-middle attacks. Proxy ARP presents a resource exhaustion attack vector because each proxied ARP request consumes a small amount of memory. An attacker can exhaust all available memory by sending a large number of ARP requests. Man-in-the-middle attacks enable a host on the network to spoof the MAC address of the router, resulting in unsuspecting hosts sending traffic to the attacker. Proxy ARP can be disabled using the undo proxy-arp enable command in interface view. For more information on this feature, see "ARP Configuration" in the Layer-3 IP Services Command Reference Guide.

Network time protocol
Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack vector. If NTP is used, it is important to explicitly configure a trusted time source and to use proper authentication. Accurate and reliable time is required for syslog purposes, such as during forensic investigations of potential attacks, as well as for successful VPN connectivity when depending on certificates for Phase 1 authentication.

NTP time zone: When you configure NTP, the time zone needs to be configured so that timestamps can be accurately correlated. There are usually two approaches to configuring the time zone for devices in a network with a global presence. One method is to configure all network devices with Coordinated Universal Time (UTC, previously Greenwich Mean Time [GMT]). The other approach is to configure network devices with the local time zone. More information on this feature can be found in "clock timezone" in the HP product documentation.

NTP maximum dynamic sessions: Use the ntp-service max-dynamic-sessions command to set the maximum number of dynamic NTP sessions that are allowed to be established locally. Please see "NTP" in the Network Management and Monitoring Configuration Guide and Command Reference Guide.

NTP access control: Configure the access control right to restrict the NTP peers. The access control right mechanism provides only a minimum degree of security protection for the system running NTP. A more secure method is identity authentication. For more information, see "NTP" in the Network Management and Monitoring Configuration Guide and Command Reference Guide.

NTP authentication: Configuring NTP authentication provides some assurance that NTP messages are exchanged between trusted NTP peers. For more information on how to configure NTP authentication, see "NTP" in the Network Management and Monitoring Configuration Guide and Command Reference Guide.
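The ICMP, proxy ARP and NTP items above are easiest to keep honest with an automated check of the saved configuration. The script below is an added example (not HP's tooling and not from the guide): it splits a Comware-style configuration text into system view and interface views, reports which page-prescribed system-view lines are absent, and flags interfaces where proxy ARP is explicitly enabled. The sample configuration is constructed, and the command "ntp-service authentication enable" is assumed from Comware 5 syntax since the page names the feature but not the command; defaults that do not appear in the text are reported as "not explicit" rather than guessed.

```python
# Constructed sample of a Comware-style configuration (not real device output)
SAMPLE_CONFIG = """\
 clock timezone UTC add 00:00:00
 undo ip redirects
 undo ip ttl-expires
#
interface Vlan-interface10
 ip address 192.0.2.1 255.255.255.0
 proxy-arp enable
#
interface Vlan-interface20
 undo proxy-arp enable
#
 ntp-service max-dynamic-sessions 10
 ntp-service unicast-server 192.0.2.50
"""

# System-view lines the page prescribes; the authentication command is assumed Comware 5 syntax
EXPECTED = ("undo ip redirects", "undo ip unreachables", "undo ip ttl-expires",
            "clock timezone", "ntp-service max-dynamic-sessions",
            "ntp-service authentication enable")


def parse_views(config):
    """Split config text into system-view lines and a dict of interface -> lines."""
    system, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # block separator closes any interface view
            current = None
        elif line.startswith("interface "):  # enter interface view
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        elif line:
            system.append(line)
    return system, interfaces


def audit(config):
    """Return absent system-view hardening lines and proxy-ARP state per interface."""
    system, interfaces = parse_views(config)
    missing = [cmd for cmd in EXPECTED if not any(l.startswith(cmd) for l in system)]
    proxy_arp = {}
    for name, lines in interfaces.items():
        if "undo proxy-arp enable" in lines:
            proxy_arp[name] = "disabled"
        elif "proxy-arp enable" in lines:
            proxy_arp[name] = "ENABLED"      # finding: the guide says disable it
        else:
            proxy_arp[name] = "not explicit (verify platform default)"
    return {"missing": missing, "proxy_arp": proxy_arp}
```

Running audit(SAMPLE_CONFIG) reports "undo ip unreachables" and NTP authentication as absent and flags Vlan-interface10 for proxy ARP.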