HP 6125G HP Networking guide to hardening Comware-based devices - Page 26

26

Filtering IP fragments

As detailed previously in the “Limiting access to the network with infrastructure ACLs” section of this document, the

filtering of fragmented IP packets can pose a challenge to security devices.

Because of the nonintuitive nature of fragment handling, IP fragments are often inadvertently permitted by ACLs.

Fragmentation is also often used in attempts to evade detection by intrusion detection systems. It is for these reasons

that IP fragments are often used in attacks and should be explicitly filtered at the top of any configured traffic ACLs. The

example ACL that follows includes comprehensive filtering of IP fragments. The functionality illustrated in this example

must be used in conjunction with the functionality of the previous examples:

#

acl number 3000 name ACL-TRANSIT-IN

#

# Deny IP fragments using protocol-specific ACEs to aid in classification of attack traffic.

#

rule deny tcp fragment

rule deny udp fragment

rule deny icmp fragment

rule deny ip fragment

#

Anti-spoofing protections

Many attacks utilize source IP address spoofing to be effective or to conceal the true source of an attack and hinder

accurate traceback. HP Comware provides Unicast Reverse Path Forwarding (URPF) and IP Source Guard (IPSG) to deter

attacks that rely on source IP address spoofing. In addition, ACLs and null routing are often deployed as a manual means

of spoofing prevention.

IP Source Guard is effective at reducing spoofing for networks that are under direct administrative control by performing

switch port, MAC address, and source address verification. URPF provides source network verification and can reduce

spoofed attacks from networks that are not under direct administrative control. Port security can be used in order

to validate MAC addresses at the access layer. ARP detection mitigates attack vectors that utilize ARP poisoning on

local segments.

URPF

URPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that

received the packet. You must not rely on URPF as the only protection against spoofing. Spoofed packets could enter the

network through a URPF-enabled interface if an appropriate return route to the source IP address exists.

URPF can be configured in one of two modes: loose or strict. In cases where there is asymmetric routing, loose mode

configuration is preferred because strict mode is known to drop packets in these situations.

The following example illustrates configuration of this feature:

#

interface Ethernet0/1/0

ip urpf loose

#

URPF can be configured globally or on the interface, depending on the device model.

For more information about the configuration and use of URPF, see “URPF” in the

Security Configuration Guide

.

IP source guard

IP source guard is an effective means of spoofing prevention in Layer 2 access mode.

Section	Page
Introduction	2
Management plane	2
General management plane hardening	2
Password control	2
Disable unused services	4
EXEC timeout	4
Using management interfaces	4
Memory Threshold Notification	5
CPU Threshold Notification	5
Limiting access to the network with infrastructure ACLs	5
ICMP packet filtering	6
Filtering IP fragments	6
Securing interactive management sessions	7
Console and AUX ports	7
Control VTY and TTY lines	8
Warning banners	9
Using authentication, authorization, and accounting	9
Authentication, authorization, and accounting with RADIUS	9
Authentication, authorization, and accounting with HWTACACS	10
Authentication and authorization with LDAP	10
Authentication fallback	11
Redundant AAA servers	11
Fortifying Simple Network Management Protocol	11
SNMP community strings	11
SNMP community strings with ACLs	11
SNMP Views	12
SNMP Version 3	12
Logging best practices	13
Send logs to a central location	13
Logging level	13
Do not log to console or monitor sessions	14
Use buffered logging	14
Configure logging source interface	14
Configure logging timestamps	15
HP Comware software configuration management	15
Configuration Replace and Configuration Rollback	15
Backup configuration file and boot file	15
Configuration change notification	16
Control plane	16
General control plane hardening	16
IP ICMP redirects	16
ICMP unreachables	17
ICMP TTL-expiry	17
Proxy ARP	17
Network time protocol	17
Limiting the CPU impact of control plane traffic	18
Understanding control plane traffic	18
FTP and TFTP ACLs	18
User interface ACLs	18
HTTPS ACLs	19
Control plane protection	19
Rate limiting packets on network management interfaces	19
TCP SYN Cookie and protection against Naptha attacks	19
Securing BGP	20
Generalized TTL Security Mechanism	20
BGP peer authentication with MD5	20
Configuring maximum prefixes	20
Filtering BGP prefixes with prefix lists	21
Filtering BGP prefixes with autonomous system path access lists	21
Securing Interior Gateway Protocols	22
Routing protocol authentication and verification with MD5	22
Silent-interface commands	23
Route filtering	23
Securing Virtual Router Redundancy Protocol	24
Data plane	24
General data plane hardening	24
Disable ICMP redirects	24
Disable or limit IP Directed broadcasts	25
Filtering transit traffic with Transit ACLs	25
ICMP packet filtering	25
Filtering IP fragments	26
Anti-spoofing protections	26
URPF	26
IP source guard	26
Port security	27
ARP Detection	29
Anti-spoofing ACLs	29
Limiting the CPU impact of data plane traffic	30
Features and traffic types that impact the CPU	30
Traffic identification and traceback	30
NetStream	30
sFlow	32
Classification ACLs	33
Access control with VLAN QoS policy and port access control lists	34
Access control with VLAN QoS policy	34
Access control with PACLs	34
Access control with MAC	35
Using private VLANs	35
Isolated VLANs	35
Community VLANs	36
Promiscuous ports	36
Port isolation	37
Isolated ports	37
Uplink port	38

HP 6125G HP Networking guide to hardening Comware-based devices - Page 26

Filtering IP fragments, Anti-spoofing protections, URPF, IP source guard

Page 26 highlights