HP 6125G HP Networking guide to hardening Comware-based devices - Page 27

27

After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address, source MAC

address, and VLAN tag) of the packet and then looks up the binding entries of the IP source guard for a match. If there is

a match, the port forwards the packet; otherwise, the port discards the packet. You can enable this feature on a port

connected to terminals to block illegal access (such as IP spoofing) and improve port security.

HP IP source guard supports static and dynamic entries. You can configure static entries in scenarios where there are

only a few hosts in a LAN and their IP addresses are manually configured. For example, you can configure a static entry

on a port that connects a server so that the port receives and sends packets from/to only the server.

Following is an example of static entry configuration:

#

# Configure Ethernet 1/2 on Device B to allow only packets from host A with MAC address 00010203-0406 and IP

address 192.168.1.1 to pass.

<DeviceB> system-view

[DeviceB] interface ethernet 1/2

[DeviceB-Ethernet1/2] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406

[DeviceB-Ethernet1/2] quit

#

Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP snooping or DHCP

relay agent device. They are suitable for scenarios where many hosts are in a LAN and DHCP is used to allocate IP

addresses to the hosts. Once DHCP allocates an IP address to a client, IP source guard automatically adds the entry to

allow the client to access the network. A person using an IP address not obtained through DHCP cannot access the

network. Dynamic IPv6 source guard entries are obtained from client entries on the ND snooping device.

Following is a dynamic entry configuration example (DHCP snooping must have been enabled.)

#

# Enable dynamic entry generation on Ethernet 1/1.

[Device] interface ethernet 1/1

[Device-Ethernet1/1] ip check source ip-address mac-address

[Device-Ethernet1/1] quit

#

Port security

Port security is a MAC address-based network access control mechanism. It is an extension to IEEE 802.1X and MAC

authentication. It prevents access from unauthorized devices by checking the source MAC address of inbound traffic and

access to unauthorized devices by checking the destination MAC address of outbound traffic.

With port security enabled, frames whose source MAC addresses cannot be learned by the device in a security mode

are considered illegal. The events that users do not pass IEEE 802.1X authentication or MAC authentication are

considered illegal.

Upon detection of illegal frames or events, the device takes the predefined action automatically. While enhancing the

system security, this reduces your maintenance burden greatly. The illegal packets include:

•

Packets whose source MAC addresses are not learned

•

Packets failing authentication

Section	Page
Introduction	2
Management plane	2
General management plane hardening	2
Password control	2
Disable unused services	4
EXEC timeout	4
Using management interfaces	4
Memory Threshold Notification	5
CPU Threshold Notification	5
Limiting access to the network with infrastructure ACLs	5
ICMP packet filtering	6
Filtering IP fragments	6
Securing interactive management sessions	7
Console and AUX ports	7
Control VTY and TTY lines	8
Warning banners	9
Using authentication, authorization, and accounting	9
Authentication, authorization, and accounting with RADIUS	9
Authentication, authorization, and accounting with HWTACACS	10
Authentication and authorization with LDAP	10
Authentication fallback	11
Redundant AAA servers	11
Fortifying Simple Network Management Protocol	11
SNMP community strings	11
SNMP community strings with ACLs	11
SNMP Views	12
SNMP Version 3	12
Logging best practices	13
Send logs to a central location	13
Logging level	13
Do not log to console or monitor sessions	14
Use buffered logging	14
Configure logging source interface	14
Configure logging timestamps	15
HP Comware software configuration management	15
Configuration Replace and Configuration Rollback	15
Backup configuration file and boot file	15
Configuration change notification	16
Control plane	16
General control plane hardening	16
IP ICMP redirects	16
ICMP unreachables	17
ICMP TTL-expiry	17
Proxy ARP	17
Network time protocol	17
Limiting the CPU impact of control plane traffic	18
Understanding control plane traffic	18
FTP and TFTP ACLs	18
User interface ACLs	18
HTTPS ACLs	19
Control plane protection	19
Rate limiting packets on network management interfaces	19
TCP SYN Cookie and protection against Naptha attacks	19
Securing BGP	20
Generalized TTL Security Mechanism	20
BGP peer authentication with MD5	20
Configuring maximum prefixes	20
Filtering BGP prefixes with prefix lists	21
Filtering BGP prefixes with autonomous system path access lists	21
Securing Interior Gateway Protocols	22
Routing protocol authentication and verification with MD5	22
Silent-interface commands	23
Route filtering	23
Securing Virtual Router Redundancy Protocol	24
Data plane	24
General data plane hardening	24
Disable ICMP redirects	24
Disable or limit IP Directed broadcasts	25
Filtering transit traffic with Transit ACLs	25
ICMP packet filtering	25
Filtering IP fragments	26
Anti-spoofing protections	26
URPF	26
IP source guard	26
Port security	27
ARP Detection	29
Anti-spoofing ACLs	29
Limiting the CPU impact of data plane traffic	30
Features and traffic types that impact the CPU	30
Traffic identification and traceback	30
NetStream	30
sFlow	32
Classification ACLs	33
Access control with VLAN QoS policy and port access control lists	34
Access control with VLAN QoS policy	34
Access control with PACLs	34
Access control with MAC	35
Using private VLANs	35
Isolated VLANs	35
Community VLANs	36
Promiscuous ports	36
Port isolation	37
Isolated ports	37
Uplink port	38

HP 6125G HP Networking guide to hardening Comware-based devices - Page 27

Port security

Page 27 highlights