HP 6125G HP Networking guide to hardening Comware-based devices - Page 5

Memory Threshold Notification, Limiting access to the network with infrastructure ACLs

exclusively for the management plane. This allows the administrator to apply policies throughout the network for the management plane. Once the loopback interface is configured on a device, it can be used by management plane protocols such as SSH, SNMP, and syslog to send and receive traffic.

Memory Threshold Notification

The Memory Threshold Notification feature allows you to mitigate low-memory conditions on a device. This feature uses two methods to accomplish this: Memory Threshold Notification and Memory Reservation.

Memory Threshold Notification generates a log message to indicate that free memory on a device has fallen below the configured threshold.

Memory Reservation is used so that sufficient memory is available for critical notifications.

Comware does not support the manual modification of the thresholds for Memory Threshold Notification and Memory Reservation, which are determined by the system during startup.

CPU Threshold Notification

The CPU Threshold Notification feature allows you to detect and be notified when the CPU load on a device crosses a configured threshold. When the threshold is crossed, the device generates and sends an SNMP trap message.

Comware does not support the manual modification of the threshold for CPU Threshold Notification, which is determined by the system during startup.

Limiting access to the network with infrastructure ACLs

Devised to prevent unauthorized direct communication to network devices, infrastructure access control lists (ACLs) are one of the most critical security controls that can be implemented in networks. Infrastructure ACLs leverage the idea that nearly all network traffic traverses the network and is not destined to the network itself.

An infrastructure ACL is constructed and applied to specify connections from hosts or networks that need to be allowed access to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP. After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is then explicitly permitted.

The protections provided by infrastructure ACLs are relevant to both the management and control planes. The implementation of infrastructure ACLs can be made easier through the use of distinct addressing for network infrastructure devices.

The following example ACL configuration illustrates the structure that must be used as a starting point when you begin the ACL implementation process:
#
acl number 3000 name ACL-INFRASTRUCTURE-IN
#
# Permit required connections for routing protocols and network management
#
rule permit tcp source <trusted-ebgp-peer> 0 destination <local-ebgp-address> 0 destination-port eq 179
rule permit tcp source <trusted-ebgp-peer> 0 source-port eq 179 destination <local-ebgp-address> 0
rule permit tcp source <trusted-management-stations> 0 destination-port eq 22
rule permit udp source <trusted-netmgmt-servers> 0 destination-port eq 161
#
# Deny all other IP traffic to any network device
#
rule deny ip destination <infrastructure-address-space> <wildcard>
#
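As an added example, not part of the HP guide or of Comware itself: a small Python model of the ACL-INFRASTRUCTURE-IN logic above (Comware-style wildcard matching, first-match evaluation in configuration order), with constructed addresses standing in for the placeholders and the explicit transit permit the text describes as the closing rule. The addresses, the 0.0.0.15 wildcard for the management stations, and the sample flows are assumptions.

```python
import ipaddress
# Constructed sample addressing (assumption, not from the guide): infrastructure
# space 192.0.2.0/24, local eBGP address 192.0.2.1, trusted eBGP peer 198.51.100.1,
# trusted management/netmgmt stations 203.0.113.0/28 (wildcard 0.0.0.15).

def wildcard_match(addr, base, wildcard):
    """Comware wildcard mask: a 1 bit is 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def rule(action, proto, src=None, dst=None, sport=None, dport=None):
    # src/dst are (address, wildcard) pairs; None means any host/port.
    return dict(action=action, proto=proto, src=src, dst=dst, sport=sport, dport=dport)

def rule_matches(r, pkt):
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if r[side] and not wildcard_match(pkt[side], *r[side]):
            return False
    for port in ("sport", "dport"):
        if r[port] is not None and pkt.get(port) != r[port]:
            return False
    return True

def evaluate(acl, pkt):
    """First matching rule wins, in configuration order."""
    for r in acl:
        if rule_matches(r, pkt):
            return r["action"]
    return "deny"  # unreachable here: the closing permit-any rule catches the rest

# ACL-INFRASTRUCTURE-IN as laid out on the page, placeholders filled with the constructed
# addresses; the closing "permit ip" is the explicit transit permit the text describes.
# (The CLI's single-host wildcard "0" is written out here as 0.0.0.0.)
ACL_INFRASTRUCTURE_IN = [
    rule("permit", "tcp", ("198.51.100.1", "0.0.0.0"), ("192.0.2.1", "0.0.0.0"), dport=179),
    rule("permit", "tcp", ("198.51.100.1", "0.0.0.0"), ("192.0.2.1", "0.0.0.0"), sport=179),
    rule("permit", "tcp", ("203.0.113.0", "0.0.0.15"), dport=22),
    rule("permit", "udp", ("203.0.113.0", "0.0.0.15"), dport=161),
    rule("deny", "ip", dst=("192.0.2.0", "0.0.0.255")),
    rule("permit", "ip"),
]

def flow(proto, src, dst, sport, dport):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport)

if __name__ == "__main__":  # constructed sample flows: SSH from an untrusted host, then transit HTTPS
    print(evaluate(ACL_INFRASTRUCTURE_IN, flow("tcp", "198.51.100.77", "192.0.2.5", 50000, 22)))
    print(evaluate(ACL_INFRASTRUCTURE_IN, flow("tcp", "198.51.100.77", "203.0.113.200", 50000, 443)))
```

Note that the deny rule keys only on the destination, so a management station is still refused anything other than SSH and SNMP to the infrastructure space, while traffic that merely transits the device is untouched.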