HP 6125G HP Networking guide to hardening Comware-based devices - Page 9

Warning banners

In some legal jurisdictions, it can be impossible to prosecute and illegal to monitor malicious users unless they have been notified that they are not permitted to use the system. One method to provide this notification is to place this information into a banner message that is configured with the HP Comware software header legal command.

Legal notification requirements are complex, vary by jurisdiction and situation, and should be discussed with legal counsel. Even within jurisdictions, legal opinions can differ. In cooperation with counsel, a banner can provide some or all of the necessary information.

The notice should indicate that the system is to be logged into or used only by specifically authorized personnel; it can also contain information about who can authorize use:

• Notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties.
• Notice that any use of the system can be logged or monitored without further notice and that the resulting logs can be used as evidence in court.
• Specific notices required by local laws.

From a security point of view, rather than a legal one, a login banner should not contain any specific information about the router name, model, software, or ownership. This information can be abused by malicious users.

Note: You can use the undo copyright-info enable command to disable displaying copyright information upon login.

Using authentication, authorization, and accounting

The authentication, authorization, and accounting (AAA) framework is critical to securing interactive access to network devices. The AAA framework provides a highly configurable environment that can be tailored depending on the needs of the network.

Authentication, authorization, and accounting with RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and port 1813 for accounting.

RADIUS was originally designed for dial-in user access. With the diversification of access methods, RADIUS has been extended to support more access methods, for example, Ethernet access and ADSL access. It provides access authentication and authorization services.

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network to enhance security. In addition, to prevent user passwords from being intercepted in non-secure networks, RADIUS encrypts passwords before transmitting them.

The following gives an example RADIUS configuration:

#
radius scheme radius
 primary authentication 192.168.0.1
 primary accounting 192.168.0.1
 secondary accounting 192.168.0.2
 key authentication HP
 key accounting HP
 user-name-format without-domain
#
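The two protections the paragraph above attributes to the shared key, password hiding on the Access-Request and authentication of the server's reply, are both defined in RFC 2865. The following is an added worked example, not HP Comware code or anything from this guide, that carries out one Access-Request / Access-Accept round trip in Python with both mechanisms implemented. The key value HP is taken from the sample configuration above; the user name, password, packet identifier and the "stored" password the server compares against are constructed for the example.

```python
"""RFC 2865 User-Password hiding and Response Authenticator check.
Added example, not HP Comware code; the shared key "HP" comes from the
page's sample configuration, everything else is constructed."""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"HP"          # "key authentication HP" in the sample config

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the 16-octet
    Request Authenticator. The secret itself never leaves the client."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password. Trailing NUL padding is stripped,
    so this example does not support passwords that themselves end in NUL."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs: bytes) -> dict:
    """Walk the TLV list; a length below 2 would loop forever, so reject it."""
    result, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        result[attr_type] = attrs[i + 2:i + length]
        i += length
    return result


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code | Identifier | Length | Authenticator(16) | Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only a party holding the shared key can produce or verify it."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply against the key and the Request
    Authenticator it sent; a spoofed or altered reply fails here."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(password: bytes, client_secret: bytes, server_secret: bytes):
    """One round trip. The Comware device (client) hides the password with its
    key; the server recovers it with its own copy, compares it with the stored
    password (constructed: the same value) and answers; the client then checks
    the reply. Returns (recovered password, reply code, client accepted reply)."""
    request_auth = os.urandom(16)                      # fresh per request
    attrs = attribute(ATTR_USER_NAME, b"admin") + attribute(
        ATTR_USER_PASSWORD, hide_password(password, client_secret, request_auth))
    request = build_packet(ACCESS_REQUEST, 0x2A, request_auth, attrs)

    # Server side, working only from the bytes on the wire plus its key.
    req_auth_seen, ident = request[4:20], request[1]
    recovered = reveal_password(parse_attributes(request[20:])[ATTR_USER_PASSWORD],
                                server_secret, req_auth_seen)
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    reply = build_packet(code, ident,
                         response_authenticator(code, ident, b"", req_auth_seen, server_secret), b"")
    return recovered, code, verify_response(reply, request_auth, client_secret)


if __name__ == "__main__":
    print(exchange(b"s3cret-pw", SHARED_SECRET, SHARED_SECRET))
    print(exchange(b"s3cret-pw", SHARED_SECRET, b"some-other-key"))
```

Running it with matching keys yields an Access-Accept that the client verifies; with a key mismatch the server recovers garbage, rejects, and the client also refuses the reply because it was computed with a different secret. Two requests with the same password produce different User-Password ciphertext because the Request Authenticator changes each time. Both protections are only as strong as the key: a two-character value such as the HP in the sample is a placeholder, and a deployment should use a long random key per server.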