Home » HP Manuals » Servers » HP 6125G » Manual Viewer

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 233

Configuring TCP attack protection, Overview, Enabling the SYN Cookie feature

Add to My Manuals
Save this manual to your list of manuals

Page 233 highlights

Configuring TCP attack protection Overview An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature. Enabling the SYN Cookie feature As a general rule, the establishment of a TCP connection involves the following three handshakes. 1. The request originator sends a SYN message to the target server. 2. After receiving the SYN message, the target server establishes a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response. 3. After receiving the SYN ACK message, the originator returns an ACK message, establishing the TCP connection. Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number of SYN messages to the server to establish TCP connections, but they never make any response to SYN ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in heavy resource consumption and making the server unable to handle services normally. The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. Only after receiving an ACK message from the client can the server establish a connection, and then enter the ESTABLISHED state. In this way, incomplete TCP connections could be avoided to protect the server against SYN Flood attacks. Follow these guidelines when you enable the SYN Cookie feature: • If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective. For more information about MD5 authentication, see Layer 3-IP Routing Configuration Guide. • With the SYN Cookie feature enabled, only the maximum segment size (MSS), is negotiated during TCP connection establishment, instead of the window's zoom factor and timestamp. To enable the SYN Cookie feature: Step 1. Enter system view. 2. Enable the SYN Cookie feature. Command system-view tcp syn-cookie enable Remarks N/A Enabled by default Displaying and maintaining TCP attack protection 223

Section	Page
Title Page	1
Security Configuration Guide	3
Configuring AAA	11
AAA overview	11
RADIUS	12
Client/server model	12
Security and authentication mechanisms	12
Basic RADIUS message exchange process	12
RADIUS packet format	13
Extended RADIUS attributes	16
HWTACACS	17
Differences between HWTACACS and RADIUS	17
Basic HWTACACS message exchange process	17
Domain-based user management	19
AAA for MPLS L3VPNs	20
Protocols and standards	20
RADIUS attributes	21
Commonly used standard RADIUS attributes	21
HP proprietary RADIUS sub-attributes	22
AAA configuration considerations and task list	24
Configuring AAA schemes	25
Configuring local users	25
Local user configuration task list	26
Configuring local user attributes	26
Configuring user group attributes	28
Displaying and maintaining local users and local user groups	29
Configuring RADIUS schemes	30
RADIUS scheme configuration task list	30
Creating a RADIUS scheme	30
Specifying the RADIUS authentication/authorization servers	31
Specifying the RADIUS accounting servers and the relevant parameters	31
Specifying the shared keys for secure RADIUS communication	33
Specifying the VPN to which the servers belong	33
Setting the username format and traffic statistics units	33
Setting the supported RADIUS server type	34
Setting the maximum number of RADIUS request transmission attempts	34
Setting the status of RADIUS servers	35
Specifying the source IP address for outgoing RADIUS packets	36
Setting timers for controlling communication with RADIUS servers	37
Configuring RADIUS accounting-on	38
Configuring the IP address of the security policy server	39
Configuring interpretation of RADIUS class attribute as CAR parameters	39
Enabling the trap function for RADIUS	40
Enabling the RADIUS listening port of the RADIUS client	40
Setting the DSCP value for RADIUS protocol packets	40
Displaying and maintaining RADIUS	41
Configuring HWTACACS schemes	41
HWTACACS configuration task list	41
Creating an HWTACACS scheme	42
Specifying the HWTACACS authentication servers	42
Specifying the HWTACACS authorization servers	43
Specifying the HWTACACS accounting servers and the relevant parameters	43
Specifying the shared keys for secure HWTACACS communication	44
Specifying the VPN to which the servers belong	45
Setting the username format and traffic statistics units	45
Specifying a source IP address for outgoing HWTACACS packets	46
Setting timers for controlling communication with HWTACACS servers	47
Displaying and maintaining HWTACACS	47
Configuring AAA methods for ISP domains	48
Configuration prerequisites	48
Creating an ISP domain	48
Configuring ISP domain attributes	49
Configuring AAA authentication methods for an ISP domain	50
Configuring AAA authorization methods for an ISP domain	52
Configuring AAA accounting methods for an ISP domain	53
Tearing down user connections	54
Configuring a NAS ID-VLAN binding	55
Displaying and maintaining AAA	55
AAA configuration examples	55
AAA for Telnet users by an HWTACACS server	55
Network requirements	55
Configuration procedure	56
AAA for Telnet users by separate servers	57
Network requirements	57
Configuration procedure	57
Authentication/authorization for SSH/Telnet users by a RADIUS server	58
Network requirements	58
Configuring the RADIUS server	58
Configuring the switch	60
Verifying the configuration	61
AAA for 802.1X users by a RADIUS server	61
Network requirements	61
Configuration prerequisites	62
Configuring the RADIUS server	62
Configuring the switch	66
Verifying the configuration	67
Level switching authentication for Telnet users by an HWTACACS server	68
Network requirements	68
Configuration considerations	68
Configuration procedure	68
RADIUS authentication and authorization for Telnet users by a switch	71
Network requirements	71
Configuration procedure	72
Troubleshooting AAA	73
Troubleshooting RADIUS	73
Symptom 1	73
Analysis	73
Solution	73
Symptom 2	73
Analysis	74
Solution	74
Symptom 3	74
Analysis	74
Solution	74
Troubleshooting HWTACACS	74
802.1X overview	75
802.1X architecture	75
Controlled/uncontrolled port and port authorization status	75
802.1X-related protocols	76
Packet formats	77
EAP packet format	77
EAPOL packet format	77
EAP over RADIUS	78
EAP-Message	78
Message-Authenticator	78
Initiating 802.1X authentication	78
802.1X client as the initiator	78
Access device as the initiator	79
802.1X authentication procedures	79
A comparison of EAP relay and EAP termination	80
EAP relay	80
EAP termination	83
Configuring 802.1X	84
HP implementation of 802.1X	84
Access control methods	84
Using 802.1X authentication with other features	84
VLAN assignment	84
Guest VLAN	85
Auth-Fail VLAN	86
Critical VLAN	87
ACL assignment	89
Configuration prerequisites	89
802.1X configuration task list	89
Enabling 802.1X	90
Configuration guidelines	90
Configuration procedure	90
Enabling EAP relay or EAP termination	90
Setting the port authorization state	91
Specifying an access control method	92
Setting the maximum number of concurrent 802.1X users on a port	92
Setting the maximum number of authentication request attempts	92
Setting the 802.1X authentication timeout timers	93
Configuring the online user handshake function	93
Configuration guidelines	94
Configuration procedure	94
Configuring the authentication trigger function	94
Configuration guidelines	94
Configuration procedure	95
Specifying a mandatory authentication domain on a port	95
Configuring the quiet timer	95
Enabling the periodic online user re-authentication function	96
Configuration guidelines	96
Configuration procedure	96
Configuring an 802.1X guest VLAN	97
Configuration guidelines	97
Configuration prerequisites	97
Configuration procedure	97
Configuring an 802.1X Auth-Fail VLAN	98
Configuration guidelines	98
Configuration prerequisites	98
Configuration procedure	98
Configuring an 802.1X critical VLAN	99
Configuration guidelines	99
Configuration prerequisites	99
Configuration procedure	99
Specifying supported domain name delimiters	100
Displaying and maintaining 802.1X	100
802.1X authentication configuration example	100
Network requirements	100
Configuration procedure	101
Verifying the configuration	103
802.1X with guest VLAN and VLAN assignment configuration example	103
Network requirements	103
Configuration procedure	104
Verifying the configuration	105
802.1X with ACL assignment configuration example	106
Network requirements	106
Configuration procedure	106
Verifying the configuration	107
Configuring EAD fast deployment	108
Overview	108
Free IP	108
URL redirection	108
Configuration prerequisites	108
Configuring a free IP	108
Configuring the redirect URL	109
Setting the EAD rule timer	109
Displaying and maintaining EAD fast deployment	109
EAD fast deployment configuration example	110
Network requirements	110
Configuration procedure	111
Verifying the configuration	111
Troubleshooting EAD fast deployment	112
Web browser users cannot be correctly redirected	112
Symptom	112
Analysis	112
Solution	112
Configuring MAC authentication	113
Overview	113
User account policies	113
Authentication approaches	113
MAC authentication timers	114
Using MAC authentication with other features	114
VLAN assignment	114
ACL assignment	114
Configuration task list	114
Basic configuration for MAC authentication	115
Configuring MAC authentication globally	115
Configuring MAC authentication on a port	115
Specifying a MAC authentication domain	116
Displaying and maintaining MAC authentication	116
MAC authentication configuration examples	117
Local MAC authentication configuration example	117
Network requirements	117
Configuration procedure	117
Verifying the configuration	118
RADIUS-based MAC authentication configuration example	118
Network requirements	118
Configuration procedure	119
Verifying the configuration	120
ACL assignment configuration example	120
Network requirements	120
Configuration procedure	121
Verifying the configuration	122
Configuring port security	123
Overview	123
Port security features	123
NTK	123
Intrusion protection	123
Port security traps	123
Port security modes	123
Controlling MAC address learning	125
Performing 802.1X authentication	125
Performing MAC authentication	125
Performing a combination of MAC authentication and 802.1X authentication	125
Working with guest VLAN and Auth-Fail VLAN	126
Configuration task list	126
Enabling port security	126
Setting port security's limit on the number of MAC addresses on a port	127
Setting the port security mode	127
Configuration prerequisites	128
Configuration procedure	128
Configuring port security features	128
Configuring NTK	128
Configuring intrusion protection	129
Enabling port security traps	129
Configuring secure MAC addresses	130
Configuration prerequisites	131
Configuration procedure	131
Ignoring authorization information	132
Displaying and maintaining port security	132
Port security configuration examples	133
Configuring the autoLearn mode	133
Network requirements	133
Configuration procedure	133
Verifying the configuration	133
Configuring the userLoginWithOUI mode	135
Network requirements	135
Configuration procedure	136
Verifying the configuration	136
Configuring the macAddressElseUserLoginSecure mode	139
Network requirements	139
Configuration procedure	139
Verifying the configuration	140
Troubleshooting port security	142
Cannot set the port security mode	142
Symptom	142
Analysis	142
Solution	142
Cannot configure secure MAC addresses	142
Symptom	142
Analysis	143
Solution	143
Cannot change port security mode when a user is online	143
Symptom	143
Analysis	143
Solution	143
Configuring a user profile	144
Overview	144
User profile configuration task list	144
Creating a user profile	144
Applying a QoS policy	145
Enabling a user profile	145
Displaying and maintaining user profiles	146
Configuring password control	147
Overview	147
Password control configuration task list	149
Configuring password control	150
Enabling password control	150
Setting global password control parameters	151
Setting user group password control parameters	152
Setting local user password control parameters	152
Setting super password control parameters	153
Setting a local user password in interactive mode	154
Displaying and maintaining password control	154
Password control configuration example	154
Network requirements	154
Configuration procedure	155
Verifying the configuration	156
Managing public keys	157
Overview	157
Configuration task list	157
Creating a local asymmetric key pair	158
Displaying or exporting the local host public key	158
Displaying and recording the host public key information	159
Displaying the host public key in a specific format and saving it to a file	159
Exporting the host public key in a specific format to a file	159
Destroying a local asymmetric key pair	160
Specifying the peer public key on the local device	160
Displaying and maintaining public keys	161
Public key configuration examples	161
Manually specifying the peer public key on the local device	161
Network requirements	161
Configuration procedure	161
Importing a peer public key from a public key file	163
Network requirements	163
Configuration procedure	163
Configuring PKI	166
Overview	166
PKI terms	166
PKI architecture	167
PKI operation	167
PKI applications	168
PKI configuration task list	168
Configuring an entity DN	169
Configuring a PKI domain	170
Configuration guidelines	171
Configuration procedure	171
Submitting a PKI certificate request	171
Submitting a certificate request in auto mode	172
Submitting a certificate request in manual mode	172
Configuration guidelines	172
Configuration procedure	173
Retrieving a certificate manually	173
Configuration guidelines	173
Configuration procedure	174
Configuring PKI certificate verification	174
Configuration guidelines	174
Configuring CRL-checking-enabled PKI certificate verification	174
Configuring CRL-checking-disabled PKI certificate verification	175
Destroying a local RSA key pair	175
Deleting a certificate	176
Configuring an access control policy	176
Displaying and maintaining PKI	176
PKI configuration examples	177
Certificate request from an RSA Keon CA server	177
Network requirements	177
Configuring the CA server	177
Configuring the switch	178
Verifying the configuration	179
Certificate request from a Windows 2003 CA server	180
Network requirements	180
Configuring the CA server	180
Configuring the switch	181
Verifying the configuration	182
Certificate attribute access control policy configuration example	183
Network requirements	183
Configuration procedure	184
Troubleshooting PKI	185
Failed to retrieve a CA certificate	185
Symptom	185
Analysis	185
Solution	185
Failed to request a local certificate	185
Symptom	185
Analysis	185
Solution	186
Failed to retrieve CRLs	186
Symptom	186
Analysis	186
Solution	186
Configuring SSH2.0	187
Overview	187
SSH operation	187
Version negotiation	187
Key and algorithm negotiation	188
Authentication	188
Session request	189
Interaction	189
SSH connection across VPNs	189
Configuring the switch as an SSH server	190
SSH server configuration task list	190
Generating DSA or RSA key pairs	190
Configuration guidelines	190
Configuration procedure	191
Enabling the SSH server function	191
Configuring the user interfaces for SSH clients	191
Configuration guidelines	191
Configuration procedure	191
Configuring a client public key	192
Configuring a client public key manually	192
Importing a client public key from a public key file	193
Configuring an SSH user	193
Configuration guidelines	193
Configuration procedure	194
Setting the SSH management parameters	194
Setting the DSCP value for packets sent by the SSH server	195
Configuring the switch as an SSH client	195
SSH client configuration task list	195
Specifying a source IP address/interface for the SSH client	195
Configuring whether first-time authentication is supported	196
Enabling the switch to support first-time authentication	196
Disabling first-time authentication	196
Establishing a connection between the SSH client and server	197
Setting the DSCP value for packets sent by the SSH client	197
Displaying and maintaining SSH	198
SSH server configuration examples	198
When the switch acts as a server for password authentication	198
Network requirements	198
Configuration procedure	198
When the switch acts as a server for publickey authentication	200
Network requirements	200
Configuration procedure	201
SSH client configuration examples	205
When switch acts as client for password authentication	205
Network requirements	205
Configuration procedure	205
When switch acts as client for publickey authentication	208
Network requirements	208
Configuration procedure	208
Configuring SFTP	211
Overview	211
Configuring the switch as an SFTP server	211
Enabling the SFTP server	211
Configuring the SFTP connection idle timeout period	211
Configuring the switch as an SFTP client	212
Specifying a source IP address or interface for the SFTP client	212
Establishing a connection to the SFTP server	212
Working with SFTP directories	213
Working with SFTP files	214
Displaying help information	214
Terminating the connection to the remote SFTP server	215
Setting the DSCP value for packets sent by the SFTP client	215
SFTP client configuration example	215
Network requirements	215
Configuration procedure	216
SFTP server configuration example	219
Network requirements	219
Configuration procedure	219
Configuring SCP	222
Overview	222
Configuring the switch as an SCP server	222
Configuring the switch as the SCP client	223
SCP client configuration example	223
Network requirements	223
Configuration procedure	224
SCP server configuration example	224
Network requirements	224
Configuration procedure	224
Configuring SSL	226
Overview	226
SSL security mechanism	226
SSL protocol stack	226
Configuration task list	227
Configuring an SSL server policy	227
SSL server policy configuration example	229
Network requirements	229
Configuration considerations	229
Configuration procedure	229
Configuring an SSL client policy	230
Displaying and maintaining SSL	231
Troubleshooting SSL	231
Symptom	231
Analysis	232
Solution	232
Configuring TCP attack protection	233
Overview	233
Enabling the SYN Cookie feature	233
Displaying and maintaining TCP attack protection	233
Configuring IP source guard	235
Overview	235
Static IP source guard entries	235
Dynamic IP source guard entries	235
Configuration task list	236
Configuring the IPv4 source guard function	236
Configuring IPv4 source guard on a port	236
Configuring a static IPv4 source guard entry	237
Setting the maximum number of IPv4 source guard entries	238
Displaying and maintaining IP source guard	238
IP source guard configuration examples	238
Static IPv4 source guard configuration example	238
Network requirements	238
Configuration procedure	239
Verifying the configuration	240
Dynamic IPv4 source guard using DHCP snooping configuration example	240
Network requirements	240
Configuration procedure	241
Verifying the configuration	241
Dynamic IPv4 source guard using DHCP relay configuration example	242
Network requirements	242
Configuration procedure	242
Verifying the configuration	242
Troubleshooting IP source guard	243
Symptom	243
Analysis	243
Solution	243
Configuring ARP attack protection	244
Overview	244
ARP attack protection configuration task list	244
Configuring ARP defense against IP packet attacks	245

Match case Limit results 1 per page

223

Configuring TCP attack protection

Overview

An attacker can attack the switch during the process of establishing a TCP connection. To prevent such

an attack, the switch provides the SYN Cookie feature.

Enabling the SYN Cookie feature

As a general rule, the establishment of a TCP connection involves the following three handshakes.

The request originator sends a SYN message to the target server.

After receiving the SYN message, the target server establishes a TCP connection in the

SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.

After receiving the SYN ACK message, the originator returns an ACK message, establishing the

TCP connection.

Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large number

of SYN messages to the server to establish TCP connections, but they never make any response to SYN

ACK messages. As a result, a large number of incomplete TCP connections are established, resulting in

heavy resource consumption and making the server unable to handle services normally.

The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the

server directly returns a SYN ACK message, instead of establishing an incomplete TCP connection. Only

after receiving an ACK message from the client can the server establish a connection, and then enter the

ESTABLISHED state. In this way, incomplete TCP connections could be avoided to protect the server

against SYN Flood attacks.

Follow these guidelines when you enable the SYN Cookie feature:

•

If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective.

Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration

automatically becomes effective. For more information about MD5 authentication, see

Layer 3—IP

Routing Configuration Guide.

•

With the SYN Cookie feature enabled, only the maximum segment size (MSS), is negotiated during

TCP connection establishment, instead of the window’s zoom factor and timestamp.

To enable the SYN Cookie feature:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enable the SYN Cookie feature.

tcp syn-cookie enable

Enabled by default

Displaying and maintaining TCP attack protection

HP 6125G HP 6125G &amp; 6125G/XG Blade Switches Security Configuration Gui - Page 233

Configuring TCP attack protection, Overview, Enabling the SYN Cookie feature

Page 233 highlights

HP 6125G HP 6125G & 6125G/XG Blade Switches Security Configuration Gui - Page 233