Home » HP Manuals » Servers » HP 6120G/XG » Manual Viewer

HP 6120G/XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 422

Protection Against IP Source Address Spoofing, Prerequisite: DHCP Snooping, Therefore

Add to My Manuals
Save this manual to your list of manuals

Page 422 highlights

Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD "r" protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication. SNMPv1 and SNMPv2c also frequently use authorized IP address lists to limit management access. An attacker that is able to send traffic that appears to originate from an authorized IP source address may gain access to network services for which he is not authorized. Dynamic IP lockdown provides protection against IP source address spoofing by means of IP-level port security. IP packets received on a port enabled for dynamic IP lockdown are only forwarded if they contain a known IP source address and MAC address binding for the port. Dynamic IP lockdown uses information collected in the DHCP Snooping lease database and through statically configured IP source bindings to create inter nal, per-port lists. The internal lists are dynamically created from known IP to-MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address. Prerequisite: DHCP Snooping Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic: ■ Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored in the lease database created by DHCP snooping or added through a static configuration of an IP-to-MAC binding. Therefore, if you enable DHCP snooping after dynamic IP lockdown is enabled, clients with an existing DHCP-assigned address must either request a new leased IP address or renew their existing DHCP-assigned address. Otherwise, a client's leased IP address is not contained in the DHCP binding database. As a result, dynamic IP lockdown will not allow inbound traffic from the client. ■ It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients' leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week. Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients. In this way, you repopulate the lease database with current IP-to-MAC bindings. 10-24

Section	Page
HP ProCurve 6120G/XG Switch 6120XG Switch Access Security Guide	1
Front Cover	1
Title Page	3
Copyright, Notices, & Publication Data	4
Contents	5
Feature Index	24
1. Security Overview	29
Contents	29
Introduction	30
About This Guide	30
For More Information	30
Access Security Features	31
Network Security Features	35
Getting Started with Access Security	37
Physical Security	37
Quick Start: Using the Management Interface Wizard	38
CLI: Management Interface Wizard	38
Web: Management Interface Wizard	40
SNMP Security Guidelines	43
Precedence of Security Options	45
Precedence of Port-Based Security Options	45
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter	45
Network Immunity Manager	46
Arbitrating Client-Specific Attributes	47
ProCurve Identity-Driven Manager (IDM)	49
2. Configuring Username and Password Security	51
Contents	51
Overview	53
Configuring Local Password Security	56
Menu: Setting Passwords	56
CLI: Setting Passwords and Usernames	58
Web: Setting Passwords and Usernames	59
SNMP: Setting Passwords and Usernames	59
Saving Security Credentials in a Config File	60
Benefits of Saving Security Credentials	60
Enabling the Storage and Display of Security Credentials	61
Security Settings that Can Be Saved	61
Local Manager and Operator Passwords	62
Password Command Options	62
SNMP Security Credentials	63
802.1X Port-Access Credentials	64
TACACS+ Encryption Key Authentication	65
RADIUS Shared-Secret Key Authentication	65
SSH Client Public-Key Authentication	66
Operating Notes	69
Restrictions	71
Front-Panel Security	73
When Security Is Important	73
Front-Panel Button Functions	74
Clear Button	75
Reset Button	75
Restoring the Factory Default Configuration	75
Configuring Front-Panel Security	77
Disabling the Clear Password Function of the Clear Button	79
Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation	80
Changing the Operation of the Reset+Clear Combination	81
Password Recovery	82
Disabling or Re-Enabling the Password Recovery Process	82
Password Recovery Process	84
3. Web and MAC Authentication	85
Contents	85
Overview	87
Web Authentication	87
MAC Authentication	88
Concurrent Web and MAC Authentication	88
Authorized and Unauthorized Client VLANs	89
RADIUS-Based Authentication	90
Wireless Clients	90
How Web and MAC Authentication Operate	90
Web-based Authentication	91
MAC-based Authentication	93
Terminology	95
Operating Rules and Notes	96
Setup Procedure for Web/MAC Authentication	98
Before You Configure Web/MAC Authentication	98
Configuring the RADIUS Server To Support MAC Authentication	101
Configuring the Switch To Access a RADIUS Server	101
Configuring Web Authentication	104
Overview	104
Configuration Commands for Web Authentication	105
Show Commands for Web Authentication	112
Customizing Web Authentication HTML Files (Optional)	118
Implementing Customized Web-Auth Pages	118
Operating Notes and Guidelines	118
Customizing HTML Templates	119
Customizable HTML Templates	120
Configuring MAC Authentication on the Switch	134
Overview	134
Configuration Commands for MAC Authentication	135
Configuring the Global MAC Authentication Password	135
Configuring a MAC-based Address Format	137
Show Commands for MAC-Based Authentication	139
Client Status	146
4. TACACS+ Authentication	147
Contents	147
Overview	148
Terminology Used in TACACS Applications:	149
General System Requirements	151
General Authentication Setup Procedure	151
Configuring TACACS+ on the Switch	154
Before You Begin	154
CLI Commands Described in this Section	155
Viewing the Switch’s Current Authentication Configuration	155
Viewing the Switch’s Current TACACS+ Server Contact Configuration	156
Configuring the Switch’s Authentication Methods	157
Using the Privilege-Mode Option for Login	157
Authentication Parameters	158
Configuring the TACACS+ Server for Single Login	159
Configuring the Switch’s TACACS+ Server Access	164
How Authentication Operates	170
General Authentication Process Using a TACACS+ Server	170
Local Authentication Process	172
Using the Encryption Key	173
General Operation	173
Encryption Options in the Switch	173
Controlling Web Browser Interface Access When Using TACACS+ Authentication	174
Messages Related to TACACS+ Operation	175
Operating Notes	175
5. RADIUS Authentication, Authorization, and Accounting	177
Contents	177
Overview	179
Authentication Services	179
Accounting Services	180
RADIUS-Administered CoS and Rate-Limiting	180
RADIUIS-Administered Commands Authorization	180
SNMP Access to the Switch’s Authentication Configuration MIB	180
Terminology	181
Switch Operating Rules for RADIUS	182
General RADIUS Setup Procedure	183
Configuring the Switch for RADIUS Authentication	184
Outline of the Steps for Configuring RADIUS Authentication	185
1. Configure Authentication for the Access Methods You Want RADIUS To Protect	186
2. Enable the (Optional) Access Privilege Option	189
3. Configure the Switch To Access a RADIUS Server	190
4. Configure the Switch’s Global RADIUS Parameters	193
Using Multiple RADIUS Server Groups	197
Commands	197
Enhanced Commands	198
Displaying the RADIUS Server Group Information	200
Cached Reauthentication	202
Timing Considerations	203
Using SNMP To View and Configure Switch Authentication Features	206
Changing and Viewing the SNMP Access Configuration	207
Local Authentication Process	209
Controlling Web Browser Interface Access	210
Commands Authorization	211
Enabling Authorization	212
Displaying Authorization Information	213
Configuring Commands Authorization on a RADIUS Server	213
Using Vendor Specific Attributes (VSAs)	213
Example Configuration on Cisco Secure ACS for MS Windows	215
Example Configuration Using FreeRADIUS	217
VLAN Assignment in an Authentication Session	219
Tagged and Untagged VLAN Attributes	220
Additional RADIUS Attributes	221
Configuring RADIUS Accounting	223
Operating Rules for RADIUS Accounting	225
Steps for Configuring RADIUS Accounting	225
1. Configure the Switch To Access a RADIUS Server	226
2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server	228
3. (Optional) Configure Session Blocking and Interim Updating Options	230
Viewing RADIUS Statistics	232
General RADIUS Statistics	232
RADIUS Authentication Statistics	234
RADIUS Accounting Statistics	235
Changing RADIUS-Server Access Order	236
Messages Related to RADIUS Operation	239
6. Configuring RADIUS Server Support for Switch Services	241
Contents	241
Overview	243
RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate- Limiting	244
Applied Rates for RADIUS-Assigned Rate Limits	245
Viewing the Currently Active Per-Port CoS and Rate- Limiting Configuration Specified by a RADIUS Server	246
Configuring and Using RADIUS-Assigned Access Control Lists	249
Introduction	249
Terminology	249
Overview of RADIUS-Assigned, Dynamic ACLs	252
Contrasting Dynamic (RADIUS-Assigned) and Static ACLs	253
How a RADIUS Server Applies a RADIUS-Assigned ACL to a Switch Port	254
General ACL Features, Planning, and Configuration	255
The Packet-filtering Process	256
Operating Rules for RADIUS-Assigned ACLs	256
Configuring an ACL in a RADIUS Server	257
Nas-Filter-Rule-Options	258
Configuring ACE Syntax in RADIUS Servers	258
Example Using the Standard Attribute (92) In an IPv4 ACL	260
Example of Configuring a RADIUS-assigned ACL Using the FreeRADIUS Application	261
Format Details for ACEs Configured in a RADIUS-Assigned ACL	263
Configuration Notes	264
Configuring the Switch To Support RADIUS-Assigned ACLs	264
Displaying the Current RADIUS-Assigned ACL Activity on the Switch	266
ICMP Type Numbers and Keywords	268
Event Log Messages	269
Causes of Client Deauthentication Immediately After Authenticating	270
Monitoring Shared Resources	270
7. Configuring Secure Shell (SSH)	271
Contents	271
Overview	272
Terminology	273
Prerequisite for Using SSH	275
Public Key Formats	275
Steps for Configuring and Using SSH for Switch and Client Authentication	276
General Operating Rules and Notes	278
Configuring the Switch for SSH Operation	279
1. Assigning a Local Login (Operator) and Enable (Manager) Password	280
2. Generating the Switch’s Public and Private Key Pair	280
Configuring Key Lengths	283
3. Providing the Switch’s Public Key to Clients	283
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior	285
5. Configuring the Switch for SSH Authentication	290
6. Use an SSH Client To Access the Switch	294
Further Information on SSH Client Public-Key Authentication	294
Messages Related to SSH Operation	300
Logging Messages	301
Debug Logging	302
8. Configuring Secure Socket Layer (SSL)	303
Contents	303
Overview	304
Terminology	305
Prerequisite for Using SSL	307
Steps for Configuring and Using SSL for Switch and Client Authentication	307
General Operating Rules and Notes	308
Configuring the Switch for SSL Operation	309
1. Assigning a Local Login (Operator) and Enabling (Manager) Password	309
2. Generating the Switch’s Server Host Certificate	310
To Generate or Erase the Switch’s Server Certificate with the CLI	311
Comments on Certificate Fields.	312
Generate a Self-Signed Host Certificate with the Web browser interface	314
Generate a CA-Signed server host certificate with the Web browser interface	317
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior	319
Using the CLI Interface to Enable SSL	321
Using the Web Browser Interface to Enable SSL	321
Common Errors in SSL setup	323
9. IPv4 Access Control Lists (ACLs)	325
Contents	325
Introduction	328
ACL Applications	328
Optional Network Management Applications	328
Optional PCM and IDM Applications	329
General Application Options	329
Terminology	331
Overview	334
Types of IP ACLs	334
ACL Inbound Application Points	334
Features Common to All ACLs	335
General Steps for Planning and Configuring ACLs	336
ACL Operation	337
Introduction	337
The Packet-Filtering Process	338
Planning an ACL Application	341
Switch Resource Usage	341
Prioritizing and Monitoring ACL and QoS, Feature Usage	341
ACL Resource Usage and Monitoring	341
Rule Usage	342
Managing ACL Resource Consumption	343
Oversubscribing Available Resources	343
Troubleshooting a Shortage of Resources	343
Example of ACL Resource Usage	344
Viewing the Current Rule Usage	344
Traffic Management and Improved Network Performance	347
Security	347
Guidelines for Planning the Structure of an ACL	348
ACL Configuration and Operating Rules	349
How an ACE Uses a Mask To Screen Packets for Matches	350
What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs?	351
Rules for Defining a Match Between a Packet and an Access Control Entry (ACE)	352
Configuring and Assigning an ACL	357
Overview	357
General Steps for Implementing ACLs	357
Types of ACLs	357
ACL Configuration Structure	358
Standard ACL Structure	359
Extended ACL Configuration Structure	359
ACL Configuration Factors	361
ACL Resource Consumption	361
The Sequence of Entries in an ACL Is Significant	361
In Any ACL, There Will Always Be a Match	362
A Configured ACL Has No Effect Until You Apply It to an Interface	362
Using the CLI To Create an ACL	363
General ACE Rules	363
Using CIDR Notation To Enter the ACL Mask	363
Configuring and Assigning a Numbered, Standard ACL	364
Configuring and Assigning a Numbered, Extended ACL	369
Configuring a Named ACL	375
Enabling or Disabling ACL Filtering on an Interface	377
Deleting an ACL from the Switch	378
Displaying ACL Data	379
Display an ACL Summary	379
Display the Content of All ACLs on the Switch	380
Display the ACL Assignments for an Interface	381
Displaying the Content of a Specific ACL	382
Displaying the Current ACL Resources	384
Display All ACLs and Their Assignments in the Switch Startup-Config File and Running-Config File	385
Editing ACLs and Creating an ACL Offline	385
Using the CLI To Edit ACLs	385
General Editing Rules	386
Deleting Any ACE from an ACL	386
Working Offline To Create or Edit an ACL	388
Creating an ACL Offline	389
Enable ACL “Deny” Logging	392
Requirements for Using ACL Logging	392
ACL Logging Operation	393
Enabling ACL Logging on the Switch	393
Operating Notes for ACL Logging	395
General ACL Operating Notes	396
10. Configuring Advanced Threat Protection	399
Contents	399
Introduction	401
DHCP Snooping	402
Overview	402
Enabling DHCP Snooping	403
Enabling DHCP Snooping on VLANS	405
Configuring DHCP Snooping Trusted Ports	406
Configuring Authorized Server Addresses	407
Using DHCP Snooping with Option 82	407
Changing the Remote-id from a MAC to an IP Address	409
Disabling the MAC Address Check	409
The DHCP Binding Database	410
Operational Notes	411
Log Messages	412
Dynamic ARP Protection	414
Introduction	414
Enabling Dynamic ARP Protection	416
Configuring Trusted Ports	416
Adding an IP-to-MAC Binding to the DHCP Database	418
Configuring Additional Validation Checks on ARP Packets	419
Verifying the Configuration of Dynamic ARP Protection	419
Displaying ARP Packet Statistics	420
Monitoring Dynamic ARP Protection	421
Dynamic IP Lockdown	421
Protection Against IP Source Address Spoofing	422
Prerequisite: DHCP Snooping	422
Filtering IP and MAC Addresses Per-Port and Per-VLAN	423
Enabling Dynamic IP Lockdown	424
Operating Notes	424
Adding an IP-to-MAC Binding to the DHCP Binding Database	426
Potential Issues with Bindings	426
Adding a Static Binding	427
Verifying the Dynamic IP Lockdown Configuration	427
Displaying the Static Configuration of IP-to-MAC Bindings	428
Debugging Dynamic IP Lockdown	429
Using the Instrumentation Monitor	431
Operating Notes	432
Configuring Instrumentation Monitor	433
Examples	434
Viewing the Current Instrumentation Monitor Configuration	435
11. Traffic/Security Filters and Monitors	437
Contents	437
Overview	438
Introduction	438
Filter Limits	438
Using Port Trunks with Filters	438
Filter Types and Operation	439
Source-Port Filters	440
Operating Rules for Source-Port Filters	440
Example	441
Named Source-Port Filters	442
Operating Rules for Named Source-Port Filters	442
Defining and Configuring Named Source-Port Filters	443
Viewing a Named Source-Port Filter	444
Using Named Source-Port Filters	445
Configuring Traffic/Security Filters	451
Configuring a Source-Port Traffic Filter	452
Example of Creating a Source-Port Filter	453
Configuring a Filter on a Port Trunk	453
Editing a Source-Port Filter	454
Filter Indexing	455
Displaying Traffic/Security Filters	456
12. Configuring Port-Based and User-Based Access Control (802.1X)	457
Contents	457
Overview	460
Why Use Port-Based or User-Based Access Control?	460
General Features	460
User Authentication Methods	461
802.1X User-Based Access Control	461
802.1X Port-Based Access Control	462
Alternative To Using a RADIUS Server	463
Accounting	463
Terminology	463
General 802.1X Authenticator Operation	466
Example of the Authentication Process	466
VLAN Membership Priority	467
General Operating Rules and Notes	469
General Setup Procedure for 802.1X Access Control	471
Do These Steps Before You Configure 802.1X Operation	471
Overview: Configuring 802.1X Authentication on the Switch	474
Configuring Switch Ports as 802.1X Authenticators	475
1. Enable 802.1X Authentication on Selected Ports	476
A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication	476
B. Specify User-Based Authentication or Return to Port-Based Authentication	477
Example: Configuring User-Based 802.1X Authentication	478
Example: Configuring Port-Based 802.1X Authentication	478
2. Reconfigure Settings for Port-Access	478
3. Configure the 802.1X Authentication Method	481
4. Enter the RADIUS Host IP Address(es)	482
5. Enable 802.1X Authentication on the Switch	482
6. Optional: Reset Authenticator Operation	483
7. Optional: Configure 802.1X Controlled Directions	483
Wake-on-LAN Traffic	484
Operating Notes	484
Example: Configuring 802.1X Controlled Directions	485
Unauthenticated VLAN Access (Guest VLAN Access)	485
Characteristics of Mixed Port Access Mode	486
Configuring Mixed Port Access Mode	487
802.1X Open VLAN Mode	488
Introduction	488
VLAN Membership Priorities	489
Use Models for 802.1X Open VLAN Modes	490
Operating Rules for Authorized-Client and Unauthorized-Client VLANs	495
Setting Up and Configuring 802.1X Open VLAN Mode	499
802.1X Open VLAN Operating Notes	503
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices	504
Port-Security	505
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches	506
Example	506
Supplicant Port Configuration	508
Displaying 802.1X Configuration, Statistics, and Counters	510
Show Commands for Port-Access Authenticator	510
Viewing 802.1X Open VLAN Mode Status	519
Show Commands for Port-Access Supplicant	523
How RADIUS/802.1X Authentication Affects VLAN Operation	524
VLAN Assignment on a Port	525
Operating Notes	525
Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session	527
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions	530
Messages Related to 802.1X Operation	532
13. Configuring and Monitoring Port Security	533
Contents	533
Overview	535
Port Security	536
Basic Operation	536
Eavesdrop Prevention	537
Disabling Eavesdrop Prevention	537
Feature Interactions When Eavesdrop Prevention is Disabled	538
MIB Support	539
Blocking Unauthorized Traffic	539
Trunk Group Exclusion	540
Planning Port Security	541
Port Security Command Options and Operation	542
Port Security Display Options	542
Configuring Port Security	546
Retention of Static Addresses	551
MAC Lockdown	556
Differences Between MAC Lockdown and Port Security	558
MAC Lockdown Operating Notes	559
Deploying MAC Lockdown	560
MAC Lockout	560
Port Security and MAC Lockout	563
Web: Displaying and Configuring Port Security Features	564
Reading Intrusion Alerts and Resetting Alert Flags	564
Notice of Security Violations	564
How the Intrusion Log Operates	565
Keeping the Intrusion Log Current by Resetting Alert Flags	566
Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	567
CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	568
Using the Event Log To Find Intrusion Alerts	570
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	571
Operating Notes for Port Security	572
14. Using Authorized IP Managers	575
Contents	575
Overview	576
Options	577
Access Levels	577
Defining Authorized Management Stations	578
Overview of IP Mask Operation	578
Menu: Viewing and Configuring IP Authorized Managers	579
CLI: Viewing and Configuring Authorized IP Managers	580
Listing the Switch’s Current Authorized IP Manager(s)	580
Configuring IP Authorized Managers for the Switch	581
Web: Configuring IP Authorized Managers	583
Web Proxy Servers	583
How to Eliminate the Web Proxy Server	583
Using a Web Proxy Server to Access the Web Browser Interface	584
Web-Based Help	584
Building IP Masks	584
Configuring One Station Per Authorized Manager IP Entry	584
Configuring Multiple Stations Per Authorized Manager IP Entry	585
Additional Examples for Authorizing Multiple Stations	587
Operating Notes	587
Index	589
Numerics	589
A	591
B	593
C	593
D	593
E	595
F	595
G	595
H	596
I	596
L	596
M	596
N	597
O	597
P	597
R	598
S	599
T	601
U	602
V	602

Match case Limit results 1 per page

Configuring Advanced Threat Protection

Dynamic IP Lockdown

Protection Against IP Source Address Spoofing

Many network attacks occur when an attacker injects packets with forged IP

source addresses into the network. Also, some network services use the IP

source address as a component in their authentication schemes. For example,

the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet

authentication. SNMPv1 and SNMPv2c also frequently use authorized IP

address lists to limit management access. An attacker that is able to send

traffic that appears to originate from an authorized IP source address may gain

access to network services for which he is not authorized.

Dynamic IP lockdown provides protection against IP source address spoofing

by means of IP-level port security. IP packets received on a port enabled for

dynamic IP lockdown are only forwarded if they contain a known IP source

address and MAC address binding for the port.

Dynamic IP lockdown uses information collected in the DHCP Snooping lease

database and through statically configured IP source bindings to create inter-

nal, per-port lists. The internal lists are dynamically created from known IP-

to-MAC address bindings to filter VLAN traffic on both the source IP address

and source MAC address.

Prerequisite: DHCP Snooping

Dynamic IP lockdown requires that you enable DHCP snooping as a

prerequisite for its operation on ports and VLAN traffic:

■

Dynamic IP lockdown only enables traffic for clients whose leased IP

addresses are already stored in the lease database created by DHCP

snooping or added through a static configuration of an IP-to-MAC binding.

Therefore, if you enable DHCP snooping after dynamic IP lockdown is

enabled, clients with an existing DHCP-assigned address must either

request a new leased IP address or renew their existing DHCP-assigned

address. Otherwise, a client’s leased IP address is not contained in the

DHCP binding database. As a result, dynamic IP lockdown will not allow

inbound traffic from the client.

■

It is recommended that you enable DHCP snooping a week before you

enable dynamic IP lockdown to allow the DHCP binding database to learn

clients’ leased IP addresses. You must also ensure that the lease time for

the information in the DHCP binding database lasts more than a week.

Alternatively, you can configure a DHCP server to re-allocate IP addresses

to DHCP clients. In this way, you repopulate the lease database with

current IP-to-MAC bindings.

10-24