Home » HP Manuals » Servers » HP 6120XG » Manual Viewer

HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 289

Dynamic ARP Protection, Introduction

Add to My Manuals
Save this manual to your list of manuals

Page 289 highlights

Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded. For more information about the ARP cache, refer to "ARP Cache Table" in the Multicast and Routing Guide. ARP requests are ordinarily broadcast and received by all devices in a broadcast domain. Most ARP devices update their IP-to-MAC address entries each time they receive an ARP packet even if they did not request the information. This behavior makes an ARP cache vulnerable to attacks. Because ARP allows a node to update its cache entries on other systems by broadcasting or unicasting a gratuitous ARP reply, an attacker can send his own IP-to-MAC address binding in the reply that causes all traffic destined for a VLAN node to be sent to the attacker's MAC address. As a result, the attacker can intercept traffic for other hosts in a classic "man-in-the-middle" attack. The attacker gains access to any traffic sent to the poisoned address and can capture passwords, e-mail, and VoIP calls or even modify traffic before resending it. Another way in which the ARP cache of known IP addresses and associated MAC addresses can be poisoned is through unsolicited ARP responses. For example, an attacker can associate the IP address of the network gateway with the MAC address of a network node. In this way, all outgoing traffic is prevented from leaving the network because the node does not have access to outside networks. As a result, the node is overwhelmed by outgoing traffic destined to another network. Dynamic ARP protection is designed to protect your network against ARP poisoning attacks in the following ways: ■ Allows you to differentiate between trusted and untrusted ports. ■ Intercepts all ARP requests and responses on untrusted ports before forwarding them. ■ Verifies IP-to-MAC address bindings on untrusted ports with the information stored in the lease database maintained by DHCP snooping and userconfigured static bindings (in non-DHCP environments): 8-16

Section	Page
Security Overview	23
Contents	23
Introduction	24
About This Guide	24
For More Information	24
Access Security Features	25
Network Security Features	29
Getting Started with Access Security	31
Physical Security	31
Quick Start: Using the Management Interface Wizard	32
SNMP Security Guidelines	37
Precedence of Security Options	39
Precedence of Port-Based Security Options	39
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter	39
ProCurve Identity-Driven Manager (IDM)	43
Configuring Username and Password Security	44
Contents	44
Overview	46
Configuring Local Password Security	49
Menu: Setting Passwords	49
CLI: Setting Passwords and Usernames	51
Web: Setting Passwords and Usernames	52
SNMP: Setting Passwords and Usernames	52
Saving Security Credentials in a Config File	53
Benefits of Saving Security Credentials	53
Enabling the Storage and Display of Security Credentials	54
Security Settings that Can Be Saved	54
Local Manager and Operator Passwords	55
Password Command Options	55
SNMP Security Credentials	56
802.1X Port-Access Credentials	57
TACACS+ Encryption Key Authentication	58
RADIUS Shared-Secret Key Authentication	58
SSH Client Public-Key Authentication	59
Operating Notes	62
Restrictions	64
Front-Panel Security	66
When Security Is Important	66
Front-Panel Button Functions	67
Configuring Front-Panel Security	70
Password Recovery	75
Disabling or Re-Enabling the Password Recovery Process	75
Password Recovery Process	77
Web and MAC Authentication	78
Contents	78
Overview	80
Web Authentication	80
MAC Authentication	81
Concurrent Web and MAC Authentication	81
Authorized and Unauthorized Client VLANs	82
RADIUS-Based Authentication	83
Wireless Clients	83
How Web and MAC Authentication Operate	83
Web-based Authentication	84
MAC-based Authentication	86
Terminology	88
Operating Rules and Notes	89
Setup Procedure for Web/MAC Authentication	91
Before You Configure Web/MAC Authentication	91
Configuring the RADIUS Server To Support MAC Authentication	93
Configuring the Switch To Access a RADIUS Server	94
Configuring Web Authentication	97
Overview	97
Configuration Commands for Web Authentication	98
Show Commands for Web Authentication	105
Customizing Web Authentication HTML Files (Optional)	111
Implementing Customized Web-Auth Pages	111
Operating Notes and Guidelines	111
Customizing HTML Templates	112
Configuring MAC Authentication on the Switch	127
Overview	127
Configuration Commands for MAC Authentication	128
Show Commands for MAC-Based Authentication	131
Client Status	137
TACACS+ Authentication	138
Contents	138
Overview	139
Terminology Used in TACACS Applications:	140
General System Requirements	142
General Authentication Setup Procedure	142
Configuring TACACS+ on the Switch	145
Before You Begin	145
CLI Commands Described in this Section	146
Viewing the Switch’s Current Authentication Configuration	146
Viewing the Switch’s Current TACACS+ Server Contact Configuration	147
Configuring the Switch’s Authentication Methods	148
Configuring the TACACS+ Server for Single Login	150
Configuring the Switch’s TACACS+ Server Access	155
How Authentication Operates	161
General Authentication Process Using a TACACS+ Server	161
Local Authentication Process	163
Using the Encryption Key	164
Controlling Web Browser Interface Access When Using TACACS+ Authentication	165
Messages Related to TACACS+ Operation	166
Operating Notes	166
RADIUS Authentication, Authorization, and Accounting	168
Contents	168
Overview	170
Authentication Services	170
Accounting Services	171
RADIUS-Administered CoS and Rate-Limiting	171
RADIUIS-Administered Commands Authorization	171
SNMP Access to the Switch’s Authentication Configuration MIB	171
Terminology	172
Switch Operating Rules for RADIUS	173
General RADIUS Setup Procedure	174
Configuring the Switch for RADIUS Authentication	175
Outline of the Steps for Configuring RADIUS Authentication	176
1. Configure Authentication for the Access Methods You Want RADIUS To Protect	177
2. Enable the (Optional) Access Privilege Option	180
3. Configure the Switch To Access a RADIUS Server	181
4. Configure the Switch’s Global RADIUS Parameters	184
Using SNMP To View and Configure Switch Authentication Features	188
Changing and Viewing the SNMP Access Configuration	189
Local Authentication Process	191
Controlling Web Browser Interface Access	192
Commands Authorization	193
Enabling Authorization	194
Displaying Authorization Information	195
Configuring Commands Authorization on a RADIUS Server	195
VLAN Assignment in an Authentication Session	201
Tagged and Untagged VLAN Attributes	202
Additional RADIUS Attributes	203
Configuring RADIUS Accounting	204
Operating Rules for RADIUS Accounting	206
Steps for Configuring RADIUS Accounting	206
Viewing RADIUS Statistics	213
General RADIUS Statistics	213
RADIUS Authentication Statistics	215
RADIUS Accounting Statistics	216
Changing RADIUS-Server Access Order	217
Messages Related to RADIUS Operation	220
Configuring Secure Shell (SSH)	221
Contents	221
Overview	222
Terminology	223
Prerequisite for Using SSH	225
Public Key Formats	225
Steps for Configuring and Using SSH for Switch and Client Authentication	226
General Operating Rules and Notes	228
Configuring the Switch for SSH Operation	229
1. Assigning a Local Login (Operator) and Enable (Manager) Password	230
2. Generating the Switch’s Public and Private Key Pair	230
3. Providing the Switch’s Public Key to Clients	233
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior	235
5. Configuring the Switch for SSH Authentication	240
6. Use an SSH Client To Access the Switch	244
Further Information on SSH Client Public-Key Authentication	244
Messages Related to SSH Operation	250
Logging Messages	251
Debug Logging	252
Configuring Secure Socket Layer (SSL)	253
Contents	253
Overview	254
Terminology	255
Prerequisite for Using SSL	257
Steps for Configuring and Using SSL for Switch and Client Authentication	257
General Operating Rules and Notes	258
Configuring the Switch for SSL Operation	259
1. Assigning a Local Login (Operator) and Enabling (Manager) Password	259
2. Generating the Switch’s Server Host Certificate	260
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior	269
Common Errors in SSL setup	273
Configuring Advanced Threat Protection	274
Contents	274
Introduction	276
DHCP Snooping	277
Overview	277
Enabling DHCP Snooping	278
Enabling DHCP Snooping on VLANS	280
Configuring DHCP Snooping Trusted Ports	281
Configuring Authorized Server Addresses	282
Using DHCP Snooping with Option 82	282
The DHCP Binding Database	285
Operational Notes	286
Log Messages	287
Dynamic ARP Protection	289
Introduction	289
Enabling Dynamic ARP Protection	291
Configuring Trusted Ports	291
Adding an IP-to-MAC Binding to the DHCP Database	293
Configuring Additional Validation Checks on ARP Packets	294
Verifying the Configuration of Dynamic ARP Protection	294
Displaying ARP Packet Statistics	295
Monitoring Dynamic ARP Protection	296
Dynamic IP Lockdown	296
Protection Against IP Source Address Spoofing	297
Prerequisite: DHCP Snooping	297
Filtering IP and MAC Addresses Per-Port and Per-VLAN	298
Enabling Dynamic IP Lockdown	299
Operating Notes	299
Adding an IP-to-MAC Binding to the DHCP Binding Database	301
Verifying the Dynamic IP Lockdown Configuration	302
Displaying the Static Configuration of IP-to-MAC Bindings	303
Debugging Dynamic IP Lockdown	304
Using the Instrumentation Monitor	306
Operating Notes	307
Configuring Instrumentation Monitor	308
Viewing the Current Instrumentation Monitor Configuration	310
Traffic/Security Filters and Monitors	311
Contents	311
Overview	312
Introduction	312
Filter Limits	312
Using Port Trunks with Filters	312
Filter Types and Operation	313
Source-Port Filters	314
Named Source-Port Filters	316
Configuring Traffic/Security Filters	325
Configuring a Source-Port Traffic Filter	326
Editing a Source-Port Filter	328
Filter Indexing	329
Displaying Traffic/Security Filters	330
Configuring Port-Based and User-Based Access Control (802.1X)	331
Contents	331
Overview	333
Why Use Port-Based or User-Based Access Control?	333
General Features	333
User Authentication Methods	334
Terminology	336
General 802.1X Authenticator Operation	339
Example of the Authentication Process	339
VLAN Membership Priority	340
General Operating Rules and Notes	342
General Setup Procedure for 802.1X Access Control	344
Do These Steps Before You Configure 802.1X Operation	344
Overview: Configuring 802.1X Authentication on the Switch	347
Configuring Switch Ports as 802.1X Authenticators	348
1. Enable 802.1X Authentication on Selected Ports	349
2. Reconfigure Settings for Port-Access	351
3. Configure the 802.1X Authentication Method	354
4. Enter the RADIUS Host IP Address(es)	355
5. Enable 802.1X Authentication on the Switch	355
6. Optional: Reset Authenticator Operation	356
7. Optional: Configure 802.1X Controlled Directions	356
802.1X Open VLAN Mode	359
Introduction	359
VLAN Membership Priorities	360
Use Models for 802.1X Open VLAN Modes	361
Operating Rules for Authorized-Client and Unauthorized-Client VLANs	366
Setting Up and Configuring 802.1X Open VLAN Mode	370
802.1X Open VLAN Operating Notes	374
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices	375
Port-Security	376
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches	377
Example	377
Supplicant Port Configuration	379
Displaying 802.1X Configuration, Statistics, and Counters	381
Show Commands for Port-Access Authenticator	381
Viewing 802.1X Open VLAN Mode Status	390
Show Commands for Port-Access Supplicant	394
How RADIUS/802.1X Authentication Affects VLAN Operation	395
VLAN Assignment on a Port	396
Operating Notes	396
Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session	398
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions	401
Messages Related to 802.1X Operation	403
Configuring and Monitoring Port Security	404
Contents	404
Overview	406
Port Security	407
Basic Operation	407
Eavesdrop Protection	408
Blocking Unauthorized Traffic	408
Trunk Group Exclusion	409
Planning Port Security	410
Port Security Command Options and Operation	411
Configuring Port Security	415
Retention of Static Addresses	420
MAC Lockdown	425
Differences Between MAC Lockdown and Port Security	427
Deploying MAC Lockdown	429
MAC Lockout	429
Port Security and MAC Lockout	432
Web: Displaying and Configuring Port Security Features	433
Reading Intrusion Alerts and Resetting Alert Flags	433
Notice of Security Violations	433
How the Intrusion Log Operates	434
Keeping the Intrusion Log Current by Resetting Alert Flags	435
Using the Event Log To Find Intrusion Alerts	439
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	440
Operating Notes for Port Security	441
Using Authorized IP Managers	443
Contents	443
Overview	444
Options	445
Access Levels	445
Defining Authorized Management Stations	446
Overview of IP Mask Operation	446
Menu: Viewing and Configuring IP Authorized Managers	447
CLI: Viewing and Configuring Authorized IP Managers	448
Web: Configuring IP Authorized Managers	451
Web Proxy Servers	451
Web-Based Help	452
Building IP Masks	452
Configuring One Station Per Authorized Manager IP Entry	452
Configuring Multiple Stations Per Authorized Manager IP Entry	453
Additional Examples for Authorizing Multiple Stations	455
Operating Notes	455
Numerics	457
A	459
B	459
C	459
D	460
E	462
F	462
G	462
H	462
I	462
L	462
M	462
N	463
O	463
P	463
R	464
S	465
T	467
U	468
V	468

Match case Limit results 1 per page

8-16

Configuring Advanced Threat Protection

Dynamic ARP Protection

Introduction

On the VLAN interfaces of a routing switch, dynamic ARP protection ensures

that only valid ARP requests and responses are relayed or used to update the

local ARP cache. ARP packets with invalid IP-to-MAC address bindings adver-

tised in the source protocol address and source physical address fields are

discarded. For more information about the ARP cache, refer to “ARP Cache

Table” in the

Multicast and Routing Guide

ARP requests are ordinarily broadcast and received by all devices in a broad-

cast domain. Most ARP devices update their IP-to-MAC address entries each

time they receive an ARP packet even if they did not request the information.

This behavior makes an ARP cache vulnerable to attacks.

Because ARP allows a node to update its cache entries on other systems by

broadcasting or unicasting a gratuitous ARP reply, an attacker can send his

own IP-to-MAC address binding in the reply that causes all traffic destined for

a VLAN node to be sent to the attacker's MAC address. As a result, the attacker

can intercept traffic for other hosts in a classic "man-in-the-middle" attack.

The attacker gains access to any traffic sent to the poisoned address and can

capture passwords, e-mail, and VoIP calls or even modify traffic before

resending it.

Another way in which the ARP cache of known IP addresses and associated

MAC addresses can be poisoned is through unsolicited ARP responses. For

example, an attacker can associate the IP address of the network gateway

with the MAC address of a network node. In this way, all outgoing traffic is

prevented from leaving the network because the node does not have access

to outside networks. As a result, the node is overwhelmed by outgoing traffic

destined to another network.

Dynamic ARP protection is designed to protect your network against ARP

poisoning attacks in the following ways:

■

Allows you to differentiate between trusted and untrusted ports.

■

Intercepts all ARP requests and responses on untrusted ports before

forwarding them.

■

Verifies IP-to-MAC address bindings on untrusted ports with the informa-

tion stored in the lease database maintained by DHCP snooping and user-

configured static bindings (in non-DHCP environments):