Home » HP Manuals » Servers » HP 6120XG » Manual Viewer

HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 30

BPDU Filtering and BPDU Protection, Dynamic ARP Protection

Add to My Manuals
Save this manual to your list of manuals

Page 30 highlights

Security Overview Network Security Features Feature Default Setting ConnectionRate Filtering based on Virus-Throttling Technology none ICMP none Rate-Limiting Spanning Tree none Protection DHCP Snooping, none Dynamic ARP Protection, and Dynamic IP Lockdown Security Guidelines More Information and Configuration Details This feature helps protect the network from attack and Chapter 3, "Virus Throttling is recommended for use on the network edge. It is (Connection-Rate Filtering)" primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts. This feature helps defeat ICMP denial-of-service Management and attacks by restricting ICMP traffic to percentage levels Configuration Guide, in the that permit necessary ICMP functions, but throttle chapter on "Port Traffic additional traffic that may be due to worms or viruses Controls" refer to the section (reducing their spread and effect). "ICMP Rate-Limiting" These features prevent your switch from malicious Advanced Traffic attacks or configuration errors: Management Guide, refer to • BPDU Filtering and BPDU Protection: Protects the the chapter "Multiple network from denial-of-service attacks that use Instance Spanning-Tree spoofing BPDUs by dropping incoming BPDU frames Operation" and/or blocking traffic through a port. • STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes. These features provide the following additional protections for your network: • DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests. Chapter 11, "Configuring Advanced Threat Protection" • Dynamic ARP Protection: Protects your network from ARP cache poisoning. • Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis • Instrumentation Monitor. Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch. 1-8

Section	Page
Security Overview	23
Contents	23
Introduction	24
About This Guide	24
For More Information	24
Access Security Features	25
Network Security Features	29
Getting Started with Access Security	31
Physical Security	31
Quick Start: Using the Management Interface Wizard	32
SNMP Security Guidelines	37
Precedence of Security Options	39
Precedence of Port-Based Security Options	39
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter	39
ProCurve Identity-Driven Manager (IDM)	43
Configuring Username and Password Security	44
Contents	44
Overview	46
Configuring Local Password Security	49
Menu: Setting Passwords	49
CLI: Setting Passwords and Usernames	51
Web: Setting Passwords and Usernames	52
SNMP: Setting Passwords and Usernames	52
Saving Security Credentials in a Config File	53
Benefits of Saving Security Credentials	53
Enabling the Storage and Display of Security Credentials	54
Security Settings that Can Be Saved	54
Local Manager and Operator Passwords	55
Password Command Options	55
SNMP Security Credentials	56
802.1X Port-Access Credentials	57
TACACS+ Encryption Key Authentication	58
RADIUS Shared-Secret Key Authentication	58
SSH Client Public-Key Authentication	59
Operating Notes	62
Restrictions	64
Front-Panel Security	66
When Security Is Important	66
Front-Panel Button Functions	67
Configuring Front-Panel Security	70
Password Recovery	75
Disabling or Re-Enabling the Password Recovery Process	75
Password Recovery Process	77
Web and MAC Authentication	78
Contents	78
Overview	80
Web Authentication	80
MAC Authentication	81
Concurrent Web and MAC Authentication	81
Authorized and Unauthorized Client VLANs	82
RADIUS-Based Authentication	83
Wireless Clients	83
How Web and MAC Authentication Operate	83
Web-based Authentication	84
MAC-based Authentication	86
Terminology	88
Operating Rules and Notes	89
Setup Procedure for Web/MAC Authentication	91
Before You Configure Web/MAC Authentication	91
Configuring the RADIUS Server To Support MAC Authentication	93
Configuring the Switch To Access a RADIUS Server	94
Configuring Web Authentication	97
Overview	97
Configuration Commands for Web Authentication	98
Show Commands for Web Authentication	105
Customizing Web Authentication HTML Files (Optional)	111
Implementing Customized Web-Auth Pages	111
Operating Notes and Guidelines	111
Customizing HTML Templates	112
Configuring MAC Authentication on the Switch	127
Overview	127
Configuration Commands for MAC Authentication	128
Show Commands for MAC-Based Authentication	131
Client Status	137
TACACS+ Authentication	138
Contents	138
Overview	139
Terminology Used in TACACS Applications:	140
General System Requirements	142
General Authentication Setup Procedure	142
Configuring TACACS+ on the Switch	145
Before You Begin	145
CLI Commands Described in this Section	146
Viewing the Switch’s Current Authentication Configuration	146
Viewing the Switch’s Current TACACS+ Server Contact Configuration	147
Configuring the Switch’s Authentication Methods	148
Configuring the TACACS+ Server for Single Login	150
Configuring the Switch’s TACACS+ Server Access	155
How Authentication Operates	161
General Authentication Process Using a TACACS+ Server	161
Local Authentication Process	163
Using the Encryption Key	164
Controlling Web Browser Interface Access When Using TACACS+ Authentication	165
Messages Related to TACACS+ Operation	166
Operating Notes	166
RADIUS Authentication, Authorization, and Accounting	168
Contents	168
Overview	170
Authentication Services	170
Accounting Services	171
RADIUS-Administered CoS and Rate-Limiting	171
RADIUIS-Administered Commands Authorization	171
SNMP Access to the Switch’s Authentication Configuration MIB	171
Terminology	172
Switch Operating Rules for RADIUS	173
General RADIUS Setup Procedure	174
Configuring the Switch for RADIUS Authentication	175
Outline of the Steps for Configuring RADIUS Authentication	176
1. Configure Authentication for the Access Methods You Want RADIUS To Protect	177
2. Enable the (Optional) Access Privilege Option	180
3. Configure the Switch To Access a RADIUS Server	181
4. Configure the Switch’s Global RADIUS Parameters	184
Using SNMP To View and Configure Switch Authentication Features	188
Changing and Viewing the SNMP Access Configuration	189
Local Authentication Process	191
Controlling Web Browser Interface Access	192
Commands Authorization	193
Enabling Authorization	194
Displaying Authorization Information	195
Configuring Commands Authorization on a RADIUS Server	195
VLAN Assignment in an Authentication Session	201
Tagged and Untagged VLAN Attributes	202
Additional RADIUS Attributes	203
Configuring RADIUS Accounting	204
Operating Rules for RADIUS Accounting	206
Steps for Configuring RADIUS Accounting	206
Viewing RADIUS Statistics	213
General RADIUS Statistics	213
RADIUS Authentication Statistics	215
RADIUS Accounting Statistics	216
Changing RADIUS-Server Access Order	217
Messages Related to RADIUS Operation	220
Configuring Secure Shell (SSH)	221
Contents	221
Overview	222
Terminology	223
Prerequisite for Using SSH	225
Public Key Formats	225
Steps for Configuring and Using SSH for Switch and Client Authentication	226
General Operating Rules and Notes	228
Configuring the Switch for SSH Operation	229
1. Assigning a Local Login (Operator) and Enable (Manager) Password	230
2. Generating the Switch’s Public and Private Key Pair	230
3. Providing the Switch’s Public Key to Clients	233
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior	235
5. Configuring the Switch for SSH Authentication	240
6. Use an SSH Client To Access the Switch	244
Further Information on SSH Client Public-Key Authentication	244
Messages Related to SSH Operation	250
Logging Messages	251
Debug Logging	252
Configuring Secure Socket Layer (SSL)	253
Contents	253
Overview	254
Terminology	255
Prerequisite for Using SSL	257
Steps for Configuring and Using SSL for Switch and Client Authentication	257
General Operating Rules and Notes	258
Configuring the Switch for SSL Operation	259
1. Assigning a Local Login (Operator) and Enabling (Manager) Password	259
2. Generating the Switch’s Server Host Certificate	260
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior	269
Common Errors in SSL setup	273
Configuring Advanced Threat Protection	274
Contents	274
Introduction	276
DHCP Snooping	277
Overview	277
Enabling DHCP Snooping	278
Enabling DHCP Snooping on VLANS	280
Configuring DHCP Snooping Trusted Ports	281
Configuring Authorized Server Addresses	282
Using DHCP Snooping with Option 82	282
The DHCP Binding Database	285
Operational Notes	286
Log Messages	287
Dynamic ARP Protection	289
Introduction	289
Enabling Dynamic ARP Protection	291
Configuring Trusted Ports	291
Adding an IP-to-MAC Binding to the DHCP Database	293
Configuring Additional Validation Checks on ARP Packets	294
Verifying the Configuration of Dynamic ARP Protection	294
Displaying ARP Packet Statistics	295
Monitoring Dynamic ARP Protection	296
Dynamic IP Lockdown	296
Protection Against IP Source Address Spoofing	297
Prerequisite: DHCP Snooping	297
Filtering IP and MAC Addresses Per-Port and Per-VLAN	298
Enabling Dynamic IP Lockdown	299
Operating Notes	299
Adding an IP-to-MAC Binding to the DHCP Binding Database	301
Verifying the Dynamic IP Lockdown Configuration	302
Displaying the Static Configuration of IP-to-MAC Bindings	303
Debugging Dynamic IP Lockdown	304
Using the Instrumentation Monitor	306
Operating Notes	307
Configuring Instrumentation Monitor	308
Viewing the Current Instrumentation Monitor Configuration	310
Traffic/Security Filters and Monitors	311
Contents	311
Overview	312
Introduction	312
Filter Limits	312
Using Port Trunks with Filters	312
Filter Types and Operation	313
Source-Port Filters	314
Named Source-Port Filters	316
Configuring Traffic/Security Filters	325
Configuring a Source-Port Traffic Filter	326
Editing a Source-Port Filter	328
Filter Indexing	329
Displaying Traffic/Security Filters	330
Configuring Port-Based and User-Based Access Control (802.1X)	331
Contents	331
Overview	333
Why Use Port-Based or User-Based Access Control?	333
General Features	333
User Authentication Methods	334
Terminology	336
General 802.1X Authenticator Operation	339
Example of the Authentication Process	339
VLAN Membership Priority	340
General Operating Rules and Notes	342
General Setup Procedure for 802.1X Access Control	344
Do These Steps Before You Configure 802.1X Operation	344
Overview: Configuring 802.1X Authentication on the Switch	347
Configuring Switch Ports as 802.1X Authenticators	348
1. Enable 802.1X Authentication on Selected Ports	349
2. Reconfigure Settings for Port-Access	351
3. Configure the 802.1X Authentication Method	354
4. Enter the RADIUS Host IP Address(es)	355
5. Enable 802.1X Authentication on the Switch	355
6. Optional: Reset Authenticator Operation	356
7. Optional: Configure 802.1X Controlled Directions	356
802.1X Open VLAN Mode	359
Introduction	359
VLAN Membership Priorities	360
Use Models for 802.1X Open VLAN Modes	361
Operating Rules for Authorized-Client and Unauthorized-Client VLANs	366
Setting Up and Configuring 802.1X Open VLAN Mode	370
802.1X Open VLAN Operating Notes	374
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices	375
Port-Security	376
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches	377
Example	377
Supplicant Port Configuration	379
Displaying 802.1X Configuration, Statistics, and Counters	381
Show Commands for Port-Access Authenticator	381
Viewing 802.1X Open VLAN Mode Status	390
Show Commands for Port-Access Supplicant	394
How RADIUS/802.1X Authentication Affects VLAN Operation	395
VLAN Assignment on a Port	396
Operating Notes	396
Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session	398
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions	401
Messages Related to 802.1X Operation	403
Configuring and Monitoring Port Security	404
Contents	404
Overview	406
Port Security	407
Basic Operation	407
Eavesdrop Protection	408
Blocking Unauthorized Traffic	408
Trunk Group Exclusion	409
Planning Port Security	410
Port Security Command Options and Operation	411
Configuring Port Security	415
Retention of Static Addresses	420
MAC Lockdown	425
Differences Between MAC Lockdown and Port Security	427
Deploying MAC Lockdown	429
MAC Lockout	429
Port Security and MAC Lockout	432
Web: Displaying and Configuring Port Security Features	433
Reading Intrusion Alerts and Resetting Alert Flags	433
Notice of Security Violations	433
How the Intrusion Log Operates	434
Keeping the Intrusion Log Current by Resetting Alert Flags	435
Using the Event Log To Find Intrusion Alerts	439
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	440
Operating Notes for Port Security	441
Using Authorized IP Managers	443
Contents	443
Overview	444
Options	445
Access Levels	445
Defining Authorized Management Stations	446
Overview of IP Mask Operation	446
Menu: Viewing and Configuring IP Authorized Managers	447
CLI: Viewing and Configuring Authorized IP Managers	448
Web: Configuring IP Authorized Managers	451
Web Proxy Servers	451
Web-Based Help	452
Building IP Masks	452
Configuring One Station Per Authorized Manager IP Entry	452
Configuring Multiple Stations Per Authorized Manager IP Entry	453
Additional Examples for Authorizing Multiple Stations	455
Operating Notes	455
Numerics	457
A	459
B	459
C	459
D	460
E	462
F	462
G	462
H	462
I	462
L	462
M	462
N	463
O	463
P	463
R	464
S	465
T	467
U	468
V	468

Match case Limit results 1 per page

1-8

Security Overview

Network Security Features

Connection-

Rate Filtering

based on

Virus-Throttling

Technology

none

This feature helps protect the network from attack and

is recommended for use on the network edge. It is

primarily focused on the class of worm-like malicious

code that tries to replicate itself by taking advantage of

weaknesses in network applications behind unsecured

ports. In this case, the malicious code tries to create a

large number of outbound connections on an interface

in a short time. Connection-Rate filtering detects hosts

that are generating traffic that exhibits this behavior, and

causes the switch to generate warning messages and

(optionally) to throttle or drop all traffic from the

offending hosts.

Chapter 3, “Virus Throttling

(Connection-Rate Filtering)”

ICMP

Rate-Limiting

none

This feature helps defeat ICMP denial-of-service

attacks by restricting ICMP traffic to percentage levels

that permit necessary ICMP functions, but throttle

additional traffic that may be due to worms or viruses

(reducing their spread and effect).

Management and

Configuration Guide

in the

chapter on

“Port Traffic

Controls”

refer to the section

“ICMP Rate-Limiting”

Spanning Tree

Protection

none

These features prevent your switch from malicious

attacks or configuration errors:

•

BPDU Filtering and BPDU Protection

: Protects the

network from denial-of-service attacks that use

spoofing BPDUs by dropping incoming BPDU frames

and/or blocking traffic through a port.

•

STP Root Guard

: Protects the STP root bridge from

malicious attacks or configuration mistakes.

Advanced Traffic

Management Guide

, refer to

the chapter

“Multiple

Instance Spanning-Tree

Operation”

DHCP Snooping,

Dynamic ARP

Protection, and

Dynamic IP

Lockdown

none

These features provide the following additional

protections for your network:

•

DHCP Snooping

: Protects your network from

common DHCP attacks, such as address spoofing

and repeated address requests.

•

Dynamic ARP Protection

: Protects your network

from ARP cache poisoning.

•

Dynamic IP Lockdown

: Prevents IP source address

spoofing on a per-port and per-VLAN basis

•

Instrumentation Monitor

. Helps identify a variety of

malicious attacks by generating alerts for detected

anomalies on the switch.

Chapter 11, “Configuring

Advanced Threat

Protection”

Feature

Default

Setting

Security Guidelines

More Information and

Configuration Details