HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 30
BPDU Filtering and BPDU Protection, Dynamic ARP Protection
View all HP 6120XG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 30 highlights
Security Overview Network Security Features Feature Default Setting ConnectionRate Filtering based on Virus-Throttling Technology none ICMP none Rate-Limiting Spanning Tree none Protection DHCP Snooping, none Dynamic ARP Protection, and Dynamic IP Lockdown Security Guidelines More Information and Configuration Details This feature helps protect the network from attack and Chapter 3, "Virus Throttling is recommended for use on the network edge. It is (Connection-Rate Filtering)" primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts. This feature helps defeat ICMP denial-of-service Management and attacks by restricting ICMP traffic to percentage levels Configuration Guide, in the that permit necessary ICMP functions, but throttle chapter on "Port Traffic additional traffic that may be due to worms or viruses Controls" refer to the section (reducing their spread and effect). "ICMP Rate-Limiting" These features prevent your switch from malicious Advanced Traffic attacks or configuration errors: Management Guide, refer to • BPDU Filtering and BPDU Protection: Protects the the chapter "Multiple network from denial-of-service attacks that use Instance Spanning-Tree spoofing BPDUs by dropping incoming BPDU frames Operation" and/or blocking traffic through a port. • STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes. These features provide the following additional protections for your network: • DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests. Chapter 11, "Configuring Advanced Threat Protection" • Dynamic ARP Protection: Protects your network from ARP cache poisoning. • Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis • Instrumentation Monitor. Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch. 1-8