HP 6125G HP Networking guide to hardening Comware-based devices - Page 13

13

#

This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a

3DES encryption password of privpassword:

#

snmp-agent usm-user v3 snmpv3user PRIVGROUP authentication-mode md5 authpas

sword privacy-mode 3des privpassword

#

Additionally, it is recommended that SNMPv1/v2 be disabled whenever SNMPv3 is configured for an additional level of

security. For more information, see “SNMP” in the

Network Management and Monitoring Command Reference Guide

.

Logging best practices

Event logging provides you with visibility into the operation of an HP Comware device and the network into which it is

deployed. HP Comware software provides several flexible logging options that can help achieve an organization’s

network management and visibility goals.

These sections provide some basic logging best practices that can help an administrator leverage logging successfully

while minimizing the impact of logging on an HP Comware device.

Send logs to a central location

You are advised to send logging information to a remote syslog server. By doing so, it becomes possible to correlate and

audit network and security events across network devices more effectively. Note that syslog messages are transmitted

unreliably by UDP and in cleartext. For this reason, any protections that a network affords to management traffic (for

example, encryption or out-of-band access) should be extended to include syslog traffic.

The following configuration example configures an HP Comware device to send logging information to a remote

syslog server:

#

info-center loghost <ip-address>

#

For more information on log correlation, see “Information Center” in the

Network Management and Monitoring

Configuration Guide

.

Logging level

Each log message that is generated by an HP Comware device is assigned one of eight severity levels that range from

level 0 (emergencies) through level 7 (debug). Unless specifically required, you are advised to avoid logging at level 7.

Logging at level 7 produces an elevated CPU load on the device that can lead to device and network instability.

The system-view configuration command

info-center source default channel loghost log level

is used to specify which

logging messages are sent to remote syslog servers. The level specified indicates the lowest severity message that is

sent. For buffered logging, the

info-center source default channel logbuffer log level

command is used.

This configuration example limits log messages that are sent to remote syslog servers and the local log buffer to

severities 6 (informational) through 0 (emergencies):

#

info-center source default channel logbuffer log level informational

info-center source default channel loghost log level informational

#

For more information, see “Information Center” in the

Network Management and Monitoring Command Reference Guide

.

Section	Page
Introduction	2
Management plane	2
General management plane hardening	2
Password control	2
Disable unused services	4
EXEC timeout	4
Using management interfaces	4
Memory Threshold Notification	5
CPU Threshold Notification	5
Limiting access to the network with infrastructure ACLs	5
ICMP packet filtering	6
Filtering IP fragments	6
Securing interactive management sessions	7
Console and AUX ports	7
Control VTY and TTY lines	8
Warning banners	9
Using authentication, authorization, and accounting	9
Authentication, authorization, and accounting with RADIUS	9
Authentication, authorization, and accounting with HWTACACS	10
Authentication and authorization with LDAP	10
Authentication fallback	11
Redundant AAA servers	11
Fortifying Simple Network Management Protocol	11
SNMP community strings	11
SNMP community strings with ACLs	11
SNMP Views	12
SNMP Version 3	12
Logging best practices	13
Send logs to a central location	13
Logging level	13
Do not log to console or monitor sessions	14
Use buffered logging	14
Configure logging source interface	14
Configure logging timestamps	15
HP Comware software configuration management	15
Configuration Replace and Configuration Rollback	15
Backup configuration file and boot file	15
Configuration change notification	16
Control plane	16
General control plane hardening	16
IP ICMP redirects	16
ICMP unreachables	17
ICMP TTL-expiry	17
Proxy ARP	17
Network time protocol	17
Limiting the CPU impact of control plane traffic	18
Understanding control plane traffic	18
FTP and TFTP ACLs	18
User interface ACLs	18
HTTPS ACLs	19
Control plane protection	19
Rate limiting packets on network management interfaces	19
TCP SYN Cookie and protection against Naptha attacks	19
Securing BGP	20
Generalized TTL Security Mechanism	20
BGP peer authentication with MD5	20
Configuring maximum prefixes	20
Filtering BGP prefixes with prefix lists	21
Filtering BGP prefixes with autonomous system path access lists	21
Securing Interior Gateway Protocols	22
Routing protocol authentication and verification with MD5	22
Silent-interface commands	23
Route filtering	23
Securing Virtual Router Redundancy Protocol	24
Data plane	24
General data plane hardening	24
Disable ICMP redirects	24
Disable or limit IP Directed broadcasts	25
Filtering transit traffic with Transit ACLs	25
ICMP packet filtering	25
Filtering IP fragments	26
Anti-spoofing protections	26
URPF	26
IP source guard	26
Port security	27
ARP Detection	29
Anti-spoofing ACLs	29
Limiting the CPU impact of data plane traffic	30
Features and traffic types that impact the CPU	30
Traffic identification and traceback	30
NetStream	30
sFlow	32
Classification ACLs	33
Access control with VLAN QoS policy and port access control lists	34
Access control with VLAN QoS policy	34
Access control with PACLs	34
Access control with MAC	35
Using private VLANs	35
Isolated VLANs	35
Community VLANs	36
Promiscuous ports	36
Port isolation	37
Isolated ports	37
Uplink port	38

HP 6125G HP Networking guide to hardening Comware-based devices - Page 13

Logging best practices, Send logs to a central location, Logging level

Page 13 highlights