HP Networking guide to hardening Comware-based devices

snmp-agent community write READWRITE acl 2002
#
For more information, see the snmp-agent community command in “SNMP” in the Network Management and
Monitoring Command Reference Guide.
SNMP Views
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs. Once a view is created and
applied to a community string with the snmp-agent community command, if you access MIB data, you are restricted to
the permissions that are defined by the view. When appropriate, you are advised to use views to limit SNMP users to the
data that they require.
The configuration example that follows restricts SNMP access with the community string LIMITED to the MIB data that is
located in the system group:
#
snmp-agent mib-view included VIEW-SYSTEM-ONLY system
#
snmp-agent community read LIMITED mib-view VIEW-SYSTEM-ONLY
#
For more information, see “SNMP” in the Network Management and Monitoring Command Reference Guide.
SNMP Version 3
SNMP Version 3 (SNMPv3) is defined by RFC3410, RFC3411, RFC3412, RFC3413, RFC3414, and RFC3415, and is an
interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by
authenticating and optionally encrypting packets over the network. Where supported, SNMPv3 can be used to add
another layer of security when deploying SNMP. SNMPv3 consists of three primary configuration options:
no authentication: This mode does not require any authentication or any encryption of SNMP packets.
authentication: This mode requires authentication of the SNMP packet without encryption.
privacy: This mode requires both authentication and encryption (privacy) of each SNMP packet.
An authoritative engine ID must exist before the SNMPv3 security mechanisms authentication or authentication and
encryption can be used for handling SNMP packets. By default, the engine ID is generated locally. The engine ID can be
displayed with the display snmp-agent local-engineid command as shown in this example:
#
[HP]display snmp-agent local-engineid
SNMP local EngineID: 800063A203000FE2000002
#
Note that if the engine ID is changed, all SNMP user accounts must be reconfigured. The next step is to configure an
SNMPv3 group. This command configures an HP Comware device for SNMPv3 with an SNMP server group AUTHGROUP
and enables only authentication for this group by using the authentication keyword:
#
snmp-agent group v3 AUTHGROUP authentication
#
This command configures an HP Comware device for SNMPv3 with an SNMP server group PRIVGROUP and enables both
authentication and encryption for this group by using the privacy keyword:
#
snmp-agent group v3 PRIVGROUP privacy
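The following script is an added example, not part of the HP guide, that turns the recommendations in the community-string, SNMP Views and SNMPv3 sections above into an offline configuration check. It parses the snmp-agent community, mib-view and group v3 lines of a Comware configuration and flags the weak patterns the guide warns about: communities with no ACL, read-write communities, read communities with no MIB view, default community names, and SNMPv3 groups configured without the authentication or privacy keyword. The sample configuration embedded in the script is constructed for the example (the ACL numbers, the OPENGROUP group and the public community are invented), so the script runs without a device.

```python
"""Offline audit of Comware 'snmp-agent' configuration lines for weak SNMP settings.

Added example, not code from the HP hardening guide. The SAMPLE_CONFIG below is
constructed for illustration; group names, community strings and ACL numbers
are assumptions, not values from a real device.
"""
import re
from dataclasses import dataclass

# Constructed Comware-style excerpt: mixes the guide's hardened lines with weak ones.
SAMPLE_CONFIG = """\
#
 snmp-agent
 snmp-agent community read public
 snmp-agent community write READWRITE acl 2002
 snmp-agent mib-view included VIEW-SYSTEM-ONLY system
 snmp-agent community read LIMITED mib-view VIEW-SYSTEM-ONLY acl 2001
 snmp-agent group v3 AUTHGROUP authentication
 snmp-agent group v3 PRIVGROUP privacy
 snmp-agent group v3 OPENGROUP
#
"""

# Comware syntax: snmp-agent community { read | write } name [ mib-view view ] [ acl number ]
COMMUNITY_RE = re.compile(r"^snmp-agent community (read|write) (\S+)(.*)$")
# Comware syntax: snmp-agent group v3 name [ authentication | privacy ] [ ... ]
GROUP_RE = re.compile(r"^snmp-agent group v3 (\S+)(?:\s+(authentication|privacy))?(.*)$")

DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # the configuration line that triggered the finding
    reason: str


def audit_snmp(config_text):
    """Return a list of Findings for the weak SNMP settings in config_text."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()

        m = COMMUNITY_RE.match(line)
        if m:
            access, name, rest = m.group(1), m.group(2), m.group(3)
            options = rest.split()  # trailing keywords such as mib-view / acl
            if "acl" not in options:
                findings.append(Finding("high", line,
                                        "community has no ACL restricting source addresses"))
            if access == "write":
                findings.append(Finding("high", line,
                                        "read-write community; prefer read-only access or SNMPv3"))
            if "mib-view" not in options:
                findings.append(Finding("medium", line,
                                        "community has no MIB view, so it can reach the full MIB tree"))
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("high", line,
                                        "default community string"))
            continue

        m = GROUP_RE.match(line)
        if m:
            group, level = m.group(1), m.group(2)
            if level is None:
                findings.append(Finding("high", line,
                                        f"SNMPv3 group {group} has neither authentication nor privacy"))
            elif level == "authentication":
                findings.append(Finding("low", line,
                                        f"SNMPv3 group {group} authenticates but does not encrypt"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_snmp(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
    print("summary:", summarize(results))
```

Run against a saved display current-configuration output instead of SAMPLE_CONFIG to review a real device; lines that carry both an ACL and a MIB view, or an SNMPv3 group with the privacy keyword, produce no findings, which is the state the guide recommends.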