HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
#
This command configures an SNMPv3 user snmpv3user in group PRIVGROUP with an MD5 authentication password of authpassword and a 3DES privacy (encryption) password of privpassword:
#
snmp-agent usm-user v3 snmpv3user PRIVGROUP authentication-mode md5 authpassword privacy-mode 3des privpassword
#
MD5 and 3DES are the options shown here; where the platform offers them, the sha authentication mode and the aes128 privacy mode are the stronger choices. Additionally, it is recommended that SNMPv1 and SNMPv2c be disabled whenever SNMPv3 is configured: those versions authenticate with community strings that cross the network in cleartext, so leaving them enabled undermines the protection SNMPv3 provides. For more information, see “SNMP” in the Network Management and Monitoring Command Reference Guide.
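The following configuration is an added example, not taken from this guide, that applies the two recommendations above together: it restricts the agent to SNMPv3, defines a group that requires both authentication and encryption (authPriv), and creates the user with SHA and AES-128 rather than MD5 and 3DES. The group name, user name, passwords, ACL number and the 192.0.2.10 management-station address are placeholders; check the keywords your release accepts with snmp-agent usm-user v3 ? before relying on them.

```text
#
# Added example. Only SNMPv3 requests are processed; v1/v2c community strings are not serviced
snmp-agent sys-info version v3
#
# Basic ACL listing the management station that is allowed to poll (placeholder address)
acl number 2000
 rule 0 permit source 192.0.2.10 0
 rule 5 deny
#
# Group PRIVGROUP requires authPriv (both authentication and encryption); default MIB view
snmp-agent group v3 PRIVGROUP privacy
#
# User bound to the group, SHA authentication and AES-128 privacy, polled only from ACL 2000 sources
snmp-agent usm-user v3 snmpv3user PRIVGROUP authentication-mode sha authpassword privacy-mode aes128 privpassword acl 2000
#
```

With this in place a request using an SNMPv1 or SNMPv2c community string receives no response, and a v3 request from an address outside ACL 2000 is dropped before the user's credentials are evaluated.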
Logging best practices
Event logging provides you with visibility into the operation of an HP Comware device and the network into which it is
deployed. HP Comware software provides several flexible logging options that can help achieve an organization’s
network management and visibility goals.
These sections provide some basic logging best practices that can help an administrator leverage logging successfully
while minimizing the impact of logging on an HP Comware device.
Send logs to a central location
You are advised to send logging information to a remote syslog server. By doing so, it becomes possible to correlate and audit network and security events across network devices more effectively, and a copy of the log survives a device reload or an attacker clearing the local buffer. Note that syslog messages are transmitted over UDP, which provides no delivery guarantee, and in cleartext, so they can be lost, read or spoofed in transit. For this reason, any protections that a network affords to management traffic (for example, encryption or out-of-band access) should be extended to include syslog traffic.
The following configuration example configures an HP Comware device to send logging information to a remote
syslog server:
#
info-center loghost <ip-address>
#
For more information on log correlation, see “Information Center” in the Network Management and Monitoring
Configuration Guide.
Logging level
Each log message that is generated by an HP Comware device is assigned one of eight severity levels that range from level 0 (emergencies) through level 7 (debug); a lower number means a more severe message. Unless specifically required, you are advised to avoid logging at level 7. Logging at level 7 produces an elevated CPU load on the device that can lead to device and network instability.
The system-view configuration command info-center source default channel loghost log level is used to specify which logging messages are sent to remote syslog servers. The level specified is the least severe level that is still sent: messages at that level and at every more severe (lower-numbered) level are sent, and less severe messages are dropped. For buffered logging, the info-center source default channel logbuffer log level command is used.
This configuration example limits log messages that are sent to remote syslog servers and the local log buffer to
severities 6 (informational) through 0 (emergencies):
#
info-center source default channel logbuffer log level informational
info-center source default channel loghost log level informational
#
For more information, see “Information Center” in the Network Management and Monitoring Command Reference Guide.
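The following configuration is an added example, not taken from this guide, that combines the two logging recommendations above (a central collector and a non-debug severity threshold) into one working fragment. The collector address 192.0.2.10, the LoopBack0 source interface and the buffer size are placeholders; sourcing from the loopback is an assumption that the loopback carries the device's management address, so the syslog flow can be covered by the same ACLs or out-of-band path as other management traffic.

```text
#
# Added example. Information center must be enabled for any output to be produced
info-center enable
#
# Remote collector (placeholder address), sourced from the management loopback so the
# flow has a stable source address that infrastructure ACLs and collector filters can match
info-center loghost 192.0.2.10
info-center loghost source LoopBack0
#
# Full date timestamps on messages sent to the collector, needed for cross-device correlation
info-center timestamp loghost date
#
# Severity 6 (informational) and more severe to the collector; debugging output (level 7)
# is never sent to the loghost channel
info-center source default channel loghost debug state off log level informational
#
# Keep a local buffer at the same threshold for use when the collector is unreachable
info-center logbuffer size 1024
info-center source default channel logbuffer log level informational
#
```

After applying this, display logbuffer shows the locally retained messages and display info-center shows the channel-to-destination mapping and the effective levels, which is the quickest way to confirm that no channel still carries debug output.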