HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
14
Do not log to console or monitor sessions
With HP Comware software, it is possible to send log messages to monitor sessions and to the console. Monitor sessions
are interactive management sessions in which the EXEC command terminal monitor has been issued. However, sending
such messages can elevate the CPU load of a Comware device and therefore is not recommended.
Instead, you are advised to send logging information to the local log buffer, which can be viewed by using the display
logbuffer command.
Use the system-view configuration commands info-center source default channel console log state off and
info-center source default channel monitor log state off to disable logging to the console and monitor sessions. The
following configuration example shows the use of these commands:
#
info-center source default channel console log state off
info-center source default channel monitor log state off
#
server:
#
info-center loghost <ip-address>
#
For more information on log correlation, see “Information Center” in the Network Management and Monitoring
Configuration Guide.
Use buffered logging
HP Comware software supports the use of a local log buffer so that an administrator can view locally generated log
messages. The use of buffered logging is highly recommended versus logging to either the console or monitor session.
There are two configuration options that are relevant when configuring buffered logging: the logging buffer size and the
message severities that are stored in the buffer. The size of the logging buffer is configured with the system-view
configuration command info-center logbuffer size. The lowest severity included in the buffer is configured using the
info-center source default channel logbuffer log level command. An administrator is able to view the contents of the
logging buffer through the display logbuffer EXEC command.
The following configuration example includes the configuration of a logging buffer of 1,024 items, as well as a severity
of 6 (informational), indicating that messages at levels 0 (emergencies) through 6 (informational) are stored:
#
info-center logbuffer size 1024
info-center source default channel logbuffer log level informational
#
For more information, see “Information Center” in the Network Management and Monitoring Command Reference Guide.
Configure logging source interface
In order to provide an increased level of consistency when collecting and reviewing log messages, you are advised to
statically configure a logging source interface. Accomplished by using the info-center loghost source interface
command, statically configuring a logging source interface helps ensure that the same IP address appears in all logging
messages that are sent from an individual HP Comware device. For added stability, you are advised to use a loopback
interface as the logging source.
The following configuration example illustrates the use of the info-center loghost source command to specify that the
IP address of the loopback 0 interface be used for all log messages:
#
info-center loghost source Loopback 0
#
For more information, see “Information Center” in the Network Management and Monitoring Command Reference Guide.