HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
15
Configure logging timestamps
Configuring logging timestamps helps you correlate events across network devices. It is important to implement a
correct and consistent logging timestamp configuration to ensure that you are able to correlate logging data. Logging
timestamps should be configured to include the date and time with millisecond precision and to include the time zone in
use on the device.
The following example includes the configuration of logging timestamps with the time from system boot:
#
info-center timestamp log boot
#
Use the info-center timestamp loghost command to configure the format of logging timestamps sent to the log host.
For more information, see “Information Center” in the Network Management and Monitoring Command Reference Guide.
HP Comware software configuration management
HP Comware software includes several features that can enable a form of configuration management on an
HP Comware device. Such features include functionality to archive configurations and to roll back the configuration to a
previous version as well as create a detailed configuration change log.
Configuration Replace and Configuration Rollback
Beginning in HP Comware Software Release 5.20, the Configuration Replace and Configuration Rollback features allow
HP Comware device configurations to be archived on the device. Stored manually or automatically, the configurations in
this archive can be used to replace the current running configuration by using the configuration replace file command.
You are advised to enable this feature on all HP Comware devices in the network. Once enabled, an administrator can
cause the current running configuration to be added to the archive by using the archive configuration command. The
archived configurations can be viewed by using the display archive configuration command.
The following example illustrates the configuration of automatic configuration archiving. This example instructs the
HP Comware device to store archived configurations as files named archived-config-N on the cfa0:/config file system, to
maintain a maximum of 10 backups, and to archive once per day (1,440 minutes):
#
archive configuration location cfa0:/config filename-prefix archived-config
archive configuration interval 1440
archive configuration max 10
#
Although the configuration archive functionality can store up to 10 backup configurations, you are advised to consider
the space requirements before using the maximum command.
For more information, see “Configuration File Management” in the Fundamentals Command Reference Guide.
Backup configuration file and boot file
The following example configures backup configuration and boot files that are used when the primary ones
are unavailable:
#
boot-loader file cfa0:/mainmsr20_backup.bin backup
startup saved-configuration startup_backup.cfg backup
#
For more information, see “Configuration File Management” and “Device Management” in the Fundamentals Command
Reference Guide.