HP Networking guide to hardening Comware-based devices

Configuration change notification
The configuration change notification feature can log the configuration changes made to an HP Comware device. You can
display the resulting change traps with the display trapbuffer command. Use the snmp-agent trap enable command to enable
configuration change notification.
#
[HP]display trapbuffer
Trapping buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 1024
Channel number : 3 , channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 31
#Aug 27 04:01:50:785 2010 HP DEVM/4/SYSTEM WARM START:
Trap 1.3.6.1.4.1.25506.6.8.5: system warm start.
#Aug 27 04:01:54:374 2010 HP SHELL/4/LOGIN:
Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
#Aug 27 04:02:10:277 2010 HP CFGMAN/4/TRAP:
1.3.6.1.4.1.25506.2.4.2.1 configure changed:
EventIndex=1,CommandSource=1,ConfigSource=2,ConfigDestination=4
#
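The trap buffer is only useful as an audit trail if someone actually reads it. The following parser is an added example, not part of the HP guide: it splits display trapbuffer output into the buffer counters and the individual trap records, pulls the CFGMAN records (the configuration-change traps) out for alerting, and checks the Dropped/Overwritten counters, because a non-zero value there means the local buffer has lost history and the traps must be collected by an external receiver. The sample input is the guide's own output reproduced verbatim; the field names EventIndex, CommandSource, ConfigSource and ConfigDestination are passed through as raw values, since the page does not define their meanings.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the display trapbuffer output shown in the guide,
# reproduced here so the parser runs offline.
TRAPBUFFER_OUTPUT = """\
Trapping buffer configuration and contents:enabled
Allowed max buffer size : 1024
Actual buffer size : 1024
Channel number : 3 , channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 31
#Aug 27 04:01:50:785 2010 HP DEVM/4/SYSTEM WARM START:
Trap 1.3.6.1.4.1.25506.6.8.5: system warm start.
#Aug 27 04:01:54:374 2010 HP SHELL/4/LOGIN:
Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console
#Aug 27 04:02:10:277 2010 HP CFGMAN/4/TRAP:
1.3.6.1.4.1.25506.2.4.2.1 configure changed:
EventIndex=1,CommandSource=1,ConfigSource=2,ConfigDestination=4
"""

# A trap record starts with "#<timestamp> <sysname> <MODULE>/<severity>/<MNEMONIC>:".
TRAP_HEADER = re.compile(
    r"^#(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<sysname>\S+) (?P<module>[A-Z0-9_]+)/(?P<severity>\d)/(?P<mnemonic>[^:]+):$"
)
# Buffer statistics lines such as "Dropped messages : 0".
COUNTER_LINE = re.compile(r"^(?P<name>[A-Za-z ]+?) *: *(?P<value>\d+)$")
# key=value pairs carried in a trap body, e.g. CommandSource=1.
KV_PAIR = re.compile(r"(\w+)=(\w+)")


@dataclass
class Trap:
    timestamp: str
    sysname: str
    module: str
    severity: int
    mnemonic: str
    body: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)


def parse_trapbuffer(text: str) -> Tuple[Dict[str, int], List[Trap]]:
    """Split display trapbuffer output into buffer counters and trap records."""
    counters: Dict[str, int] = {}
    traps: List[Trap] = []
    current: Optional[Trap] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = TRAP_HEADER.match(line)
        if header:
            current = Trap(header["ts"], header["sysname"], header["module"],
                           int(header["severity"]), header["mnemonic"])
            traps.append(current)
            continue
        if current is not None:
            # Continuation line of the trap opened by the last header.
            current.body.append(line)
            for key, value in KV_PAIR.findall(line):
                current.fields[key] = value
            continue
        counter = COUNTER_LINE.match(line)
        if counter:
            counters[counter["name"].strip()] = int(counter["value"])
    return counters, traps


def config_change_events(traps: List[Trap]) -> List[Trap]:
    """The CFGMAN module reports configuration changes; these are the records to alert on."""
    return [t for t in traps if t.module == "CFGMAN"]


def buffer_is_complete(counters: Dict[str, int]) -> bool:
    """True only if no traps were dropped or overwritten; otherwise the change history
    in the local buffer has gaps and must be taken from an external trap receiver."""
    return (counters.get("Dropped messages", 0) == 0
            and counters.get("Overwritten messages", 0) == 0)


if __name__ == "__main__":
    stats, records = parse_trapbuffer(TRAPBUFFER_OUTPUT)
    print("buffer complete:", buffer_is_complete(stats))
    for change in config_change_events(records):
        print(change.timestamp, change.sysname, change.fields)
```

In practice the same parser can be fed the output of a scheduled display trapbuffer pull, with any CFGMAN record that has no matching change ticket raised as an alert.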
Control plane
Control plane functions consist of the protocols and processes that communicate between network devices to move
data from source to destination, including routing protocols such as the Border Gateway Protocol, as well as protocols
like ICMP and the Resource Reservation Protocol (RSVP).
It is important that events in the management and data planes do not adversely affect the control plane. If a data plane
event such as a DoS attack impacts the control plane, the entire network can become unstable. The following HP
Comware software features and configurations can help ensure the resilience of the control plane.
General control plane hardening
Protection of a network device’s control plane is critical because the control plane helps ensure that the management
and data planes are maintained and operational. If the control plane becomes unstable during a security incident, it may
be impossible to recover the stability of the network.
In many cases, disabling the reception and transmission of certain types of messages on an interface can reduce the
amount of CPU load that is required to process unneeded packets.
IP ICMP redirects
An ICMP redirect message can be generated by a router when a packet is received and transmitted on the same
interface. In this situation, the router forwards the packet and sends an ICMP redirect message back to the sender of the
original packet. This behavior allows the sender to bypass the router and forward future packets directly to the
destination (or to a router closer to the destination). In a properly functioning IP network, a router sends redirects only
to hosts on its own local subnets. In other words, ICMP redirects should never go beyond a Layer 3 boundary.