HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
There are two types of ICMP redirect messages: redirect for a host address and redirect for an entire subnet. A malicious
user can exploit the ability of the router to send ICMP redirects by continually sending packets to the router, forcing the
router to respond with ICMP redirect messages. This produces an adverse impact on the CPU and on the performance of
the router. In order to prevent the router from sending ICMP redirects, use the undo ip redirects command.
For more information on ICMP redirects, see “IP Performance Optimization” in the Layer-3 IP Services Command
Reference Guide.
ICMP unreachables
Generating ICMP unreachable messages can increase CPU load on the device. ICMP unreachable message generation can
be disabled using the undo ip unreachables command.
ICMP TTL-expiry
Generating ICMP timeout messages can increase CPU load on the device. ICMP TTL timeout message generation can be
disabled using the undo ip ttl-expires command.
Proxy ARP
Proxy ARP is the technique in which one device, usually a router, answers ARP requests that are intended for another
device. By "faking" its identity, the router accepts responsibility for routing packets to the real destination. Proxy ARP
can help machines on a subnet reach remote subnets without configuring routing or a default gateway. Proxy ARP is
defined in RFC 1027.
There are several disadvantages to utilizing proxy ARP. Doing so can result in an increase in the amount of ARP traffic on
the network segment, as well as resource exhaustion and man-in-the-middle attacks. Proxy ARP presents a resource
exhaustion attack vector because each proxied ARP request consumes a small amount of memory. An attacker can
exhaust all available memory by sending a large number of ARP requests.
In a man-in-the-middle attack, a host on the segment spoofs the MAC address of the router, so unsuspecting hosts send
their traffic to the attacker instead of to the real gateway. Proxy ARP can be disabled using the undo proxy-arp enable
command in interface view.
For more information on this feature, see “ARP Configuration” in the Layer-3 IP Services Command Reference Guide.
Network time protocol
Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack
vector. If NTP is used, it is important to explicitly configure a trusted time source and to use proper authentication.
Accurate and reliable time is required for syslog purposes, such as correlating events across devices during forensic
investigations of potential attacks, as well as for successful VPN connectivity when certificates are used for IKE Phase 1
authentication, because certificate validity checks depend on the device clock.
NTP time zone—When you configure NTP, the time zone needs to be configured so that timestamps can be accurately
correlated. There are usually two approaches to configuring the time zone for devices in a network with a global
presence. One method is to configure all network devices with the Coordinated Universal Time (UTC—previously
Greenwich Mean Time [GMT]). The other approach is to configure network devices with the local time zone. More
information on this feature can be found in “clock timezone” in the HP product documentation.
NTP maximum dynamic sessions—Use the ntp-service max-dynamic-sessions command to set the maximum number
of dynamic NTP sessions that are allowed to be established locally. Please see “NTP” in the Network Management and
Monitoring Configuration Guide and Command Reference Guide.
NTP access control—Configure the access control right to restrict the NTP peers. The access control right mechanism
provides only a minimum degree of security protection for the system running NTP. A more secure method is identity
authentication. For more information, see “NTP” in the Network Management and Monitoring Configuration Guide and
Command Reference Guide.
NTP authentication—Configuring NTP authentication provides some assurance that NTP messages are exchanged
between trusted NTP peers. For more information on how to configure NTP authentication, see “NTP” in the Network
Management and Monitoring Configuration Guide and Command Reference Guide.
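The script below is an added example and not part of the HP guide. It audits a Comware configuration dump for the items covered above, the ICMP redirect, unreachable and TTL-expiry generators, proxy ARP on each interface, and the NTP time zone, session limit, access control and authentication settings, and reports what is still missing. Both configuration excerpts are constructed samples; the command spellings (ip redirects enable, proxy-arp enable, ntp-service authentication enable, ntp-service reliable authentication-keyid, ntp-service access) follow the Comware 5 syntax as the author understands it, and the time-zone check assumes the clock timezone setting appears in the dump, so verify both against your platform's command reference before relying on the results.

```python
"""Audit a Comware config dump for the ICMP, proxy ARP and NTP items above.

Added example, not code from the HP guide. Command spellings (ip redirects
enable, proxy-arp enable, ntp-service ...) follow the Comware 5 syntax as the
author understands it, and the time-zone check assumes 'clock timezone' appears
in the dump; verify both against your platform's command reference.
"""
import re

# Constructed sample: none of this section's hardening applied.
UNHARDENED = """\
#
 ip redirects enable
 ip unreachables enable
 ip ttl-expires enable
#
 ntp-service unicast-server 192.0.2.10
#
interface Vlan-interface10
 ip address 10.0.10.1 255.255.255.0
 proxy-arp enable
#
"""

# Constructed sample: the same device after applying this section.
HARDENED = """\
#
 clock timezone UTC add 00:00:00
#
 ntp-service authentication enable
 ntp-service authentication-keyid 1 authentication-mode md5 cipher $c$3$constructed
 ntp-service reliable authentication-keyid 1
 ntp-service unicast-server 192.0.2.10 authentication-keyid 1
 ntp-service access peer 2001
 ntp-service max-dynamic-sessions 20
#
interface Vlan-interface10
 ip address 10.0.10.1 255.255.255.0
#
"""


def parse_config(text):
    """Split a dump into system-view lines and {interface: [lines]}.

    Comware separates sections with a bare '#'; 'interface X' opens a block
    that runs to the next '#'. Indentation is stripped because sub-commands
    are printed with a leading space.
    """
    system_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is None:
            system_lines.append(line)
        else:
            interfaces[current].append(line)
    return system_lines, interfaces


def audit(text):
    """Return (tag, detail) findings for each item the section asks for."""
    system_lines, interfaces = parse_config(text)
    findings = []

    # Comware only writes 'ip <feature> enable' when generation is on, so the
    # presence of the line is what to flag.
    for feature in ("redirects", "unreachables", "ttl-expires"):
        if f"ip {feature} enable" in system_lines:
            findings.append((f"icmp-{feature}", f"ip {feature} enable is set; use its undo form"))

    # Proxy ARP is an interface-view setting, so report it per interface.
    for name, lines in interfaces.items():
        if "proxy-arp enable" in lines:
            findings.append(("proxy-arp", f"{name}: proxy-arp enable is set"))

    # NTP checks only matter if a server or peer is configured.
    ntp = [l for l in system_lines if l.startswith("ntp-service ")]
    servers = [l for l in ntp if re.match(r"ntp-service unicast-(server|peer) ", l)]
    if servers:
        if "ntp-service authentication enable" not in ntp:
            findings.append(("ntp-auth", "ntp-service authentication enable is missing"))
        # A key must be both defined and declared reliable before it is trusted.
        reliable = set(re.findall(r"ntp-service reliable authentication-keyid (\d+)", "\n".join(ntp)))
        for s in servers:
            m = re.search(r"authentication-keyid (\d+)", s)
            if m is None:
                findings.append(("ntp-server-key", f"{s}: no authentication-keyid"))
            elif m.group(1) not in reliable:
                findings.append(("ntp-key-not-reliable", f"{s}: key {m.group(1)} is not declared reliable"))
        if not any(l.startswith("ntp-service access ") for l in ntp):
            findings.append(("ntp-access", "no ntp-service access ACL restricts NTP peers"))
        if not any(l.startswith("ntp-service max-dynamic-sessions ") for l in ntp):
            findings.append(("ntp-max-sessions", "ntp-service max-dynamic-sessions is not set"))

    # Time zone, so that syslog timestamps correlate across devices.
    if not any(l.startswith("clock timezone ") for l in system_lines):
        findings.append(("timezone", "clock timezone is not configured"))
    return findings
```

Run audit() on the output of display current-configuration saved to a file; the unhardened sample produces nine findings and the hardened sample none. The reliable-key check is the one most often missed in practice: defining a key and attaching it to the server line is not enough on Comware, the key ID must also be declared with ntp-service reliable authentication-keyid or the device will not trust it.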