HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
Limiting the CPU impact of control plane traffic
Protecting the control plane is critical. The control plane is what keeps the management and data planes operational: if it becomes unstable during a security incident, the device may no longer be manageable, forwarding degrades, and application performance and the end-user experience suffer. Preserving the survivability of the control plane therefore helps ensure that the other two planes remain maintainable and operational.
Understanding control plane traffic
To properly protect the control plane of HP Comware devices, it is essential to understand the types of traffic that are
processed by the CPU. CPU-processed traffic normally falls into two categories. The first is traffic directed to the HP
Comware device itself, which must be handled directly by the HP Comware device CPU:
• Traffic to the device
This kind of unicast traffic matches FIB entries that have either a next hop of 127.0.0.1 or an outbound interface of
InLoop0 (shown by the display fib command), such as traffic destined to interface IP addresses. Some multicast and
broadcast traffic must also be processed by the device.
The second category is data plane traffic with a destination beyond the HP Comware device itself that nevertheless
requires special processing by the CPU. The following list is not exhaustive, but each of these types of traffic is
processed by the CPU and can therefore affect the operation of the control plane:
• IP options
Any IP packets with options must be processed by the CPU.
• Fragmentation
Any IP packet that requires fragmentation must be passed to the CPU for processing.
• Time-to-live (TTL) expiry
Packets that arrive with a TTL value of 1 or less cannot be forwarded; the device must generate an Internet Control
Message Protocol Time Exceeded message (ICMP Type 11, Code 0), which results in CPU processing.
• ICMP unreachables
Packets that result in ICMP unreachable messages due to routing, MTU, or filtering are processed by the CPU.
• ICMP redirects
Packets that are received and transmitted on the same interface are processed by the CPU so that an ICMP redirect can
be sent to the source.
• Traffic requiring an ARP request
Destinations for which no ARP entry exists require processing by the CPU.
• Non-IP traffic
All non-IP traffic is processed by the CPU. The display fib command can be used to check which prefixes and next hops
the forwarding engine holds for IP traffic.
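The criteria above can be turned into a small decision model, which is useful when assessing how much of the traffic on a link will hit the CPU. The following Python is an added example, not HP code or device output: the FIB (in the shape of display fib output), the ARP cache, the MTU table and the sample frames are all constructed, and the classifier models the guide's list of punt reasons rather than Comware's actual forwarding code.

```python
"""Model of which packets an HP Comware device hands to its CPU.
Added example, not HP code or output: the FIB, ARP cache, MTU table and
frames are constructed, and the logic models the guide's criteria only."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800


@dataclass
class FibEntry:
    prefix: ipaddress.IPv4Network
    nexthop: str      # next hop as `display fib` shows it
    interface: str    # outbound interface; InLoop0 means "deliver locally"

# Constructed FIB in the shape of `display fib` output: the device's own address
# points at 127.0.0.1 / InLoop0, transit prefixes point out Vlan1, and there is
# deliberately no default route, so 172.16.0.0/12 is unroutable.
FIB = [
    FibEntry(ipaddress.ip_network("192.168.1.1/32"), "127.0.0.1", "InLoop0"),
    FibEntry(ipaddress.ip_network("192.168.1.0/24"), "192.168.1.1", "Vlan1"),
    FibEntry(ipaddress.ip_network("10.0.0.0/8"), "192.168.1.254", "Vlan1"),
]
ARP_CACHE = {"192.168.1.254", "192.168.1.26"}   # constructed resolved neighbours
MTU = {"Vlan1": 1500}                            # constructed egress MTUs


def fib_lookup(dst: str) -> Optional[FibEntry]:
    """Longest-prefix match, as the forwarding engine performs it."""
    addr = ipaddress.ip_address(dst)
    hits = [e for e in FIB if addr in e.prefix]
    return max(hits, key=lambda e: e.prefix.prefixlen, default=None)


def is_local(entry: Optional[FibEntry]) -> bool:
    return entry is not None and (entry.interface == "InLoop0" or entry.nexthop == "127.0.0.1")


def cpu_reasons(frame: bytes, ingress: str) -> List[str]:
    """Return every reason the frame is punted to the CPU; [] means hardware forwarded."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return ["non-IP traffic"]
    ip = frame[14:]
    ihl = ip[0] & 0x0F                                   # header length in 32-bit words
    total_len, _, flags, ttl = struct.unpack("!HHHB", ip[2:9])
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    reasons: List[str] = []
    if ihl > 5:
        reasons.append("IP options present")
    entry = fib_lookup(dst)
    if entry is None:
        return reasons + ["no route: ICMP unreachable generated"]
    if is_local(entry):
        return reasons + ["destined to the device (FIB next hop 127.0.0.1 / InLoop0)"]
    # Transit traffic from here on; it may still need the CPU for these cases.
    if ttl <= 1:
        reasons.append("TTL expiry: ICMP time exceeded generated")
    if total_len > MTU[entry.interface]:
        reasons.append("fragmentation needed but DF set: ICMP unreachable generated"
                       if flags & 0x4000 else "fragmentation required")
    if entry.interface == ingress:
        reasons.append("ICMP redirect: same ingress and egress interface")
    # Connected prefix (next hop is the device's own address): resolve the destination itself.
    neighbour = dst if is_local(fib_lookup(entry.nexthop)) else entry.nexthop
    if neighbour not in ARP_CACHE:
        reasons.append(f"ARP request required for {neighbour}")
    return reasons


def ipv4_frame(dst: str, ttl: int = 64, options: bytes = b"", payload: int = 64,
               df: bool = False, src: str = "192.168.1.26") -> bytes:
    """Build a constructed Ethernet/IPv4 frame (checksum left zero; it is not inspected)."""
    ihl = 5 + len(options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload, 0,
                         0x4000 if df else 0, ttl, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = struct.pack("!6s6sH", b"\x00\x1b\x21\x00\x00\x01", b"\x00\x1b\x21\x00\x00\x02",
                      ETHERTYPE_IPV4)
    return eth + ip_hdr + options + bytes(payload)


# Constructed sample frames: one per punt reason plus a clean transit packet.
SAMPLES = {
    "to device":     (ipv4_frame("192.168.1.1"), "Vlan2"),
    "clean transit": (ipv4_frame("10.1.2.3"), "Vlan2"),
    "ttl expiry":    (ipv4_frame("10.1.2.3", ttl=1), "Vlan2"),
    "ip options":    (ipv4_frame("10.1.2.3", options=b"\x07\x03\x04\x00"), "Vlan2"),
    "df too big":    (ipv4_frame("10.1.2.3", payload=1600, df=True), "Vlan2"),
    "redirect":      (ipv4_frame("10.1.2.3"), "Vlan1"),
    "needs arp":     (ipv4_frame("192.168.1.77"), "Vlan2"),
    "no route":      (ipv4_frame("172.16.0.1"), "Vlan2"),
    "non-ip (LLDP)": (struct.pack("!6s6sH", b"\xff" * 6, b"\x00" * 6, 0x88CC) + bytes(46), "Vlan2"),
}

if __name__ == "__main__":
    for name, (frame, ingress) in SAMPLES.items():
        r = cpu_reasons(frame, ingress)
        print(f"{name:14s} -> {'; '.join(r) if r else 'hardware forwarded'}")
```

Running the block prints one line per sample. The point the model makes explicit is that only a packet with a normal TTL, no options, a size within the egress MTU, a route whose next hop is already resolved, and an egress interface different from the ingress one stays in hardware; every other case in the list is a CPU hit that control plane filtering and rate limiting must account for. On a real device the FIB and ARP inputs would come from display fib and display arp rather than the constructed tables used here.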
FTP and TFTP ACLs
The FTP server on the device can reject FTP requests from some clients and permit only the clients allowed by the ACL
rules. The command to configure this feature is ftp server acl. For more information, see “FTP” and “TFTP” in the
Fundamentals Configuration Guide.
The tftp-server acl command controls, by ACL, which TFTP servers the device itself is allowed to reach when it acts as
a TFTP client.
User interface ACLs
You can use ACLs to control which Telnet/SSH users can reach the VTYs. The command in user interface view is
acl [ ipv6 ] acl-number { inbound | outbound }: inbound restricts the hosts that may log in to the VTYs, outbound
restricts where sessions started from the device may go. The following example permits logins on VTYs 0 through 4 only
from the management host 192.168.1.26; apply it from a session you can afford to lose, and verify from a second session
before disconnecting, because a mistake here locks out remote management:
#
acl number 2001
 rule permit source 192.168.1.26 0
#
user-interface vty 0 4
 acl 2001 inbound
#