HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
For more information on these two features, see “TCP” and “ICMP Attack Protection” in the Security Configuration Guide.
Securing BGP
Border Gateway Protocol (BGP) is the routing foundation of the Internet. As such, any organization with more than modest connectivity requirements often finds itself utilizing BGP. BGP is often targeted by attackers because of its ubiquity and the “set-and-forget” nature of BGP configurations in smaller organizations. However, there are many BGP-specific security features that can be leveraged to increase the security of a BGP configuration.
The following section provides an overview of the most important BGP security features. Where appropriate,
configuration recommendations are made.
Generalized TTL Security Mechanism
The Generalized TTL Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from CPU utilization–based attacks. In particular, while cryptographic techniques can protect the router-based infrastructure from a wide variety of attacks, many attacks based on CPU overload can be prevented by GTSM. Note that the same technique protects against other scarce-resource attacks involving a router's CPU, such as attacks against processor-line card bandwidth.
GTSM for BGP is enabled using the ttl-security option for the peer command in BGP view. The following example
illustrates the configuration of this feature:
#
bgp <asn>
peer <ip-address> as-number <remote-asn>
peer <ip-address> ttl-security hops <hop-count>
#
When a BGP packet is received, its IP TTL value is checked and the packet is accepted only if the TTL is greater than 255 minus the configured hop-count; with a hop-count of 1, for example, only packets that arrive with a TTL of 255 (a directly connected peer) are accepted.
For more information, see “Configuring GTSM for BGP in BGP” in the Layer-3 IP Routing Configuration Guide.
BGP peer authentication with MD5
Peer authentication using MD5 creates an MD5 digest of each packet sent as part of a BGP session. Specifically, portions
of the IP and TCP headers, TCP payload, and a secret key are used to generate the digest.
The created digest is then stored in TCP option Kind 19, which was created specifically for this purpose by RFC 2385. The
receiving BGP speaker uses the same algorithm and secret key to regenerate the message digest. If the received and
computed digests are not identical, the packet is discarded.
Peer authentication with MD5 is configured by using the password option in the peer command in BGP view. The use of
this command is illustrated as follows:
#
bgp <asn>
peer <ip-address> as-number <remote-asn>
peer <ip-address> password cipher <secret>
#
For more information, see “Enabling MD5 Authentication for TCP Connections in BGP” in the Layer-3 IP Routing Configuration Guide.
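As an added illustration of the two receive-side checks described above (not code from this guide or from Comware), the following Python models the GTSM hop-count test and the RFC 2385 TCP MD5 signature: the sender builds the Kind 19 option from the pseudo-header, the TCP header with a zeroed checksum, the data and the secret, and the receiver regenerates the digest and discards the segment on any mismatch. The addresses, ports, key and sample TCP header are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_OPTION_KIND = 19  # RFC 2385 TCP MD5 Signature Option; its length field is always 18

def gtsm_accepts(ttl, hops):
    """GTSM check as the guide states it: the received TTL must exceed 255 - hop-count."""
    return ttl > 255 - hops

def tcp_md5_digest(src_ip, dst_ip, tcp_header, options, payload, key):
    """RFC 2385 digest over: pseudo-header, 20-byte TCP header with checksum zeroed
    (options are excluded but count toward the segment length), data, shared secret."""
    seg_len = len(tcp_header) + len(options) + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))  # zero byte, IP protocol 6 (TCP), length
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + header + payload + key).digest()

def sign_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Sender: options area = Kind 19, length 18, digest, then two NOPs for 4-byte alignment."""
    placeholder = b"\x13\x12" + bytes(16) + b"\x01\x01"  # same length as the final options
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_header, placeholder, payload, key)
    return b"\x13\x12" + digest + b"\x01\x01"

def find_md5_option(options):
    """Walk the TCP options area; return the 16-byte digest carried in Kind 19, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # NOP, a single byte with no length field
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0  # truncated option reads as 0
        if length < 2:  # malformed: stop rather than loop forever or read past the end
            break
        if kind == TCP_MD5_OPTION_KIND and length == 18:
            return options[i + 2:i + 18]
        i += length

def receiver_accepts(src_ip, dst_ip, tcp_header, options, payload, key):
    """Receiver: recompute the digest and compare; any mismatch means the segment is discarded."""
    received = find_md5_option(options)
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, options, payload, key)
    return received is not None and hmac.compare_digest(received, expected)
# Constructed sample: BGP (port 179) segment header, PSH|ACK, data offset 10 words (20 + 20 bytes).
SAMPLE_HEADER = struct.pack("!HHIIHHHH", 40000, 179, 1000, 2000, 0xA018, 65535, 0x1234, 0)
```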
Configuring maximum prefixes
BGP prefixes are stored by a router in memory, so the more prefixes a router must hold, the more memory BGP consumes. In some configurations only a subset of all Internet prefixes needs to be stored, such as configurations that rely only on a default route or on routes for a provider’s customer networks.