HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
  - General management plane hardening
  - Limiting access to the network with infrastructure ACLs
  - Securing interactive management sessions
  - Fortifying Simple Network Management Protocol
  - Logging best practices
  - HP Comware software configuration management
- Control plane
  - General control plane hardening
  - Limiting the CPU impact of control plane traffic
  - Securing BGP
  - Securing Interior Gateway Protocols
  - Securing Virtual Router Redundancy Protocol
- Data plane
  - General data plane hardening
  - Filtering transit traffic with Transit ACLs
  - Anti-spoofing protections
  - Limiting the CPU impact of data plane traffic
  - Traffic identification and traceback
  - Access control with VLAN QoS policy and port access control lists
  - Using private VLANs
  - Port isolation
area-authentication-mode md5 <password>
domain-authentication-mode md5 <password>
#
For more information, see “Enhancing IS-IS Network Security in ISIS” in the Layer-3 IP Routing Configuration Guide.
Silent-interface commands
Information leaks, or the introduction of false information into an IGP, can be mitigated through use of the
silent-interface command, which assists in controlling the advertisement of routing information. You are advised
not to advertise any information to networks that are outside your administrative control.
The following example demonstrates usage of this feature:
#
ospf <process-id>
silent-interface all
undo silent-interface <interface>
#
Route filtering
To reduce the possibility of introducing false routing information to the network, you must utilize route filtering. Unlike
the silent-interface command, route filtering leaves routing active on the interface, but limits the information that is
advertised or processed.
For RIP, using the filter-policy command with the export keyword limits what information is advertised, while use of
the import keyword limits what updates are processed. The filter-policy command is available for OSPF, but it does not
prevent a router from propagating filtered routes. Instead, the filter command can be used.
The following RIP example filters outbound advertisements with the filter-policy command and a prefix list:
#
ip ip-prefix <list-name> index 10 permit <ip-address> <mask-length>
#
rip <process-id>
silent-interface all
undo silent-interface <interface>
filter-policy ip-prefix <list-name> export <interface>
#
The following RIP example filters inbound updates with a prefix list:
#
ip ip-prefix <list-name> index 10 permit <ip-address> <mask-length>
#
rip <process-id>
silent-interface all
undo silent-interface <interface>
filter-policy ip-prefix <list-name> import <interface>
#
For more information, see “Configuring Inbound/Outbound Route Filtering in RIP” in the Layer-3 IP Routing
Configuration Guide.
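The following Python script is an added example, not part of the HP guide. It audits a saved configuration for the silent-interface and RIP filter-policy pattern shown above. The sample configuration, process IDs, interface names and prefix-list names are constructed, and the function name audit_igp is hypothetical.

```python
import re

# Constructed sample config; IDs, interface and prefix-list names are invented.
SAMPLE = """\
#
ip ip-prefix CORE-OUT index 10 permit 10.0.0.0 8
#
ospf 1
 silent-interface all
 undo silent-interface GigabitEthernet1/0/1
#
rip 1
 undo silent-interface GigabitEthernet1/0/2
 filter-policy ip-prefix CORE-OUT export GigabitEthernet1/0/2
#
rip 2
 silent-interface all
 undo silent-interface GigabitEthernet1/0/3
 filter-policy ip-prefix CORE-OUT export GigabitEthernet1/0/3
 filter-policy ip-prefix MISSING import GigabitEthernet1/0/3
#
"""

def audit_igp(config: str) -> dict:
    """Return {process header: [findings]} for each ospf/rip section."""
    defined = set(re.findall(r"^ip ip-prefix (\S+)", config, re.M))
    report = {}
    for section in re.split(r"^#[ \t]*$", config, flags=re.M):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        if not lines or not re.match(r"(ospf|rip)\b", lines[0]):
            continue
        body, findings = lines[1:], []
        # Without this, every interface enabled for the IGP advertises routes.
        if "silent-interface all" not in body:
            findings.append("no 'silent-interface all'")
        policies = [ln.split() for ln in body if ln.startswith("filter-policy ")]
        for p in policies:
            if len(p) > 2 and p[1] == "ip-prefix" and p[2] not in defined:
                findings.append(f"prefix list '{p[2]}' is not defined")
        # Direction checks apply to RIP only; the guide uses another command for OSPF.
        if lines[0].startswith("rip"):
            for direction in ("export", "import"):
                if not any(direction in p for p in policies):
                    findings.append(f"no {direction} filter-policy")
        report[lines[0]] = findings
    return report

if __name__ == "__main__":
    print(audit_igp(SAMPLE))
```

The parser accepts both indented sub-commands, as in a saved device configuration, and the unindented layout used in this guide.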
The following OSPF example utilizes a prefix list with the OSPF-specific filter command:
#










