HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
#
undo ip redirects
#
For more information on the undo ip redirects command, see “IP Performance Optimization” in the Layer-3 IP Services
Configuration Guide.
Disable or limit IP Directed broadcasts
IP Directed Broadcasts make it possible to send an IP broadcast packet to a remote IP subnet. Once it reaches the remote
network, the forwarding IP device sends the packet as a Layer 2 broadcast to all stations on the subnet. This directed
broadcast functionality has been leveraged as an amplification and reflection aid in several attacks, including the
Smurf attack.
Current versions of HP Comware products have this functionality disabled by default; however, it can be enabled via the
ip forward-broadcast command.
If a network absolutely requires directed broadcast functionality, its use should be controlled. This is possible using an
access control list as an option to the ip forward-broadcast command. The following configuration example limits
directed broadcasts to those UDP packets originating at a trusted network, 192.168.1.0/24:
#
acl number 3001
rule 0 permit udp source 192.168.1.0 0.0.0.255
#
interface Ethernet 0/1/0
ip forward-broadcast acl 3001
#
For more information about the ip forward-broadcast command, see “IP Performance Optimization Configuration” in
the Layer-3 IP Services Configuration Guide.
Filtering transit traffic with Transit ACLs
ICMP packet filtering
The Internet Control Message Protocol (ICMP) was designed as a control protocol for IP. As a result, the messages it
conveys can have far-reaching ramifications on TCP and IP in general. ICMP is used by the network troubleshooting tools
ping and traceroute, as well as by Path MTU Discovery; however, external ICMP connectivity is rarely needed for the
proper operation of a network. Note that a blanket deny also drops the Fragmentation Needed messages (type 3, code 4)
that Path MTU Discovery relies on; if hosts behind the device must reach untrusted networks over paths with a reduced
MTU, permit that message type before the catch-all deny.
HP Comware software can filter ICMP messages by name or by type and code, which makes such selective permits possible.
The following example ACL allows ICMP from trusted networks while blocking all ICMP packets from other sources:
#
acl number 3000 name ACL-TRANSIT-IN
#
# Permit ICMP packets from trusted networks only
#
rule permit icmp source <trusted-networks>
#
# Deny all other ICMP traffic.
#
rule deny icmp
#
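As an added example covering both the directed-broadcast control above and this ICMP filtering section (it is not HP's code or tooling), the following Python script parses a Comware-style configuration and flags the weak settings discussed on this page: ip forward-broadcast with no ACL, a forward-broadcast ACL that is referenced but not defined, an interface that has not been given undo ip redirects, and an ICMP ACL whose catch-all deny is not preceded by a permit for Fragmentation Needed (type 3, code 4), which breaks Path MTU Discovery for the sources it denies. The sample configuration is constructed for the example; the "acl advanced" header form, the "icmp-type" keyword spellings, the platform default of sending redirects, and the assumption that ACL rules are evaluated in configured order (match-order config) are assumptions rather than facts taken from this page.

```python
"""Audit a Comware-style configuration for the directed-broadcast, ICMP redirect
and ICMP filtering controls.  Added example for this page, not HP tooling."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample configuration (not a dump from a real device).  It mixes
# one hardened interface with two weak ones so that every check fires.
SAMPLE_CONFIG = """\
#
acl number 3000 name ACL-TRANSIT-IN
 rule 0 permit icmp source 192.168.1.0 0.0.0.255
 rule 5 deny icmp
#
acl number 3001
 rule 0 permit udp source 192.168.1.0 0.0.0.255
#
acl number 3002
 rule 0 permit icmp icmp-type 3 4
 rule 5 permit icmp source 192.168.1.0 0.0.0.255
 rule 10 deny icmp
#
interface Ethernet0/1/0
 ip forward-broadcast acl 3001
 undo ip redirects
#
interface Ethernet0/1/1
 ip forward-broadcast
#
interface Ethernet0/1/2
 undo ip redirects
#
"""

# Assumed syntax: "acl number N" (Comware 5) or "acl advanced N" (Comware 7),
# and "icmp-type 3 4" / "icmp-type fragmentneed-DFset" for Fragmentation Needed.
ACL_HEAD = re.compile(r"acl (?:number|advanced|basic) (\d+)")
INTF_HEAD = re.compile(r"interface (\S+)")
FWD_BCAST = re.compile(r"ip forward-broadcast(?: acl (\d+))?$")
FRAG_NEEDED = re.compile(r"icmp-type\s+(?:3\s+4|fragmentneed)", re.I)

Finding = Tuple[str, str]  # (where, code)


@dataclass
class Config:
    acls: Dict[str, List[str]] = field(default_factory=dict)        # number -> rules
    interfaces: Dict[str, List[str]] = field(default_factory=dict)  # name -> lines


def _blocks(text: str):
    """Yield the lines of each view; Comware separates views with a bare '#'."""
    block: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def parse_config(text: str) -> Config:
    cfg = Config()
    for head, *body in _blocks(text):
        if m := ACL_HEAD.match(head):
            cfg.acls[m.group(1)] = body
        elif m := INTF_HEAD.match(head):
            cfg.interfaces[m.group(1)] = body
    return cfg


def audit(cfg: Config) -> List[Finding]:
    findings: List[Finding] = []
    for name, lines in cfg.interfaces.items():
        for line in lines:
            m = FWD_BCAST.match(line)
            if not m:
                continue
            acl = m.group(1)
            if acl is None:  # directed broadcasts forwarded from any source: Smurf reflector
                findings.append((name, "DIRECTED_BCAST_NO_ACL"))
            elif not cfg.acls.get(acl):  # referenced ACL absent or has no rules
                findings.append((name, "DIRECTED_BCAST_ACL_MISSING"))
        # Assumes the platform default of sending ICMP redirects, which the
        # page hardens with "undo ip redirects".
        if "undo ip redirects" not in lines:
            findings.append((name, "IP_REDIRECTS_ENABLED"))
    for num, rules in cfg.acls.items():
        # Assumes rules are evaluated in configured order (match-order config).
        for i, rule in enumerate(rules):
            if not rule.endswith("deny icmp"):
                continue
            if not any("permit icmp" in r and FRAG_NEEDED.search(r) for r in rules[:i]):
                findings.append((f"acl {num}", "ICMP_DENY_BREAKS_PMTUD"))
            break
    return findings


if __name__ == "__main__":
    for where, code in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{where}: {code}")
```

On the sample, Ethernet0/1/1 is reported twice (unrestricted directed broadcast and redirects still enabled) and ACL 3000, the page's own ICMP example, is reported once because its deny follows only a source-based permit; ACL 3002 passes because it permits type 3 code 4 before the deny. Run it against a saved display current-configuration and review the findings before changing anything, since the checks are syntactic and do not know which interfaces face untrusted networks.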