HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
After password control is configured, a password is displayed as ***, and is saved in a special format in the
configuration file.
Users will often choose their user names or simple digits such as 123456 as their passwords. These passwords can
easily be cracked. Increasing password complexity can make it more difficult to crack passwords.
With password control, the administrator can configure the minimum password length, password composition check,
password complexity check, password update interval, password aging, early notice on pending password expiration,
login with an expired password, password history, login attempt limit, password display, authentication timeout
management, maximum account idle time, and logging. (The system logs all successful password change events and
user blacklisting events due to login failures.)
The following gives a typical configuration example of password control:
# Enable password control globally.
[Sysname] password-control enable
# Prohibit a user from logging in forever after two consecutive login failures.
[Sysname] password-control login-attempt 2 exceed lock
# Set an age time of 30 days for all passwords.
[Sysname] password-control aging 30
# Set the minimum password update interval to 36 hours.
[Sysname] password-control password update interval 36
# Specify that a user can log in five times within 60 days after the password expires.
[Sysname] password-control expired-user-login delay 60 times 5
# Set the maximum account idle time to 30 days.
[Sysname] password-control login idle-time 30
# Refuse any password that contains the user name or the reverse of the user name.
[Sysname] password-control complexity user-name check
# Specify that no character of the password can be repeated three or more times consecutively.
[Sysname] password-control complexity same-character check
# Set the minimum number of composition types for super passwords to 3 and the minimum number of characters of each composition type to 5.
[Sysname] password-control super composition type-number 3 type-length 5
# Configure a super password.
[Sysname] super password level 3 simple 12345ABGFTweuix
# Create a local user named test.
[Sysname] local-user test
# Set the service type of the user to Telnet.
[Sysname-luser-test] service-type telnet
# Set the minimum password length to 12 for the local user.
[Sysname-luser-test] password-control length 12
# Set the minimum number of password composition types to 2 and the minimum number of characters of each password composition type to 5 for the local user.
[Sysname-luser-test] password-control composition type-number 2 type-length 5
# Set the password age time to 20 days for the local user.
[Sysname-luser-test] password-control aging 20
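As an added example that is not part of the HP guide, the following Python function pre-checks a candidate password against the rules the configuration above enforces for local user test (minimum length 12, at least two composition types with at least five characters each, the user-name check and the same-character check), so an operator can validate passwords offline before pushing them to the device. It assumes Comware's four composition types (uppercase, lowercase, digits, other characters), counts a type only when it meets the per-type minimum, and compares against the user name case-insensitively; these interpretations are assumptions, not taken from the guide.

```python
"""Offline pre-check of the Comware password-control rules configured above."""
import re

# Assumed composition types: uppercase, lowercase, digits, and any other character.
COMPOSITION_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, username, min_length=12, type_number=2,
                   type_length=5, user_name_check=True, same_character_check=True):
    """Return the list of violated rules; an empty list means the password passes.

    Defaults mirror the local-user policy in the configuration above:
    length 12, composition type-number 2 type-length 5.
    """
    failures = []

    # password-control length: minimum overall length.
    if len(password) < min_length:
        failures.append("length")

    # password-control composition: a type counts only if it contributes
    # at least type_length characters (assumed interpretation).
    satisfied = sum(1 for rx in COMPOSITION_CLASSES.values()
                    if len(rx.findall(password)) >= type_length)
    if satisfied < type_number:
        failures.append("composition")

    # password-control complexity user-name check: reject the user name
    # or its reverse anywhere in the password (case-insensitive, assumed).
    if user_name_check and username:
        lowered, name = password.lower(), username.lower()
        if name in lowered or name[::-1] in lowered:
            failures.append("user-name")

    # password-control complexity same-character check: no character may
    # appear three or more times in a row.
    if same_character_check and re.search(r"(.)\1\1", password):
        failures.append("same-character")

    return failures
```

The super password from the example, 12345ABGFTweuix, passes even with type_number=3, since it carries exactly five digits, five uppercase and five lowercase characters.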