HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
Approach II, enable NetStream through QoS policy.
#
ip netstream { inbound | outbound }
#
traffic behavior <behavior-name>
mirror-to interface net-stream <interface-number>
#
Approach III, enable NetStream through port mirroring.
#
ip netstream { inbound | outbound }
#
interface Ethernet0/1/0
ip netstream mirror-to interface net-stream <interface-number>
#
The following is an example of NetStream output from the CLI. The If(Direc) attribute can be useful in traceback:
#
<Sysname> display ip netstream cache
IP netstream cache information:
Stream active timeout (in minutes) : 60
Stream inactive timeout (in seconds) : 10
Stream max entry number : 1000
IP active stream entry number : 1
MPLS active stream entry number : 2
L2 active stream entry number : 1
IPL2 active stream entry number : 1
IP stream entries been counted : 10
MPLS stream entries been counted : 20
L2 stream entries been counted : 10
IPL2 stream entries been counted : 20
Last statistics reset time : 01/01/2000, 00:01:02
IP packet size distribution (1103746 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.249 .694 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 >4608
.000 .000 .027 .000 .027 .000 .000 .000 .000 .000 .000 .000
Protocol      Total     Packets   Stream    Packets   Active(sec)  Idle(sec)
              Streams   /Sec      /Sec      /stream   /stream      /stream
TCP-Telnet    2656855   372       4         86        49           27
TCP-FTP       5900082   86        9         9         11           33
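As an added example (not part of the HP guide), the following Python parses the display ip netstream cache output shown above into structured data, so the per-protocol counters can be checked by a monitoring script instead of by eye. The sample text is constructed from the output quoted on this page, and the packets-per-stream threshold in short_flow_protocols is an assumed heuristic, not a value from the guide.

```python
import re

# Constructed sample modelled on the "display ip netstream cache" output quoted above.
SAMPLE = """\
<Sysname> display ip netstream cache
IP netstream cache information:
  Stream active timeout (in minutes)   : 60
  Stream max entry number              : 1000
  Last statistics reset time           : 01/01/2000, 00:01:02
IP packet size distribution (1103746 total packets):
  1-32   64   96  128  160  192  224  256
  .249 .694 .000 .000 .000 .000 .000 .000
  512  544  576 1024 1536 2048 2560 >4608
  .000 .000 .027 .000 .027 .000 .000 .000
Protocol    Total    Packets  Stream   Packets  Active(sec) Idle(sec)
            Streams  /Sec     /Sec     /stream  /stream     /stream
TCP-Telnet  2656855  372      4        86       49          27
TCP-FTP     5900082  86       9        9        11          33
"""
ROW_KEYS = ("total_streams", "packets_per_sec", "streams_per_sec", "packets_per_stream", "active_sec", "idle_sec")

def _all_match(tokens, pattern):
    return all(re.fullmatch(pattern, t) for t in tokens)

def parse_netstream_cache(text):
    """Split the CLI output into (settings, packet-size distribution, per-protocol rows)."""
    settings, size_dist, protocols = {}, {}, {}
    buckets, in_table = None, False
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if line.startswith("Protocol"):                 # first header line of the protocol table
            in_table = True
        elif in_table:                                   # data rows: name plus six integer columns
            if len(tokens) == 7 and _all_match(tokens[1:], r"\d+"):
                protocols[tokens[0]] = dict(zip(ROW_KEYS, map(int, tokens[1:])))
        elif _all_match(tokens, r"\d+-\d+|>?\d+"):       # size bucket labels such as 1-32, 64, >4608
            buckets = tokens
        elif buckets and _all_match(tokens, r"\.\d+"):   # fractions belonging to those labels
            size_dist.update(zip(buckets, map(float, tokens)))
            buckets = None
        elif m := re.match(r"(.*?)\s*:\s+(.+)", line):  # "label : value" settings lines
            settings[m.group(1)] = m.group(2)
    return settings, size_dist, protocols

def short_flow_protocols(protocols, max_packets_per_stream=10):
    """Assumed heuristic: very few packets per stream often means scanning or repeated failed connections."""
    return sorted(n for n, r in protocols.items() if r["packets_per_stream"] <= max_packets_per_stream)
```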