HP Networking guide to hardening Comware-based devices

# Configure the password of the local user in interactive mode.
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait........
[Sysname-luser-test] quit
Disable unused services
As a security best practice, disable every service the device does not need. Unneeded services, especially those that
use User Datagram Protocol (UDP), are rarely required for legitimate purposes but can be abused to launch DoS and
other attacks; disabling them removes the exposure outright instead of relying on packet filtering to block it.
The following additional services must be disabled if they are not in use:
Issue the undo dhcp enable command in system view to disable DHCP.
Issue the undo dns resolve command in system view to disable DNS.
Issue the undo x25 switching command in system view to disable X.25 switching function.
Issue the undo ip http enable command in system view to disable HTTP server.
Issue the undo ip https enable command in system view to disable HTTPS server.
Neighbor Discovery Protocol (NDP) discovers other NDP-enabled devices to build neighbor adjacencies and a view of the
network topology, and HGMP uses it to manage a cluster. Because the information NDP advertises is useful to a malicious
user for reconnaissance and network mapping, NDP must be disabled on every interface that connects to an untrusted
network. Issue the undo ndp enable command in interface view to do this per interface. Alternatively, disable NDP
globally with the undo ndp enable command in system view, or on a set of interfaces by giving that command an
interface list in system view.
Link Layer Discovery Protocol (LLDP) is the IEEE standard defined in 802.1AB. LLDP advertises much the same
information as NDP, but because it is standards-based it also interoperates with devices from other vendors that do not
support NDP. LLDP must be treated in the same manner as NDP and disabled on all interfaces that connect to untrusted
networks: issue the undo lldp enable command in interface view. To disable LLDP globally, issue the undo lldp enable
command in system view. Like NDP, LLDP can be used by a malicious user for reconnaissance and network mapping.
EXEC timeout
The idle-timeout command sets how long the command interpreter waits for user input before it terminates the session.
Issue it in user interface view so that sessions left idle on the console, AUX, true type terminal (TTY) or virtual type
terminal (VTY) user interfaces are logged out. By default, a session is disconnected after 10 minutes of inactivity; the
example below shortens this to 2 minutes. Setting the value to 0 disables the timer entirely and must not be used.
#
user-interface con 0
idle-timeout 2 0
user-interface aux 0
idle-timeout 2 0
user-interface vty 0 4
idle-timeout 2 0
#
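The items above (unused services in system view, NDP and LLDP on untrusted interfaces, and idle timeouts on every user interface) are easy to miss when reviewing a long running-config by eye. The following script, added here as an example and not part of the HP guide, parses a Comware-style configuration and reports each deviation. The sample configuration it checks is constructed for the example, the set of "untrusted" interface names is an assumption supplied by the caller, and the 2-minute limit matches the idle-timeout 2 0 setting shown above. It only reads explicit configuration lines, so a service that is enabled by a device default without appearing in the config still has to be confirmed with the relevant display command.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample running-config in Comware 5 syntax (assumption: this is not a dump from a real device).
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 dhcp enable
 dns resolve
 ndp enable
 lldp enable
 undo ip http enable
#
interface GigabitEthernet1/0/1
 description uplink-to-core
 undo ndp enable
 undo lldp enable
#
interface GigabitEthernet1/0/24
 description guest-vlan-access
#
user-interface aux 0
user-interface vty 0 4
 idle-timeout 0 0
#
user-interface vty 5 15
 idle-timeout 2 0
#
"""

# System-view commands that turn on the services the guide says to disable when unused.
SERVICES = ("dhcp enable", "dns resolve", "x25 switching", "ip http enable", "ip https enable")
# Discovery protocols that must be off on interfaces facing untrusted networks.
DISCOVERY = ("ndp enable", "lldp enable")
DEFAULT_IDLE_SECONDS = 10 * 60  # Comware default when no idle-timeout line is configured
IDLE_RE = re.compile(r"^idle-timeout (\d+)(?: (\d+))?$")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a Comware config into system-view lines and per-section lines.
    A section starts at a line beginning with 'interface ' or 'user-interface '
    and ends at the next bare '#' separator or the next section header."""
    system: List[str] = []
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif not line:
            continue
        elif line.startswith(("interface ", "user-interface ")):
            current = line
            sections[current] = []
        elif current is None:
            system.append(line)
        else:
            sections[current].append(line)
    return system, sections


def idle_timeout_seconds(lines: List[str]) -> int:
    """Effective idle timeout of a user-interface section; 'idle-timeout 0 0' disables it (returns 0)."""
    for line in lines:
        m = IDLE_RE.match(line)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return DEFAULT_IDLE_SECONDS


def audit(text: str, untrusted_interfaces: Set[str], max_idle_seconds: int = 2 * 60) -> List[str]:
    """Return one finding per deviation from the hardening items; an empty list means no deviations found."""
    system, sections = parse_config(text)
    findings: List[str] = []

    for svc in SERVICES:
        if svc in system:
            findings.append(f"system view: '{svc}' configured; issue 'undo {svc}' if the service is not needed")

    globally_on = [d for d in DISCOVERY if d in system]
    for header, lines in sections.items():
        if header.startswith("interface "):
            ifname = header.split(" ", 1)[1]
            if ifname not in untrusted_interfaces:
                continue
            for d in globally_on:
                if f"undo {d}" not in lines:
                    findings.append(f"{ifname}: {d.split()[0].upper()} enabled globally and not disabled on this "
                                    f"untrusted interface; issue 'undo {d}' in interface view")
        else:  # user-interface section
            secs = idle_timeout_seconds(lines)
            if secs == 0:
                findings.append(f"{header}: idle timeout disabled ('idle-timeout 0 0')")
            elif secs > max_idle_seconds:
                findings.append(f"{header}: idle timeout {secs // 60} min exceeds {max_idle_seconds // 60} min")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"GigabitEthernet1/0/24"}):
        print(finding)
```

Run against the sample with GigabitEthernet1/0/24 marked untrusted, the script reports the enabled DHCP and DNS services, NDP and LLDP left on at the guest port, the AUX line still at the 10-minute default, and VTY 0 through 4 with the timeout disabled; GigabitEthernet1/0/1 passes because both undo commands are present. Feed it the output of display current-configuration from a real device and adjust the untrusted interface set to match your topology.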
Using management interfaces
A device's management plane is accessed in band or out of band over a physical or logical management interface. Ideally,
both an in-band and an out-of-band management path exist for each network device so that the management plane remains
reachable during a network outage.
One of the most common interfaces that are used for in-band device access is the logical loopback interface. Loopback
interfaces are always up, whereas physical interfaces can change state and potentially be inaccessible. It is
recommended that you add a loopback interface to each device as a management interface and that it be used