HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
infrastructure ACLs. The example ACL that follows includes comprehensive filtering of IP fragments. The functionality
from this example must be used in conjunction with the functionality of the previous examples.
#
acl number 3001 name ACL-INFRASTRUCTURE-IN
#
# Deny IP fragments using protocol-specific ACEs to aid in classification of attack traffic
#
rule deny tcp fragment
rule deny udp fragment
rule deny icmp fragment
rule deny ip fragment
#
# Deny all other IP traffic to any network device
#
rule deny ip destination <infrastructure-address-space> <wildcard>
#
# Permit transit traffic
#
rule permit ip
#
For more information regarding ACL handling of fragmented IP packets, see “Filtering IP fragments.”
Securing interactive management sessions
Management sessions to devices allow you to view and collect information about a device and its operations.
If this information is disclosed to a malicious user, the device can become the target of an attack, be compromised,
and be used to perform additional attacks. Anyone with privileged access to a device has full administrative
control of that device. Securing management sessions is imperative to prevent information disclosure
and unauthorized access.
Console and AUX ports
In HP Comware devices, the console and auxiliary (AUX) ports are asynchronous lines that can be used for local and
remote access to a device. Console ports on HP Comware devices have special privileges: by default, an administrator
can access a device through its console port without password authentication.
You can configure authentication, authorization, and accounting (AAA) to authenticate users accessing the console port.
Following is an example configuration:
#
user-interface con 0
authentication-mode scheme
idle-timeout 1 0
user privilege level 3
#
To adopt username/password authentication, configure the following:
#
user-interface con 0
authentication-mode password
set authentication password cipher <password>
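As an added example that is not part of the HP guide, the following Python script audits a saved Comware configuration against the two hardening points above: the infrastructure ACL must deny tcp, udp, icmp and ip fragments ahead of the final transit permit, and console line 0 must use scheme or password authentication with a non-zero idle timeout. The embedded sample configuration is constructed, and the console-section match assumes the `user-interface con 0` form shown on this page (the `console` and `line` spellings are also accepted).

```python
# Constructed sample Comware config (not from a real device) with the ACL and console settings above.
SAMPLE_CONFIG = """\
acl number 3001 name ACL-INFRASTRUCTURE-IN
rule deny tcp fragment
rule deny udp fragment
rule deny icmp fragment
rule deny ip fragment
rule deny ip destination 192.0.2.0 0.0.0.255
rule permit ip
#
user-interface con 0
authentication-mode scheme
idle-timeout 1 0
"""

def parse_sections(config_text):
    """Split a Comware config into sections delimited by bare '#' lines; '# ...' comments are dropped."""
    sections, current = [], []
    for line in (l.strip() for l in config_text.splitlines()):
        if line == "#":
            sections, current = sections + ([current] if current else []), []
        elif line and not line.startswith("#"):
            current.append(line)
    return sections + ([current] if current else [])

def audit_console(sections):
    """Console line 0 must authenticate (scheme or password) and time out idle sessions."""
    con = next((s for s in sections if s[0].startswith(("user-interface con", "line con")) and s[0].endswith(" 0")), None)
    if con is None:  # Comware default: console access without password authentication
        return ["console: no 'user-interface con 0' section"]
    findings = []
    if not any(l.startswith("authentication-mode ") and l != "authentication-mode none" for l in con):
        findings.append("console: authentication-mode is not scheme or password")
    timeout = next((l.split()[1:] for l in con if l.startswith("idle-timeout ")), None)
    if timeout is None or all(t == "0" for t in timeout):  # 'idle-timeout 0' disables the timer
        findings.append("console: idle-timeout missing or disabled")
    return findings

def audit_infrastructure_acl(sections, acl_name="ACL-INFRASTRUCTURE-IN"):
    """The ACL must deny tcp/udp/icmp/ip fragments and end with the transit 'rule permit ip'."""
    acl = next((s for s in sections if s[0].startswith("acl ") and acl_name in s[0]), None)
    if acl is None:
        return [f"acl: {acl_name} not found"]
    rules = [l for l in acl if l.startswith("rule ")]
    findings = [f"acl: missing 'rule deny {p} fragment'"
                for p in ("tcp", "udp", "icmp", "ip") if f"rule deny {p} fragment" not in rules]
    if not rules or rules[-1] != "rule permit ip":
        findings.append("acl: last rule is not 'rule permit ip'")
    return findings
```

Run both audit functions over `parse_sections()` of a `display current-configuration` capture; an empty list from each means the checks passed.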