HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
idle-timeout 1 0
user privilege level 3
#
To access the AUX port remotely, the user must first pass local password authentication by default. You can configure
AAA to authenticate users accessing the AUX port as follows:
#
user-interface aux 0
authentication-mode scheme
idle-timeout 1 0
user privilege level 3
#
You can disable authentication so that users can access the device through the AUX port directly as follows:
#
user-interface aux 0
authentication-mode none
user privilege level 3
idle-timeout 1 0
#
Control VTY and TTY lines
Interactive management sessions in HP Comware software use a TTY or virtual TTY (VTY). A TTY is used by a terminal for
local access to the device or to a modem for dialup access to a device. Note that TTYs can be used for connections to the
console ports of other devices. This function allows for reverse Telnet to the device. The TTY lines for these reverse
connections must also be controlled.
A VTY line is used for all other remote network connections supported by the device. To ensure that a device can only be
accessed through a properly authenticated local or remote management session, controls must be enforced on both TTY and
VTY lines. HP Comware devices have a limited number of VTY lines. When all VTY lines are in use, new management
sessions cannot be established, creating a DoS condition for access to the device.
Authentication can be enforced through the use of AAA, which is the recommended method for authenticated access to a
device. The following gives an example configuration:
#
user-interface tty 33
authentication-mode scheme
user privilege level 3
idle-timeout 1 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
idle-timeout 1 0
#
Note: Set a short time value with the idle-timeout command to ensure that users who no longer use the TTYs or VTYs
are logged out promptly. The default time value is 10 minutes.
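The settings recommended above can be checked mechanically against a saved configuration. The following Python script is an added example and is not part of the HP guide: it parses the user-interface blocks of a Comware configuration and flags lines whose authentication-mode is not scheme (AAA) or whose idle-timeout is missing, disabled, or longer than an assumed 300-second policy threshold. The sample configuration is constructed for the demonstration.

```python
# Constructed Comware configuration excerpt for demonstration; not from a real device.
SAMPLE_CONFIG = """\
user-interface aux 0
 authentication-mode none
user-interface tty 33
 authentication-mode scheme
 idle-timeout 1 0
user-interface vty 0 4
 authentication-mode scheme
 idle-timeout 0 0
user-interface vty 5 15
 authentication-mode password
 idle-timeout 30 0
#
"""

DEFAULT_IDLE_SECONDS = 10 * 60  # Comware default when no idle-timeout is configured


def parse_user_interfaces(config):
    """Map each user-interface line name to {command: arguments} for the commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = {}
        elif current is not None and line and line != "#":
            cmd, _, args = line.partition(" ")
            blocks[current][cmd] = args
    return blocks


def audit_user_interfaces(config, max_idle_seconds=300):  # threshold is an assumed policy value
    """Return (line, finding) pairs for lines not using AAA or lacking a short idle timeout."""
    findings = []
    for name, settings in parse_user_interfaces(config).items():
        mode = settings.get("authentication-mode")
        if mode != "scheme":
            findings.append((name, f"authentication-mode is {mode or 'not set'}; expected scheme"))
        if "idle-timeout" not in settings:
            findings.append((name, f"idle-timeout not set; default of {DEFAULT_IDLE_SECONDS}s applies"))
            continue
        # idle-timeout takes minutes and optional seconds; a value of 0 disables the timeout entirely
        minutes, seconds = (settings["idle-timeout"].split() + ["0"])[:2]
        total = int(minutes) * 60 + int(seconds)
        if total == 0:
            findings.append((name, "idle-timeout 0 disables the idle timeout"))
        elif total > max_idle_seconds:
            findings.append((name, f"idle-timeout {total}s exceeds {max_idle_seconds}s"))
    return findings
```

Run it against the output of display current-configuration to list every AUX, TTY or VTY line that departs from the recommendations in this section.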