HP Networking guide to hardening Comware-based devices
Table Of Contents
- Introduction
- Management plane
- General management plane hardening
- Limiting access to the network with infrastructure ACLs
- Securing interactive management sessions
- Fortifying Simple Network Management Protocol
- Logging best practices
- HP Comware software configuration management
- Control plane
- General control plane hardening
- Limiting the CPU impact of control plane traffic
- Securing BGP
- Securing Interior Gateway Protocols
- Securing Virtual Router Redundancy Protocol
- Data plane
- General data plane hardening
- Filtering transit traffic with Transit ACLs
- Anti-spoofing protections
- Limiting the CPU impact of data plane traffic
- Traffic identification and traceback
- Access control with VLAN QoS policy and port access control lists
- Using private VLANs
- Port isolation
Warning banners
In some legal jurisdictions, it can be impossible to prosecute and illegal to monitor malicious users unless they have
been notified that they are not permitted to use the system. One method to provide this notification is to place this
information into a banner message that is configured with the HP Comware software header legal command.
Legal notification requirements are complex, vary by jurisdiction and situation, and should be discussed with legal
counsel. Even within jurisdictions, legal opinions can differ. In cooperation with counsel, a banner can provide some or all
of the necessary information.
The notice should state that the system is to be logged into or used only by specifically authorized personnel; it can
also state who is able to authorize use. Depending on counsel's advice, it can further contain:
• Notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties.
• Notice that any use of the system can be logged or monitored without further notice and that the resulting logs can be
used as evidence in court.
• Specific notices required by local laws.
From a security point of view, rather than a legal one, a login banner should not contain any specific information
about the device name, model, software version, or ownership. Such details let a malicious user identify the device and
its software before authenticating, so keep the banner limited to the legal text itself.
Note: Use the undo copyright-info enable command to stop the device from displaying its copyright information at login;
that message identifies the vendor and is the kind of detail a banner should not reveal.
Using authentication, authorization, and accounting
The authentication, authorization, and accounting (AAA) framework is critical to securing interactive access to network
devices. The AAA framework provides a highly configurable environment that can be tailored depending on the needs of
the network.
Authentication, authorization, and accounting with RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol for centralized authentication,
authorization and accounting. The network device acts as the RADIUS client: it collects the user's credentials,
forwards them to a RADIUS server, and enforces the server's decision. RADIUS is widely used in environments where
both strong access control and remote user access are required.
RADIUS uses UDP as its transport: port 1812 for authentication and authorization, and port 1813 for accounting. Some
older servers still listen on the legacy ports 1645 and 1646, so check which ports the server you point the device at
actually uses.
RADIUS was originally designed for dial-in user access. As access methods diversified, it was extended to cover, for
example, Ethernet access and ADSL access, and it provides both access authentication and authorization services.
Messages exchanged between the RADIUS client and server are authenticated with a shared key that is configured on both
sides and is never itself sent over the network: the server proves it holds the key by placing an MD5 digest of the
packet and the key in the Response Authenticator, and the client recomputes that digest before accepting the reply.
The user's password is not sent in clear text either; the client hides the User-Password attribute by XORing it with
MD5 keystream derived from the shared key and the Request Authenticator. This is obfuscation rather than modern
encryption: all other attributes travel in clear text, and an attacker who captures a request/response pair can test
guesses for the shared key offline. Use a long, random shared key, and keep RADIUS traffic on a protected management
network rather than an untrusted one.
The following example defines a RADIUS scheme named radius with one server for authentication and accounting and a
backup accounting server. The key HP is a placeholder only: use a long, random shared key in production, and configure a
secondary authentication server as well, so that the failure of a single RADIUS server does not lock administrators out:
#
radius scheme radius
primary authentication 192.168.0.1
primary accounting 192.168.0.1
secondary accounting 192.168.0.2
key authentication HP
key accounting HP
user-name-format without-domain
#