Access Security Guide K/KA/KB.15.15

Table 48 Network Security—Default Settings and Security Guidelines (continued)

Columns: Feature / Default setting / Security guidelines / More information and configuration details

Security guidelines (continued): protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.

Feature: Connection-Rate Filtering based on Virus-Throttling Technology
Default setting: none
Security guidelines: This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts.
More information and configuration details: “Virus throttling (connection-rate filtering)” (page 53)

Feature: ICMP Rate-Limiting
Default setting: none
Security guidelines: This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect).
More information and configuration details: Management and Configuration Guide, in the chapter on "Port Traffic Controls", see "ICMP Rate-Limiting"

Feature: Spanning Tree Protection
Default setting: none
Security guidelines: These features protect your switch from malicious attacks or configuration errors:
  - BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
  - STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.
More information and configuration details: Advanced Traffic Management Guide, see "Multiple Instance Spanning-Tree Operation"

Feature: DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown
Default setting: none
Security guidelines: These features provide the following additional protections for your network:
  - DHCP Snooping: Protects your network from common DHCP attacks, such as address
Using HP switch security features 447