Common Criteria for HP Networking Switches

command:
HP Switch(config)# aaa authentication login privilege-mode
To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
Service-Type = 6 allows manager-level access
Service-Type = 7 allows operator-level access
A user with Service-Type not equal to 6 or 7 is denied access
A user with no Service-Type attribute supplied is denied access when privilege mode is enabled
To supply a privilege level via TACACS, specify the "Max-Privilege" level in the user's credentials.
Max-Privilege = 15 allows manager-level access
Max-Privilege = 14 allows operator-level access
A user with a Max-Privilege of 14 or lower is granted operator-level access
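The RADIUS rules above map onto standard RFC 2865 values: Service-Type 6 is Administrative-User and 7 is NAS-Prompt-User. The following is an added example, not code from the HP guide or the switch firmware, showing how a NAS-side client would apply those rules to a RADIUS reply: verify the Response Authenticator against the shared secret before trusting anything, require an Access-Accept, and grant manager or operator only for Service-Type 6 or 7, denying a missing, duplicated or unknown value. The request authenticator, shared secret and reply packets are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2865 values (standard, not assumptions)
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # "Administrative-User": manager level on the switch
SERVICE_TYPE_NAS_PROMPT = 7       # "NAS-Prompt-User": operator level on the switch

PRIVILEGE_BY_SERVICE_TYPE = {
    SERVICE_TYPE_ADMINISTRATIVE: "manager",
    SERVICE_TYPE_NAS_PROMPT: "operator",
}


def parse_radius(packet: bytes) -> Tuple[int, bytes, Dict[int, List[bytes]]]:
    """Split a RADIUS packet into (code, authenticator, {attr type: [raw values]})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, packet[4:20], attrs


def response_authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def privilege_from_reply(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """Return "manager", "operator", or None (deny) for a RADIUS reply to a login request."""
    if not response_authenticator_ok(packet, request_auth, secret):
        return None                      # forged or corrupted reply: never grant on it
    code, _auth, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None                      # Access-Reject or Access-Challenge: no access
    values = attrs.get(ATTR_SERVICE_TYPE, [])
    if len(values) != 1 or len(values[0]) != 4:
        return None                      # absent (or duplicated/malformed): denied in privilege mode
    (service_type,) = struct.unpack("!I", values[0])
    return PRIVILEGE_BY_SERVICE_TYPE.get(service_type)   # any value other than 6 or 7: denied


def build_reply(code: int, request_auth: bytes, secret: bytes,
                attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed reply, built the way a RADIUS server would build it (for the demo only)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, 0x2A, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


# Constructed request authenticator and shared secret for the demo.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    for label, value in (("manager", 6), ("operator", 7), ("framed", 2)):
        reply = build_reply(ACCESS_ACCEPT, REQ_AUTH, SECRET,
                            [(ATTR_SERVICE_TYPE, struct.pack("!I", value))])
        print(label, "->", privilege_from_reply(reply, REQ_AUTH, SECRET))
    no_attr = build_reply(ACCESS_ACCEPT, REQ_AUTH, SECRET, [(18, b"Welcome")])
    print("no Service-Type ->", privilege_from_reply(no_attr, REQ_AUTH, SECRET))
```

The authenticator check comes first because an attacker on the path between switch and RADIUS server who can inject an Access-Accept with Service-Type 6 gets manager access otherwise; with the check, a forged reply or a reply tampered with in transit is treated the same as a denial.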
Console Inactivity Timer
The console inactivity timer must be configured to a nonzero value. Leaving the inactivity timer set to
zero (the default setting) prevents an idle console session from timing out, and leaves the session open
to anyone having console access. When the inactivity time threshold is met the session is terminated
and the user must re-authenticate. Use the following command to set the timer to the number of
minutes of inactivity before timing out:
HP Switch(config)# console inactivity-timer < 0 | 1 | 5 | 10 | 15 | 20 | 30 | 60 | 120>
Attack Prevention
Dynamic ARP Protection
Address Resolution Protocol (ARP) allows hosts to communicate over the network by creating an IP to
MAC address mapping used in the transmission of packets. ARP has no authentication, so an attacker
can send bogus mappings that bind another client's IP address to the attacker's MAC address and
intercept traffic destined to that client. Additionally, an attacker could generate an unlimited number of
artificial ARP entries, filling up the caches of other clients on the network and causing a denial of service.
Dynamic ARP Protection works by intercepting ARP packets and verifying their authenticity before
forwarding them. Packets whose sender protocol address (IP) and sender hardware address (MAC)
fields advertise an invalid IP to MAC binding are discarded, ensuring that only valid ARP requests and
replies are forwarded or used to update the local ARP table.
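As an added illustration of that validation step (not code from the HP guide or the switch firmware), the following parses Ethernet/ARP frames and applies the binding check: on an untrusted port the sender IP and sender MAC are looked up in a per-VLAN binding table, a frame whose sender IP has no binding or is bound to a different MAC is dropped, and only verified bindings reach the ARP cache. The binding table, port numbers, addresses and frames are constructed for the demo; the rule that trusted ports bypass the check follows the trusted/untrusted port model described on this page.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # RFC 826 header for IPv4 over Ethernet
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str      # sender hardware address: the field an attacker lies in
    sender_ip: str       # sender protocol address
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP header of an Ethernet II frame, or None for a non-ARP frame.
    Raises ValueError for a frame that claims to be ARP but is malformed."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if len(frame) < 14 + ARP_HDR.size:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("not IPv4-over-Ethernet ARP request/reply")
    return ArpPacket(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


class ArpProtection:
    """ARP validation state for one VLAN."""

    def __init__(self, bindings: Dict[str, str], trusted_ports: Set[str]):
        self.bindings = dict(bindings)        # ip -> mac, from DHCP snooping leases or static entries
        self.trusted = set(trusted_ports)     # every other port is untrusted (the default)
        self.arp_cache: Dict[str, str] = {}   # what the switch itself learns from validated ARP

    def process(self, port: str, frame: bytes) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for a frame received on `port`."""
        try:
            arp = parse_arp_frame(frame)
        except ValueError as exc:
            return "drop", f"malformed: {exc}"
        if arp is None:
            return "forward", "not ARP"              # ARP protection does not touch other traffic
        if port in self.trusted:
            return "forward", "trusted port"         # trusted ports bypass the binding check
        bound_mac = self.bindings.get(arp.sender_ip)
        if bound_mac is None:
            return "drop", f"no binding for {arp.sender_ip}"
        if bound_mac != arp.sender_mac:
            return "drop", f"{arp.sender_ip} is bound to {bound_mac}, not {arp.sender_mac}"
        self.arp_cache[arp.sender_ip] = arp.sender_mac   # only verified bindings are learned
        return "forward", "binding verified"


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Constructed broadcast Ethernet/ARP frame for the demo."""
    eth = _mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, op, _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                              _mac_bytes(target_mac), _ip_bytes(target_ip))


# Constructed binding table for one VLAN: the gateway is a static binding, the client a DHCP lease.
VLAN10 = ArpProtection(
    bindings={"10.0.0.1": "00:11:22:33:44:01", "10.0.0.50": "00:11:22:33:44:50"},
    trusted_ports={"1"},   # uplink towards the router and DHCP server
)

if __name__ == "__main__":
    legit = build_arp_frame(ARP_REPLY, "00:11:22:33:44:50", "10.0.0.50", "00:11:22:33:44:01", "10.0.0.1")
    spoof = build_arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:50", "10.0.0.50")
    print("client on port 7:", VLAN10.process("7", legit))
    print("gateway spoof on port 7:", VLAN10.process("7", spoof))
    print("ARP cache:", VLAN10.arp_cache)
```

The spoofed reply claims the gateway's IP with the attacker's MAC; because the binding table says 10.0.0.1 belongs to a different MAC, the frame is dropped and never updates the cache, which is exactly the man-in-the-middle case the page describes. A flood of replies for addresses that have no lease is dropped for the same reason, so the cache cannot be filled with artificial entries.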
ARP Protection validates IP to MAC bindings against the lease database maintained by DHCP Snooping, or
against static bindings configured for non-DHCP clients. It is configured per VLAN and classifies ports
as either trusted or untrusted (the default). ARP packets received on trusted ports are forwarded