Technical white paper
HP Networking guide to hardening Comware-based devices

Table of contents
Introduction
Management plane
  General management plane hardening
  Limiting access to the network with infrastructure ACLs
  Securing interactive management sessions
  Fortifying Simple Network Management Protocol
  Logging best practices
  HP Comware software configuration management
Control plane
  General control plane hardening
  Limiting the CPU impact of control plane traffic
  Securing BGP
  Securing Interior Gateway Protocols
Introduction
This document contains information to help you secure your HP Comware OS-based devices, which will help increase the overall security of your network. This document, which is structured around the three planes into which network device functions can be categorized, provides an overview of each feature and references related documentation. The three functional planes of a network—the management plane, control plane, and data plane—each provide different functionality that must be protected.
After password control is configured, a password is displayed as ***, and is saved in a special format in the configuration file. Users will often choose their user names or simple digits such as 123456 as their passwords. These passwords can easily be cracked. Increasing password complexity can make it more difficult to crack passwords.
# Configure the password of the local user in interactive mode.
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait........
[Sysname-luser-test] quit

Disable unused services
As a security best practice, any unnecessary service must be disabled.
exclusively for the management plane. This allows the administrator to apply policies throughout the network for the management plane. Once the loopback interface is configured on a device, it can be used by management plane protocols such as SSH, SNMP, and syslog to send and receive traffic.

Memory Threshold Notification
The Memory Threshold Notification feature allows you to mitigate low-memory conditions on a device.
# Permit transit traffic
#
 rule permit ip
#
Once created, the ACL must be applied to all interfaces that face non-infrastructure devices. This includes interfaces that connect to other organizations, remote access segments, user segments, and data center segments.

ICMP packet filtering
Internet Control Message Protocol (ICMP) is designed as an IP control protocol. As a result, the messages it conveys can have far-reaching ramifications for TCP and IP protocols in general.
infrastructure ACLs. The example ACL that follows includes comprehensive filtering of IP fragments. The functionality from this example must be used in conjunction with the functionality of the previous examples.
 idle-timeout 1 0
 user privilege level 3
#
To access the AUX port remotely, the user must first pass local password authentication by default.
Warning banners
In some legal jurisdictions, it can be impossible to prosecute and illegal to monitor malicious users unless they have been notified that they are not permitted to use the system. One method to provide this notification is to place this information into a banner message that is configured with the HP Comware software header legal command. Legal notification requirements are complex, vary by jurisdiction and situation, and should be discussed with legal counsel.
Authentication, authorization, and accounting with HWTACACS
HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They have many common features in implementing AAA, such as using the client/server model, using shared keys for user information security, and having good flexibility and extensibility. They also have differences, which are listed below.

HWTACACS | RADIUS
Uses TCP, providing more reliable network transmission. |
Authentication fallback
If all authentication servers are unavailable, local authentication can be used. Local authentication can use the password control function to secure user passwords.

Redundant AAA servers
You can specify multiple RADIUS or HWTACACS authentication/authorization servers to achieve redundancy. When the primary authentication/authorization server is unreachable, the access device contacts the secondary server to perform authentication/authorization.
 snmp-agent community write READWRITE acl 2002
#
For more information, see the snmp-agent community command in “SNMP” in the Network Management and Monitoring Command Reference Guide.

SNMP Views
SNMP views are a security feature that can permit or deny access to certain SNMP MIBs. Once a view is created and applied to a community string with the snmp-agent community command, access to MIB data through that community is restricted to the permissions defined by the view.
# This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:
#
 snmp-agent usm-user v3 snmpv3user PRIVGROUP authentication-mode md5 authpassword privacy-mode 3des privpassword
#
Additionally, it is recommended that SNMPv1/v2 be disabled whenever SNMPv3 is configured, for an additional level of security. For more information, see “SNMP” in the Network Management and Monitoring Command Reference Guide.
Do not log to console or monitor sessions
With HP Comware software, it is possible to send log messages to monitor sessions and to the console. Monitor sessions are interactive management sessions in which the EXEC command terminal monitor has been issued. However, sending such messages can elevate the CPU load of a Comware device and therefore is not recommended. Instead, you are advised to send logging information to the local log buffer, which can be viewed by using the display logbuffer command.
Configure logging timestamps
Configuring logging timestamps helps you correlate events across network devices. It is important to implement a correct and consistent logging timestamp configuration to ensure that you are able to correlate logging data. Logging timestamps should be configured to include the date and time with millisecond precision and to include the time zone in use on the device.
Configuration change notification
The configuration change notification feature can log the configuration changes made to an HP Comware device. You can display the change trap with the display trapbuffer command. Use the snmp-agent trap enable command to enable configuration change notification.
There are two types of ICMP redirect messages: redirect for a host address and redirect for an entire subnet. A malicious user can exploit the ability of the router to send ICMP redirects by continually sending packets to the router, forcing the router to respond with ICMP redirect messages. This produces an adverse impact on the CPU and on the performance of the router. In order to prevent the router from sending ICMP redirects, use the undo ip redirects command.
Limiting the CPU impact of control plane traffic
Protecting the control plane is critical. Because application performance and the end-user experience can suffer without the presence of data and management traffic, the survivability of the control plane helps ensure that the other two planes are maintainable and operational.

Understanding control plane traffic
To properly protect the control plane of HP Comware devices, it is essential to understand the types of traffic that are processed by the CPU.
For more information about ACLs, see “ACL” in the Security Command Reference Guide.

HTTPS ACLs
Use the ip https acl command to control HTTPS access with an ACL. Only the clients permitted by the ACL can access the HTTPS server on the device.

Control plane protection
The control plane policing feature allows you to configure a quality of service (QoS) policy that manages control plane packets to protect the control plane from denial-of-service (DoS) attacks.
#
For more information on these two features, see “TCP” and “ICMP Attack Protection” in the Security Configuration Guide.

Securing BGP
Border Gateway Protocol (BGP) is the routing foundation of the Internet. As such, any organization with more than modest connectivity requirements often finds itself utilizing BGP. BGP is often targeted by attackers because of its ubiquity and the “set-and-forget” nature of BGP configurations in smaller organizations.
In order to prevent memory exhaustion, it is important to configure the maximum number of prefixes that are accepted on a per-peer basis. It is recommended that a limit be configured for each BGP peer. When configuring this feature using the peer route-limit command in BGP view, one argument is required: the maximum number of prefixes that are accepted before a peer is shut down. Optionally, a number from 1 to 100 can also be entered.
 peer as-path-acl 1 import
 peer as-path-acl 2 export
#

Securing Interior Gateway Protocols
The ability of a network to properly forward traffic and recover from topology changes or faults is dependent on an accurate view of the topology. Running an Interior Gateway Protocol (IGP) can often provide this view. By default, IGPs are dynamic and discover additional routers that communicate with the particular IGP in use.
 area-authentication-mode md5
 domain-authentication-mode md5
#
For more information, see “Enhancing IS-IS Network Security in ISIS” in the Layer-3 IP Routing Configuration Guide.

Silent-interface commands
Information leaks, or the introduction of false information into an IGP, can be mitigated through use of the silent-interface command, which assists in controlling the advertisement of routing information.
 ip ip-prefix index 10 permit
#
 ospf
  area
   filter ip-prefix import
#
For more information on OSPF Area Border Router (ABR) Type 3 link-state advertisements filtering, see “Configuring ABR Type-3 LSA Filtering in OSPF” in the Layer-3 IP Routing Configuration Guide.

Securing Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol (VRRP) provides resiliency and redundancy for devices that are acting as default gateways.
#
 undo ip redirects
#
For more information on the undo ip redirects command, see “IP Performance Optimization” in the Layer-3 IP Services Configuration Guide.

Disable or limit IP directed broadcasts
IP directed broadcasts make it possible to send an IP broadcast packet to a remote IP subnet. Once it reaches the remote network, the forwarding IP device sends the packet as a Layer 2 broadcast to all stations on the subnet.
Filtering IP fragments
As detailed previously in the “Limiting access to the network with infrastructure ACLs” section of this document, the filtering of fragmented IP packets can pose a challenge to security devices. Because of the nonintuitive nature of fragment handling, IP fragments are often inadvertently permitted by ACLs. Fragmentation is also often used in attempts to evade detection by intrusion detection systems.
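The pitfall described above (and in the earlier infrastructure ACL discussion) can be shown with a small rule-evaluation model. This is an added Python illustration, not Comware code; the ACLs, packets and the simplified fragment semantics (a port-based rule cannot match a fragment that carries no L4 header) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added illustration (Python, not Comware code) of the fragment-handling pitfall
# described above: only the initial fragment carries the TCP/UDP header, so a rule
# matching on destination port cannot match non-initial fragments, which then fall
# through to a broad "rule permit ip" unless the ACL denies fragments explicitly.

@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "icmp"
    dst_port: Optional[int]       # None when no L4 header is present
    fragment_offset: int = 0      # > 0 marks a non-initial fragment

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    dst_port: Optional[int] = None
    fragments_only: bool = False  # match only non-initial fragments (L3 info only)

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.fragments_only:
            return p.fragment_offset > 0
        if self.dst_port is not None:
            # a port match needs an L4 header, which a non-initial fragment lacks
            return p.dst_port == self.dst_port
        return True

def evaluate(acl: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule, or 'unmatched'."""
    return next((r.action for r in acl if r.matches(p)), "unmatched")

# Port-only filter: appears to block SMB (TCP/445) but only catches initial fragments
NAIVE_ACL = [Rule("deny", "tcp", dst_port=445), Rule("permit", "ip")]
# Hardened filter: deny every non-initial fragment before any port-based rule
HARDENED_ACL = [Rule("deny", "ip", fragments_only=True)] + NAIVE_ACL

def compare(p: Packet) -> dict:
    return {"naive": evaluate(NAIVE_ACL, p), "hardened": evaluate(HARDENED_ACL, p)}

# Constructed sample packets (not from a real capture)
INITIAL_FRAGMENT = Packet("tcp", dst_port=445, fragment_offset=0)         # has TCP header
NON_INITIAL_FRAGMENT = Packet("tcp", dst_port=None, fragment_offset=185)  # no TCP header
PLAIN_HTTP = Packet("tcp", dst_port=80)
```

The non-initial fragment is permitted by the port-only ACL and denied only once fragments are handled explicitly, while ordinary traffic is unaffected by the extra rule.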
After receiving a packet, an IP source guard-enabled port obtains the key attributes (source IP address, source MAC address, and VLAN tag) of the packet and then looks up the binding entries of the IP source guard for a match. If there is a match, the port forwards the packet; otherwise, the port discards the packet. You can enable this feature on a port connected to terminals to block illegal access (such as IP spoofing) and improve port security. HP IP source guard supports static and dynamic entries.
The following table describes the port security modes.

Port security mode | Description
noRestrictions | In this mode, port security is disabled on the port and access to the port is not restricted.
autoLearn | The port in this mode adds learned and configured secure MAC address entries into the secure MAC address table. When the maximum number of secure MAC addresses is reached, the port changes to secure mode.
ARP Detection
ARP Detection can be utilized to mitigate ARP poisoning attacks on local segments. An ARP poisoning attack is a method in which an attacker sends falsified ARP information to a local segment. This information is designed to corrupt the ARP cache of other devices. Often an attacker uses ARP poisoning in order to perform a man-in-the-middle attack. ARP Detection intercepts and validates the IP-to-MAC address relationship of all ARP packets on untrusted ports.
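Both IP source guard (described above) and ARP Detection make their decision against the same kind of IP/MAC/VLAN binding table. The following added Python model, which is not Comware code, shows that lookup for both features; the bindings, port names and packets are constructed for the example.

```python
from typing import Dict, Set, Tuple
# Added model (Python, not Comware code) of the binding table that IP source guard
# and ARP Detection consult: key attributes are source IP, source MAC and VLAN,
# as described above. Entries may be static (configured) or dynamic (learned).
Binding = Tuple[str, str, int]  # (source IP, source MAC, VLAN)

class BindingTable:
    def __init__(self) -> None:
        self.entries: Dict[Binding, str] = {}  # binding -> "static" | "dynamic"
        self.trusted_ports: Set[str] = set()   # ports exempt from ARP Detection

    def add(self, ip: str, mac: str, vlan: int, kind: str = "dynamic") -> None:
        self.entries[(ip, mac.lower(), vlan)] = kind

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        return (ip, mac.lower(), vlan) in self.entries

def ip_source_guard(table: BindingTable, ip: str, mac: str, vlan: int) -> str:
    """Forward only if the (IP, MAC, VLAN) triplet has a binding entry; anything
    else, such as a host using a neighbour's IP address, is discarded."""
    return "forward" if table.matches(ip, mac, vlan) else "discard"

def arp_detection(table: BindingTable, port: str, sender_ip: str,
                  sender_mac: str, vlan: int) -> str:
    """Trusted ports are not checked; on untrusted ports the ARP sender IP/MAC
    pair must match a binding entry or the ARP packet is dropped."""
    if port in table.trusted_ports:
        return "forward"
    return "forward" if table.matches(sender_ip, sender_mac, vlan) else "discard"

def demo() -> Dict[str, str]:
    """Constructed sample bindings and packets (not taken from a real device)."""
    table = BindingTable()
    table.add("10.1.20.11", "00-11-22-33-44-55", 20, kind="static")
    table.add("10.1.20.12", "00-11-22-33-44-66", 20, kind="dynamic")
    table.trusted_ports.add("GigabitEthernet1/0/48")  # uplink towards the gateway
    return {
        # legitimate host whose triplet matches its binding
        "ipsg_valid": ip_source_guard(table, "10.1.20.11", "00-11-22-33-44-55", 20),
        # known MAC claiming the neighbour's IP: spoofed source, discarded
        "ipsg_spoofed_ip": ip_source_guard(table, "10.1.20.12", "00-11-22-33-44-55", 20),
        # correct IP/MAC pair but on the wrong VLAN: no binding, discarded
        "ipsg_wrong_vlan": ip_source_guard(table, "10.1.20.11", "00-11-22-33-44-55", 30),
        # ARP from an access port claiming the gateway IP: poisoning attempt, dropped
        "arp_poison_untrusted": arp_detection(table, "GigabitEthernet1/0/10",
                                              "10.1.20.1", "00-11-22-33-44-66", 20),
        # the gateway's own ARP arriving on the trusted uplink is not validated
        "arp_gateway_trusted": arp_detection(table, "GigabitEthernet1/0/48",
                                             "10.1.20.1", "00-aa-bb-cc-dd-01", 20),
    }
```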
 firewall packet-filter name ACL-ANTISPOOF-IN inbound
#

Limiting the CPU impact of data plane traffic
The primary purpose of routers and switches is to forward packets and frames to their final destinations. These packets, which transit the devices deployed throughout the network, can impact a device’s CPU operations. The data plane, which consists of traffic transiting the network device, should be secured to help ensure the operation of the management and control planes.
Approach II, enable NetStream through QoS policy.
#
 ip netstream { inbound | outbound }
#
 traffic behavior
  mirror-to interface net-stream
#
Approach III, enable NetStream through port mirroring.
#
 ip { inbound | outbound }
#
 interface Ethernet0/1/0
  ip netstream mirror-to interface net-stream
#
Following is an example of NetStream output from the CLI.
TCP-FTPD    3200453    1006   5    193  45  33
TCP-WWW     546778274  11170  887  12   8   32
TCP-other   49148540   3752   79   47   30  32
UDP-DNS     117240379  570    190  3    7   34
UDP-other   45502422   2272   73   30   8   37
ICMP        14837957   125    24   5    12  34
IP-other    77406      5      0    47   52  27

Type  DstIP(Port)          SrcIP(Port)     Pro  ToS  If(Direc)  Pkts
      DstMAC(VLAN)         SrcMAC(VLAN)
      TopLblType(IP/MASK)  Lbl-Exp-S-List
IP    11.1.1.1(1024)       11.1.1.
#
 sflow collector <collector-id> ip <ip-address>
#
Specify an IP address for the sFlow agent, and the sFlow version.
[HP] display acl 3002
Advanced ACL 3002, named ACL-SMB-CLASSIFY, 3 rules,
Classification of SMB specific TCP traffic
ACL's step is 5
 rule 0 deny tcp destination-port eq 139 (10 times)
 rule 5 deny tcp destination-port eq 445 (10 times)
 rule 10 deny ip (205 times)
#

Access control with VLAN QoS policy and port access control lists
VLAN access control lists (VACLs), or VLAN QoS policy and port ACLs (PACLs), provide the capability to enforce access control on non-routed traffic closer to endpoint devices than
 rule permit
#
 interface
  packet-filter name inbound

Access control with MAC
A MAC ACL can be applied on an IP network and instructs the forwarding engine to not inspect the IP header. The result is that you are able to use a MAC access list in the IP environment.
Community VLANs
A secondary VLAN that is configured as a community VLAN allows communication among members of the VLAN as well as with any promiscuous ports in the primary VLAN. However, no communication is possible between any two community VLANs or from a community VLAN to an isolated VLAN. Community VLANs must be used to group servers that need connectivity with one another, but where connectivity to all other devices in the VLAN is not required.
 port access vlan 12
#
interface GigabitEthernet1/0/12
 port link-mode bridge
 description *** Promiscuous Port ***
 port isolate-user-vlan promiscuous
 port link-type hybrid
 port hybrid vlan 11 to 12 20 tagged
#
isolate-user-vlan 20 secondary 11 12
#
When implementing PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow the PVLAN configuration to be subverted.
Uplink port
The uplink port of an isolation group can communicate with isolated ports in the group so that the isolated ports can access other networks through the uplink port without needing Layer 3 forwarding. If your device does not support an uplink port feature, the isolated ports in a Layer 2 VLAN need Layer 3 forwarding to access other networks. The following configuration example configures G1/0/10 and G1/0/11 in VLAN 20 as isolated ports, and configures Ten-GigabitEthernet1/0/49 as the uplink port.
 description *** Isolated Port of Group2 ***
 port access vlan 20
 port-isolate enable group 2
#
interface Ten-GigabitEthernet1/0/49
 description *** Uplink Port of Group1 ***
 port access vlan 20
 port-isolate uplink-port group 1
#
interface Ten-GigabitEthernet1/0/50
 description *** Uplink Port of Group2 ***
 port access vlan 20
 port-isolate uplink-port group 2
#
For more information about port isolation, see “Port Isolation” in the Layer-2 LAN Switching Configuration Guide.
Keywords: secure, management plane, control plane, data plane Abstract: This document describes how to secure HP Comware devices.