TMS zl Management and Configuration Guide ST.1.0.090213

4-21
Firewall
Firewall Access Policies
Preventing DoS on a Management-Access Zone
One of the policies that is created for a management-access zone permits
HTTPS traffic from any IP address in the zone to the TMS zl Module. This
policy opens up the potential for a DoS attack on the TMS zl Module’s internal
HTTP server. A malicious user could flood the module’s HTTP server with
connections, which could prevent management access from the Web browser
interface. (This attack would not affect CLI access through Telnet or SSH.)
To prevent this type of attack, ProCurve recommends that you follow one or
more of these steps:
■ Restrict HTTPS access to a trusted set of IP addresses or domain names
by editing the source field of the default HTTPS policy. Do this in each
management-access zone. (See “Basic Tab” on page 4-22.)
■ Specify a TMS VLAN as the priority VLAN. (See “Configure Management
Access” in Chapter 2: “Initial Setup in Routing Mode.”)
■ If users authenticate to the network through the TMS zl Module, do the
following:
• In each zone where your users reside, create a new firewall access
policy that permits HTTPS access from that zone to Self and set the
maximum connections to 5. (See “Advanced Tab” on page 4-23.) The
maximum connection limit does not limit how many authenticated
user sessions are permitted; it limits how many requests to the HTTP
server can be made at one time.
• This policy’s priority should be after (lower than) the default HTTPS
policy for that zone.
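The following is an added model of the recommendation above, not code from the TMS zl Module or this guide: a first-match policy list in which the source-restricted default HTTPS policy is evaluated before a catch-all policy capped at 5 connections, so trusted administrators are never capped while a flooding host is. The zone name, the trusted subnet and the host addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    name: str
    src_zone: str            # zone the request arrives from
    src_nets: list           # permitted source prefixes (0.0.0.0/0 = any)
    dst: str                 # "Self" = the module's own HTTP server
    service: str
    max_conn: Optional[int] = None   # "maximum connections" on the Advanced Tab

ANY = [ipaddress.ip_network("0.0.0.0/0")]
TRUSTED = [ipaddress.ip_network("10.1.1.0/24")]   # constructed admin subnet

# Priority order as recommended: restricted default policy first,
# then the capped catch-all for everyone else in the zone.
POLICIES = [
    Policy("default-https", "Users", TRUSTED, "Self", "HTTPS"),
    Policy("https-capped", "Users", ANY, "Self", "HTTPS", max_conn=5),
]

def evaluate(policies, src_ip, src_zone, dst, service, active):
    """First matching policy wins; `active` counts open connections per policy."""
    ip = ipaddress.ip_address(src_ip)
    for p in policies:
        if (p.src_zone, p.dst, p.service) != (src_zone, dst, service):
            continue
        if not any(ip in net for net in p.src_nets):
            continue
        if p.max_conn is not None and active.get(p.name, 0) >= p.max_conn:
            return "deny", p.name        # cap reached: new request refused
        active[p.name] = active.get(p.name, 0) + 1
        return "permit", p.name
    return "deny", None                  # no matching policy: implicit deny

def flood(policies, src_ip, attempts):
    """Open `attempts` HTTPS connections from src_ip; return how many are permitted."""
    active = {}
    verdicts = [evaluate(policies, src_ip, "Users", "Self", "HTTPS", active)[0]
                for _ in range(attempts)]
    return verdicts.count("permit")

if __name__ == "__main__":
    print(flood(POLICIES, "10.1.2.77", 20))                  # untrusted host: 5
    print(flood(POLICIES, "10.1.1.5", 20))                   # trusted admin: 20
    print(flood(list(reversed(POLICIES)), "10.1.1.5", 20))   # wrong order: admin capped too
```

Reversing the list puts the capped policy first, which is why the guide places it after the default HTTPS policy: a flood from any host would then exhaust the 5 connections for administrators as well.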
Traffic Types
Firewall access policies can be applied to two basic types of traffic:
■ Unicast—A packet has one sender and one receiver. Transmissions in
LANs and across the Internet are predominantly unicast.
■ Multicast—A packet has one or more senders and a set of receivers.
Multicast transmissions have a destination address in the 224.0.0.0 –
239.255.255.255 range.
To configure a firewall policy, complete the following steps:
1. Select one of the following:
• To add a unicast access policy, select Firewall > Access Policies > Unicast.
• To add a multicast access policy, select Firewall > Access Policies >
Multicast.