TMS zl Management and Configuration Guide ST.1.1.100226

4-26
Firewall
Firewall Access Policies
Table 4-5. Self to [Zone]
You can modify or delete these policies as desired. These policies are automatically deleted when you remove the management-access designation from a zone. For this reason, you can use the management-access designation as a troubleshooting tool—specify all involved zones as management-access zones while testing connectivity, and then remove the designation when you have finished.
Preventing DoS Attacks on the TMS zl Module from a Management-Access Zone.

One of the policies that is created for a management-access zone permits HTTPS traffic from any IP address in the zone to the TMS zl Module. This policy opens up the potential for a DoS attack on the TMS zl Module’s internal HTTP server. A malicious user could flood the module’s HTTP server with connections, which could prevent management access from the Web browser interface. (This attack would not affect CLI access through Telnet or SSH.)
To prevent this type of attack, ProCurve recommends that you follow one or more of these steps:

- Restrict HTTPS access to a trusted set of IP addresses or domain names by editing the source field of the default HTTPS policy. Do this in each management-access zone. (See “Create Firewall Access Policies” on page 4-29.)
- Specify a TMS VLAN as the priority VLAN. (See “Configure Management Access” in Chapter 2: “Initial Setup in Routing Mode.”)
- If users authenticate to the network through the TMS zl Module, do the following:
  - In each zone where your users reside, create a new firewall access policy that permits HTTPS access from that zone to Self and set the maximum connections to 5. (See “Create Firewall Access Policies” on page 4-29.) The maximum connection limit does not limit how many authenticated user sessions are permitted; it limits how many requests to the HTTP server can be made at one time.
  - This policy’s priority should be after (lower than) the default HTTPS policy for that zone.
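The following is an added illustration, not the TMS zl Module's own policy engine or CLI: a small model of priority-ordered access policies in which the first matching policy decides and a policy may carry a concurrent-connection cap. It combines step 1 (the default HTTPS policy's source field narrowed to a trusted subnet) with step 3 (a lower-priority HTTPS policy from the user zone to Self capped at 5 connections) and shows a flood from an untrusted address being held at the cap while a trusted administrator's HTTPS connection and an SSH connection still succeed. The zone names, the sample addresses, first-match evaluation, implicit deny, and per-policy (not per-source) counting are all assumptions of this model.

```python
"""Model of priority-ordered firewall access policies with a per-policy
concurrent-connection cap. Illustrative simulation written for this page;
not the TMS zl Module's policy engine or CLI. Policy fields, first-match
evaluation, implicit deny and per-policy counting are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    service: str
    source: str                          # CIDR; "0.0.0.0/0" means any address
    max_connections: Optional[int] = None  # None = unlimited
    active: set = field(default_factory=set)  # ids of currently open connections

    def matches(self, from_zone, to_zone, service, src_ip):
        return (self.from_zone == from_zone and self.to_zone == to_zone
                and self.service == service
                and ip_address(src_ip) in ip_network(self.source))


class PolicyTable:
    """Policies are evaluated in priority order; the first match decides."""

    def __init__(self, policies):
        self.policies = list(policies)   # index 0 = highest priority

    def open_connection(self, conn_id, from_zone, to_zone, service, src_ip):
        """Return (decision, policy_name); 'limit' means the matching policy
        is already at its concurrent-connection cap."""
        for p in self.policies:
            if p.matches(from_zone, to_zone, service, src_ip):
                if p.max_connections is not None and len(p.active) >= p.max_connections:
                    return "limit", p.name
                p.active.add(conn_id)
                return "permit", p.name
        return "deny", None              # assumed implicit deny

    def close_connection(self, conn_id):
        for p in self.policies:
            p.active.discard(conn_id)


def build_example_table():
    # Constructed sample addresses: 10.1.2.0/24 is the trusted admin subnet.
    # Order: default HTTPS policy with its source narrowed (step 1), then the
    # capped HTTPS policy (step 3), then an uncapped SSH policy for the CLI.
    return PolicyTable([
        Policy("default-https", "Users", "Self", "https", "10.1.2.0/24"),
        Policy("limited-https", "Users", "Self", "https", "0.0.0.0/0", max_connections=5),
        Policy("default-ssh", "Users", "Self", "ssh", "0.0.0.0/0"),
    ])


def simulate_flood(table, src_ip, attempts):
    """Open `attempts` HTTPS connections from one address without closing
    any of them; return how many the table permitted."""
    permitted = 0
    for i in range(attempts):
        decision, _ = table.open_connection(f"flood-{i}", "Users", "Self", "https", src_ip)
        if decision == "permit":
            permitted += 1
    return permitted


def demo():
    table = build_example_table()
    flood_permitted = simulate_flood(table, "10.9.9.9", 50)   # untrusted source
    # Trusted administrator matches the uncapped default policy first.
    admin_decision, admin_policy = table.open_connection(
        "admin-1", "Users", "Self", "https", "10.1.2.10")
    # SSH is governed by its own policy and is unaffected by the HTTPS flood.
    ssh_decision, _ = table.open_connection("ssh-1", "Users", "Self", "ssh", "10.9.9.9")
    return flood_permitted, admin_decision, admin_policy, ssh_decision


if __name__ == "__main__":
    print(demo())   # (5, 'permit', 'default-https', 'permit')
```

Because the cap counts connections per policy rather than per source address, a second untrusted address is also refused once the five slots are taken, and a slot is freed only when one of those connections closes; that is the behaviour the text describes when it says the limit applies to simultaneous requests to the HTTP server, not to authenticated user sessions.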
Table 4-5 services (read down each column):
bootpc    ftp         radius        snmptrap
bootps    http        radius-acct   ssh
dns-tcp   https       smtp          syslog
dns-udp   ICMP/echo   snmp          tftp