HP ProCurve Series 6600 User manual

HP 6600/HSR6600 Routers
Security
Configuration Guide
Part number: 5998-1515
Software version: A6602-CMW520-R3103
A6600-CMW520-R3102-RPE
A6600-CMW520-R3102-RSE
HSR6602_MCP-CMW520-R3102
Document version: 6PW103-20130628

Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.

i
Contents
Security overview ... 1
  Network security threats ... 1
  Network security services ... 1
  Network security technologies ... 2
    Identity authentication ... 2
    Access security ... 2
    Data security ... 3
    Firewall and connection control ... 3
    Attack detection and protection ... 4
    Other security technologies ... 5
Configuring AAA ... 7
  Overview ... 7
    RADIUS ... 8
    HWTACACS ... 13
    Domain-based user management ... 15
    AAA for MPLS L3VPNs ... 16
    Protocols and standards ... 16
    RADIUS attributes ... 17
  AAA configuration considerations and task list ... 20
  Configuring AAA schemes ... 21
    Configuring local users ... 21
    Configuring RADIUS schemes ... 26
    Configuring HWTACACS schemes ... 39
  Configuring AAA methods for ISP domains ... 45
    Creating an ISP domain ... 45
    Configuring ISP domain attributes ... 46
    Configuring authentication methods for an ISP domain ... 47
    Configuring authorization methods for an ISP domain ... 49
    Configuring accounting methods for an ISP domain ... 51
  Tearing down user connections ... 53
  Configuring a NAS ID-VLAN binding ... 53
  Specifying the device ID used in stateful failover mode ... 53
  Displaying and maintaining AAA ... 54
  AAA configuration examples ... 54
    RADIUS authentication/authorization for Telnet/SSH users ... 54
    Local authentication/authorization for Telnet/FTP users ... 58
    AAA for PPP users by an HWTACACS server ... 59
    Level switching authentication for Telnet users by a RADIUS server ... 61
    AAA for portal users by a RADIUS server ... 65
  Troubleshooting AAA ... 71
    Troubleshooting RADIUS ... 71
    Troubleshooting HWTACACS ... 73
802.1X overview ... 74
  802.1X architecture ... 74
  Controlled/uncontrolled port and port authorization status ... 74
  802.1X-related protocols ... 75
    Packet formats ... 75
    EAP over RADIUS ... 77
  Initiating 802.1X authentication ... 77
    802.1X client as the initiator ... 77
    Access device as the initiator ... 77
  802.1X authentication procedures ... 78
    A comparison of EAP relay and EAP termination ... 79
    EAP relay ... 79
    EAP termination ... 81
Configuring 802.1X ... 83
  HP implementation of 802.1X ... 83
    Access control methods ... 83
    Using 802.1X authentication with other features ... 83
  Configuration prerequisites ... 87
  802.1X configuration task list ... 87
  Enabling 802.1X ... 88
  Enabling EAP relay or EAP termination ... 89
  Setting the port authorization state ... 89
  Specifying an access control method ... 90
  Setting the maximum number of concurrent 802.1X users on a port ... 90
  Setting the maximum number of authentication request attempts ... 91
  Setting the 802.1X authentication timeout timers ... 91
  Configuring the online user handshake function ... 92
    Configuration guidelines ... 92
    Configuration procedure ... 92
  Enabling the proxy detection function ... 93
  Configuring the authentication trigger function ... 93
    Configuration guidelines ... 94
    Configuration procedure ... 94
  Specifying a mandatory authentication domain on a port ... 94
  Configuring the quiet timer ... 95
  Enabling the periodic online user re-authentication function ... 95
  Configuring an 802.1X guest VLAN ... 96
  Configuring an Auth-Fail VLAN ... 96
  Configuring an 802.1X critical VLAN ... 97
  Specifying supported domain name delimiters ... 98
  Displaying and maintaining 802.1X ... 99
  802.1X authentication configuration example ... 99
    Network requirements ... 99
    Configuration procedure ... 99
    Verifying the configuration ... 101
  802.1X guest VLAN and VLAN assignment configuration example ... 101
    Network requirements ... 101
    Configuration procedure ... 102
    Verifying the configuration ... 103
  802.1X with ACL assignment configuration example ... 104
    Network requirements ... 104
    Configuration procedure ... 104
    Verifying the configuration ... 105
Configuring EAD fast deployment ... 106
  Overview ... 106
    Free IP ... 106
    URL redirection ... 106
  Configuration prerequisites ... 106
  Configuring a free IP ... 106
  Configuring the redirect URL ... 107
  Setting the EAD rule timer ... 107
  Displaying and maintaining EAD fast deployment ... 107
  EAD fast deployment configuration example (1) ... 108
    Network requirements ... 108
    Configuration procedure ... 108
    Verifying the configuration ... 109
  EAD fast deployment configuration example (2) ... 110
    Network requirements ... 110
    Configuration procedure ... 111
    Verifying the configuration ... 111
  Troubleshooting EAD fast deployment ... 112
    Web browser users cannot be correctly redirected ... 112
Configuring MAC authentication ... 113
  Overview ... 113
    User account policies ... 113
    Authentication methods ... 113
    MAC authentication timers ... 114
  Using MAC authentication with other features ... 114
    VLAN assignment ... 114
    ACL assignment ... 114
  Configuration task list ... 114
  Basic configuration for MAC authentication ... 115
    Configuring MAC authentication globally ... 115
    Configuring MAC authentication on a port ... 116
  Specifying a MAC authentication domain ... 116
  Displaying and maintaining MAC authentication ... 117
  MAC authentication configuration examples ... 117
    Local MAC authentication configuration example ... 117
    RADIUS-based MAC authentication configuration example ... 119
    ACL assignment configuration example ... 121
Configuring portal authentication ... 123
  Overview ... 123
    Extended portal functions ... 123
    Portal system components ... 123
    Portal authentication modes ... 125
    Portal support for EAP ... 126
    Layer 3 portal authentication process ... 126
    Portal stateful failover ... 130
    Portal authentication across VPNs ... 131
  Portal configuration task list ... 132
  Configuration prerequisites ... 132
  Specifying a portal server for Layer 3 portal authentication ... 133
  Enabling Layer 3 portal authentication ... 133
  Controlling access of portal users ... 134
    Configuring a portal-free rule ... 134
    Configuring an authentication source subnet ... 135
    Configuring an authentication destination subnet ... 136
    Setting the maximum number of online portal users ... 136
    Specifying an authentication domain for portal users ... 137
  Configuring RADIUS related attributes ... 137
    Specifying the NAS ID value carried in a RADIUS request ... 137
    Specifying NAS-Port-Type for an interface ... 138
    Specifying the NAS-Port-ID for an interface ... 138
    Specifying a NAS ID profile for an interface ... 139
  Specifying a source IP address for outgoing portal packets ... 140
  Configuring portal stateful failover ... 140
  Specifying an autoredirection URL for authenticated portal users ... 142
  Configuring portal detection functions ... 142
    Configuring online Layer 3 portal user detection ... 142
    Configuring the portal server detection function ... 143
    Configuring portal user information synchronization ... 145
  Logging off portal users ... 145
  Displaying and maintaining portal ... 146
  Portal configuration examples ... 147
    Configuring direct portal authentication ... 147
    Configuring re-DHCP portal authentication ... 151
    Configuring cross-subnet portal authentication ... 153
    Configuring direct portal authentication with extended functions ... 155
    Configuring re-DHCP portal authentication with extended functions ... 157
    Configuring cross-subnet portal authentication with extended functions ... 160
    Configuring portal stateful failover (6600/HSR6600) ... 162
    Configuring portal server detection and portal user information synchronization ... 169
    Cross-subnet portal authentication across VPNs ... 174
  Troubleshooting portal ... 176
    Inconsistent keys on the access device and the portal server ... 176
    Incorrect server port number on the access device ... 177
Configuring port security ... 178
  Overview ... 178
    Configuring port security ... 178
    Port security modes ... 179
    Working with guest VLAN and Auth-Fail VLAN ... 181
  Configuration task list ... 181
  Enabling port security ... 182
  Setting port security's limit on the number of MAC addresses on a port ... 182
  Setting the port security mode ... 183
    Configuration prerequisites ... 183
    Configuration procedure ... 183
  Configuring port security features ... 184
    Configuring NTK ... 184
    Configuring intrusion protection ... 184
    Enabling port security traps ... 185
  Configuring secure MAC addresses ... 185
    Configuration prerequisites ... 186
    Configuration procedure ... 186
  Ignoring authorization information from the server ... 187
  Displaying and maintaining port security ... 188
  Port security configuration examples ... 188
    Configuring the autoLearn mode ... 188
    Configuring the userLoginWithOUI mode ... 190
    Configuring the macAddressElseUserLoginSecure mode ... 195
  Troubleshooting port security ... 198
    Cannot set the port security mode ... 198
    Cannot configure secure MAC addresses ... 198
    Cannot change port security mode when a user is online ... 199
Configuring a user profile ······································································································································ 200
Overview·······································································································································································200
User profile configuration task list······························································································································200
Creating a user profile ················································································································································200
Performing configurations in user profile view ·········································································································201
Enabling a user profile ················································································································································201
Displaying and maintaining user profile ···················································································································201
Configuring password control································································································································ 202
Overview·······································································································································································202
FIPS compliance ···························································································································································204
Password control configuration task list·····················································································································204
Enabling password control ·········································································································································205
Setting global password control parameters ············································································································206
Setting user group password control parameters·····································································································207
Setting local user password control parameters·······································································································208
Setting super password control parameters ··············································································································208
Setting a local user password in interactive mode···································································································209
Displaying and maintaining password control ·········································································································209
Password control configuration example ··················································································································210
Configuring RSH ····················································································································································· 213
Configuration prerequisites·········································································································································213
Configuration procedure·············································································································································213
RSH configuration example ········································································································································213
Managing public keys············································································································································ 216
FIPS compliance ···························································································································································216
Configuration task list ··················································································································································216
Creating a local asymmetric key pair························································································································217
Displaying or exporting the local host public key ····································································································218
Displaying and recording the host public key information······················································································218
Displaying the host public key in a specific format and saving it to a file ····························································218
Exporting the host public key in a specific format to a file ·····················································································219
Destroying a local asymmetric key pair ····················································································································219
Specifying the peer public key on the local device··································································································219
Displaying public keys·················································································································································220
Public key configuration examples·····························································································································221
Manually specifying the peer public key on the local device ········································································221
Importing a public key from a public key file···································································································223
Configuring PKI ······················································································································································· 226
Overview·······································································································································································226
PKI terms·······························································································································································226
PKI architecture····················································································································································227
PKI operation ·······················································································································································228
PKI applications ···················································································································································228
FIPS compliance ···························································································································································228
PKI configuration task list ············································································································································228
Configuring a PKI entity ··············································································································································229
Configuring a PKI domain···········································································································································230
Requesting a certificate ···············································································································································232
Configuring automatic certificate request·········································································································232
Manually requesting a certificate ······················································································································232
Obtaining certificates ··················································································································································233
Verifying PKI certificates··············································································································································234
Verifying PKI certificates with CRL checking·····································································································234
Verifying PKI certificates without CRL checking································································································235
Destroying the local RSA key pair······························································································································235
Removing a certificate ·················································································································································235
Configuring an access control policy ························································································································236
Displaying and maintaining PKI ·································································································································236
PKI configuration examples·········································································································································237
Certificate request from an RSA Keon CA server ····························································································237
Certificate request from a Windows 2003 CA server ····················································································240
IKE negotiation with RSA digital signature ·······································································································243
Certificate access control policy configuration ································································································245
Troubleshooting PKI ·····················································································································································247
Failed to obtain a CA certificate ·······················································································································247
Failed to request a local certificate ···················································································································247
Failed to obtain CRLs ··········································································································································248
Configuring IPsec ···················································································································································· 249
Overview·······································································································································································249
Basic concepts ·····················································································································································249
IPsec tunnel interface···········································································································································252
IPsec for IPv6 routing protocols··························································································································253
IPsec RRI································································································································································253
Protocols and standards ·····································································································································254
FIPS compliance ···························································································································································254
Implementing IPsec·······················································································································································254
Implementing ACL-based IPsec ···································································································································255
Configuring an ACL ············································································································································255
Configuring an IPsec transform set····················································································································258
Configuring an IPsec policy ·······························································································································259
Applying an IPsec policy group to an interface·······························································································265
Enabling the encryption engine ·························································································································265
Enabling ACL checking of de-encapsulated IPsec packets ·············································································266
Configuring the IPsec anti-replay function ········································································································266
Configuring packet information pre-extraction ································································································267
Enabling invalid SPI recovery ····························································································································267
Configuring IPsec RRI··········································································································································268
Enabling IPsec packet fragmentation before/after encryption·······································································269
Implementing tunnel interface-based IPsec ················································································································270
Configuring an IPsec profile·······························································································································270
Configuring an IPsec tunnel interface ···············································································································272
Enabling packet information pre-extraction on the IPsec tunnel interface·····················································274
Applying a QoS policy to an IPsec tunnel interface························································································274
Configuring IPsec for IPv6 routing protocols·············································································································275
Displaying and maintaining IPsec ······························································································································275
IPsec configuration examples······································································································································276
Configuring a manual mode IPsec tunnel for IPv4 packets ············································································276
Configuring an IKE-based IPsec tunnel for IPv4 packets ·················································································278
Configuring an IKE-based IPsec tunnel for IPv6 packets·····················································································280
Configuring IPsec with IPsec tunnel interfaces··································································································282
Configuring IPsec for RIPng································································································································286
Configuring IPsec RRI··········································································································································290
Configuring IKE······················································································································································· 294
Overview·······································································································································································294
IKE security mechanism·······································································································································294
IKE operation ·······················································································································································294
IKE functions·························································································································································295
Relationship between IKE and IPsec··················································································································296
Protocols and standards ·····································································································································296
FIPS compliance ···························································································································································296
IKE configuration task list ············································································································································296
Configuring a name for the local security gateway·································································································297
Configuring an IKE proposal ······································································································································297
Configuring an IKE peer··············································································································································298
Setting keepalive timers···············································································································································301
Setting the NAT keepalive timer·································································································································301
Configuring a DPD detector········································································································································301
Disabling next payload field checking ······················································································································302
Displaying and maintaining IKE·································································································································302
IKE configuration examples ········································································································································303
Configuring main mode IKE with pre-shared key authentication···································································303
Configuring aggressive mode IKE with NAT traversal····················································································307
Troubleshooting IKE ·····················································································································································310
Invalid user ID······················································································································································310
Proposal mismatch ··············································································································································311
Failing to establish an IPsec tunnel····················································································································311
ACL configuration error ······································································································································312
Configuring SSH ····················································································································································· 313
Overview·······································································································································································313
How SSH works···················································································································································313
SSH authentication ··············································································································································314
SSH support for MPLS L3VPN ····························································································································315
FIPS compliance ···························································································································································315
Configuring the device as an SSH server··················································································································315
SSH server configuration task list ······················································································································316
Generating local DSA or RSA key pairs···········································································································316
Enabling the SSH server function·······················································································································317
Enabling the SFTP server function······················································································································317
Configuring the user interfaces for SSH clients································································································317
Configuring a client's host public key···············································································································318
Configuring an SSH user····································································································································319
Setting the SSH management parameters ········································································································320
Configuring the device as an Stelnet client···············································································································321
Stelnet client configuration task list····················································································································321
Specifying a source IP address or source interface for the Stelnet client ······················································322
Enabling and disabling first-time authentication ······························································································322
Establishing a connection to an Stelnet server ·································································································323
Configuring the device as an SFTP client ··················································································································324
SFTP client configuration task list·······················································································································324
Specifying a source IP address or source interface for the SFTP client ·························································324
Establishing a connection to an SFTP server ····································································································325
Working with SFTP directories···························································································································325
Working with SFTP files······································································································································326
Displaying help information ·······························································································································327
Terminating the connection with the SFTP server ·····························································································327
Configuring the device as an SCP client ···················································································································327
SCP client configuration task list························································································································328
Transferring files with an SCP server·················································································································328
Displaying and maintaining SSH ·······························································································································329
Stelnet configuration examples···································································································································329
Password authentication enabled Stelnet server configuration example ······················································329
Publickey authentication enabled Stelnet server configuration example·······················································331
Password authentication enabled Stelnet client configuration example························································336
Publickey authentication enabled Stelnet client configuration example························································339
SFTP configuration examples ······································································································································341
Password authentication enabled SFTP server configuration example··························································341
Publickey authentication enabled SFTP client configuration example ···························································343
SCP file transfer with password authentication·········································································································346
Network requirements·········································································································································347
Configuration procedure ····································································································································347
Configuring SSL······················································································································································· 349
Overview·······································································································································································349
SSL security mechanism ······································································································································349
SSL protocol stack ···············································································································································350
FIPS compliance ···························································································································································350
Configuration task list ··················································································································································350
Configuring an SSL server policy ·······························································································································350
Configuring an SSL client policy ································································································································352
Displaying and maintaining SSL·································································································································353
Troubleshooting SSL·····················································································································································353
SSL handshake failure·········································································································································353
Configuring SSL VPN·············································································································································· 355
Overview·······································································································································································355
Advantages of SSL VPN ··············································································································································356
Configuring SSL VPN at the CLI ·································································································································356
SSL VPN configuration example at the CLI ···············································································································357
Configuring SSL VPN in the Web interface ··············································································································359
Recommended configuration procedure···········································································································359
Configuring PKI ···················································································································································360
Configuring the SSL VPN service·······················································································································371
Configuring Web proxy server resources·········································································································372
Configuring TCP application resources ············································································································375
Configuring IP network resources······················································································································381
Configuring a resource group ···························································································································387
Configuring local users·······································································································································388
Configuring a user group···································································································································391
Viewing user information····································································································································393
Performing basic configurations for the SSL VPN domain··············································································394
Configuring authentication policies···················································································································397
Configuring a security policy ·····························································································································408
Customizing the SSL VPN user interface···········································································································411
User access to SSL VPN ··············································································································································415
Logging in to the SSL VPN service interface·····································································································416
Accessing SSL VPN resources····························································································································417
Getting help information·····································································································································418
Changing the login password····························································································································419
SSL VPN configuration example in the Web interface ····························································································419
Network requirements·········································································································································419
Configuration prerequisites ································································································································420
Configuration procedure ····································································································································420
Verifying the configuration·································································································································433
Configuring firewall ················································································································································ 437
Overview·······································································································································································437
ACL based packet-filter·······································································································································437
ASPF······································································································································································437
Configuring a packet-filter firewall·····························································································································440
Packet-filter firewall configuration task list ········································································································440
Enabling the firewall function·····························································································································440
Configuring the default filtering action of the firewall·····················································································440
Configuring packet filtering on an interface ····································································································441
Displaying and maintaining a packet-filter firewall·························································································442
Packet-filter firewall configuration example······································································································442
Configuring an ASPF ···················································································································································444
ASPF configuration task list ································································································································444
Enabling the firewall function·····························································································································444
Configuring an ASPF policy·······························································································································444
Applying an ASPF policy to an interface··········································································································445
Configuring port mapping··································································································································445
Displaying ASPF ··················································································································································446
ASPF configuration example······························································································································446
Configuring ALG····················································································································································· 448
ALG process ·································································································································································448
Enabling ALG ·······························································································································································450
FTP ALG configuration example ·································································································································450
SIP/H.323 ALG configuration example ····················································································································451
NBT ALG configuration example ·······························································································································451
Managing sessions ················································································································································· 453
Overview·······································································································································································453
Session management principle ··························································································································453
Session management functions ··························································································································453
Session management task list ·····································································································································454
Setting session aging times based on protocol state·······················································································454
Configuring session aging time based on application layer protocol type··················································455
Configuring early aging for sessions ················································································································456
Setting the maximum number of sessions ·········································································································456
Enabling checksum verification··························································································································456
Specifying the persistent session rule ················································································································457
Clearing sessions manually································································································································457
Configuring session logging ·······································································································································458
Enabling session logging····································································································································458
Setting session logging thresholds·····················································································································458
Configuring session log export··························································································································459
Displaying and maintaining session management···································································································459
Configuring connection limits································································································································· 461
Overview·······································································································································································461
Connection limit configuration task list ······················································································································461
Creating a connection limit policy ·····························································································································461
Configuring the connection limit policy ·····················································································································461
Applying the connection limit policy··························································································································462
Displaying and maintaining connection limiting ······································································································462
Connection limit configuration example····················································································································462
Network requirements·········································································································································462
Configuration procedure ····································································································································463
Verifying the configuration·································································································································463
Troubleshooting connection limiting···························································································································464
Connection limit rules with overlapping segments···························································································464
Connection limit rules with overlapping protocol types ··················································································464
Configuring web filtering········································································································································ 466
Overview·······································································································································································466
URL address filtering ···········································································································································466
IP address-supported URL address filtering·······································································································466
URL parameter filtering ·······································································································································467
Java blocking·······················································································································································467
ActiveX blocking··················································································································································468
Configuring web filtering ············································································································································468
Configuring URL address filtering······················································································································468
Configuring IP address-supported URL address filtering ·················································································468
Configuring URL parameter filtering··················································································································469
Configuring Java blocking ·································································································································469
Configuring ActiveX blocking ····························································································································470
Displaying and maintaining web filtering ·················································································································470
URL address filtering configuration example·············································································································471
URL parameter filtering configuration example ········································································································472
Java blocking configuration example ························································································································473
Troubleshooting web filtering ·····································································································································474
Failed to add filtering entry or suffix keyword due to upper limit··································································474
Invalid characters are present in the configured parameter···········································································475
Invalid use of wildcard ·······································································································································475
Invalid blocking suffix ·········································································································································476
ACL configuration failed·····································································································································476
Unable to access the HTTP server by IP address······························································································477
Configuring attack detection and protection ········································································································ 478
Overview·······································································································································································478
Types of network attacks the device can defend against ···············································································478
Blacklist function ··················································································································································480
Traffic statistics function ······································································································································480
TCP proxy·····························································································································································481
Attack detection and protection configuration task list ····························································································483
Configuring attack protection functions for an interface ·························································································484
Creating an attack protection policy·················································································································484
Configuring an attack protection policy ···········································································································484
Applying an attack protection policy to an interface ······················································································487
Configuring TCP proxy················································································································································488
Configuring the blacklist function·······························································································································488
Enabling traffic statistics on an interface ···················································································································489
Displaying and maintaining attack detection and protection ·················································································489
Attack detection and protection configuration examples ························································································490
Attack protection functions on interfaces configuration example···································································490
Blacklist configuration example ·························································································································492
Traffic statistics configuration example ·············································································································493
TCP proxy configuration example ·····················································································································495
Configuring TCP attack protection························································································································· 497
Overview·······································································································································································497
Enabling the SYN Cookie feature ······························································································································497
Enabling protection against Naptha attacks·············································································································498
Displaying and maintaining TCP attack protection ··································································································498
Configuring IP source guard ·································································································································· 499
Overview·······································································································································································499
Static IP source guard entries·····························································································································499
Dynamic IP source guard entries ·······················································································································500
Configuring IPv4 source guard···································································································································500
Enabling IPv4 source guard on a port ··············································································································500
Configuring a static IPv4 source guard entry···································································································501
Setting the maximum number of IPv4 source guard entries············································································502
Displaying and maintaining IP source guard············································································································502
Static IPv4 source guard entry configuration example ····························································································503
Dynamic IPv4 source guard by DHCP snooping configuration example ······························································505
Dynamic IPv4 source guard by DHCP relay configuration example······································································506
Troubleshooting IP source guard ································································································································507
Configuring ARP attack protection························································································································· 508
Overview·······································································································································································508
ARP attack protection configuration task list ·············································································································508
Configuring unresolvable IP attack protection ··········································································································509
Configuring ARP source suppression ················································································································509
Enabling ARP black hole routing ·······················································································································509
Displaying and maintaining ARP source suppression ·····················································································510
Configuration example ·······································································································································510
Configuring ARP packet rate limit ······························································································································511
Configuring ARP packet source MAC consistency check························································································511
Configuring ARP active acknowledgement ···············································································································512
Configuring authorized ARP ·······································································································································512
Configuration example (on a DHCP server)·····································································································513
Authorized ARP configuration example (on a DHCP relay agent) ································································514
Configuring ARP detection··········································································································································515
Configuring user validity check ·························································································································516
Configuring ARP packet validity check·············································································································517
Configuring ARP restricted forwarding ·············································································································517
Displaying and maintaining ARP detection ······································································································518
User validity check configuration example·······································································································518
User validity check and ARP packet validity check configuration example··················································520
ARP restricted forwarding configuration example ···························································································521
Configuring ARP automatic scanning and fixed ARP·······························································································523
Configuration guidelines ····································································································································523
Configuration procedure ····································································································································524
Configuring ARP gateway protection ························································································································524
ARP gateway protection configuration example······························································································525
Configuring ARP filtering·············································································································································525
ARP filtering configuration example··················································································································526
Configuring ND attack defense ····························································································································· 527
Overview·······································································································································································527
Enabling source MAC consistency check for ND packets·······················································································528
Configuring URPF···················································································································································· 529
Overview·······································································································································································529
URPF check modes ··············································································································································529
URPF features ·······················································································································································529
URPF work flow····················································································································································530
Network application ···········································································································································532
Configuring URPF on an interface······························································································································532
URPF configuration example·······································································································································533
Network requirements·········································································································································533
Configuration procedure ····································································································································533
Configuring FIPS······················································································································································ 534
Overview·······································································································································································534
FIPS self-tests ·································································································································································534
Power-up self-tests················································································································································534
Conditional self-tests············································································································································535
Triggering a self-test ············································································································································535
Configuration changes in FIPS mode·························································································································535
Configuration considerations······································································································································536
Enabling FIPS mode·····················································································································································536
Displaying and maintaining FIPS ·······························································································································536
FIPS configuration example·········································································································································536
Network requirements·········································································································································536
Configuration procedure ····································································································································537
Verifying the configuration·································································································································538
Support and other resources ·································································································································· 539
Contacting HP ······························································································································································539
Subscription service ············································································································································539
Related information······················································································································································539
Documents····························································································································································539
Websites·······························································································································································539
Conventions ··································································································································································540
Index ········································································································································································ 542

Security overview
Network security threats are actual or potential threats to data confidentiality, data integrity, data
availability, or the authorized usage of resources in a network system. Network security services provide
solutions that eliminate or reduce those threats to different extents.
Network security threats
• Information disclosure—Information is leaked to an unauthorized person or entity.
• Data integrity damage—Data integrity is damaged by unauthorized modification or malicious
destruction.
• Denial of service—Makes information or other network resources unavailable to their intended
users.
• Unauthorized usage—Resources are used by unauthorized persons or in unauthorized ways.
Network security services
One security service is implemented by one or more network security technologies. One technology can
implement multiple services. A safe network needs the following services:
• Identity authentication—Identifies users and determines if a user is valid. Typical ways include
AAA-based username plus password authentication, and PKI digital certificate-based
authentication.
• Access security—Controls the behaviors in which a user accesses network resources based on the
identity authentication result, to prevent unauthorized access and usage of the network resources.
Major access security protocols include 802.1X, MAC authentication, and portal authentication,
which work together with AAA to implement user identity authentication.
• Data security—Encrypts and decrypts data during data transmission and storage. Typical
encryption mechanisms include symmetric encryption and asymmetric encryption, and their
common applications are IPsec, SSL, and SSH. IPsec secures IP communications. SSL and SSH
protect data transfer based on TCP.
• Firewall—A highly effective network security model to block unauthorized Internet access to a
protected network. Major firewall implementations are ACL based packet filter, ASPF, and ALG.
• Attack detection and protection—Identifies attacks by inspecting network traffic behaviors or
application layer protocol packet contents. According to the inspection result, it takes measures to
deal with the attacks or would-be attacks at the data link layer, network layer, or application layer.

Network security technologies
Identity authentication
AAA
AAA provides a uniform framework for implementing network access management. It provides the
following security functions:
• Authentication—Identifies network users and determines whether the user is valid.
• Authorization—Grants user rights and controls user access to resources and services. For example,
a user who has successfully logged in to the device can be granted read and print permissions to
the files on the device.
• Accounting—Records all network service usage information, including the service type, start time,
and traffic. The accounting function provides information required for charging, and allows for user
behavior auditing.
AAA can be implemented through multiple protocols, such as RADIUS, HWTACACS, and LDAP, among
which RADIUS is most often used.
PKI
PKI uses a general security infrastructure to provide information security through public key technologies.
PKI employs the digital certificate mechanism to manage the public keys. The digital certificate
mechanism binds public keys to their owners, helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication, e-commerce, and
e-Government with security services.
HP's PKI system provides digital certificate management for IPsec and SSL.
Access security
802.1X
802.1X is a port-based network access control protocol for securing wireless LANs (WLANs), and it has
also been widely used on Ethernet networks for access control. 802.1X controls network access by
authenticating the devices connected to 802.1X-enabled LAN ports.
MAC authentication
MAC authentication controls network access by authenticating source MAC addresses on a port. It does
not require client software, and users do not need to enter a username and password for network access.
The device initiates a MAC authentication process when it detects an unknown source MAC address on
a MAC authentication-enabled port. If the MAC address passes authentication, the user can access
authorized network resources.
Port security
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network
access control. It applies to networks that require different authentication methods for different users on
a port, such as a WLAN. Port security prevents unauthorized access to a network by checking the source
MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination
MAC address of outbound traffic.

Portal authentication
Portal authentication, also called "Web authentication," controls user access at the access layer and at
other data entrances that need protection. It does not require client software to authenticate users. Users
only need to enter a username and a password on the webpage for authentication.
With portal authentication, an access device redirects all unauthenticated users to a specific webpage,
and users can freely access resources on the webpage. However, to access other resources on the
Internet, a user must pass portal authentication on the portal authentication page.
Data security
Managing public keys
Public key configuration enables you to manage the local asymmetric key pairs (such as creating and
destroying a local asymmetric key pair, displaying or exporting the local host public key), and configure
the peer host public keys on the local device.
IPsec and IKE
IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology mainly for
data encryption and data origin authentication.
IKE provides automatic negotiation of security parameters for IPsec, simplifying the configuration and
maintenance of IPsec. Security parameters for IKE negotiation include authentication and encryption
algorithms, authentication and encryption keys, IP packet encapsulation modes (tunnel mode and
transport mode), and key lifetime.
SSL and SSL VPN
SSL is a security protocol that provides secure connection services for TCP-based application layer
protocols by using the public key mechanism and digital certificates. SSL is independent of the
application layer protocol, so an application layer protocol can use a secure connection provided by SSL
without knowing SSL information. A common application is HTTPS—HTTP over SSL or HTTP Secure.
SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application
layer. SSL VPN has been widely used for secure, remote Web-based access. For example, it can allow
remote users to access the corporate network securely.
SSH
SSH is a network security protocol implementing secure remote login and file transfer over an insecure
network. Using encryption and authentication, SSH protects devices against attacks such as IP spoofing
and plaintext password interception.
Firewall and connection control
ACL based packet-filter
An ACL packet-filter filters IP packets based on their header fields.
Before forwarding an IP packet, the device obtains the following header information:
• Number of the upper layer protocol carried by the IP layer
• Source address
• Destination address
• Source port number
• Destination port number
The device compares the header information against the preset ACL rules and processes (discards or
forwards) the packet based on the comparison result.
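As an added illustration (not from the HP guide), the following Python models the filter just described: it takes the five header fields, walks an ordered rule list, and applies the first matching rule or a default action. The rule syntax and the 192.168.10.0/24 server policy are constructed for the example and are not the device's CLI.

```python
# Added example (not from the HP guide): a minimal ACL-based packet filter over
# the header fields the overview lists. Rules are evaluated in order and the
# first match wins; the rule format is constructed here, not the device's CLI.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    protocol: str         # upper-layer protocol carried by IP: "tcp", "udp", "icmp"
    src: str              # source address
    dst: str              # destination address
    sport: Optional[int]  # source port (None when the protocol has no ports)
    dport: Optional[int]  # destination port (None when the protocol has no ports)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    protocol: str = "any"        # "any" or a protocol name
    src: str = "any"             # "any" or a CIDR prefix
    dst: str = "any"
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        def in_prefix(addr: str, prefix: str) -> bool:
            return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)
        return ((self.protocol == "any" or self.protocol == pkt.protocol)
                and in_prefix(pkt.src, self.src) and in_prefix(pkt.dst, self.dst)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))

def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default when none matches.
    Order matters: a broad rule placed early shadows later, more specific ones."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed policy for a server subnet: block Telnet from anywhere, permit
# HTTPS and DNS to the servers, and implicitly deny everything else.
RULES = [
    Rule("deny", protocol="tcp", dport=23),
    Rule("permit", protocol="tcp", dst="192.168.10.0/24", dport=443),
    Rule("permit", protocol="udp", dst="192.168.10.0/24", dport=53),
]
```

Because evaluation stops at the first match, the order of permit and deny rules is part of the policy; a review of an ACL should check for broad rules that shadow the specific ones placed after them.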
ASPF
An ASPF implements status-based packet filtering, and provides the following functions:
• Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
• Application layer protocol inspection—ASPF checks application layer information for packets, such
as the protocol type and port number, and monitors the application layer protocol status for each
connection. ASPF maintains status information for each connection and, based on that status
information, determines whether to permit a packet to pass through the firewall into the internal
network, thus defending the internal network against attacks.
ASPF also supports other security functions, such as port to application mapping, Java blocking, ActiveX
blocking, ICMP error message inspection, and first-packet inspection for TCP connections.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better meets its actual needs.
ALG
ALG processes payload information for application layer packets.
Working with NAT, ALG implements address translation in packet payloads. Working with ASPF, ALG
implements data connection detection and application layer status checking.
Session management
Session management is a common feature designed to implement session-based services such as NAT,
ASPF, and intrusion protection. Session management tracks the connection status by inspecting the
transport layer protocol (TCP or UDP) information, and regards packet exchanges at the transport layer
as sessions, performing unified status maintenance and management of all connections.
In actual applications, session management works together with ASPF to dynamically determine whether
a packet can pass the firewall and enter the internal network according to connection status, thus
preventing intrusion.
The session management function only implements connection status tracking. It does not block potential
attack packets.
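The connection-status tracking that the ASPF and session management sections describe can be shown with an added example that is not from the HP guide: a session table keyed by the transport 5-tuple that forwards outside-to-inside packets only when they answer a session the inside initiated, with a simplified SYN/SYN-ACK check for TCP. The zone names, state names, and addresses are constructed for this illustration.

```python
# Added example (not from the HP guide): a minimal session table of the kind the
# overview attributes to ASPF and session management. Connections are keyed by
# the transport 5-tuple; a packet arriving from the outside is forwarded only when
# it belongs to a session the inside initiated. Zone/state names are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Packet:
    zone: str        # "inside" or "outside": the side the packet arrived from
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A"; empty for UDP

Key = Tuple[str, str, int, str, int]

class SessionTable:
    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}  # key of the initiating direction -> state

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        """Return "forward" or "drop" for one packet and update the session state."""
        if p.zone == "inside":
            key = self._key(p)
            if key not in self.sessions:
                if p.proto == "tcp" and p.flags != "S":
                    return "drop"  # a new TCP session must begin with a SYN
                self.sessions[key] = "SYN_SENT" if p.proto == "tcp" else "ESTABLISHED"  # new outbound session
            return "forward"
        # Outside -> inside: only replies to a tracked session pass; anything else is unsolicited.
        state = self.sessions.get(self._reverse(p))
        if state is None:
            return "drop"
        if p.proto == "tcp" and state == "SYN_SENT":
            if p.flags != "SA":
                return "drop"  # the only valid reply to our SYN is a SYN-ACK
            self.sessions[self._reverse(p)] = "ESTABLISHED"
        return "forward"
```

A real implementation also ages sessions out and tracks teardown (FIN/RST), which this example omits; the point shown is that the decision depends on recorded connection state, not on the packet's header alone.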
Connection limits
To protect internal network resources (hosts or servers) and correctly allocate system resources on the
device, you can configure connection limit policies to collect statistics and limit the number of connections,
connection establishment rate, and connection bandwidth.
Attack detection and protection
ARP attack protection
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices. HP has provided a
comprehensive and effective solution against common ARP attacks, such as user and gateway spoofing
attacks and flood attacks.
ND attack defense
The IPv6 ND protocol provides rich functions, but does not provide any security mechanisms. Attackers
can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. To defend
against such attacks, the device provides multiple ND attack detection technologies, such as source MAC
consistency check for ND packets and ND Detection.
IP source guard
IP source guard uses binding entries to improve port security by blocking illegal packets. For example, it
can prevent illegal hosts from using a valid IP address to access the network. It is applied on an interface
connected to the user side.
IP source guard can filter packets according to the packet source IP address, source MAC address, and
VLAN ID. An IP source guard entry can be statically configured or dynamically added through DHCP or
ND.
URPF
URPF protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attack detection and protection
Attack detection and protection is an important network security feature. It determines whether received
packets are attack packets according to the packet contents and behaviors and, if it detects an attack,
takes measures to deal with the attack, such as outputting alarm logs, dropping packets, and blacklisting
the source IP address. The attack protection function can detect network attacks such as single-packet
attacks, scanning attacks, and flood attacks.
TCP attack protection
Attackers can attack the device during the process of TCP connection establishment. To prevent such
attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
Web filtering
Web filtering can help devices prevent internal users from accessing unauthorized websites and block
Java applets and ActiveX objects from webpages to improve internal network security.
Other security technologies
The device also provides other network security technologies to deliver comprehensive, multifunctional
security protection for users.
User profile
A user profile provides a configuration template to save predefined configurations, such as a CAR policy
or a QoS policy. Different user profiles are applicable to different application scenarios.
The user profile works with PPPoE, 802.1X, and portal authentication. It can restrict authenticated
users' behaviors. After the authentication server verifies a user, it sends the device the name of the user
profile that is associated with the user.

Password control
Password control is a set of functions for enhancing the local password security. It controls user login
passwords, super passwords, and user login status based on predefined policies. Those policies include
minimum password length, minimum password update interval, password aging, and early notice on
pending password expiration.
RSH
RSH allows users to execute OS commands on a remote host that runs the RSH daemon. The RSH
daemon supports authentication of the privileged port on a trusted host. The device works as an RSH
client, and you can use the rsh command on the device to execute an OS command on a remote host.