HPE FlexNetwork MSR Series User manual
HPE FlexNetwork MSR Router Series
Comware 5 Security Configuration Guide
Part number: 5200-2323
Software version: CMW710-R2516
Document version: 6W107-20160831
i
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® andAcrobat® are trademarks ofAdobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
ii
Contents
Security overview····························································································1
Network security threats ····································································································································1
Network security services ··································································································································1
Network security technologies ···························································································································1
Identity authentication································································································································1
Access security··········································································································································2
Data security··············································································································································2
Firewall and connection control··················································································································3
Attack detection and protection··················································································································4
Other security technologies························································································································4
Configuring AAA ·····························································································6
Overview····························································································································································6
RADIUS······················································································································································7
HWTACACS·············································································································································11
Domain-based user management············································································································14
RADIUS server feature of the router········································································································15
AAA for MPLS L3VPNs····························································································································16
Protocols and standards ··························································································································17
RADIUS attributes····································································································································17
FIPS compliance··············································································································································20
AAA configuration considerations and task list································································································20
Configuring AAA schemes·······························································································································22
Configuring local users·····························································································································22
Configuring RADIUS schemes·················································································································26
Configuring HWTACACS schemes··········································································································37
Configuring AAA methods for ISP domains·····································································································43
Creating an ISP domain···························································································································43
Configuring ISP domain attributes ···········································································································44
Configuring authentication methods for an ISP domain···········································································45
Configuring authorization methods for an ISP domain·············································································48
Configuring accounting methods for an ISP domain················································································50
Tearing down user connections·······················································································································52
Configuring a NAS ID-VLAN binding ···············································································································53
Configuring the router as a RADIUS server·····································································································53
RADIUS server functions configuration task list·······················································································53
Configuring a RADIUS user·····················································································································54
Specifying a RADIUS client······················································································································54
Displaying and maintaining AAA······················································································································55
AAA configuration examples····························································································································55
Authentication/authorization for Telnet/SSH users by a RADIUS server·················································55
Local authentication/authorization for Telnet/FTP users··········································································61
AAA for PPP users by an HWTACACS server ························································································62
Level switching authentication for Telnet users by a RADIUS server······················································63
AAA for portal users by a RADIUS server································································································67
RADIUS authentication and authorization for Telnet users by a network device·····································74
Troubleshooting AAA·······································································································································75
Troubleshooting RADIUS·························································································································75
Troubleshooting HWTACACS··················································································································77
802.1X overview ···························································································78
802.1X architecture··········································································································································78
Controlled/uncontrolled port and port authorization status ··············································································78
802.1X-related protocols··································································································································79
Packet formats·········································································································································79
EAP over RADIUS ···································································································································80
Initiating 802.1X authentication························································································································81
iii
802.1X client as the initiator·····················································································································81
Access device as the initiator···················································································································81
802.1X authentication procedures ···················································································································81
Comparing EAP relay and EAP termination·····························································································82
EAP relay·················································································································································82
EAP termination·······································································································································84
Configuring 802.1X·······················································································86
Hewlett Packard Enterprise implementation of 802.1X····················································································86
Access control methods···························································································································86
Using 802.1X authentication with other features······················································································86
Configuration prerequisites······························································································································89
802.1X configuration task list···························································································································89
Enabling 802.1X···············································································································································90
Enabling EAP relay or EAP termination···········································································································90
Setting the port authorization state ··················································································································91
Specifying an access control method ··············································································································92
Setting the maximum number of concurrent 802.1X users on a port·······························································92
Setting the maximum number of authentication request attempts···································································93
Setting the 802.1X authentication timeout timers ····························································································93
Configuring the online user handshake function······························································································93
Configuration guidelines···························································································································94
Configuration procedure···························································································································94
Enabling the proxy detection function··············································································································94
Configuring the authentication trigger function ································································································95
Configuration guidelines···························································································································95
Configuration procedure···························································································································95
Specifying a mandatory authentication domain on a port················································································96
Configuring the quiet timer·······························································································································96
Enabling the periodic online user re-authentication function ···········································································97
Configuring an 802.1X guest VLAN·················································································································97
Configuration guidelines···························································································································97
Configuration prerequisites······················································································································98
Configuration procedure···························································································································98
Configuring an Auth-Fail VLAN························································································································98
Configuration guidelines···························································································································98
Configuration prerequisites······················································································································98
Configuration procedure···························································································································98
Configuring an 802.1X critical VLAN················································································································99
Configuration guidelines···························································································································99
Configuration prerequisites······················································································································99
Configuration procedure···························································································································99
Specifying supported domain name delimiters ······························································································100
Configuring 802.1X MAC address binding·····································································································100
Displaying and maintaining 802.1X················································································································101
802.1X authentication configuration example································································································101
Network requirements····························································································································101
Configuration procedure·························································································································102
Verifying the configuration······················································································································103
802.1X guest VLAN and VLAN assignment configuration example ······························································103
Network requirements····························································································································103
Configuration procedure·························································································································104
Verifying the configuration······················································································································106
802.1X with ACL assignment configuration example·····················································································106
Network requirements····························································································································106
Configuration procedure·························································································································106
Verifying the configuration······················································································································107
Configuring EAD fast deployment·······························································108
Overview························································································································································108
Free IP ···················································································································································108
URL redirection······································································································································108
iv
Hardware compatibility with EAD fast deployment ························································································108
Configuration prerequisites····························································································································109
Configuring a free IP······································································································································109
Configuring the redirect URL ·························································································································109
Setting the EAD rule timer ·····························································································································109
Displaying and maintaining EAD fast deployment ·························································································110
EAD fast deployment configuration example·································································································110
Network requirements····························································································································110
Configuration procedure·························································································································111
Verifying the configuration······················································································································112
Troubleshooting EAD fast deployment ··········································································································112
Web browser users cannot be correctly redirected················································································112
Configuring MAC authentication ·································································114
Overview························································································································································114
User account policies·····························································································································114
Authentication methods··························································································································114
MAC authentication timers·····················································································································115
Using MAC authentication with other features·······························································································115
VLAN assignment ··································································································································115
ACL assignment·····································································································································115
Configuration task list·····································································································································116
Basic configuration for MAC authentication···································································································116
Configuring MAC authentication globally·······························································································116
Configuring MAC authentication on a port·····························································································117
Specifying a MAC authentication domain ······································································································118
Configuring MAC authentication delay···········································································································118
Displaying and maintaining MAC authentication····························································································119
MAC authentication configuration examples··································································································119
Local MAC authentication configuration example··················································································119
RADIUS-based MAC authentication configuration example··································································120
ACL assignment configuration example·································································································122
Configuring port security·············································································125
Overview························································································································································125
Port security features·····························································································································125
Port security modes ·······························································································································125
Support for WLAN··································································································································128
Working with guest VLAN and Auth-Fail VLAN······················································································129
Configuration task list·····································································································································129
Enabling port security ····································································································································129
Setting port security's limit on the number of MAC addresses on a port ·······················································130
Setting the port security mode ·······················································································································130
Configuration prerequisites····················································································································131
Configuration procedure·························································································································131
Configuring port security features··················································································································132
Configuring NTK·····································································································································132
Configuring intrusion protection ·············································································································133
Enabling port security traps····················································································································133
Configuring secure MAC addresses ··············································································································134
Configuration prerequisites····················································································································135
Configuration procedure·························································································································135
Configuring port security for WLAN ports ······································································································135
Setting the port security mode of a WLAN port······················································································136
Enabling key negotiation························································································································136
Configuring a PSK··································································································································137
Ignoring authorization information from the server ························································································137
Displaying and maintaining port security ·······································································································137
Port security configuration examples·············································································································138
Configuring the autoLearn mode············································································································138
Configuring the userLoginWithOUI mode ······························································································140
Configuring the macAddressElseUserLoginSecure mode·····································································144
v
Troubleshooting port security·························································································································147
Cannot set the port security mode·········································································································147
Cannot configure secure MAC addresses ·····························································································147
Cannot change port security mode when a user is online ·····································································148
Configuring IPsec························································································149
Overview························································································································································149
Basic concepts·······································································································································149
IPsec implementation on an encryption card·························································································151
IPsec tunnel interface·····························································································································152
IPsec for IPv6 routing protocols·············································································································153
IPsec RRI···············································································································································153
Protocols and standards ························································································································154
FIPS compliance············································································································································154
Implementing IPsec ·······································································································································154
Implementing ACL-based IPsec ····················································································································155
Configuring an ACL································································································································156
Configuring an IPsec transform set········································································································158
Configuring an IPsec policy····················································································································160
Applying an IPsec policy group to an interface······················································································165
Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card······························166
Enabling the encryption engine··············································································································167
Enabling the IPsec module backup function··························································································167
Configuring the IPsec session idle timeout····························································································168
Enabling ACL checking of de-encapsulated IPsec packets···································································168
Configuring the IPsec anti-replay function ·····························································································168
Configuring a shared source interface policy group···············································································169
Configuring packet information pre-extraction ·······················································································170
Enabling invalid SPI recovery ················································································································170
Configuring IPsec RRI····························································································································171
Enabling transparent data transmission without NAT············································································172
Enabling fragmentation before/after encryption·····················································································172
Implementing tunnel interface-based IPsec···································································································173
Configuring an IPsec profile···················································································································174
Configuring an IPsec tunnel interface····································································································175
Enabling packet information pre-extraction on the IPsec tunnel interface·············································176
Applying a QoS policy to an IPsec tunnel interface ···············································································177
Configuring IPsec for IPv6 routing protocols··································································································177
Displaying and maintaining IPsec··················································································································178
IPsec configuration examples························································································································179
Configuring manual mode IPsec tunnel·································································································179
Configuring IKE-based IPsec tunnel······································································································181
Configuring encryption cards for IPsec services····················································································183
Configuring IPsec interface backup ·······································································································185
Configuring IPsec with IPsec tunnel interfaces······················································································189
Configuring IPsec for RIPng···················································································································193
Configuring IPsec RRI····························································································································196
Configuring IKE···························································································200
Overview························································································································································200
IKE security mechanism·························································································································200
IKE operation ·········································································································································200
IKE functions··········································································································································201
Relationship between IKE and IPsec·····································································································202
Protocols and standards ························································································································202
FIPS compliance············································································································································202
IKE configuration task list·······························································································································203
Configuring a name for the local security gateway ························································································203
Configuring an IKE proposal··························································································································204
Configuring an IKE peer·································································································································205
Setting keepalive timers·································································································································207
Setting the NAT keepalive timer ····················································································································207
vi
Configuring a DPD detector···························································································································208
Disabling next payload field checking············································································································208
Displaying and maintaining IKE ·····················································································································209
IKE configuration examples ···························································································································209
Configuring main mode IKE with pre-shared key authentication ···························································209
Configuring aggressive mode IKE with NAT traversal···········································································213
Troubleshooting IKE ······································································································································216
Invalid user ID········································································································································216
Proposal mismatch·································································································································217
Failed to establish an IPsec tunnel ········································································································217
ACL configuration error··························································································································218
Configuring IKEv2·······················································································219
Overview························································································································································219
New features in IKEv2····························································································································219
Protocols and standards ························································································································220
IKEv2 configuration task list···························································································································220
Configuring global IKEv2 parameters ············································································································221
Configuring the cookie challenging function···························································································221
Configuring the IKEv2 DPD function······································································································221
Setting limits on the number of IKEv2 SAs ····························································································222
Configuring an address pool for assigning addresses to initiators·························································222
Configuring an IKEv2 proposal ······················································································································223
Configuring an IKEv2 policy···························································································································223
Configuring an IKEv2 keyring ························································································································224
Configuring an IKEv2 profile ··························································································································225
Displaying and maintaining IKEv2 ·················································································································227
IKEv2 configuration examples ·······················································································································227
Configuring IKEv2 pre-shared key authentication··················································································227
Configuring IKEv2 certificate authentication ··························································································233
Troubleshooting IKEv2···································································································································240
No matching IKEv2 proposal found········································································································240
IPsec tunnels cannot be set up··············································································································240
Configuring PKI···························································································241
Overview························································································································································241
PKI terminology······································································································································241
PKI architecture······································································································································242
PKI operation ·········································································································································242
PKI applications ·····································································································································243
FIPS compliance············································································································································243
PKI configuration task list·······························································································································243
Configuring an entity DN································································································································244
Configuring a PKI domain······························································································································245
Requesting a PKI certificate···························································································································246
Configuring automatic certificate request·······························································································247
Manually requesting a certificate············································································································248
Retrieving a certificate manually····················································································································249
Verifying PKI certificates································································································································249
Verifying certificates with CRL checking································································································250
Verifying certificates without CRL checking···························································································250
Destroying the local RSA key pair ·················································································································250
Deleting a certificate ······································································································································251
Configuring a certificate access control policy·······························································································251
Displaying and maintaining PKI ·····················································································································252
PKI configuration examples ···························································································································252
Certificate request from an RSA Keon CA server··················································································252
Certificate request from a Windows 2003 CA server·············································································255
IKE negotiation with RSA digital signature·····························································································258
Certificate access control policy configuration example·········································································260
Troubleshooting PKI configurationTroubleshooting PKI configuration···························································262
Failed to obtain the CA certificate··········································································································262
vii
Failed to request local certificates··········································································································262
Failed to retrieve CRLs ··························································································································263
Managing public keys ·················································································264
FIPS compliance············································································································································264
Configuration task list·····································································································································265
Creating a local asymmetric key pair·············································································································265
Displaying or exporting the local host public key ···························································································266
Displaying and recording the host public key information··············································································267
Displaying the host public key in a specific format and saving it to a file·······················································267
Exporting the host public key in a specific format to a file ·············································································267
Destroying a local asymmetric key pair ·········································································································268
Configuring the local RSA key pair for certificate request··············································································268
Exporting an RSA key pair·····························································································································268
Importing an RSA key pair·····························································································································269
Specifying the peer public key on the local device ························································································269
Displaying public keys····································································································································270
Public key configuration examples·················································································································270
Manually specifying the peer public key on the local device··································································270
Importing a public key from a public key file ··························································································272
Exporting and importing an RSA key pair······························································································275
Configuring RSH·························································································278
Configuration prerequisites····························································································································278
Configuration procedure ································································································································278
RSH configuration example ···························································································································278
Configuring portal authentication ································································281
Overview························································································································································281
Extended portal functions·······················································································································281
Portal system components·····················································································································281
Portal system using the local portal server ····························································································283
Portal authentication modes···················································································································284
Portal support for EAP ···························································································································285
Layer 2 portal authentication process····································································································285
Layer 3 portal authentication process····································································································286
Portal authentication across VPNs·········································································································290
Portal configuration task list···························································································································290
Configuration prerequisites····························································································································292
Specifying the portal server ···························································································································292
Specifying the local portal server for Layer 2 portal authentication························································292
Specifying a portal server for Layer 3 portal authentication···································································293
Configuring the local portal server ·················································································································294
Customizing authentication pages·········································································································294
Configuring the local portal server ·········································································································297
Enabling portal authentication························································································································298
Enabling Layer 2 portal authentication···································································································298
Enabling Layer 3 portal authentication···································································································298
Controlling access of portal users··················································································································299
Configuring a portal-free rule ·················································································································299
Configuring an authentication source subnet·························································································300
Configuring an authentication destination subnet··················································································301
Setting the maximum number of online portal users··············································································301
Specifying an authentication domain for portal users ············································································301
Configuring Layer 2 portal authentication to support Web proxy···························································302
Enabling support for portal user moving ································································································303
Configuring RADIUS related attributes ··········································································································303
Specifying NAS-Port-Type for an interface····························································································304
Specifying the NAS-Port-ID for an interface···························································································304
Specifying a NAS ID profile for an interface···························································································304
Specifying a source IP address for outgoing portal packets··········································································305
Specifying an autoredirection URL for authenticated portal users·································································306
viii
Configuring portal detection functions············································································································306
Configuring online Layer 2 portal user detection····················································································306
Configuring online Layer 3 portal user detection····················································································307
Configuring the portal server detection function·····················································································307
Configuring portal user information synchronization··············································································308
Logging off portal users ·································································································································309
Including the MAC address parameter in the redirection URL·······································································309
Configuring mandatory Web page pushing····································································································310
Displaying and maintaining portal··················································································································311
Portal configuration examples························································································································312
Configuring direct portal authentication··································································································312
Configuring re-DHCP portal authentication····························································································316
Configuring cross-subnet portal authentication······················································································318
Configuring direct portal authentication with extended functions···························································320
Configuring re-DHCP portal authentication with extended functions·····················································321
Configuring cross-subnet portal authentication with extended functions···············································324
Configuring portal server detection and portal user information synchronization ··································326
Cross-subnet portal authentication across VPNs···················································································331
Troubleshooting portal ···································································································································333
Inconsistent keys on the access device and the portal server·······························································333
Incorrect server port number on the access device···············································································333
Configuring firewall ·····················································································334
Overview························································································································································334
ACL based packet-filter··························································································································334
ASPF······················································································································································335
Configuring a packet-filter firewall··················································································································338
Packet-filter firewall configuration task list ·····························································································338
Enabling the firewall function ·················································································································338
Configuring the default filtering action of the firewall··············································································338
Enabling fragment inspection·················································································································339
Configuring the high and low thresholds for fragment inspection ··························································339
Configuring packet filtering on an interface····························································································340
Configuring Ethernet frame filtering ·······································································································341
Displaying and maintaining a packet-filter firewall ·················································································341
Packet-filter firewall configuration example····························································································342
Configuring an ASPF ·····································································································································343
ASPF configuration task list···················································································································343
Enabling the firewall function ·················································································································344
Configuring an ASPF policy···················································································································344
Applying an ASPF policy to an interface································································································344
Enabling the session logging function for ASPF····················································································345
Configuring port mapping·······················································································································345
Displaying and maintaining ASPF··········································································································346
ASPF configuration example··················································································································346
Configuring SSH·························································································348
Overview························································································································································348
How SSH works·····································································································································348
SSH authentication methods··················································································································349
SSH support for MPLS L3VPN ··············································································································350
FIPS compliance············································································································································350
Configuring the device as an SSH server······································································································351
SSH server configuration task list··········································································································351
Generating local DSA or RSA key pairs·································································································351
Enabling the SSH server function··········································································································352
Enabling the SFTP server function ········································································································352
Configuring the user interfaces for SSH clients ·····················································································352
Configuring a client's host public key·····································································································353
Configuring an SSH user ·······················································································································354
Setting the SSH management parameters ····························································································355
Configuring the device as an Stelnet client····································································································356
ix
Stelnet client configuration task list········································································································356
Specifying a source IP address or source interface for the Stelnet client··············································356
Enabling and disabling first-time authentication·····················································································357
Establishing a connection to an Stelnet server······················································································358
Configuring the device as an SFTP client······································································································358
SFTP client configuration task list··········································································································359
Specifying a source IP address or source interface for the SFTP client················································359
Establishing a connection to an SFTP server························································································359
Working with SFTP directories···············································································································360
Working with SFTP files·························································································································361
Displaying help information····················································································································362
Terminating the connection with the SFTP server·················································································362
Configuring the device as an SCP client········································································································362
SCP client configuration task list············································································································362
Transferring files with an SCP server·····································································································363
Displaying and maintaining SSH····················································································································363
Stelnet configuration examples······················································································································364
Password authentication enabled Stelnet server configuration example···············································364
Publickey authentication enabled Stelnet server configuration example···············································366
Password authentication enabled Stelnet client configuration example ················································371
Publickey authentication enabled Stelnet client configuration example·················································374
SFTP configuration examples················································································································376
Password authentication enabled SFTP server configuration example·················································376
Publickey authentication enabled SFTP client configuration example···················································378
SCP configuration example ···························································································································381
Network requirements····························································································································381
Configuration procedure·························································································································382
Configuring SSL··························································································384
Overview························································································································································384
SSL security mechanism························································································································384
SSL protocol stack·································································································································384
FIPS compliance············································································································································385
Configuration task list·····································································································································385
Configuring an SSL server policy···················································································································386
Configuring an SSL client policy ····················································································································387
Displaying and maintaining SSL ····················································································································388
SSL server policy configuration example·······································································································388
Troubleshooting SSL ·····································································································································390
SSL handshake failure···························································································································390
Configuring SSL VPN ·················································································392
Configuration procedure ································································································································393
SSL VPN configuration example····················································································································393
Configuring a user profile············································································397
Overview························································································································································397
Configuration restrictions and guidelines·······································································································397
User profile configuration task list··················································································································397
Creating a user profile····································································································································397
Performing configurations in user profile view ·······························································································398
Enabling a user profile ···································································································································398
Displaying and maintaining user profile ·········································································································398
Configuring ARP attack protection······························································399
Overview························································································································································399
ARP attack protection configuration task list··································································································399
Configuring unresolvable IP attack protection ·······························································································399
Configuring ARP source suppression····································································································400
Displaying and maintaining ARP source suppression············································································400
Configuration example···························································································································400
Configuring source MAC-based ARP attack detection ··················································································401
x
Displaying and maintaining source MAC-based ARP attack detection··················································402
Source MAC-based ARP attack detection configuration example·························································402
Configuring ARP packet source MAC consistency check··············································································403
Configuring ARP active acknowledgement····································································································403
Configuring ARP automatic scanning and fixed ARP ····················································································403
Configuration guidelines·························································································································404
Configuration procedure·························································································································404
Configuring IP source guard·······································································405
Overview························································································································································405
Static IP source guard binding entries ···································································································405
Dynamic IP source guard binding entries ······························································································406
IPv4 source guard configuration task list ·······································································································406
Configuring IPv4 source guard ······················································································································406
Enabling IPv4 source guard on a port····································································································407
Configuring a static IPv4 source guard binding entry·············································································408
Setting the maximum number of IPv4 source guard binding entries······················································408
Displaying and maintaining IP source guard··································································································409
Static IPv4 source guard binding entry configuration example······································································409
Dynamic IPv4 source guard using DHCP snooping configuration example ··················································411
Troubleshooting IP source guard···················································································································412
Configuring attack detection and protection················································413
Overview························································································································································413
Types of network attacks the device can defend against·······································································413
Blacklist function ····································································································································414
Traffic statistics function·························································································································415
Attack detection and protection configuration task list···················································································416
Configuring attack protection functions for an interface·················································································416
Creating an attack protection policy·······································································································416
Configuring an attack protection policy··································································································417
Applying an attack protection policy to an interface···············································································420
Configuring the blacklist function ···················································································································420
Enabling traffic statistics on an interface········································································································421
Enabling TCP fragment attack protection ······································································································421
Displaying and maintaining attack detection and protection··········································································421
Attack detection and protection configuration examples················································································422
Attack protection functions on interfaces configuration example···························································422
Blacklist configuration example··············································································································424
Traffic statistics configuration example··································································································425
Configuring TCP attack protection······························································427
Overview························································································································································427
Enabling the SYN Cookie feature ··················································································································427
Enabling protection against Naptha attacks···································································································428
Displaying and maintaining TCP attack protection ························································································428
Configuring connection limits······································································429
Overview························································································································································429
Connection limit configuration task list···········································································································429
Creating a connection limit policy ··················································································································429
Configuring the connection limit policy···········································································································429
Configuring the default connection limit action and parameters ····························································429
Configuring an ACL-based connection limit rule····················································································430
Applying the connection limit policy ···············································································································431
Displaying and maintaining connection limiting ·····························································································431
Troubleshooting connection limiting···············································································································431
Symptom················································································································································431
Analysis··················································································································································432
Solution··················································································································································432
xi
Configuring password control ·····································································433
Overview························································································································································433
FIPS compliance············································································································································435
Password control configuration task list·········································································································436
Enabling password control·····························································································································436
Setting global password control parameters··································································································437
Setting user group password control parameters ··························································································438
Setting local user password control parameters····························································································438
Setting super password control parameters ··································································································439
Setting a local user password in interactive mode·························································································440
Displaying and maintaining password control································································································440
Password control configuration example ·······································································································440
Configuring HABP·······················································································443
Configuring an HABP server··························································································································444
Configuring an HABP client ···························································································································444
Displaying and maintaining HABP ·················································································································445
HABP configuration example·························································································································445
Configuring URPF·······················································································448
Overview························································································································································448
Configuring URPF··································································································································448
URPF features ·······································································································································448
URPF work flow ·····································································································································448
Network application································································································································450
Configuring URPF··········································································································································450
URPF configuration example·························································································································451
Network requirements····························································································································451
Configuration procedure·························································································································451
Configuring WLAN client isolation·······························································452
Configuring group domain VPN ··································································453
Overview························································································································································453
Group domain VPN structure·················································································································453
Group domain VPN establishment·········································································································454
KS redundancy·······································································································································455
Protocols and standards ························································································································456
Configuration restrictions and guidelines·······································································································456
Configuring the GDOI KS·······························································································································457
GDOI KS configuration task list··············································································································457
Configuring basic settings for a GDOI KS group····················································································457
Configuring GDOI KS redundancy·········································································································459
Specifying the source address for packets sent by the KS····································································460
Configuring rekey parameters················································································································460
Displaying and maintaining GDOI KS····································································································461
Configuring the GDOI GM······························································································································461
GDOI GM configuration task list·············································································································462
Configuring a GDOI GM group···············································································································462
Configuring a GDOI IPsec policy ···········································································································463
Applying a GDOI IPsec policy to an interface························································································464
Displaying and maintaining GDOI GM···································································································464
Group domain VPN configuration example····································································································465
Network requirements····························································································································465
Configuration procedure·························································································································466
Verifying the configuration······················································································································474
Troubleshooting group domain VPN··············································································································479
IKE SA negotiation failure······················································································································479
GM registration failure····························································································································480
KS redundancy failure····························································································································480
xii
Configuring FIPS·························································································482
Overview························································································································································482
Hardware compatibility with FIPS mode ········································································································482
FIPS self-tests················································································································································482
Power-up self-tests ································································································································482
Conditional self-tests······························································································································483
Triggering self-tests································································································································483
Configuring FIPS mode··································································································································484
Configuration considerations··················································································································484
Enabling FIPS mode······························································································································484
Configuration changes in FIPS mode ····································································································484
Displaying and maintaining FIPS···················································································································485
FIPS configuration example···························································································································485
Network requirements····························································································································485
Configuration procedure·························································································································485
Verifying the configuration······················································································································486
Document conventions and icons·······························································487
Conventions···················································································································································487
Network topology icons··································································································································488
Support and other resources ······································································489
Accessing Hewlett Packard Enterprise Support ····························································································489
Accessing updates·········································································································································489
Websites ················································································································································490
Customer self repair·······························································································································490
Remote support······································································································································490
Documentation feedback ·······················································································································490
Index···········································································································492
1
Security overview
Network security threats are happened or potential threats to data confidentiality, data integrity, data
availability or authorized usage of some resource in a network system. Network security services
provide solutions to solve or reduce those threats to different extents.
Network security threats
•Information disclosure—Information is leaked to an unauthorized person or entity.
•Data integrity damage—Data integrity is damaged by unauthorized modification or malicious
destruction.
•Denial of service—Makes information or other network resources unavailable to their intended
users.
•Unauthorized usage—Resources are used by unauthorized persons or in unauthorized ways.
Network security services
One security service is implemented by one or more network security technologies. One technology
can implement multiple services. A safe network needs the following services:
•Identity authentication—Identifies users and determines if a user is valid. Typical ways
include AAA-based username plus password authentication, and PKI digital certificate-based
authentication.
•Access security—Controls behaviors in which a user accesses network resources based on
the identity authentication result to prevent unauthorized access and usage of the network
resources. Major access security protocols include 802.1X, MAC authentication, and portal
authentication, which work together withAAA to implement user identity authentication.
•Data security—Encrypts and decrypts data during data transmission and storage. Typical
encryption mechanisms include symmetric encryption and asymmetric encryption, and their
common applications are IPsec, SSL, and SSH. IPsec secures IP communications. SSL and
SSH protects data transfer based on TCP.
•Firewall—A highly effective network security model to block unauthorized Internet access to a
protected network. Major firewall implementations are ACL-based packet filter and ASPF.
•Attack detection and protection—Identifies attacks by inspecting network traffic behaviors or
application layer protocol packet contents.According to the inspection result, it takes measures
to deal with the attacks or would-be attacks at the data link layer, network layer, or application
layer. Measures include TCP attack protection, ARP attack protection, and IP source guard.
Network security technologies
Identity authentication
AAA
AAA provides a uniform framework for implementing network access management. It provides the
following security functions:
•Authentication—Identifies network users and determines whether the user is valid.
2
•Authorization—Grants user rights and controls user access to resources and services. For
example, a user who has successfully logged in to the device can be granted read and print
permissions to the files on the device.
•Accounting—Records all network service usage information, including the service type, start
time, and traffic. The accounting function provides information required for charging, and allows
for user behavior auditing.
AAA can be implemented through multiple protocols, such as RADIUS and HWTACACS, among
which RADIUS is most often used.
PKI
PKI uses a general security infrastructure to provide information security through public key
technologies. PKI employs the digital certificate mechanism to manage the public keys. The digital
certificate mechanism binds public keys to their owners, helping distribute public keys in large
networks securely. With digital certificates, the PKI system provides network communication,
e-commerce, and e-Government with security services.
The PKI system of Hewlett Packard Enterprise provides digital certificate management for IPsec and
SSL.
Access security
802.1X
802.1X is a port-based network access control protocol for securing wireless LANs (WLANs), and it
has also been widely used on Ethernet networks for access control. 802.1X controls network access
by authenticating the devices connected to 802.1X-enabled LAN ports.
MAC authentication
MAC authentication controls network access by authenticating source MAC addresses on a port. It
does not require client software and users do not need to enter a username and password for
network access. The device initiates a MAC authentication process when it detects an unknown
source MAC address on a MAC authentication enabled port. If the MAC address passes
authentication, the user can access authorized network resources.
Port security
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network
access control. It applies to networks that require different authentication methods for different users
on a port, such as a WLAN. Port security prevents unauthorized access to a network by checking the
source MAC addressof inbound traffic and prevents access to unauthorized devices by checking the
destination MAC address of outbound traffic.
Portal authentication
Portal authentication, also called "Web authentication," controls user access at the access layer and
other data entrance that needs protection. It does not require client software to authenticate users.
Users only need to enter a username and a password on the webpage for authentication.
With portal authentication, an access device redirects all unauthenticated users to a specific
webpage, and users can freely access resources on the webpage. However, to access other
resources on the Internet, a user must pass portal authentication on the portal authentication page.
Data security
Managing public keys
Public key configuration enables you to manage the local asymmetric key pairs (such as creating
and destroying a local asymmetric key pair, displaying or exporting the local host public key), and
configure the peer host public keys on the local device.
3
IPsec and IKE
IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology mainly
for data encryption and data origin authentication.
IKE provides automatic negotiation security parameters for IPsec, simplifying the configuration and
maintenance of IPsec. Security parameters for IKE negotiation include authentication and encryption
algorithms, authentication and encryption keys, IP packet encapsulation modes (tunnel mode and
transport mode), and key lifetime.
SSL and SSL VPN
SSL is a security protocol that provides secure connection services for TCP-based application layer
protocols by using the public key mechanism and digital certificates. SSL is independent of the
application layer protocol, so an application layer protocol can use a secure connection provided by
SSL without knowing SSL information. A common application is HTTPS—HTTP over SSL or HTTP
Secure.
SSL VPN is a VPN technology based on SSL. It works between the transport layer and the
application layer. SSL VPN has been widely used for secure, remote Web-based access. For
example, it can allow remote users to access the corporate network securely.
SSH
SSH is a network security protocol implementing secure remote login and file transfer over an
insecure network. Using encryption and authentication, SSH protects devices against attacks such
as IP spoofing and plaintext password interception.
Firewall and connection control
ACL based packet-filter
An ACL packet-filter implements IP packet specific filtering.
Before forwarding an IP packet, the device obtains the following header information:
•Number of the upper layer protocol carried by the IP layer
•Source address
•Destination address
•Source port number
•Destination port number
The device compares the head information against the presetACL rules and processes (discards or
forwards) the packet based on the comparison result.
ASPF
An ASPF implements status-based packet filtering, and provides the following functions:
•Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a
TCP/UDP packet's source and destination addresses and port numbers to determine whether
to permit the packet to pass through the firewall into the internal network.
•Application layer protocol inspection—ASPF checks application layer information for
packets, such as the protocol type and port number, and monitors the application layer protocol
status for each connection.ASPF maintains status information for each connection, and based
on status information, determines whether to permit a packet to pass through the firewall into
the internal network, thus defending the internal network against attacks.
ASPF also supports other security functions, such as port to application mapping, Java blocking,
ActiveX blocking, ICMP error message inspection and first packet inspection for TCP connection.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide
the network with a security policy that is more comprehensive and better satisfies the actual needs.
4
Connection limits
To protect internal network resources (hosts or servers) and correctly allocate system resources on
the device, you can configure connection limit policies to collect statistics and limit the number of
connections, connection establishment rate, and connection bandwidth.
Attack detection and protection
ARP attack protection
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices. Hewlett Packard
Enterprise has provided a comprehensive and effective solution against common ARP attacks, such
as user and gateway spoofing attacks and flood attacks.
IP source guard
IP source guard uses binding entries to improve port security by blocking illegal packets. For
example, it can prevent illegal hosts from usinga valid IPaddress to access the network. It is applied
on an interface connected to the user side.
IP source guard can filter packets according to the packet source IP address, source MAC address,
and VLAN ID. An IP source guard entry can be statically configured or dynamically added through
DHCP.
URPF
URPF protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attack detection and protection
Attack detection and protection is an important network security feature. It determines whether
received packets are attack packets according to the packet contents and behaviors and, if detecting
an attack, take measures to deal with the attack, such as outputting alarm logs, dropping packets,
and blacklisting the source IP address. The attack protection function can detect network attacks
such as single-packet attacks, scanning attacks, and flood attacks.
TCP attack protection
Attackers can attack the device during the process of TCP connection establishment. To prevent
such attacks, the device provides the following features:
•SYN Cookie
•Protection against Naptha attacks
Other security technologies
The device also provides other network security technologies to implement a multifunctional and full
range of security protection for users.
User profile
A user profile provides a configuration template to save predefined configurations, such as a CAR
policy or a QoS policy. Different user profiles are applicable to different application scenarios.
The user profile supports working with PPPoE, 802.1X and portal authentications. It is capable of
restricting authenticated users' behaviors.After the authentication server verifies a user, it sends the
device the name of the user profile that is associated with the user.
Password control
Password control is a set of functions for enhancing the local password security. It controls user login
passwords, super passwords, and user login status based on predefined policies. Those policies
5
include minimum password length, minimum password update interval, password aging, and early
notice on pending password expiration.
RSH
RSH allows users to execute OS commands on a remote host that runs the RSH daemon. The RSH
daemon supports authentication of the privileged port on a trusted host. The device works as an
RSH client, and you can use the rsh command on the device to execute an OS command on a
remote host.
6
Configuring AAA
The HPE MSR series routers support EXEC user access.
The HPE MSR series routers do not support the attribute access-limit command.
The idle-cut enable command, which is used in ISP domain view to configure the idle cut function,
takes effect only on LAN users.
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It provides the following security functions:
•Authentication—Identifies users and determines whether a user is valid.
•Authorization—Grants user rights and controls user access to resources and services. For
example, a user who has successfully logged in to the device can be granted read and print
permissions to the files on the device.
•Accounting—Records all network service usage information, including service type, start time,
and traffic. The accounting function provides information required for charging, and allows for
network security surveillance.
AAAtypically uses a client/server model,as shown in Figure 1. The client runs on the network access
server (NAS), which is alsocalled the access device. The server maintains user information centrally.
In an AAA network, the NAS is a server for users but a client for AAAservers.
Figure 1 AAA application scenario
The NAS uses the authentication server to authenticate any user who tries to log in, use network
resources, or access other networks. The NAS transparently transmits authentication, authorization,
and accounting information between the user and the servers. The RADIUS and HWTACACS
protocols define how a NAS and a remote server exchange user information.
The network shown in Figure 1 comprises a RADIUS server and an HWTACACS server. You can use
different servers to implement different security functions. For example, you can use the
HWTACACS server for authentication and authorization, and the RADIUS server for accounting.
You can implement any of the three security functions provided by AAA as needed. For example, if
your company wants employees to be authenticated before they access specific resources,
configure an authentication server. If network usage information is needed, you must also configure
an accounting server.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
7
AAAcan be implemented through multiple protocols. The device supports RADIUS and HWTACACS,
of which RADIUS is most often used.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. It can protect networks against unauthorized access and is
often used in network environments that require both high security and remote user access.
RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, including Ethernet and ADSL.
RADIUS provides access authentication, authorization, and accounting services. The accounting
function collects and records network resource usage information.
Client/server model
RADIUS clients run on NASs located throughout the network. NASs pass user information to
RADIUS servers, and determine to reject or accept user access requests depending on the
responses from RADIUS servers.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network access. It receives connection requests,
authenticates users, and returns access control information (for example, rejecting or accepting the
user access request) to the clients.
The RADIUS server typically maintains the following databases: Users, Clients, and Dictionary.
See Figure 2.
Figure 2 RADIUS server databases
•Users—Stores user information, such as usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and
encrypt user passwords exchanged between them. For security purposes, this key must be manually
configured on the client and the server.
RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A
RADIUS server can also act as the client of another AAA server to provide authentication proxy
services.
Basic RADIUS message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
RADIUS servers
Users Clients Dictionary
Other manuals for FlexNetwork MSR Series
7
Table of contents
Other HPE Network Router manuals
HPE
HPE FlexFabric 5930 Series User manual
HPE
HPE FlexNetwork MSR954 User manual
HPE
HPE FlexNetwork MSR954 Installation manual
HPE
HPE FlexNetwork 10500 SERIES User manual
HPE
HPE FlexNetwork 5130 Series User manual
HPE
HPE FlexNetwork HSR6800 series User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexFabric 7900 Series User manual
HPE
HPE FlexNetwork 5510 HI Series User manual
HPE
HPE Aruba 2930F 24G User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexNetwork 5130 EI Series User manual
HPE
HPE FlexNetwork VSR1000 User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexNetwork MSR Series User manual
HPE
HPE FlexNetwork HSR6800 series Installation manual
HPE
HPE FlexNetwork 6600 Installation manual
HPE
HPE FlexNetwork HSR6800 series Installation manual
HPE
HPE 2530 User manual
HPE
HPE FlexNetwork MSR958 User manual
Popular Network Router manuals by other brands
TP-Link
TP-Link TD-W8101G Quick installation guide
Nokia
Nokia G-240W-C quick start guide
Teldat
Teldat M2 installation manual
MikroTik
MikroTik RouterBOARD 751U-2HnD Quick setup guide and warranty information
ZyXEL Communications
ZyXEL Communications ZyAIR G-3000H Firmware release notes
Bkav
Bkav QCS605 user manual
