1-9
Security Overview
Network Security Features
Key
Management
System (KMS)
none
KMS is available in several HP switch models and is
designed to configure and maintain key chains for use
with KMS-capable routing protocols that use time-
dependent or time-independent keys. (A key chain is a
set of keys with a timing mechanism for activating and
deactivating individual keys.) KMS provides specific
instances of routing protocols with one or more Send or
Accept keys that must be active at the time of a request.
Chapter 16, “Key
Management System”
Connection-
Rate Filtering
based on
Virus-Throttling
Technology
none
This feature helps protect the network from attack and
is recommended for use on the network edge. It is
primarily focused on the class of worm-like malicious
code that tries to replicate itself by taking advantage of
weaknesses in network applications behind unsecured
ports. In this case, the malicious code tries to create a
large number of outbound connections on an interface
in a short time. Connection-Rate filtering detects hosts
that are generating traffic that exhibits this behavior, and
causes the switch to generate warning messages and
(optionally) to throttle or drop all traffic from the
offending hosts.
Chapter 3, “Virus Throttling
(Connection-Rate Filtering)”
ICMP
Rate-Limiting
none
This feature helps defeat ICMP denial-of-service
attacks by restricting ICMP traffic to percentage levels
that permit necessary ICMP functions, but throttle
additional traffic that may be due to worms or viruses
(reducing their spread and effect).
Management and
Configuration Guide
, in the
chapter on
“Port Traffic
Controls”
refer to the section
“ICMP Rate-Limiting”
Spanning Tree
Protection
none
These features prevent your switch from malicious
attacks or configuration errors:
•
BPDU Filtering and BPDU Protection
: Protects the
network from denial-of-service attacks that use
spoofing BPDUs by dropping incoming BPDU frames
and/or blocking traffic through a port.
•
STP Root Guard
: Protects the STP root bridge from
malicious attacks or configuration mistakes.
Advanced Traffic
Management Guide
, refer to
the chapter
“Multiple
Instance Spanning-Tree
Operation”
DHCP Snooping,
Dynamic ARP
Protection, and
Dynamic IP
Lockdown
none
These features provide the following additional
protections for your network:
•
DHCP Snooping
: Protects your network from
common DHCP attacks, such as address spoofing
and repeated address requests.
•
Dynamic ARP Protection
: Protects your network
from ARP cache poisoning.
•
Dynamic IP Lockdown
: Prevents IP source address
spoofing on a per-port and per-VLAN basis
•
Instrumentation Monitor
. Helps identify a variety of
malicious attacks by generating alerts for detected
anomalies on the switch.
Chapter 11, “Configuring
Advanced Threat
Protection”
Feature
Default
Setting
Security Guidelines
More Information and
Configuration Details
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......