11-24
Configuring Advanced Threat Protection
Dynamic IP Lockdown
Protection Against IP Source Address Spoofing
Many network attacks occur when an attacker injects packets with forged IP
source addresses into the network. Also, some network services use the IP
source address as a component in their authentication schemes. For example,
the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet
authentication. SNMPv1 and SNMPv2c also frequently use authorized IP
address lists to limit management access. An attacker that is able to send
traffic that appears to originate from an authorized IP source address may gain
access to network services for which he is not authorized.
Dynamic IP lockdown provides protection against IP source address spoofing
by means of IP-level port security. IP packets received on a port enabled for
dynamic IP lockdown are only forwarded if they contain a known IP source
address and MAC address binding for the port.
Dynamic IP lockdown uses information collected in the DHCP Snooping lease
database and through statically configured IP source bindings to create
internal, per-port lists. The internal lists are dynamically created from known
IP-to-MAC address bindings to filter VLAN traffic on both the source IP address
and source MAC address.
Prerequisite: DHCP Snooping
Dynamic IP lockdown requires that you enable DHCP snooping as a
prerequisite for its operation on ports and VLAN traffic:
■ Dynamic IP lockdown only enables traffic for clients whose leased IP
addresses are already stored in the lease database created by DHCP
snooping or added through a static configuration of an IP-to-MAC binding.
Therefore, if you enable DHCP snooping after dynamic IP lockdown is
enabled, clients with an existing DHCP-assigned address must either
request a new leased IP address or renew their existing DHCP-assigned
address. Otherwise, a client’s leased IP address is not contained in the
DHCP binding database. As a result, dynamic IP lockdown will not allow
inbound traffic from the client.
■ It is recommended that you enable DHCP snooping a week before you
enable dynamic IP lockdown to allow the DHCP binding database to learn
clients’ leased IP addresses. You must also ensure that the lease time for
the information in the DHCP binding database lasts more than a week.
Alternatively, you can configure a DHCP server to re-allocate IP addresses
to DHCP clients. In this way, you repopulate the lease database with
current IP-to-MAC bindings.
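The forwarding rule described above, as an added illustration that is not code from this manual and does not reflect the switch's internal implementation: the script builds per-port lists from constructed DHCP snooping lease entries and static bindings, then applies the source-IP/source-MAC check to sample packets, including a client whose lease was never snooped (the case the first prerequisite bullet warns about). Port names, VLAN, addresses and MACs are all made up for the example.

```python
# Constructed DHCP snooping lease-database entries and static bindings
# as tuples of (port, vlan, ip, mac). All values are invented.
DHCP_SNOOPING_LEASES = [
    ("A1", 10, "10.1.10.21", "00:11:22:33:44:01"),
    ("A2", 10, "10.1.10.22", "00:11:22:33:44:02"),
]
STATIC_BINDINGS = [
    ("A3", 10, "10.1.10.200", "00:11:22:33:44:c8"),  # e.g. a printer with a fixed address
]
# Ports on which dynamic IP lockdown is assumed to be enabled (constructed).
LOCKDOWN_PORTS = {"A1", "A2", "A3", "A4"}


def build_port_lists(leases, static):
    """Merge snooped leases and static bindings into per-port allow lists:
    (port, vlan) -> set of (ip, mac). MACs are normalised to lower case."""
    lists = {}
    for port, vlan, ip, mac in list(leases) + list(static):
        lists.setdefault((port, vlan), set()).add((ip, mac.lower()))
    return lists


def lockdown_filter(port_lists, lockdown_ports, packet):
    """Return True if the packet (ingress_port, vlan, src_ip, src_mac) is
    forwarded. Lockdown ports forward only a known IP+MAC pair for that
    port and VLAN; other ports get no IP-level check here."""
    port, vlan, src_ip, src_mac = packet
    if port not in lockdown_ports:
        return True
    return (src_ip, src_mac.lower()) in port_lists.get((port, vlan), set())


PORT_LISTS = build_port_lists(DHCP_SNOOPING_LEASES, STATIC_BINDINGS)

# Constructed sample packets; the comments state the expected decision.
SAMPLE_PACKETS = [
    ("A1", 10, "10.1.10.21", "00:11:22:33:44:01"),   # forwarded: matches lease
    ("A1", 10, "10.1.10.22", "00:11:22:33:44:01"),   # dropped: source IP of another client
    ("A2", 10, "10.1.10.22", "00:11:22:33:44:99"),   # dropped: source MAC not bound
    ("A4", 10, "10.1.10.40", "00:11:22:33:44:04"),   # dropped: lease obtained before snooping
    ("A3", 10, "10.1.10.200", "00:11:22:33:44:C8"),  # forwarded: static binding
    ("B1", 10, "10.1.10.99", "de:ad:be:ef:00:01"),   # forwarded: lockdown not enabled on B1
]


def filter_packets(packets, port_lists=PORT_LISTS, lockdown_ports=LOCKDOWN_PORTS):
    """Return [(packet, forwarded_bool), ...] for a list of packets."""
    return [(p, lockdown_filter(port_lists, lockdown_ports, p)) for p in packets]


if __name__ == "__main__":
    for pkt, ok in filter_packets(SAMPLE_PACKETS):
        print("forward" if ok else "drop   ", pkt)
```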