Secure Connection - HP 1820 Management And Configuration Manual


| Field | Description |
|---|---|
| Prevent TCP Fragment Attack | Enable this option to drop IP packets that have an IP fragment offset equal to 1. |
| Check First Fragment Only | Enable this option to drop packets that have a TCP header smaller than the minimum TCP header size, which is hard-coded to 20 bytes. |
| Prevent Smurf Attack | Enable this option to drop ICMP Echo packets (ping) that are sent to a broadcast IP address. |
| Prevent Ping Flood Attack | Enable this option to prevent ping flooding by limiting the number of ICMP ping packets. |
| Prevent SYN Flood Attack | Enable this option to limit the rate of TCP connection requests so that they are not received faster than they can be processed. |

Click Apply to save any changes for the current boot session. The changes take effect immediately.

Secure Connection

The HP 1820 series switch software allows the administrator to enable or disable Secure HTTP protocol (HTTPS). When enabled, the administrator can establish a secure connection with the switch using the Secure Sockets Layer (SSL) protocol. Secure HTTP can help ensure that communication between the management system and the switch is protected from eavesdropping and man-in-the-middle attacks. The HP 1820 series switch software supports SSL v1.0.

You can upload an SSL certificate to the switch or have the switch generate its own certificate. The SSL certificate functions as a digital passport, enabling client web browsers to verify the identity of the switch before accessing it.

Note: SSL is described in client/server terminology, where the SSL-enabled switch is the server and a web browser is the client.

The certificate provides information to the browser such as the server name, the trusted certificate authority (CA) that issued the certificate, the date it was issued, and the switch's public key.

The browser and server use this information to negotiate a secure connection in the following manner:

- The browser verifies the certificate authority's authenticity by checking it against its own list of CAs. (Web browsers such as Microsoft Internet Explorer and Mozilla Firefox maintain data on trusted CAs.)
- After validating the CA, the browser and switch negotiate the highest level of security available to both. The browser uses the public key to encrypt a random number and send it to the switch. The switch uses a private key stored in memory (not advertised on the certificate) to decrypt it. From this process, the browser and switch determine an algorithm for encrypting and decrypting all further communication during the HTTPS session.

To enable secure HTTPS connections via SSL, the HTTPS Admin mode must be enabled on the switch, and the web server must have a public key certificate. The switch can generate its own certificates, or you can generate these externally and upload them to the switch.

Certificates generated by the switch are self-signed; that is, the validity of the information provided in the certificate is attested to by the switch itself.
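
Because a switch-generated certificate is self-signed, a browser cannot check it against its list of CAs; an administrator can instead compare the certificate's SHA-256 fingerprint with one recorded out of band. The following Python is an added example, not part of the HP manual or the switch software; all function names and the sample data are hypothetical.

```python
import hashlib
import hmac
import ssl


def fingerprint_sha256(pem_cert: str) -> str:
    """SHA-256 of the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return lowercase hex."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_pin(pem_cert: str, pinned_fp: str) -> bool:
    """True only if the presented certificate is the one recorded earlier."""
    return hmac.compare_digest(fingerprint_sha256(pem_cert),
                               normalize_fingerprint(pinned_fp))


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """Fetch the certificate the device presents, without validating it.

    Assumes the switch offers a protocol version that the local OpenSSL
    build is still willing to negotiate.
    """
    return ssl.get_server_certificate((host, port))


def switch_is_pinned(host: str, pinned_fp: str) -> bool:
    """Live check: compare what the switch presents now with the pin."""
    return matches_pin(fetch_presented_cert(host), pinned_fp)


# Constructed sample data: arbitrary bytes stand in for DER certificates so
# the comparison runs offline. They are not real certificates.
SWITCH_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: switch certificate")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: unexpected certificate")

# Pin in colon-separated upper-case form, as an administrator would record it.
_hex = fingerprint_sha256(SWITCH_PEM).upper()
PINNED = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print("expected certificate:", matches_pin(SWITCH_PEM, PINNED))
    print("unexpected certificate:", matches_pin(OTHER_PEM, PINNED))
```

A mismatch means the management station is not talking to the certificate that was recorded, which is the case a self-signed certificate alone cannot rule out.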