HPE FlexFabric 7900 Series Security Configuration Manual
HPE FlexFabric 7900 Switch Series
Security

Configuration Guide

Part number: 5998-8250R
Software version: Release 213x
Document version: 6W101-20151113


Summary of Contents for HPE FlexFabric 7900 Series

  • Page 2 © Copyright 2015 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (6); AAA implementation on the device (9); Protocols and standards (10); RADIUS attributes (11); FIPS compliance (14) ...
  • Page 4: Configuration guidelines (57); Configuration procedure (58); Distributing a local host public key (58); Exporting a host public key in a specific format to a file (59); Displaying a host public key in a specific format and saving it to a file (59) ...
  • Page 5: SSL protocol stack (99); Feature and software version compatibility (100); FIPS compliance (100); SSL configuration task list (100); Configuring an SSL server policy (100); Configuring an SSL client policy (102) ...
  • Page 6: IPsec SA negotiation failed due to invalid identity information (140); Configuring SSH (143); Overview (143); How SSH works (143); SSH authentication methods (144); FIPS compliance (145); Configuring the device as an SSH server (145) ...
  • Page 7: Configuring ARP blackhole routing (186); Displaying and maintaining unresolvable IP attack protection (186); Configuration example (187); Configuring ARP packet rate limit (188); Configuration guidelines (188); Configuration procedure (188) ...
  • Page 8: Enabling TCP fragment attack prevention (215); Document conventions and icons (216); Conventions (216); Network topology icons (217); Support and other resources (218); Accessing Hewlett Packard Enterprise Support (218) ...
  • Page 9: Configuring Aaa

    Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions: • Authentication—Identifies users and verifies their validity. • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 10: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 11 Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 12 Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings. Table 1 Main values of the Code field Packet type Description From the client to the server.
  • Page 13 Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. Value—Value of the attribute. Its format and content depend on the Type subfield. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 14: Hwtacacs

    • Vendor-Type—Type of the subattribute. • Vendor-Length—Length of the subattribute. • Vendor-Data—Contents of the subattribute. For more information about the proprietary RADIUS subattributes of HPE, see "HPE proprietary RADIUS subattributes." Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492).
  • Page 15 HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations.
  • Page 16 Figure 6 Basic HWTACACS packet exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user tries to log in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user enters the username 6) Continue-authentication packet with the username 7) Authentication response requesting the password 8) Request for password...
  • Page 17: Aaa Implementation On The Device

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. 11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12.
  • Page 18: Protocols And Standards

    • No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method. • Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
  • Page 19: Radius Attributes

    User identification that the NAS sends to the server. For the LAN access Calling-Station-Id service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 20 Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id String for describing the port of the NAS that is authenticating the user. HPE proprietary RADIUS subattributes Subattribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.
  • Page 21 Subattribute Description Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value. The client response of a retransmitted Control_Identifier packet must also include this attribute and the value of this attribute must be the same.
  • Page 22: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. AAA configuration considerations and task list To configure AAA, complete the following tasks on the NAS: Configure the required AAA schemes: Local authentication—Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated.
  • Page 23: Configuring Aaa Schemes

    Tasks at a glance (Optional.) Setting the maximum number of concurrent login users Configuring AAA schemes This section includes information on configuring local users, RADIUS schemes, and HWTACACS schemes. Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device.
  • Page 24 Local user configuration task list Tasks at a glance (Required.) Configuring local user attributes (Optional.) Configuring user group attributes (Optional.) Displaying and maintaining local users and local user groups Configuring local user attributes When you configure local user attributes, follow these guidelines: •...
  • Page 25: Configuring User Group Attributes

    Step / Command / Remarks table (continued): Set the maximum number of concurrent logins using the local user name. Remarks: By default, the number of concurrent logins is not limited for the local user. This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, who do not support accounting.
  • Page 26: Configuring Radius Schemes

    By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view. To configure user group attributes: Step Command Remarks...
  • Page 27 Configuration task list Tasks at a glance (Required.) Creating a RADIUS scheme (Required.) Specifying the RADIUS authentication servers (Optional.) Specifying the RADIUS accounting servers and the relevant parameters (Optional.) Specifying the shared keys for secure RADIUS communication (Optional.) Specifying a VPN for the scheme (Optional.) Setting the username format and traffic statistics units (Optional.)
  • Page 28 Step / Command / Remarks table: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name. Specify the primary RADIUS authentication server. Command: primary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *. Remarks: By default, no authentication server is specified. Two authentication servers in a ... Specify RADIUS...
  • Page 29 Step Command Remarks accounting attempts. Specifying the shared keys for secure RADIUS communication The RADIUS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication.
  • Page 30 Step / Command / Remarks table: Enter system view. Command: system-view. Enter RADIUS scheme view. Command: radius scheme radius-scheme-name. Set the format for usernames sent to the RADIUS servers. Command: user-name-format { keep-original | with-domain | without-domain }. Remarks: By default, the ISP domain name is included in a username. (Optional.) Set the data flow... Command: data-flow-format { data { byte | ...
  • Page 31 • The search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If no server is available, the device considers the authentication or accounting attempt a failure. • When the quiet timer of a server expires or you manually set the server to the active state, the status of the server changes back to active.
  • Page 32 • If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet. The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate with the RADIUS server.
  • Page 33 When you set RADIUS timers, follow these guidelines: • Consider the number of secondary servers when you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer. If the RADIUS scheme includes many secondary servers, the retransmission process might be too long and the client connection in the access module, such as Telnet, can time out.
  • Page 34 IP address of the security policy server on the NAS. The security policy server is the management and control center of the HPE EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
  • Page 35: Configuring Hwtacacs Schemes

    • Excessive authentication failures notification—The number of authentication failures to the total number of authentication attempts exceeds the specified threshold. You can configure SNMP parameters to control the output of these SNMP notifications. For more information, see Network Management and Monitoring Configuration Guide. To enable SNMP notifications for RADIUS: Step Command...
  • Page 36 Step Command Remarks Enter system view. system-view Create an HWTACACS hwtacacs scheme By default, no HWTACACS scheme and enter hwtacacs-scheme-name scheme is defined. HWTACACS scheme view. Specifying the HWTACACS authentication servers You can specify one primary authentication server and a maximum of 16 secondary authentication servers for an HWTACACS scheme.
  • Page 37 Step / Command / Remarks table (continued): Command: { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *. Remarks: Two HWTACACS authorization servers in a scheme, primary or secondary, cannot have the same combination of hostname, IP address, port number, and VPN.
  • Page 38 Step / Command / Remarks table: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Specify a shared key for secure HWTACACS authentication, authorization, or accounting. Command: key { accounting | authentication | authorization } { cipher | simple } string... Remarks: By default, no shared key is specified. The shared key configured on the device must be the same as the...
  • Page 39 Specifying the source IP address for outgoing HWTACACS packets The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. When the HWTACACS server receives a packet, it checks whether the source IP address of the packet is the IP address of a managed NAS.
  • Page 40 response from the server within the timer, it sets the server to the blocked state and resends the request to another HWTACACS server. • Real-time accounting timer (realtime-accounting)—Defines the interval at which the device sends real-time accounting packets to the HWTACACS accounting server for online users. •...
  • Page 41: Configuring Aaa Methods For Isp Domains

    Step / Command / Remarks table (continued): ...many system resources. When there are 1000 or more users, set a longer interval. Set the server quiet timer. Command: timer quiet minutes. Remarks: By default, the server quiet timer is 5 minutes. Displaying and maintaining HWTACACS: Execute display commands in any view and reset commands in user view. Task / Command table: Display the configuration or server...
  • Page 42: Setting The Isp Domain Status

    Step / Command / Remarks table: Enter system view. Command: system-view. Create an ISP domain and enter ISP domain view. Command: domain isp-name. Return to system view. Command: quit. (Optional.) Specify the default ISP domain. Command: domain default enable isp-name. Remarks: By default, the default ISP domain is the system-defined ISP domain system.
  • Page 43: Configuring Authorization Methods For An Isp Domain

    Step / Command / Remarks table: Enter system view. Command: system-view. Enter ISP domain view. Command: domain isp-name. Specify the default authentication method. Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local ... Remarks: By default, the default authentication method is local.
  • Page 44: Configuring Accounting Methods For An Isp Domain

    Step / Command / Remarks table (continued): ... [ none ] }. Specify the command authorization method. Command: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local [ none ] | local [ none ] | none }. Remarks: By default, the default authorization method is used for command authorization. The none keyword is not supported in FIPS mode.
  • Page 45: Enabling The Session-Control Feature

    Step / Command / Remarks table (continued): Specify the accounting method for login users. Command: ... hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name ... Remarks: By default, the default accounting method is used for login users. The none keyword is not supported in FIPS mode.
  • Page 46: Aaa Configuration Examples

    AAA configuration examples AAA for SSH users by an HWTACACS server Network requirements As shown in Figure 9, configure the switch to meet the following requirements: • Use the HWTACACS server for SSH user authentication, authorization, and accounting. • Assign the default user role network-operator to SSH users after they pass authentication. •...
  • Page 47: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    # Create ISP domain bbb and configure the domain to use the HWTACACS scheme for authentication, authorization, and accounting of login users. [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac [Switch-isp-bbb] accounting login hwtacacs-scheme hwtac [Switch-isp-bbb] quit # Create local RSA and DSA key pairs. [Switch] public-key local create rsa [Switch] public-key local create dsa # Enable the SSH service.
  • Page 48 Figure 10 Network diagram Configuration procedure Configure the HWTACACS server. (Details not shown.) Configure the RADIUS server. (Details not shown.) Configure the switch: # Assign IP addresses to interfaces. (Details not shown.) # Create local RSA and DSA key pairs. <Switch>...
  • Page 49: Authentication And Authorization For Ssh Users By A Radius Server

    # Create ISP domain bbb and configure the login users to use local authentication, HWTACACS authorization, and RADIUS accounting. [Switch] domain bbb [Switch-isp-bbb] authentication login local [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac [Switch-isp-bbb] accounting login radius-scheme rd [Switch-isp-bbb] quit # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
  • Page 50 # Add the switch to the IMC Platform as an access device. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. Then, click Add to configure an access device as follows: a.
  • Page 51 Figure 13 Adding an account for device management Configure the switch: # Assign an IP address to VLAN-interface 2, the SSH user access interface. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 52: Troubleshooting Radius

    [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure communication with the server to expert in plain text. [Switch-radius-rad] key authentication simple expert # Include domain names in the usernames sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain [Switch-radius-rad] quit # Create ISP domain bbb and configure authentication, authorization, and accounting methods...
  • Page 53: Radius Packet Delivery Failure

    If the problem persists, contact Hewlett Packard Enterprise Support. RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server. Analysis Possible reasons include: • A communication failure exists between the NAS and the RADIUS server. • The NAS is not configured with the IP address of the RADIUS server. •...
  • Page 54: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 55: Password Updating And Expiration

    when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 56: User Login Control

    Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login With the global password control feature enabled, users must change the password at first login before they can access the system.
  • Page 57: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
  • Page 58: Setting Global Password Control Parameters

    Step / Command / Remarks table (continued): • In FIPS mode, the global password control feature is enabled and cannot be disabled by default. (Optional.) Enable a specific password control feature. Command: password-control { aging | composition | history | length }. Remarks: By default, all four password control features are enabled.
  • Page 59: Setting User Group Password Control Parameters

    Step / Command / Remarks table (continued): Set the number of days during which a user is notified of the pending password expiration. Command: password-control alert-before-expire alert-time. Remarks: The default setting is 7 days. 10. Set the maximum number of days and maximum number of times ... Command: password-control expired-user-login delay delay times ... Remarks: By default, a user can log in three times within 30 days after the...
  • Page 60: Setting Super Password Control Parameters

    Step / Command / Remarks table (continued): ... users. For information about how to configure a local user, see "Configuring AAA." Configure the password expiration time for the local user. Command: password-control aging aging-time... Remarks: By default, the setting equals that for the user group to which the local user belongs. If no expiration time is configured for the user...
  • Page 61: Displaying And Maintaining Password Control

    Step / Command / Remarks table (continued): Command: ... composition type-number type-number [ type-length type-length ]. Remarks: ... passwords ... at least one character type and at least one character for each type. • In FIPS mode, a default super password must contain at least four character types and at least one character for each type.
  • Page 62: Configuration Procedure

    • A super password must contain at least four character types and at least five characters for each type. Configure a password control policy for the local Telnet user test to meet the following requirements: • The password must contain at least 24 characters. •...
  • Page 63: Verifying The Configuration

    [Sysname-luser-manage-test] service-type telnet # Set the minimum password length to 24 for the local user. [Sysname-luser-manage-test] password-control length 24 # Specify that the password of the local user must contain at least four character types and at least five characters for each type. [Sysname-luser-manage-test] password-control composition type-number 4 type-length 5 # Set the password for the local user to expire after 20 days.
  • Page 64 Bind attributes: Authorization attributes: Work directory: flash: User role list: network-operator Password control configurations: Password aging: Enabled (20 days) Password length: Enabled (24 characters) Password composition: Enabled (4 types, 5 characters per type)
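The password rules these pages describe can be checked offline before a password is pushed to the device. The following added example is not code from the HPE guide; it models the page 55 rule (no username or reversed username in the password) together with the page 62/63 policy for local user test (minimum length 24, composition type-number 4 type-length 5). The four character classes (uppercase, lowercase, digits, special characters) are an assumption, since this excerpt does not list them.

```python
"""Offline model of the password-control policy described on pages 55, 62 and
63 of the guide. Added example, not code from the HPE manual.

Rules implemented:
  * A password cannot contain the username or the reverse of the username
    (page 55: for username abc, abc982 and 2cba are rejected).
  * A minimum length, as set with "password-control length 24" (page 63).
  * A composition rule, as set with "password-control composition
    type-number 4 type-length 5" (page 63): at least type-number character
    types, each with at least type-length characters.

Assumption (not stated in this excerpt): the four character types are
uppercase letters, lowercase letters, digits and special characters.
"""
import string
from typing import Dict, List

# Assumed character classes; the excerpt does not enumerate them.
CHAR_TYPES: Dict[str, frozenset] = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}


def type_counts(password: str) -> Dict[str, int]:
    """Count how many characters of each class the password contains."""
    counts = {name: 0 for name in CHAR_TYPES}
    for ch in password:
        for name, members in CHAR_TYPES.items():
            if ch in members:
                counts[name] += 1
                break
    return counts


def contains_username(password: str, username: str) -> bool:
    """Page 55 rule: neither the username nor its reverse may appear."""
    if not username:
        return False
    return username in password or username[::-1] in password


def check_password(password: str, username: str,
                   min_length: int = 24,
                   type_number: int = 4,
                   type_length: int = 5) -> List[str]:
    """Return the list of policy violations; an empty list means compliant.

    The defaults mirror the policy configured for local user "test" on
    pages 62 and 63.
    """
    problems: List[str] = []

    if contains_username(password, username):
        problems.append("password contains the username or its reverse")

    if len(password) < min_length:
        problems.append(
            f"length {len(password)} is below the minimum of {min_length}")

    # Composition: a character type counts only if it reaches type_length.
    counts = type_counts(password)
    qualifying = [name for name, n in counts.items() if n >= type_length]
    if len(qualifying) < type_number:
        problems.append(
            f"only {len(qualifying)} character type(s) have at least "
            f"{type_length} characters; {type_number} are required")

    return problems


def is_compliant(password: str, username: str, **policy) -> bool:
    """True when check_password reports no violations."""
    return not check_password(password, username, **policy)


if __name__ == "__main__":
    # Constructed sample candidates for the user "test" from page 62.
    for candidate in ["AAAAAAbbbbbb111111!!!!!!",   # compliant
                      "AAAAAAbbbbbb111111!!!!!",    # 23 characters
                      "AAAAAAAAbbbbbbbb11111111",   # only three types
                      "testAAAAbbbbbb111111!!!!"]:  # contains username
        print(candidate, check_password(candidate, "test") or "OK")
```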
  • Page 65: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 14.
  • Page 66: Configuration Procedure

    • The key modulus length must be appropriate (see Table 5). The longer the key modulus length, the higher the security, the longer the key generation time. • If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
  • Page 67: Exporting A Host Public Key In A Specific Format To A File

    This section covers only the first task. The following are the methods available for recording or exporting a local host public key: • Exporting a host public key in a specific format to a file. Use this method if you can import public keys from a file on the peer device.
  • Page 68: Destroying A Local Key Pair

    Manually enter (type or copy) the peer public key. Remarks: If the key is valid, for example, the key displayed by the display public-key local public command, the system saves the key. IMPORTANT: If the peer device is an HPE device, use the display public-key local public command to display the...
  • Page 69: Importing A Peer Host Public Key From A Public Key File

    Importing a peer host public key from a public key file. Step / Command / Remarks table: Enter system view. Command: system-view. Import a peer host public key from a public key file. Command: public-key peer keyname import sshkey filename. Remarks: By default, no peer host public key exists.
  • Page 70 Figure 15 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).
  • Page 71: Example For Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea Key type: RSA...
  • Page 72 <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 73 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> binary 200 TYPE is now 8-bit binary ftp> get devicea.pub 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred 301 bytes received in 0.003 seconds (98.0 kbyte/s)
  • Page 74: Configuring Pki

    PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HPE's PKI system provides certificate management for IPsec and SSL. PKI terminology Digital certificate A digital certificate is an electronic document signed by a CA that binds a public key with the identity of its owner.
  • Page 75: Pki Architecture

    • The private key is compromised. • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 76: Pki Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 77: Feature And Software Version Compatibility

    Feature and software version compatibility The PKI feature is available in Release 2137 and later versions. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 78: Configuring A Pki Domain

    1. Enter system view. Command: system-view.
    2. Create a PKI entity and enter its view. Command: pki entity entity-name. Remarks: By default, no PKI entities exist. To create multiple PKI entities, repeat this step.
    3. Set a common name for the entity. Command: common-name ... Remarks: By default, the common name is not ...
  • Page 79 (Optional.) Set the SCEP polling interval and maximum ... Command: certificate request polling { count ... Remarks: Do not configure this command when you request a certificate in offline mode. By default, the switch polls the CA server for the certificate request status every 20 minutes.
  • Page 80: Requesting A Certificate

    ... the CA policy, and they might be different from those specified in the PKI domain.
    12. (Optional.) Specify a ... Remarks: This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
  • Page 81: Configuring Automatic Certificate Request

    Configuring automatic certificate request IMPORTANT: The device does not support automatic certificate rollover. To avoid service interruptions, you must manually submit a certificate renewal request before the current certificate expires. In auto request mode, a PKI entity automatically submits a certificate request to the CA when an application works with the PKI entity that does not have a local certificate.
  • Page 82: Aborting A Certificate Request

    Remarks: ... a key pair if the key pair specified in the PKI domain does not exist. The name, algorithm, and length of the key pair are configured in the PKI domain.
    Aborting a certificate request
    Before the CA issues a certificate, you can abort a certificate request and change its parameters, such as the common name, country code, or FQDN.
  • Page 83: Configuration Procedure

    • If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first. • If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones.
  • Page 84: Verifying Certificates Without Crl Checking

    1. Enter system view. Command: system-view.
    2. Enter PKI domain view. Command: pki domain domain-name.
    3. (Optional.) Specify the URL of the CRL repository. Command: crl url url-string [ vpn-instance vpn-instance-name ]. Remarks: By default, the URL of the CRL repository is not specified.
    4. Enable CRL checking. Remarks: By default, CRL checking is ...
  • Page 85: Exporting Certificates

    After you change the storage path for certificates or CRLs, the certificate files (with the .cer or .p12 extension) and CRL files (with the .crl extension) in the original path are moved to the new path. To specify the storage path for the certificates and CRLs: Task Command Remarks...
  • Page 86: Configuring A Certificate-Based Access Control Policy

    To remove a certificate:
    1. Enter system view. Command: system-view.
    2. Remove a certificate. Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }. Remarks: If you use the peer keyword without specifying a serial number, the command removes all peer certificates.
  • Page 87: Displaying And Maintaining Pki

    Create a certificate access control rule. Command: rule [ id ] { deny | permit } group-name. Remarks: By default, no certificate access control rules are configured, and all certificates can pass the verification. You can create multiple access control rules for a certificate-based access control policy.
  • Page 88 Configuring the RSA Keon CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA. Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
  • Page 89 ......++++++ ........++++++ Create the key pair successfully. Request a local certificate: # Obtain the CA certificate and save it locally. [Device] pki retrieve-certificate domain torsa ca The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Retrieved the certificates successfully.
  • Page 90: Requesting A Certificate From A Windows Server 2003 Ca Server

    Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa: 73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af: 25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c: f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8: 25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36: 87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52: ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69: 1b:f5 To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from a Windows Server 2003 CA server Network requirements Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA...
  • Page 91 a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu. b. Select Web Sites from the navigation tree. c. Right-click Default Web Site and select Properties > Home Directory. d. Specify the path for certificate service in the Local path box. e.
  • Page 92 SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain winserver Start to request the general certificate ... …… Certificate requested successfully. Verifying the configuration # Display information about the local certificate in PKI domain winserver.
  • Page 93: Requesting A Certificate From An Openca Server

    herment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access: CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d: 6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5: 36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2: 14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e: 29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec: cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99: 31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc: 0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb: 46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:...
  • Page 94 Configuring the OpenCA server The configuration is not shown. For information about how to configure an OpenCA server, see related manuals. When you configure the CA server, use an OpenCA version later than 0.9.2, because earlier versions do not support SCEP. Configuring the device Synchronize the device's system time with the CA server for the device to correctly request certificates.
  • Page 95 fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain openca Start to request the general certificate ... ……...
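The three examples above (pages 89, 92 and 95) each stop at the prompt "Is the finger print correct?(Y/N)". The check behind that prompt, as an added example that is not code from the HPE guide: the script recomputes the MD5 ("fingerprint:") and SHA-1 ("SHA1 fingerprint:") values of a CA certificate in the switch's display format and compares the SHA-1 value, in constant time, against a value obtained out of band from the CA operator. SAMPLE_PEM is a constructed placeholder whose body is the bytes b"abc", not a real certificate, and SAMPLE_EXPECTED_SHA1 stands in for the value the CA operator reads out over a trusted channel.

```python
"""Recompute a CA certificate's fingerprints in the switch's display format
and decide how to answer 'Is the finger print correct?(Y/N)'.  Added
example, not code from the HPE guide.  SAMPLE_PEM is a constructed
placeholder whose body is the bytes b"abc", not a real certificate, and
SAMPLE_EXPECTED_SHA1 stands in for the value the CA operator reads out
over a trusted channel."""
import base64
import hashlib
import hmac
import re

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))

def device_format(hexdigest: str) -> str:
    """Upper-case hex in 4-character groups, as the switch prints it."""
    h = hexdigest.upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def fingerprints(der: bytes) -> dict:
    """MD5 ('fingerprint:') and SHA-1 ('SHA1 fingerprint:') of the DER."""
    return {"md5": device_format(hashlib.md5(der).hexdigest()),
            "sha1": device_format(hashlib.sha1(der).hexdigest())}

def normalize(fp: str) -> str:
    """Hex digits only, upper-case, so spacing and case do not matter."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def fingerprint_matches(der: bytes, expected_sha1: str) -> bool:
    """Constant-time comparison of the SHA-1 fingerprint with the out-of-band value.
    MD5 is displayed for reference but never used for the decision."""
    got = normalize(fingerprints(der)["sha1"])
    return hmac.compare_digest(got, normalize(expected_sha1))

def answer_prompt(der: bytes, expected_sha1: str) -> str:
    """'Y' only when the fingerprint was verified; otherwise 'N'."""
    return "Y" if fingerprint_matches(der, expected_sha1) else "N"

# Constructed placeholder: base64("abc").  A real input would be the CA
# certificate file (for example cacert.crt) fetched over a trusted channel.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# SHA-1 of b"abc" in device format, playing the role of the out-of-band value.
SAMPLE_EXPECTED_SHA1 = "A999 3E36 4706 816A BA3E 2571 7850 C26C 9CD0 D89D"

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    fps = fingerprints(der)
    print("fingerprint:", fps["md5"])
    print("SHA1 fingerprint:", fps["sha1"])
    print("Is the finger print correct?(Y/N):", answer_prompt(der, SAMPLE_EXPECTED_SHA1))
```

The decision uses only the SHA-1 value: MD5 collisions are practical, so the MD5 line the device prints is useful for eyeballing but not as the basis for trusting a CA. Answer N whenever no out-of-band fingerprint is available; accepting the prompt blindly makes the rest of the PKI configuration only as trustworthy as the path to the CA server.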
  • Page 96: Certificate Import And Export Configuration Example

    Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B X509v3 Authority Key Identifier: keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B X509v3 Issuer Alternative Name: DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138 Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl...
  • Page 97 Figure 22 Network diagram Configuration procedure Export the certificate on Device A to specified files: # Export the CA certificate to a .pem file. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 98 friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 99 Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63: ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:f5:00:...
  • Page 100 Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9: 3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6: 5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37: 02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1: db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3: 5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da: 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info:...
  • Page 101: Troubleshooting Pki Configuration

    X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/...
  • Page 102: Failed To Obtain The Ca Certificate

    Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No trusted CA is specified. •...
  • Page 103: Failed To Request Local Certificates

    Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements. Obtain the CRL from the CRL repository. Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
  • Page 104: Failed To Import The Ca Certificate

    Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No CA certificate has been obtained before you try to obtain CRLs. • The URL of the CRL repository is not configured and cannot be obtained from the CA certificate or local certificates in the PKI domain.
  • Page 105: Failed To Import A Local Certificate

    Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis • The PKI domain does not have a locally stored CA certificate, and the certificate file to be imported does not contain the CA certificate chain. •...
  • Page 106: Failed To Set The Storage Path

    If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis • The specified storage path does not exist. • The specified storage path is illegal. •...
  • Page 107: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 108: Feature And Software Version Compatibility

    Figure 24 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 109 NOTE: • SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). By default, the SSL server can communicate with clients running SSL 3.0 or TLS 1.0. When the server receives an SSL 2.0 Client Hello message from a client supporting both SSL 2.0 and SSL 3.0/TLS 1.0, it notifies the client to use SSL 3.0 or TLS 1.0 for communication.
  • Page 110: Configuring An Ssl Client Policy

    Configuring an SSL client policy An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as DDNS. Where the server supports it, select TLS 1.0 rather than SSL 3.0: SSL 2.0 is prohibited by RFC 6176 and SSL 3.0 is deprecated by RFC 7568. You can specify the SSL version (SSL 3.0 or TLS 1.0) for an SSL client policy: •...
  • Page 111: Displaying And Maintaining Ssl

    • In FIPS mode: version tls1.0
    Enable the SSL client to authenticate servers through digital certificates. Command: server-verify enable. Remarks: By default, SSL server authentication is enabled.
    Displaying and maintaining SSL
    Execute display commands in any view.
    Display SSL server policy information.
  • Page 112: Configuring Ipsec

    Configuring IPsec The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). CAUTION: •...
  • Page 113 • AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure 27. AH can provide data origin authentication, data integrity, and anti-replay services to prevent data tampering, but it cannot prevent eavesdropping. Therefore, it is suitable for transmitting non-confidential data.
  • Page 114: Security Association

    Figure 27 Security protocol encapsulations in different modes (transport and tunnel mode, for AH, ESP, and AH-ESP)
    Security association
    A security association (SA) is an agreement negotiated between two communicating parties called "IPsec peers."
  • Page 115: Ipsec Implementation

    Encryption algorithms IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys. The following encryption algorithms are available for IPsec on the device: • DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest algorithm.
  • Page 116: Ipsec Tunnel Establishment

    • RFC 2402, IP Authentication Header • RFC 2406, IP Encapsulating Security Payload IPsec tunnel establishment Implementing ACL-based IPsec protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec").
  • Page 117: Configuring An Acl

    Tasks at a glance (Optional.) Binding a source interface to an IPsec policy (Optional.) Enabling QoS pre-classify (Optional.) Enabling logging of IPsec packets (Optional.) Configuring the DF bit of IPsec packets (Optional.) Configuring SNMP notifications for IPsec Configuring an ACL IPsec uses ACLs to identify the traffic to be protected.
  • Page 118: Configuring An Ipsec Transform Set

    Configuring an IPsec transform set An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms. Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.
  • Page 119: Configuring A Manual Ipsec Policy

    Step Command Remarks pfs dh-group14 The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder. The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.
  • Page 120: Configuring An Ike-Based Ipsec Policy

    ... address of the IPsec tunnel. Remarks: ... IPsec tunnel is not specified. The local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied.
    Configure an SPI for the ... Command: to configure an SPI for the inbound IPsec SA, sa spi inbound { ah | esp } ...
  • Page 121 • An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
  • Page 122: Applying An Ipsec Policy To An Interface

    ... address of the IPsec tunnel. Command: ... ipv4-address }. Remarks: ... of the IPsec tunnel is not specified.
    Set the IPsec SA lifetime. Command: sa duration { time-based seconds | traffic-based kilobytes }. Remarks: By default, the global SA lifetime is used.
    10. (Optional.) Set the IPsec SA idle timeout. Command: sa idle-time seconds. Remarks: By default, the global SA idle ...
  • Page 123: Enabling Acl Checking For De-Encapsulated Packets

    Enabling ACL checking for de-encapsulated packets This feature uses the ACL in the IPsec policy to match the IP packets that are de-encapsulated from incoming IPsec packets in tunnel mode, and it discards the IP packets that fail to match the ACL to avoid attacks using forged packets.
  • Page 124: Binding A Source Interface To An Ipsec Policy

    ... anti-replay window.
    Binding a source interface to an IPsec policy
    For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.
  • Page 125: Enabling Logging Of Ipsec Packets

    ... disabled.
    Enabling logging of IPsec packets
    Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, the SPI value, and the sequence number of a discarded IPsec packet, and the reason for the failure.
  • Page 126: Configuring Snmp Notifications For Ipsec

    1. Enter system view. Command: system-view.
    2. Configure the DF bit of IPsec packets globally. Command: ipsec global-df-bit { clear | copy | set }. Remarks: By default, IPsec copies the DF bit in the original IP header to the new IP header.
    Configuring SNMP notifications for IPsec
    After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important module events.
  • Page 127: Ipsec Configuration Examples

    IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets As shown in Figure 28, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches. Configure the tunnel as follows: • Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as AES-CBC-192, and the authentication algorithm as HMAC-SHA1.
  • Page 128 # Configure inbound and outbound SPIs for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg [SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba [SwitchA-ipsec-policy-manual-map1-10] quit # Apply the IPsec policy map1 to VLAN-interface 1.
  • Page 129: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established, and the traffic between the switches is IPsec protected. This example uses Switch A to verify the configuration.
  • Page 130 Configuration procedure Configure Switch A: # Configure an IP address for VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Define an ACL to identify data flows from Switch A to Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] quit...
  • Page 131 # Specify the card in slot 1 to process the traffic for VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] service slot 1 # Apply the IPsec policy map1 to VLAN-interface 1. [SwitchA-Vlan-interface1] ipsec apply policy map1 Configure Switch B: # Configure an IP address for VLAN-interface 1. <SwitchB>...
  • Page 132 # Apply the IKE profile profile1. [SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1 [SwitchB-ipsec-policy-isakmp-use1-10] quit # Specify the card in slot 1 to process the traffic for VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] service slot 1 # Apply the IPsec policy use1 to VLAN-interface 1. [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration After the configuration is completed, IKE negotiation is triggered to set up IPsec SAs when there are...
  • Page 133: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
  • Page 134: Ike Security Mechanism

    Figure 31 IKE exchange process in main mode As shown in Figure 31, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number.
  • Page 135: Protocols And Standards

    DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared key from the exchanged values requires solving the discrete logarithm problem, a third party cannot obtain the shared keys even after intercepting all of the keying material. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
  • Page 136: Configuring An Ike Profile

    Tasks at a glance Remarks (Optional.) Setting the maximum number of IKE SAs (Optional.) Configuring SNMP notifications for IKE Configuring an IKE profile An IKE profile is intended to provide a set of parameters for IKE negotiation. To configure an IKE profile, you can do the following: Configure peer IDs.
  • Page 137: Configuring An Ike Proposal

    Command: ... { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }. Remarks: Each of the two peers must have at least one peer ID configured. Configure either or both commands as required.
  • Page 138 Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation: • The initiator sends its IKE proposals to the peer. If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer.
  • Page 139: Configuring An Ike Keychain

    Configuring an IKE keychain Perform this task when you configure the IKE to use the pre-shared key for authentication. Follow these guidelines when you configure an IKE keychain: Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
  • Page 140: Configuring The Ike Keepalive Function

    Configure the global identity to be used by the local end. Command: ike identity { address ipv4-address | dn | fqdn [ fqdn-name ] | user-fqdn ... Remarks: By default, the IP address of the interface to which the IPsec policy is applied is used as the ...
  • Page 141: Configuring Ike Dpd

    1. Enter system view. Command: system-view.
    2. Set the IKE NAT keepalive interval. Command: ike nat-keepalive seconds. Remarks: The default interval is 20 seconds.
    Configuring IKE DPD
    DPD detects dead peers. It can operate in periodic mode or on-demand mode.
    • Periodic DPD—Sends a DPD message at regular intervals. It features an earlier detection of dead peers, but consumes more bandwidth and CPU.
  • Page 142: Setting The Maximum Number Of Ike Sas

    sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic. The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent.
  • Page 143: Displaying And Maintaining Ike

    Enable SNMP notifications for IKE globally. Command: snmp-agent trap enable ike global. Remarks: By default, SNMP notifications for IKE are enabled.
    Enable SNMP notifications for the ... Command: snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | invalid-cert-auth | invalid-cookie | ... Remarks: By default, SNMP notifications ...
  • Page 144 Configure Switch A: # Assign an IP address to VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-vlan-interface1] ip address 1.1.1.1 255.255.0.0 [SwitchA-vlan-interface1] quit # Configure ACL 3101 to identify traffic between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchA-acl-adv-3101] quit # Create IPsec transform set tran1.
  • Page 145 [SwitchA-Vlan-interface1] service slot 1 # Apply IPsec policy map1 to VLAN-interface 1. [SwitchA-Vlan-interface1] ipsec apply policy map1 Configure Switch B: # Assign an IP address to VLAN-interface 1. <SwitchB> system-view [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.0.0 [SwitchB-Vlan-interface1] quit # Configure ACL 3101 to identify traffic between Switch B and Switch A.
  • Page 146: Verifying The Configuration

    [SwitchB-ipsec-policy-isakmp-use1-10] ike-profile profile1 [SwitchB-ipsec-policy-isakmp-use1-10] quit # Specify the card in slot 1 to forward the traffic for VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] service slot 1 # Apply IPsec policy use1 to VLAN-interface 1. [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration When there is traffic between Switch A and Switch B, IKE negotiation is triggered.
  • Page 147: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    ------------------------------------------------------------------ 192.168.222.5 Unknown IPSEC Flags: RD--READY RL--REPLACED FD-FADING The following IKE event debugging or packet debugging message appeared: IKE event debugging message: Notification PAYLOAD_MALFORMED is received. IKE packet debugging message: Construct notification packet: PAYLOAD_MALFORMED. Analysis • If the following debugging information appeared, the matched IKE profile is not referencing the matched IKE proposal: Failed to find proposal 1 in profile profile1.
  • Page 148: Ipsec Sa Negotiation Failed Due To Invalid Identity Information

    IPsec SA negotiation failed due to invalid identity information Symptom The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
  • Page 149 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: isakmp ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: 192.168.222.71 Transform set: transform1 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time: Verify that the ACL referenced by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
  • Page 150

    Remote address:
    Transform set: transform1
    IKE profile: profile1
    SA duration(time based):
    SA duration(traffic based):
    SA idle time:
    Solution
    If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.
    If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, modify the responder's ACL so the ACL defines a flow range equal to or greater than that of the initiator's ACL.
  • Page 151: Configuring Ssh

    Configuring SSH
    Overview
    Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
  • Page 152: Ssh Authentication Methods

    Stages Description client initiates a connection request, the server and the client establish a TCP connection. Version negotiation The two parties determine a version to use after negotiation. SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms: •...
  • Page 153: Fips Compliance

    NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
    Publickey authentication
    The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
    The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
  • Page 154: Generating Local Dsa Or Rsa Key Pairs

    Tasks at a glance
    (Required/optional.) Configuring an SSH user
      Remarks: Required if the authentication method is publickey, password-publickey, or any. Optional if the authentication method is password.
    (Optional.) Configuring the SSH management parameters
    Generating local DSA or RSA key pairs
    IMPORTANT: Do not generate the local DSA key pair when the device operates in FIPS mode as an SSH server.
  • Page 155: Enabling The Stelnet Server

    Enabling the Stelnet server
    After you enable the Stelnet server on the device, a client can log in to the device through Stelnet.
    To enable the Stelnet server:
    Step: Enter system view.
      Command: system-view
    Step: Enable the Stelnet server.
      Remarks: By default, the Stelnet server is...
  • Page 156: Configuring User Lines For Ssh Login

    Step: Enter system view.
      Command: system-view
    Step: Enable NETCONF over SSH.
      Command: netconf ssh server enable
      Remarks: By default, NETCONF over SSH is disabled.
    Step: Specify a port to listen for NETCONF-over-SSH connections.
      Command: netconf ssh server port port-number
      Remarks: By default, port 830 listens for NETCONF-over-SSH connections.
  • Page 157: Configuring An Ssh User

    Step: Enter system view.
      Command: system-view
    Step: Enter public key view.
      Command: public-key peer keyname
    Step: Configure a client's host public key.
      Command: Enter the content of the host public key.
      Remarks: The host public key must be in the DER encoding format without being converted. When you enter the content for a host public key, you can use spaces and carriage returns...
  • Page 158: Configuring The Ssh Management Parameters

    Configuration guidelines
    When you configure an SSH user, follow these restrictions and guidelines:
    • An SSH server supports up to 1024 SSH users.
    • For an SFTP or SCP user, the working directory depends on the authentication method:
      If the authentication method is password, the working directory is authorized by AAA.
      If the authentication method is publickey or password-publickey, the working folder is specified by the authorization-attribute command in the associated local user view.
  • Page 159: Configuring The Device As An Stelnet Client

    This command is not available in FIPS mode.
    Step: Set the SSH user authentication timeout period.
      Command: ssh server authentication-timeout time-out-value
      Remarks: The default setting is 60 seconds. If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.
  • Page 160: Establishing A Connection To An Stelnet Server

    • Improving the manageability of Stelnet clients in authentication service.
    To specify the source IP address for SSH packets:
    Step: Enter system view.
      Command: system-view
    Step: Specify the source IP address for SSH packets.
      Command: ssh client source { interface ...
      Remarks: By default, the source IP address for SSH packets is not configured.
  • Page 161: Configuring The Device As An Sftp Client

    Configuring the device as an SFTP client
    SFTP client configuration task list
    Tasks at a glance
    (Optional.) Specifying the source IP address for SFTP packets
    (Required.) Establishing a connection to an SFTP server
    (Optional.) Working with SFTP directories
    (Optional.) Working with SFTP files
    (Optional.) Displaying help information
    (Optional.)
  • Page 162: Working With Sftp Directories

    To establish a connection to an SFTP server:
    • In non-FIPS mode:
      sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } |...
  • Page 163: Displaying Help Information

      Remarks: Available in SFTP client view.
    Task: Display files under a directory.
      Command: • dir [ -a | -l ] [ remote-path ]
               • ls [ -a | -l ] [ remote-path ]
      Remarks: The dir command has the same function as the ls command. Available in SFTP client view.
  • Page 164: Displaying And Maintaining Ssh

    • In non-FIPS mode:
      scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } |...
  • Page 165: Password Authentication Enabled Stelnet Server Configuration Example

    Password authentication enabled Stelnet server configuration example
    Network requirements
    As shown in Figure
    • The switch acts as the Stelnet server and uses password authentication.
    • The username and password of the client are saved on the switch.
    Establish an Stelnet connection between the host and the switch, so you can log in to the switch for configuration management.
  • Page 166

    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Set the authentication mode to AAA for the user lines.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    # Create a local device management user client001.
    [Switch] local-user client001 class manage
    # Set the password to aabbcc in plain text for the local user client001.
  • Page 167: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 34 Specifying the host name (or IP address)
    c. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
  • Page 168

    Configuration procedure
    In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server.
    There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
  • Page 169

    Figure 37 Generating process
    c. After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save.
    Figure 38 Saving a key pair on the client
    d. Click Save private key to save the private key.
  • Page 170

    A confirmation dialog box appears.
    e. Click Yes, enter a file name (private.ppk in this example), and click Save.
    f. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
    Configure the Stelnet server:
    # Generate RSA key pairs.
    <Switch>...
  • Page 171

    [Switch-luser-manage-client002] service-type ssh
    # Assign the user role network-admin to the local user client002.
    [Switch-luser-manage-client002] authorization-attribute user-role network-admin
    [Switch-luser-manage-client002] quit
    Specify the private key file and establish a connection to the Stelnet server:
    a. Launch PuTTY.exe on the Stelnet client to enter the interface shown in Figure
    b.
  • Page 172

    Figure 40 Specifying the preferred SSH version
    e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 41 appears.
    f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
  • Page 173: Password Authentication Enabled Stelnet Client Configuration Example

    g. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server.
    Password authentication enabled Stelnet client configuration example
    Network requirements
    As shown in...
  • Page 174

    # Enable the Stelnet server.
    [SwitchB] ssh server enable
    # Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address of the SSH connection.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    # Set the authentication mode to AAA for the user lines.
  • Page 175

    [SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B 68950387811C7DA33021500C773218C
    [SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009 14EC474BAF2932E69D3B1F18517AD95
    [SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0 492B3959EC6499625BC4FA5082E22C5
    [SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2 88317C1BD8171D41ECB83E210C03CC9
    [SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C 9B09EEF0381840002818000AF995917
    [SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5 F257523777D033BEE77FC378145F2AD
    [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290
    [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D
    [SwitchA-pkey-public-key-key1]485348
    [SwitchA-pkey-public-key-key1] peer-public-key end
    [SwitchA] quit
    # Establish an SSH connection to the server 192.168.1.40 and specify the host public key of the server as key1.
    <SwitchA>...
  • Page 176: Publickey Authentication Enabled Stelnet Client Configuration Example

    Press CTRL+C to abort.
    Connecting to 192.168.1.40 port 22.
    The server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:y
    client001@192.168.1.40's password:
    Enter a character ~ and a dot to abort.
    ******************************************************************************
    * Copyright (c) 2004-2014 Hewlett Packard Enterprise Development LP. All rights reserved.
  • Page 177

    Input the modulus length [default = 1024]:
    Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++*
    ..+..+..+........+
    ...+....+..+...+
    Create the key pair successfully.
    # Export the DSA host public key to file key.pub.
    [SwitchA] public-key local export dsa ssh2 key.pub
    [SwitchA] quit
    # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
    Configure the Stelnet server:
    # Generate RSA key pairs.
  • Page 178: Sftp Configuration Examples

    # Create an SSH user client002, specify the authentication method as publickey for the user, and assign the public key switchkey to the user.
    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
    # Create a local device management user client002.
    [SwitchB] local-user client002 class manage
    # Authorize the local user client002 to use the SSH service.
  • Page 179

    Establish an SFTP connection between the host and the switch, so you can log in to the switch to execute file management and transfer operations.
    Figure 44 Network diagram
    Configuration procedure
    Configure the SFTP server:
    # Generate RSA key pairs.
    <Switch>...
  • Page 180: Publickey Authentication Enabled Sftp Client Configuration Example

    # Assign the user role network-admin and working directory flash:/ to the local user client002.
    [Switch-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/
    [Switch-luser-manage-client002] quit
    # Create an SSH user client002, specify the authentication method as password and service type as sftp for the user.
    [Switch] ssh user client002 service-type sftp authentication-type password
    Establish a connection between the SFTP client and the SFTP server:
    The device supports different types of SFTP client software.
  • Page 181

    Figure 46 Network diagram
    Configuration procedure
    In the server configuration, the client's host public key is required. Generate RSA key pairs on the client before configuring the SFTP server.
    Configure the SFTP client:
    # Assign an IP address to VLAN-interface 2.
    <SwitchA>...
  • Page 182

    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++*
    ..+..+..+........+
    ...+....+..+...+
    Create the key pair successfully.
  • Page 183: Scp File Transfer With Password Authentication

    Removing /z
    sftp> dir -l
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup...
  • Page 184: Network Requirements

    When you configure SCP on a device that operates in FIPS mode, follow these guidelines:
    • The modulus length of the key pair must be 2048 bits.
    • When the device acts as the SCP server, only RSA key pairs are supported. Do not generate a DSA key pair on the SCP server.
  • Page 185

    [SwitchB] scp server enable
    # Configure an IP address for VLAN-interface 2. The client uses this address as the destination for SCP connection.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    # Create a local device management user client001.
    [SwitchB] local-user client001 class manage
    # Set the password to aabbcc in plain text for the local user client001.
  • Page 186: Configuring Ip Source Guard

    Configuring IP source guard
    Overview
    IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops all packets that do not match the table. The IPSG binding table can include the following bindings:
    •...
  • Page 187: Dynamic Ipsg Bindings

    • Filter IPv4 incoming packets on the interface.
    • Cooperate with ARP detection for user validity checking. For information about ARP detection, see "Configuring ARP attack protection."
    Dynamic IPSG bindings
    IPSG can automatically obtain user information from other modules to generate dynamic bindings. The source modules include DHCP relay, DHCP snooping, and DHCP server.
  • Page 188: Configuring A Static Ipv4Sg Binding

    Step: Enter interface view.
      Command: interface interface-type interface-number
      Remarks: The following interface types are supported:
        • Layer 2 Ethernet interface.
        • Layer 3 Ethernet interface.
        • VLAN interface.
    Step: Enable the IPv4SG feature.
      Command: ip verify source { ip-address | ...
      Remarks: By default, the feature is disabled on an interface. If you configure this command on...
  • Page 189: Displaying And Maintaining Ipsg

    Displaying and maintaining IPSG
    Execute display commands in any view and reset commands in user view.
    Task: Display IPv4SG bindings (in standalone mode).
      Command: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ]
  • Page 190: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    [SwitchA-FortyGigE1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405
    [SwitchA-FortyGigE1/0/2] quit
    # Enable IPv4SG on FortyGigE 1/0/1.
    [SwitchA] interface fortygige 1/0/1
    [SwitchA-FortyGigE1/0/1] ip verify source ip-address mac-address
    # On FortyGigE 1/0/1, configure a static IPv4SG binding for Host A.
    [SwitchA-FortyGigE1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
    [SwitchA-FortyGigE1/0/1] quit
    Configure Switch B:...
  • Page 191: Dynamic Ipv4Sg Using Dhcp Relay Configuration Example

    • Enable DHCP snooping on the switch to make sure the DHCP client obtains an IP address from the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable recording of client information in DHCP snooping entries.
    •...
  • Page 192

    Figure 51 Network diagram
    Configuration procedure
    Configure dynamic IPv4SG:
    # Configure IP addresses for the interfaces. (Details not shown.)
    # Enable IPv4SG on VLAN-interface 100 and verify the source IP address and MAC address for dynamic IPSG.
    <Switch> system-view
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] ip verify source ip-address mac-address
    [Switch-Vlan-interface100] quit
    Configure the DHCP relay agent:...
  • Page 193: Configuring Arp Attack Protection

    Configuring ARP attack protection
    ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks.
    Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 194: Configuring Arp Source Suppression

    • ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
  • Page 195: Configuration Example

    Configuration example
    Network requirements
    As shown in Figure 52, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch.
    A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack.
  • Page 196: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit
    IMPORTANT: This feature is available in Release 2137 and later versions.
    The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP detection-enabled device will send all received ARP packets to the CPU for inspection. Processing excessive ARP packets will make the device malfunction or even crash.
  • Page 197: Configuring Source Mac-Based Arp Attack Detection

    NOTE: If you enable notification sending and logging for ARP packet rate limit on a Layer 2 aggregate interface, the features apply to all aggregation member ports.
    Configuring source MAC-based ARP attack detection
    IMPORTANT: This feature is available in Release 2137 and later versions.
    This feature checks the number of ARP packets delivered to the CPU.
  • Page 198: Configuration Example

    Task: Display ARP attack entries detected by source MAC-based ARP attack detection.
      Command: display arp source-mac { slot slot-number | interface interface-type interface-number }
    Configuration example
    Network requirements
    As shown in Figure 53, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and become unable to process requests from the clients.
  • Page 199: Configuring Arp Packet Source Mac Consistency Check

    # Set the lifetime for ARP attack entries to 60 seconds.
    [Device] arp source-mac aging-time 60
    # Exclude MAC address 0012-3f86-e94c from this detection.
    [Device] arp source-mac exclude-mac 0012-3f86-e94c
    Configuring ARP packet source MAC consistency check
    IMPORTANT: This feature is available in Release 2137 and later versions.
    This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
  • Page 200: Configuring Authorized Arp

    Step: Enable the ARP active acknowledgement feature.
      Command: arp active-ack [ strict ] enable
      Remarks: By default, this feature is disabled.
    Configuring authorized ARP
    IMPORTANT: This feature is available in Release 2137 and later versions.
    Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent.
  • Page 201: Configuring Arp Packet Validity Check

    match is found from those entries, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded. Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."...
  • Page 202: Configuring Arp Restricted Forwarding

    Step: Enable ARP detection.
      Command: arp detection enable
      Remarks: By default, ARP detection is disabled.
    Step: Return to system view.
      Command: quit
    Step: Enable ARP packet validity check and specify the objects to be checked.
      Command: arp detection validate { dst-mac | ip | src-mac }
      Remarks: By default, ARP packet validity check is disabled.
  • Page 203: Displaying And Maintaining Arp Detection

    To enable ARP detection logging:
    Step: Enter system view.
      Command: system-view
    Step: Enable ARP detection logging.
      Command: arp detection log enable
      Remarks: By default, ARP detection logging is disabled.
    Displaying and maintaining ARP detection
    Execute display commands in any view and reset commands in user view.
    Task: Display the VLANs enabled with...
  • Page 204: Configuring Arp Scanning And Fixed Arp

    Configure the DHCP server on Switch A, and configure DHCP address pool 0.
    <SwitchA> system-view
    [SwitchA] dhcp enable
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    Configure Host A (DHCP client) and Host B. (Details not shown.)
    Configure Switch B:
    # Enable DHCP snooping.
  • Page 205: Configuration Restrictions And Guidelines

    Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. This feature prevents ARP entries from being modified by attackers. Static ARP entries can also be manually configured by the arp static command.
    Configuration restrictions and guidelines
    When you configure ARP scanning and fixed ARP, follow these restrictions and guidelines:
    •...
  • Page 206: Configuration Procedure

    • You can enable ARP gateway protection for a maximum of eight gateways on an interface.
    • Do not configure both the arp filter source and arp filter binding commands on an interface.
    • If ARP gateway protection works with ARP detection, MFF, and ARP snooping, ARP gateway protection applies first.
  • Page 207: Configuring Arp Filtering

    [SwitchB-FortyGigE1/0/2] arp filter source 10.1.1.1
    Verifying the configuration
    # Verify that FortyGigE 1/0/1 and FortyGigE 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
    Configuring ARP filtering
    IMPORTANT: This feature is available in Release 2137 and later versions.
    The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
  • Page 208

    Figure 56 Network diagram
    Configuration procedure
    # Configure ARP filtering on Switch B.
    <SwitchB> system-view
    [SwitchB] interface fortygige 1/0/1
    [SwitchB-FortyGigE1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
    [SwitchB-FortyGigE1/0/1] quit
    [SwitchB] interface fortygige 1/0/2
    [SwitchB-FortyGigE1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
    Verifying the configuration
    # Verify that FortyGigE 1/0/1 permits ARP packets from Host A and discards other ARP packets.
  • Page 209: Configuring Urpf

    Configuring uRPF
    Overview
    Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 210

    Figure 58 uRPF work flow (flowchart; the decision boxes check the received packet for: broadcast source address, all-zero source address, broadcast destination address, matching FIB entry found, default route found, loose uRPF, matching route is a direct route, receiving interface matches the output interface of the default route; failed checks lead to "Discards the packet")
  • Page 211

    If yes, proceeds to step 3.
    If no, proceeds to step 6.
    uRPF checks whether the check mode is loose:
    If yes, proceeds to step 8.
    If no, uRPF checks whether the matching route is a direct route:
    − If yes, proceeds to step 5.
    −...
  • Page 212: Network Application

    Network application
    Figure 59 Network diagram
    Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs.
    Configuring uRPF
    To enable uRPF globally:
    Step: Enter system view.
      Command: system-view
    Step: Enable uRPF globally.
      Command: ip urpf { loose | strict }
      Remarks: By default, uRPF is disabled.
  • Page 213: Urpf Configuration Example

    uRPF configuration example
    Network requirements
    As shown in Figure 60, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.
    Figure 60 Network diagram
    Configuration procedure
    Enable strict uRPF check on Switch A.
  • Page 214: Configuring Fips

    Configuring FIPS
    Overview
    Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high.
  • Page 215: Configuring Fips Mode

    • Do not use FIPS and non-FIPS devices to create an IRF fabric.
    • To enable FIPS mode for an IRF fabric, you must reboot the entire IRF fabric.
    • The default MDC supports FIPS commands. Other MDCs do not support FIPS commands.
    Configuring FIPS mode
    Entering FIPS mode
    After you enable FIPS mode and reboot the device, the device operates in FIPS mode.
  • Page 216: Configuration Changes In Fips Mode

    Save the configuration file and specify it as the startup configuration file.
    Delete the startup configuration file in binary format (an .mdb file).
    10. Reboot the device.
    The system enters FIPS mode. You can use the configured username and password to log in to the device in FIPS mode.
  • Page 217: Fips Self-Tests

    The system reboots the device by using the default non-FIPS configuration file. After the reboot, you are directly logged into the device.
    Manual reboot
    This method requires that you manually complete the configurations for entering non-FIPS mode, and then reboot the device. To log in to the device after the reboot, you must enter user information according to the authentication mode.
  • Page 218: Conditional Self-Tests

    Table 8 Power-up self-test list
    Type: Cryptographic algorithm self-test
      Operations: Tests the following algorithms:
        • DSA (signature and authentication)
        • RSA (signature and authentication)
        • RSA (encryption and decryption)
        •
        • 3DES
        • SHA1
        • HMAC-SHA1
        • Random number generator algorithms
    Conditional self-tests
    A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked.
  • Page 219: Fips Configuration Examples

    FIPS configuration examples
    Entering FIPS mode through automatic reboot
    Network requirements
    Use the automatic reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.
    Configuration procedure
    # If you want to save the current configuration, execute the save command before you enable FIPS mode.
  • Page 220: Entering Fips Mode Through Manual Reboot

    local-user root class manage
    service-type terminal
    authorization-attribute user-role network-admin
    fips mode enable
    return
    <Sysname>
    Entering FIPS mode through manual reboot
    Network requirements
    Use the manual reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.
  • Page 221: Exiting Fips Mode Through Automatic Reboot

    # Delete the startup configuration file in binary format.
    <Sysname> delete flash:/startup.mdb
    Delete flash:/startup.mdb?[Y/N]:y
    Deleting file flash:/startup.mdb...Done.
    # Reboot the device.
    <Sysname> reboot
    Verifying the configuration
    After the device reboots, enter the username test and the password 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode.
  • Page 222: Exiting Fips Mode Through Manual Reboot

    Exiting FIPS mode through manual reboot
    Network requirements
    A user has logged in to the device in FIPS mode through SSH with the username test and password 12345zxcvb!@#$%ZXCVB. Use the manual reboot method to exit FIPS mode.
    Configuration procedure
    # Disable FIPS mode.
    [Sysname] undo fips mode enable
    FIPS mode change requires a device reboot.
  • Page 223: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention
    Overview
    Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to drop attack packets to protect a private network. The device supports only TCP fragment attack prevention.
    Enabling TCP fragment attack prevention
    The TCP fragment attack prevention feature takes effect only on Layer 3 packets.
  • Page 224: Document Conventions And Icons

    Document conventions and icons
    Conventions
    This section describes the conventions used in the documentation.
    Port numbering in examples
    The port numbers in this document are for illustration only and might be unavailable on your device.
    Command conventions
    Convention: Boldface
      Description: Bold text represents commands and keywords that you enter literally as shown.
  • Page 225: Network Topology Icons

    Network topology icons
    • Represents a generic network device, such as a router, switch, or firewall.
    • Represents a routing-capable device, such as a router or Layer 3 switch.
    • Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 226: Support And Other Resources

    Support and other resources
    Accessing Hewlett Packard Enterprise Support
    • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
    • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc
    Information to collect
    •...
  • Page 227: Websites

    Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
