HPE FlexNetwork 7500 Series Security Configuration Manual page 10

Configuration procedure ························································································································· 367
Verifying the configuration ······················································································································ 368
Configuring SSL ·························································································· 369
Overview ························································································································································ 369
SSL security services ····························································································································· 369
SSL protocol stack ································································································································· 369
FIPS compliance ············································································································································ 370
SSL configuration task list ······························································································································ 370
Configuring an SSL server policy ··················································································································· 370
Configuring an SSL client policy ···················································································································· 373
Displaying and maintaining SSL ···················································································································· 375
SSL server policy configuration example ······································································································· 375
Configuring attack detection and prevention ··············································· 378
Overview ························································································································································ 378
Attacks that the device can prevent ··············································································································· 378
Single-packet attacks ····························································································································· 378
Scanning attacks ···································································································································· 379
Flood attacks ·········································································································································· 380
TCP fragment attack ······························································································································ 381
Login DoS attack ···································································································································· 381
Login dictionary attack ··························································································································· 381
Blacklist feature ·············································································································································· 381
IP blacklist ·············································································································································· 381
User blacklist ·········································································································································· 382
Attack detection and prevention configuration task list ·················································································· 382
Configuring an attack defense policy ············································································································· 382
Creating an attack defense policy ·········································································································· 382
Configuring a single-packet attack defense policy ················································································· 383
Configuring a scanning attack defense policy ························································································ 384
Configuring a flood attack defense policy ······························································································ 385
Configuring attack detection exemption ································································································· 389
Applying an attack defense policy to an interface ·················································································· 390
Applying an attack defense policy to the device ···················································································· 390
Enabling log non-aggregation for single-packet attack events ······························································· 391
Configuring TCP fragment attack prevention ································································································· 391
Configuring the IP blacklist feature ················································································································ 391
Configuring the user blacklist feature ············································································································· 392
Configuring login attack prevention ················································································································ 392
Enabling the login delay ································································································································· 393
Displaying and maintaining attack detection and prevention ········································································· 393
Attack detection and prevention configuration examples ··············································································· 395
Interface-based attack detection and prevention configuration example ··············································· 395
IP blacklist configuration example ·········································································································· 399
User blacklist configuration example ······································································································ 400
Configuring TCP attack prevention ····························································· 401
Overview ························································································································································ 401
Configuring Naptha attack prevention ············································································································ 401
Configuring IP source guard ······································································· 402
Overview ························································································································································ 402
Static IPSG bindings ······························································································································ 402
Dynamic IPSG bindings ························································································································· 403
Configuration restrictions and guidelines ······································································································· 404
IPSG configuration task list ···························································································································· 404
Configuring the IPv4SG feature ····················································································································· 404
Enabling IPv4SG on an interface ··········································································································· 404
Configuring a static IPv4SG binding ······································································································ 405
Excluding IPv4 packets from IPSG filtering ···························································································· 406
Configuring the IPv6SG feature ····················································································································· 406
viii