HP E3800-24G-PoE+-2SFP+ Access Security Manual page 39

Switch software

Security Overview
Network Security Features

Feature: Key Management System (KMS)
Default Setting: none
Security Guidelines: KMS is available in several HP switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.
More Information and Configuration Details: Chapter 16, "Key Management System"

Feature: Connection-Rate Filtering based on Virus-Throttling Technology
Default Setting: none
Security Guidelines: This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports. In this case, the malicious code tries to create a large number of outbound connections on an interface in a short time. Connection-Rate filtering detects hosts that are generating traffic that exhibits this behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts.
More Information and Configuration Details: Chapter 3, "Virus Throttling (Connection-Rate Filtering)"

Feature: ICMP Rate-Limiting
Default Setting: none
Security Guidelines: This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions, but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect).
More Information and Configuration Details: Management and Configuration Guide: in the chapter on "Port Traffic Controls", refer to the section "ICMP Rate-Limiting"

Feature: Spanning Tree Protection
Default Setting: none
Security Guidelines: These features protect your switch from malicious attacks or configuration errors:
• BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
• STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.
More Information and Configuration Details: Advanced Traffic Management Guide: refer to the chapter "Multiple Instance Spanning-Tree Operation"

Feature: DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown
Default Setting: none
Security Guidelines: These features provide the following additional protections for your network:
• DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests.
• Dynamic ARP Protection: Protects your network from ARP cache poisoning.
• Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis.
• Instrumentation Monitor: Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.
More Information and Configuration Details: Chapter 11, "Configuring Advanced Threat Protection"