Secure Connection - HP ProCurve 1810G Management And Configuration Manual

Security

Table 5-1. Advanced Security Fields

Field: Auto DoS
Description: Select Enable to enable the following protections, or clear to disable all protections.
• Prevent Land Attack—Prevents receiving packets with the same source and destination IP addresses.
• Prevent PingOfDeath Attack—Prevents receiving ping packets with a size larger than 512 bytes through the use of fragments, which can target vulnerable systems.
• Prevent InvalidTCPFlags Attack—Prevents receiving packets with invalid TCP flags:
  – TCP Flag SYN set and Source Port less than 1024
  – TCP Control Flags = 0 and TCP Sequence Number = 0
  – TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0
  – TCP Flags SYN and FIN set
• Prevent PingFlood Attack—Prevents Ping Flood by limiting the number of ICMP Ping packets. The rate is 1000 ICMP packets per second.

Field: Storm Control
Description: Select Enable to activate Storm Control protection for broadcast and multicast globally in the system. The threshold is 5% of the port speed; i.e., only 5% of the traffic will be received. Clear to not use the Storm Control feature.

Click Apply to save any changes for the current boot session; the changes take effect immediately. Use the Maintenance > Save Configuration page to have the settings remain in effect after a reboot.

Secure Connection

HP ProCurve 1810G switch software allows the administrator to enable or disable the Secure HTTP protocol (HTTPS). When enabled, the administrator can establish a secure connection with the switch using the Secure Sockets Layer (SSL) protocol. Secure HTTP can help ensure that communication between the management system and the switch is protected from eavesdropping and man-in-the-middle attacks. The HP ProCurve 1810G switch software supports SSL version 3.0.

SSL enables the switch to generate and store a certificate that functions as a digital passport, enabling client Web browsers to verify the identity of the switch before accessing it.

Note
SSL is described in client/server terminology, where the SSL-enabled switch is the server and a Web browser is the client.

The certificate provides information to the browser such as the server name, the trusted certificate authority (CA) that issued the certificate, the date it was issued, and the switch's public key. The browser and server use this information to negotiate a secure connection in the following manner:

The browser verifies the certificate authority's authenticity by checking it against its own list of CAs. (Web browsers such as Microsoft Internet Explorer and Mozilla Firefox maintain data on trusted CAs.)
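An added example (not from the HP manual): a client-side check of the switch's HTTPS management interface that compares the presented certificate with a SHA-256 fingerprint recorded out of band and flags deprecated protocol versions, SSL 3.0 included (prohibited by RFC 7568). It assumes the switch-generated certificate is not issued by a CA in the client's list; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Names as reported by ssl.SSLSocket.version(); all of these are deprecated.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def audit(version, der, pinned_hex):
    """Return a list of findings for one observed connection (empty = clean)."""
    if version is None or der is None:
        return ["TLS handshake failed (for example, no protocol version "
                "in common with this client)"]
    findings = []
    if version in DEPRECATED:
        findings.append(f"deprecated protocol negotiated: {version}")
    # Accept pins written as "AB:CD:..." or plain hex, in either case.
    pin = pinned_hex.replace(":", "").strip().lower()
    if not hmac.compare_digest(fingerprint(der), pin):
        findings.append("certificate does not match the pinned fingerprint")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect to the management interface; return (version, der_certificate).

    Returns (None, None) when the handshake itself is rejected, which is what
    a current TLS stack does if the peer offers only protocols it has removed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # CA-list check skipped; the pin decides trust
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.getpeercert(binary_form=True)
    except ssl.SSLError:
        return None, None

# Constructed sample data: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for the switch's DER-encoded certificate"
SAMPLE_PIN = fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print(audit("SSLv3", SAMPLE_DER, SAMPLE_PIN))
```

Against a live device, pass the result of `probe()` to `audit()` together with a fingerprint recorded over a trusted path.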


This manual is also suitable for:

Procurve 1810g-8, Procurve 1810g-24
