Connection Control; Attack Detection And Protection - HP 12500 Series Configuration Manual

IPsec
IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology mainly for
data encryption and data origin authentication.
SSL
SSL is a security protocol that provides secure connection services for TCP-based application layer
protocols such as HTTPS by using the public key mechanism and digital certificates. SSL is independent
of the application layer protocol: the application protocol runs over the SSL connection unchanged and
is opaque to SSL, so its data is protected without the application needing to be aware of SSL.
SSH
SSH is a network security protocol implementing remote login and file transfer securely over an insecure
network. Using encryption and authentication, SSH protects devices against attacks such as IP spoofing
and plaintext password interception.

Connection control

You can configure connection limit policies to collect statistics and limit the number of connections,
connection establishment rate, and connection bandwidth for protecting internal network resources
(hosts or servers) and properly allocating system resources on the device.
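The two enforcement actions named above (a cap on concurrent connections and a cap on the connection establishment rate) can be modelled with a per-destination counter plus a token bucket. The following is an added example written for this page, not HP's implementation of connection limit policies; the policy parameters, the destination address and the statistics fields are assumptions, and connection bandwidth (which the device can also limit) is not modelled.

```python
import time
from dataclasses import dataclass


@dataclass
class DestinationState:
    """Counters kept for one protected host or server (hypothetical layout)."""
    active: int = 0           # connections currently established
    accepted: int = 0         # connections admitted so far
    denied_limit: int = 0     # rejected by the concurrent-connection cap
    denied_rate: int = 0      # rejected by the establishment-rate limit
    tokens: float = 0.0       # token bucket for the establishment rate
    last_refill: float = 0.0  # time of the last bucket refill


class ConnectionLimitPolicy:
    """Caps concurrent connections and the rate of new connections per destination."""

    def __init__(self, max_connections: int, rate_per_second: float, burst: int):
        self.max_connections = max_connections
        self.rate = rate_per_second
        self.burst = burst
        self.table = {}  # destination address -> DestinationState

    def _state(self, dst: str, now: float) -> DestinationState:
        st = self.table.get(dst)
        if st is None:
            st = DestinationState(tokens=float(self.burst), last_refill=now)
            self.table[dst] = st
        # Refill the bucket for the time elapsed since the last event, capped at the burst size.
        st.tokens = min(float(self.burst), st.tokens + (now - st.last_refill) * self.rate)
        st.last_refill = now
        return st

    def on_new_connection(self, dst: str, now=None):
        """Decide whether a new connection to dst may be established; returns (allowed, reason)."""
        now = time.monotonic() if now is None else now
        st = self._state(dst, now)
        # The connection cap is checked first so a refused connection does not consume a token.
        if st.active >= self.max_connections:
            st.denied_limit += 1
            return False, "connection limit reached"
        if st.tokens < 1.0:
            st.denied_rate += 1
            return False, "connection establishment rate exceeded"
        st.tokens -= 1.0
        st.active += 1
        st.accepted += 1
        return True, "accepted"

    def on_connection_closed(self, dst: str) -> None:
        st = self.table.get(dst)
        if st is not None and st.active > 0:
            st.active -= 1

    def stats(self, dst: str) -> dict:
        st = self.table.get(dst, DestinationState())
        return {"active": st.active, "accepted": st.accepted,
                "denied_limit": st.denied_limit, "denied_rate": st.denied_rate}


if __name__ == "__main__":
    # Constructed scenario: at most 3 concurrent connections, 2 new connections/s, burst of 2.
    policy = ConnectionLimitPolicy(max_connections=3, rate_per_second=2.0, burst=2)
    for t in (0.0, 0.0, 0.0, 1.0, 2.0):
        print(t, policy.on_new_connection("10.0.0.5", now=t))
    print(policy.stats("10.0.0.5"))
```

Connections are admitted while both the concurrent count and the token bucket allow it; the statistics counters show which limit is being hit, which is the data an operator would look at before tuning a policy.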

Attack detection and protection

ARP attack protection
ARP is simple to implement but has no security mechanism of its own, which makes it easy to abuse. An
attacker can exploit this to impersonate a trusted user or the gateway, or to flood the network and the
device's ARP table with ARP packets. The device provides a set of ARP attack protection features against
these attacks.
ND attack defense
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, but does not provide any security
mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending
forged packets. The device implements multiple ND attack detection technologies for defending against
these attacks, such as source MAC consistency check for ND packets and ND Detection.
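The source MAC consistency check named above compares the source MAC in the Ethernet header with the source link-layer address option carried inside the ND message; a host that sends an NS or NA claiming another station's MAC fails the check. The following parser is an added example written for this page, not the device's implementation; the frame builder, the MAC and IPv6 addresses are constructed for the example, and the ICMPv6 checksum is left at zero because this check does not depend on it.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
# Byte offset, from the start of the ICMPv6 header, at which ND options begin (RFC 4861).
ND_OPTIONS_START = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
OPT_SOURCE_LLADDR = 1


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def check_nd_source_mac(frame: bytes):
    """Return ('pass' | 'drop' | 'ignore', reason) for one Ethernet frame."""
    if len(frame) < 14 + 40 + 8:
        return "ignore", "frame too short for Ethernet + IPv6 + ICMPv6"
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return "ignore", "not IPv6"
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    if next_header != IPPROTO_ICMPV6:
        # Extension headers in front of ICMPv6 are not walked in this example.
        return "ignore", "IPv6 payload is not ICMPv6"
    icmp = frame[54:54 + payload_len]
    if len(icmp) < payload_len:
        return "drop", "IPv6 payload length exceeds the frame"
    nd_type = icmp[0]
    if nd_type not in ND_TYPES:
        return "ignore", "ICMPv6 but not an ND message"
    off = ND_OPTIONS_START[nd_type]
    if len(icmp) < off:
        return "drop", f"{ND_TYPES[nd_type]} shorter than its fixed header"
    # Walk the TLV options; length is in units of 8 octets and zero is invalid (RFC 4861 4.6).
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            return "drop", "option with length 0"
        end = off + opt_len * 8
        if end > len(icmp):
            return "drop", "option runs past the end of the packet"
        if opt_type == OPT_SOURCE_LLADDR:
            slla = icmp[off + 2:off + 8]
            if slla != eth_src:
                return "drop", (f"{ND_TYPES[nd_type]} claims link-layer address {mac_str(slla)} "
                                f"but the frame came from {mac_str(eth_src)}")
            return "pass", "source link-layer address option matches the frame source MAC"
        off = end
    return "pass", "no source link-layer address option present"


def build_ns(eth_src: bytes, ip6_src: str, target: str, slla: bytes = b"") -> bytes:
    """Constructed Neighbor Solicitation frame for the example (checksum not computed)."""
    opts = bytes([OPT_SOURCE_LLADDR, 1]) + slla if slla else b""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed + opts
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address(ip6_src).packed
           + ipaddress.IPv6Address("ff02::1:ff00:1").packed)  # solicited-node address of fe80::1
    eth = bytes.fromhex("3333ff000001") + eth_src + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp


# Constructed sample traffic: a host's own NS, and an attacker's NS carrying the host's MAC.
HOST_MAC = bytes.fromhex("001122334455")
ATTACKER_MAC = bytes.fromhex("66778899aabb")
HOST_IP6 = "fe80::211:22ff:fe33:4455"
VALID_NS = build_ns(HOST_MAC, HOST_IP6, "fe80::1", slla=HOST_MAC)
SPOOFED_NS = build_ns(ATTACKER_MAC, HOST_IP6, "fe80::1", slla=HOST_MAC)
NO_OPTION_NS = build_ns(HOST_MAC, HOST_IP6, "fe80::1")

if __name__ == "__main__":
    for name, frame in (("valid", VALID_NS), ("spoofed", SPOOFED_NS), ("no option", NO_OPTION_NS)):
        print(name, check_nd_source_mac(frame))
```

The check deliberately drops malformed option lists (zero length, overrun) as well as mismatches, since a forged packet that cannot be parsed should not be forwarded either; an NS without the option passes this particular check and is left to the other ND defenses, such as ND Detection against the binding table.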
IP Source Guard
IP Source Guard uses binding entries to improve port security by dropping packets that do not match a
binding. For example, it prevents an unauthorized host from using a legitimate host's IP address to
access the network. It is applied on an interface connecting to the user side.
IP Source Guard can filter packets according to the packet source IP address, source MAC address, and
VLAN ID. A binding entry can be statically configured or dynamically learned through DHCP or ND.
URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks,
such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
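URPF works by looking up the packet's source address in the forwarding table and checking that a route back to it exists (loose mode) or that the route's outgoing interface is the interface the packet arrived on (strict mode). The following is an added example written for this page, not the device's URPF implementation; the FIB, the interface names and the allow_default option are assumptions made for the example.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). Interface names are assumed for the example.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "GigabitEthernet1/0/1"),
    (ipaddress.ip_network("10.2.0.0/16"), "GigabitEthernet1/0/2"),
    (ipaddress.ip_network("192.0.2.0/24"), "Null0"),                # black-holed prefix
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1/0/3"),   # default route
]


def longest_prefix_match(fib, addr):
    """Return (prefix, out_if) of the most specific route covering addr, or None."""
    best = None
    for prefix, out_if in fib:
        if prefix.version == addr.version and addr in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, out_if)
    return best


def urpf_check(fib, src_ip: str, in_if: str, mode: str = "strict", allow_default: bool = False):
    """Return (forward, reason) for a packet from src_ip that arrived on in_if."""
    src = ipaddress.ip_address(src_ip)
    # These can never be legitimate unicast sources, whatever the routing table says.
    if src.is_multicast or src.is_unspecified or src.is_loopback:
        return False, "source address is never a valid unicast source"
    match = longest_prefix_match(fib, src)
    if match is None:
        return False, "no route back to the source address"
    prefix, out_if = match
    if out_if == "Null0":
        return False, f"reverse path for {prefix} is a null route"
    # A default route matches every source; only accept it when the operator opts in.
    if prefix.prefixlen == 0 and not allow_default:
        return False, "only the default route matches the source"
    if mode == "loose":
        return True, f"a route to the source exists via {out_if}"
    if out_if != in_if:
        return False, f"reverse path is {out_if}, but the packet arrived on {in_if}"
    return True, f"reverse path matches ingress interface {in_if}"


if __name__ == "__main__":
    print(urpf_check(FIB, "10.1.5.5", "GigabitEthernet1/0/1"))
    print(urpf_check(FIB, "10.1.5.5", "GigabitEthernet1/0/2"))
    print(urpf_check(FIB, "10.1.5.5", "GigabitEthernet1/0/2", mode="loose"))
    print(urpf_check(FIB, "203.0.113.7", "GigabitEthernet1/0/3"))
```

Strict mode is the stronger filter but drops legitimate traffic on links with asymmetric routing, which is why loose mode exists; the default-route handling matters because without it loose mode on a router with a default route accepts every source and filters nothing.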
TCP and ICMP attack protection
Attackers can attack the device during TCP connection establishment (for example, by sending many SYN
requests and never completing the handshake) or by sending a large number of ICMP fragments. To prevent
such attacks, the device provides the following features:
SYN Cookie
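A SYN cookie lets the server answer a SYN without keeping half-open state: the server's initial sequence number in the SYN-ACK is computed from the connection 4-tuple, a coarse timestamp and a secret, and when the client's ACK arrives the state is rebuilt from (ack number - 1). The following is an added example written for this page, not the device's implementation; it follows the common Linux-style layout (5 timestamp bits, 3 MSS-index bits, 24 hash bits), and the secret, MSS table, addresses and ports are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-syn-cookie-secret"  # a real implementation rotates this
MSS_TABLE = (536, 1300, 1440, 1460)         # MSS values encodable in the 3-bit index
COUNTER_PERIOD = 64                         # seconds per timestamp tick
MAX_AGE_TICKS = 2                           # cookies older than this are rejected


def _counter(now: int) -> int:
    return (now // COUNTER_PERIOD) & 0x1F  # 5-bit wrapping timestamp


def _hash(saddr, daddr, sport, dport, count, mss_idx) -> int:
    msg = struct.pack("!4s4sHHBB", ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed, sport, dport, count, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn: int, mss: int, now: int) -> int:
    """Server ISN for the SYN-ACK; nothing about the connection is stored."""
    count = _counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    low = (_hash(saddr, daddr, sport, dport, count, mss_idx) + client_isn) & 0xFFFFFF
    return (count << 27) | (mss_idx << 24) | low


def check_syn_cookie(saddr, daddr, sport, dport, client_isn: int, cookie: int, now: int):
    """Validate a cookie taken from the final ACK; return the MSS, or None if invalid or stale."""
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if ((_counter(now) - count) & 0x1F) > MAX_AGE_TICKS:
        return None
    expected = (_hash(saddr, daddr, sport, dport, count, mss_idx) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:
        return None
    return MSS_TABLE[mss_idx]


def handle_final_ack(saddr, daddr, sport, dport, seq: int, ack: int, now: int):
    """Third handshake step: client ISN is seq-1 and the cookie is ack-1; rebuild the state."""
    mss = check_syn_cookie(saddr, daddr, sport, dport,
                           (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, now)
    if mss is None:
        return None
    return {"peer": (saddr, sport), "local": (daddr, dport), "mss": mss,
            "rcv_nxt": seq, "snd_nxt": ack}


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:443
    now = 1_700_000_000
    isn = 123456789
    cookie = make_syn_cookie("198.51.100.7", "203.0.113.10", 40000, 443, isn, 1460, now)
    print(hex(cookie))
    print(handle_final_ack("198.51.100.7", "203.0.113.10", 40000, 443, isn + 1, cookie + 1, now))
    print(handle_final_ack("198.51.100.7", "203.0.113.10", 40000, 443, isn + 1, cookie + 1, now + 300))
```

The cost of the scheme is visible in the code: only a few MSS values survive the round trip and other TCP options are lost, which is why SYN cookies are normally switched on only while a SYN flood is in progress rather than for every connection.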