Network security features

This section outlines features and defence mechanisms for protecting access through the switch to the network.

Network security – default settings and security guidelines

Each entry below gives the feature, its default setting, the security guidelines, and where to find more information and configuration details.
Feature: Secure File Transfers
Default setting: not applicable
Security guidelines: Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices.
More information: Management and Configuration Guide, see "File Transfers" and "Using Secure Copy and SFTP"

Feature: USB Autorun
IMPORTANT: This feature is only available for the HP Switch 2910al and 2920 series.
Default setting: enabled (disabled once a password has been set)
Security guidelines: Used in conjunction with HP PCM+, this feature allows diagnosis and automated updates to the switch via the USB flash drive. When enabled in secure mode, this is done with secure credentials to prevent tampering. Note that the USB Autorun feature is disabled automatically once a password has been set on the switch.
More information: Management and Configuration Guide, see "File Transfers" and "USB Autorun"

Feature: Traffic/Security Filters
Default setting: none
Security guidelines: These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:

  • source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.

  • multicast filters: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.

  • protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.

More information: see "Traffic/Security Filters and Monitors"

Feature: Access Control Lists (ACLs)
Default setting: none
Security guidelines: ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:

  • Switch Management Access: Permits or denies in-band management access. This includes preventing the use of certain TCP or UDP applications (such as Telnet, SSH, WebAgent, and SNMP) for transactions between specific source and destination IP addresses.

  • Application Access Security: Eliminates unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.

NOTE: On ACL Security Use:

ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.

More information: see "IPv4 Access Control Lists (ACLs)"

Feature: Port Security, MAC Lockdown, and MAC Lockout
Default setting: none
Security guidelines: The features listed below provide device-based access security in the following ways:

  • Port security: Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.

  • MAC lockdown: This "static addressing" feature is used as an alternative to port security to prevent station movement and MAC address "hijacking" by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.

  • MAC lockout: This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.

More information: see "Configuring and Monitoring Port Security"; see also "Precedence of port-based security options"
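The three controls above, as an added Python model written for this page (not HP switch code): lockout is checked first, then lockdown, then port security in static learn mode, which learns addresses into free slots up to the limit and treats anything beyond that as an intrusion. Port names, MAC addresses and the action names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    """Per-port and per-address state for the three device-based controls (constructed model)."""
    port_security: dict = field(default_factory=dict)  # port -> {"authorized", "limit", "action"}
    lockdown: dict = field(default_factory=dict)       # MAC -> (port, vlan) it is pinned to
    lockout: set = field(default_factory=set)          # MACs dropped in both directions
    disabled_ports: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def configure_port_security(self, port, authorized=(), limit=1, action="send-alarm"):
        """Static learn mode: listed MACs are authorized; free slots up to `limit` are learned."""
        self.port_security[port] = {"authorized": set(authorized), "limit": limit, "action": action}

    def ingress(self, port, vlan, src, dst):
        """Return 'forward' or 'drop' for a frame entering `port`: lockout, then lockdown, then port security."""
        if port in self.disabled_ports:
            return "drop"
        # MAC lockout: the address is blocked switch-wide, as source or destination
        if src in self.lockout or dst in self.lockout:
            self.log.append(f"lockout: {src} -> {dst} dropped on {port}")
            return "drop"
        # MAC lockdown: the address may only appear on its assigned port and VLAN
        pinned = self.lockdown.get(src)
        if pinned is not None and pinned != (port, vlan):
            self.log.append(f"lockdown: {src} seen on {port}/vlan {vlan}, pinned to {pinned}")
            return "drop"
        # port security: only authorized addresses may talk through this port
        ps = self.port_security.get(port)
        if ps is not None and src not in ps["authorized"]:
            if len(ps["authorized"]) < ps["limit"]:
                ps["authorized"].add(src)           # free slot: learn the address
                self.log.append(f"port-security: learned {src} on {port}")
            else:
                self.log.append(f"port-security: intrusion by {src} on {port}")
                if ps["action"] == "send-disable":  # 'prevent and log': shut the port after logging
                    self.disabled_ports.add(port)
                return "drop"
        return "forward"
```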

Feature: Key Management System (KMS)
Default setting: none
Security guidelines: KMS is available in several HP switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.
More information: see "Key Management System"
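The key-chain mechanism described above, as an added Python model written for this page (not HP's KMS implementation): each key carries separate accept and send lifetimes, the chain picks the send key active at request time, and a receiver accepts a message only under a key whose accept lifetime covers that time. The HMAC-SHA256 tag, key names, secrets and dates are assumptions for the example; the page does not say how a given routing protocol authenticates its messages.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)  # constructed reference time for the lifetimes below

def at_day(days, hours=0):
    return T0 + timedelta(days=days, hours=hours)

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    accept: tuple   # (start, end): window in which inbound messages under this key are accepted
    send: tuple     # (start, end): window in which this key signs outbound messages

class KeyChain:
    """A set of keys whose accept and send lifetimes decide which key is active at request time."""
    def __init__(self, name, keys):
        self.name, self.keys = name, list(keys)

    def send_key(self, at):
        active = [k for k in self.keys if k.send[0] <= at < k.send[1]]
        return active[0] if active else None

    def accept_keys(self, at):
        return [k for k in self.keys if k.accept[0] <= at < k.accept[1]]

    def sign(self, msg, at):
        """Tag an outbound message with the key whose send lifetime covers `at`."""
        k = self.send_key(at)
        if k is None:
            raise RuntimeError(f"{self.name}: no send key active at {at}")
        return k.key_id, hmac.new(k.secret, msg, hashlib.sha256).digest()

    def verify(self, msg, key_id, tag, at):
        """Accept only if the named key's accept lifetime covers `at` and the tag matches."""
        for k in self.accept_keys(at):
            if k.key_id == key_id:
                return hmac.compare_digest(hmac.new(k.secret, msg, hashlib.sha256).digest(), tag)
        return False

def build_chain():
    # key 1 sends through January, key 2 from February; accept windows overlap by an hour
    # on each side of the rollover so peers with slightly skewed clocks are not cut off
    k1 = Key(1, b"old-secret", (at_day(0), at_day(31, 1)), (at_day(0), at_day(31)))
    k2 = Key(2, b"new-secret", (at_day(31, -1), at_day(365)), (at_day(31), at_day(365)))
    return KeyChain("area0-keys", [k1, k2])
```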

Feature: ICMP Rate-Limiting
IMPORTANT: This feature is only available for the HP Switch 2620-series.
Default setting: none
Security guidelines: This feature helps defeat ICMP denial-of-service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions but throttle additional traffic that may be due to worms or viruses (reducing their spread and effect).
More information: Management and Configuration Guide, see "Port Traffic Controls" and "ICMP Rate-Limiting"

Feature: Spanning Tree Protection
Default setting: none
Security guidelines: These features protect your switch from malicious attacks or configuration errors:

  • BPDU Filtering and BPDU Protection: Protects the network from denial-of-service attacks that use spoofed BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.

  • STP Root Guard: Protects the STP root bridge from malicious attacks or configuration mistakes.

More information: Advanced Traffic Management Guide, see "Multiple Instance Spanning-Tree Operation"

Feature: DHCP Snooping, Dynamic ARP Protection, and Dynamic IP Lockdown
Default setting: none
Security guidelines: These features provide the following additional protections for your network:

  • DHCP Snooping: Protects your network from common DHCP attacks, such as address spoofing and repeated address requests.

  • Dynamic ARP Protection: Protects your network from ARP cache poisoning.

  • Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis.

  • Instrumentation Monitor: Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.

More information: see "Configuring Advanced Threat Protection"
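How the first three features above fit together, as an added Python model written for this page (not HP switch code): DHCP snooping accepts server replies only on trusted ports and records each lease as a (MAC, VLAN) to (IP, port) binding, and Dynamic ARP Protection and Dynamic IP Lockdown then drop ARP and IP traffic from untrusted ports that does not match a binding. Port names, MAC addresses and IP addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    """Constructed model: DHCP snooping builds a binding table that ARP protection and IP lockdown consult."""
    trusted_ports: set = field(default_factory=set)  # uplinks towards legitimate DHCP servers
    bindings: dict = field(default_factory=dict)     # (client MAC, VLAN) -> (leased IP, client port)
    pending: dict = field(default_factory=dict)      # (client MAC, VLAN) -> port the request came from
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """Server replies (OFFER/ACK) are accepted only from trusted ports; an ACK records the lease."""
        if msg in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                self.log.append(f"dhcp-snooping: {msg} from untrusted {port} dropped")
                return "drop"
            if msg == "ACK":
                client_port = self.pending.pop((client_mac, vlan), None)
                if client_port is not None:
                    self.bindings[(client_mac, vlan)] = (ip, client_port)
            return "forward"
        # DISCOVER/REQUEST from a client: remember which access port it sits on
        self.pending[(client_mac, vlan)] = port
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        """True if `ip` is leased to `mac` on this port and VLAN (trusted ports are not checked)."""
        return port in self.trusted_ports or self.bindings.get((mac, vlan)) == (ip, port)

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP protection: drop ARP whose sender fields disagree with the binding table."""
        if self._bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        self.log.append(f"arp-protect: {sender_mac}/{sender_ip} on {port} has no matching binding")
        return "drop"

    def ip(self, port, vlan, src_mac, src_ip):
        """Dynamic IP lockdown: drop IP packets whose source address was not leased on this port/VLAN."""
        if self._bound(port, vlan, src_mac, src_ip):
            return "forward"
        self.log.append(f"ip-lockdown: {src_ip} from {src_mac} on {port} dropped")
        return "drop"
```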