HP ProCurve 3500yl manual 4

Features and benefits (continued)

•Virus throttling: detects traffic patterns typical of WORM-type viruses and either throttles or entirely prevents the ability of the virus to spread across the routed VLANs or bridged interfaces, without requiring external appliances

•ICMP throttling: defeats ICMP denial-of- service attacks by enabling any switch port to automatically throttle ICMP traffic

•Multiple user authentication methods:

–IEEE 802.1X: industry-standard way of user authentication using an IEEE 802.1X supplicant on the client in conjunction with a RADIUS server

–Web-based authentication: authenticates from Web browser for clients that do not support 802.1X supplicant; customized remediation can be processed on an external Web server

–MAC-based authentication: client is authenticated with the RADIUS server based on client’s MAC address

•Authentication flexibility:

–Multiple IEEE 802.1X users per port: provides authentication of multiple IEEE 802.1X users per port; prevents user “piggybacking” on another user’s IEEE 802.1X authentication

–Concurrent IEEE 802.1X and Web or MAC authentication schemes per port: switch port will accept any of IEEE 802.1X and either Web or MAC authentications

•Access control lists (ACLs): provide filtering based on the IP field, source/destination IP address/subnet, and source/destination TCP/UDP port number on a per-VLAN or per- port basis

•Identity-driven ACL: enables implementation of a highly granular and flexible access security policy specific to each authenticated network user

•DHCP protection: blocks DHCP packets from unauthorized DHCP servers, preventing denial- of-service attacks

•BPDU port protection: blocks Bridge Protocol Data Units (BPDU) on ports that do not require BPDUs, preventing forged BPDU attacks

•Dynamic IP lockdown: works with DHCP protection to block traffic from unauthorized host, preventing IP source address spoofing

•Dynamic ARP protection: blocks ARP broadcasts from unauthorized hosts, preventing eavesdropping or theft of network data

NEW STP Root Guard: protects root bridge from malicious attack or configuration mistakes

•Detection of malicious attacks: monitors 10 types of network traffic and sends a warning when an anomaly that potentially can be caused by malicious attacks is detected

•Port security: allows access only to specified MAC addresses, which can be learned or specified by the administrator

•MAC address lockout: prevents configured particular MAC addresses from connecting to the network

•Source-port filtering: allows only specified ports to communicate with each other

•TACACS+: eases switch management security administration by using a password authentication server

•Secure Shell (SSHv2): encrypts all transmitted data for secure, remote command-line interface (CLI) access over IP networks

•Secure Sockets Layer (SSL): encrypts all HTTP traffic, allowing secure access to the browser- based management GUI in the switch