HP 6120 Dynamic ARP Protection

Configuring Advanced Threat Protection

Dynamic ARP Protection

Dynamic ARP Protection

Introduction

On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded. For more information about the ARP cache, refer to “ARP Cache Table” in the Multicast and Routing Guide.

ARP requests are ordinarily broadcast and received by all devices in a broadcast domain. Most ARP devices update their IP-to-MAC address entries each time they receive an ARP packet even if they did not request the information. This behavior makes an ARP cache vulnerable to attacks.

Because ARP allows a node to update its cache entries on other systems by broadcasting or unicasting a gratuitous ARP reply, an attacker can send his own IP-to-MAC address binding in the reply that causes all traffic destined for a VLAN node to be sent to the attacker's MAC address. As a result, the attacker can intercept traffic for other hosts in a classic "man-in-the-middle" attack.

The attacker gains access to any traffic sent to the poisoned address and can capture passwords, e-mail, and VoIP calls or even modify traffic before resending it.

Another way in which the ARP cache of known IP addresses and associated MAC addresses can be poisoned is through unsolicited ARP responses. For example, an attacker can associate the IP address of the network gateway with the MAC address of a network node. In this way, all outgoing traffic is prevented from leaving the network because the node does not have access to outside networks. As a result, the node is overwhelmed by outgoing traffic destined to another network.

Dynamic ARP protection is designed to protect your network against ARP poisoning attacks in the following ways:

■Allows you to differentiate between trusted and untrusted ports.

■Intercepts all ARP requests and responses on untrusted ports before forwarding them.

■Verifies IP-to-MAC address bindings on untrusted ports with the informa- tion stored in the lease database maintained by DHCP snooping and user- configured static bindings (in non-DHCP environments):

8-16

Contents

Page Page Page Product Documentation 1 Security Overview 2 Configuring Username and Password Security 3 Web and MAC Authentication 4 TACACS+ Authentication 5 RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Local Authentication Process Controlling Web Browser Interface Access VLAN Assignment in an Authentication Session 6 Configuring Secure Shell (SSH) 7 Configuring Secure Socket Layer (SSL) 8 Configuring Advanced Threat Protection Page 9 Traffic/Security Filters and Monitors Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-AuthenticatedDevices 11 Configuring and Monitoring Port Security 12 Using Authorized IP Managers Page Page Product Documentation Software Feature Index Page Page Page Security Overview Page Access Security Features Table 1-1.Access Security and Switch Authentication Features Page Page Page Network Security Features Table 1-2.Network Security—DefaultSettings and Security Guidelines Page Getting Started with Access Security setup mgmt-interfaces Figure 1-1.Example of Management Interface Wizard Configuration CTRL-C [n] CLI Wizard: Operating Notes and Restrictions no password Setup Wizard Figure 1-2.Management Interface Wizard: Welcome Window Continue Manager Password, SNMP, Telnet, SSH, Web Management GUI, Timeout Exit Back Figure 1-3.Management Interface Wizard: Summary Setup Apply Web Wizard: Operating Notes and Restrictions SNMP Access to the Authentication Configuration MIB. A N o t e o n S N M P A c c e s s t o M I B If SNMP access to the hpSwitchAuth MIB is considered a security risk snmp-servermib hpswitchauthmib excluded Precedence of Security Options Page www.procurve.com/solutions Security Products Page ProCurve Identity-DrivenManager (IDM) Configuring Username and Password Security Password Recovery Feature Default Menu CLI Web Menu Interface: CLI: C a u t i o n Configuring Local Password Security 3. Console Passwords Figure 2-1.The Set Password Screen Enter new password again [Enter] To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Configuring Manager and Operator Passwords Figure 2-2.Example of Configuring Manager and Operator Passwords Figure 2-3.Removing a Password and Associated Username from the Switch no password all To Configure (or Remove) Usernames and Passwords in the Web Browser Interface Saving Security Credentials in a Config File running-config: write terminal: manager: operator: port-access: user-name plaintext sha-1 auth md5 priv Figure 2-4.Example of Security Credentials Saved in the Running-Config port-access) password manager password operator Page Page show config running-config Figure 2-5.Example of SSH Public Keys copy include-credentials commands copy config config copy config tftp copy tftp config copy config xmodem snmpv3 user Page Front-PanelSecurity Figure 2-6. Front-PanelButton Locations on a ProCurve 6120G/XG Switch Figure 2-7. Front-PanelButton Locations on a ProCurve 6120XG Switch Figure 2-8.Press the Clear Button for Five Seconds To Reset the Password(s) Figure 2-9.Press and hold the Reset Button for One Second To Reboot the Switch Page front-panel-security Clear Password: Enabled Disabled Note: Password Recovery: CAUTION: Figure 2-10.The Default Front-PanelSecurity Settings Page Disabled password-clear Figure 2-12.Example of Re-Enablingthe Clear Button’s Default Operation factory-reset Default: Notes: Figure 2-13.Example of Disabling the Factory Reset Option Password Recovery Note: To disable password-recovery: Steps for Disabling Password-Recovery factory- reset no front-panel-security password-recovery CAUTION Figure 2-14.Example of the Steps for Disabling Password-Recovery Web and MAC Authentication Page Page Page Page How Web and MAC Authentication Operate Figure 3-1.Example of Default User Login Screen Figure 3-2.Progress Message During Authentication redirect-url Figure 3-3.Authentication Completed reauth-period reauthenticate logoff-period unauth-vid unauth- vid addr-format addr-limit addr-moves server-timeout max- requests quiet-period Authorized-Client Authentication Server: Authenticator: CHAP: Client: Operating Rules and Notes Port Access Management Page Web/MAC Authentication and LACP show Setup Procedure for Web/MAC Page Page Page Page Page Configuring Web Authentication ping Page spanning-tree edge-port controlled- directions in statistics Page Page Page MACbased clients detailed Figure 4. Example of show port-access web-basedCommand Output n/a - IPv6 no info Figure 5. Example of show port-access web-basedclients Command Output Example of show port-access web-basedclients detailed Command Output No) Figure 8. Example of show port-access web-basedconfig detail Command Output Page Customizing Web Authentication HTML Files (Optional) ewa-server index.html accept.html User Login Page (index.html) Figure 8. User Login Page Figure 9. HTML Code for User Login Page Template Access Granted Page (accept.html) Figure 9-10.Access Granted Page Figure 11. HTML Code for Access Granted Page Template Authenticating Page (authen.html) Figure 12. Authenticating Page authen.html Figure 13. HTML Code for Authenticating Page Template Invalid Credentials Page (reject_unauthvlan.html) Figure 10. Invalid Credentials Page reject_unauthvlan.html Figure 14. HTML Code for Invalid Credentials Page Template Timeout Page (timeout.html) Figure 15. Timeout Page timeout.html Figure 16. HTML Code for Timeout Page Template Retry Login Page (retry_login.html) Figure 17. Retry Login Page retry_login.html max-retries Figure 18. HTML Code for Retry Login Page Template SSL Redirect Page (sslredirect.html) Figure 19. SSL Redirect Page sslredirect ssl-login Figure 20. HTML Code for SSL Redirect Page Template Access Denied Page (reject_novlan.html) Figure 11. Access Denied Page reject_novlan Figure 21. HTML Code for Access Denied Page Template Configuring MAC Authentication on the Switch no-delimiter single-dash multi-dash multi-colon no-delimiter-uppercase — specifies an AABBCCDDEEFF format Page Page Page Figure 3-22.Example of show port-access mac-basedCommand Output Example of show port-access mac-basedclients detail Command Output Page Example of show port-access mac-basedconfig detail Command Output Page Client Status show... clients’ TACACS+ Authentication A3 or A2 or Figure 4-1.Example of TACACS+ Operation Terminology Used in TACACS Applications: NAS (Network Access Server): TACACS+ Server: Authentication: Page Notes General System Requirements General Authentication Setup Procedure Page Note on Privilege Levels Caution telnet login telnet enable Configuring TACACS+ on the Switch aaa authentication: tacacs-server: Figure 4-2.Example Listing of the Switch’s Authentication Configuration paris-1 show tacacs Figure 4-3.Example of the Switch’s TACACS+ Configuration Listing aaa authentication login tacacs radius Table 4-1.AAA Authentication Parameters local none Figure 4-4.Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Figure 4-5.The Shell Section of the TACACS+ Server User Setup Table 4-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Access Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server The host IP address(es) The timeout value Note on Encryption Keys Page Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 4-6.Example of the Switch with Two TACACS+ Server Addresses Configured Configuring an Encryption Key Procurve(config)# tacacs-serverkey <keystring show config running write mem How Authentication Operates Figure 4-8.Using a TACACS+ Server for Authentication Page Page Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page RADIUS Authentication, Authorization, and Accounting Page Page Page EXEC Session: Host: See RADIUS Server RADIUS Client: RADIUS Host: RADIUS Server: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Preparation: Table 5-1.Preparation for Configuring RADIUS on the Switch Figure 5-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Page Page Page Page Page Using SNMP To View and Configure Switch Authentication Features S e c u r i t y N o t e s snmp-server mib hpswitchauthmib excluded excluded: included Excluded MIBs show run Local Authentication Process Controlling Web Browser Interface Access CLI: no web-management 2.Switch Configuration 1.System Information Web Agent Enabled: No Commands Authorization radius: Figure 5-10.Example of Show Authorization Command Page Page Page New > key Submit + Restar 1.Select System Configuration Logging Submit Page VLAN Assignment in an Authentication Session vlan100 Page Configuring RADIUS Accounting Network accounting: System accounting: Commands accounting: RADIUS accounting with IP attribute: show radius [key key-string Accounting types: Trigger for sending accounting reports to a RADIUS server: Updating: Page Exec: exec System: system system Network: Web or MAC ■Start-Stop: start-stop Figure 5-12.Example of Configuring Accounting Types Updates: Suppress: Page Viewing RADIUS Statistics show radius Figure 5-14.Example of General RADIUS Information from Show Radius Command Figure 5-15.RADIUS Server Information From the Show Radius Host Command Figure 5-16.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 5-17.Example of RADIUS Authentication Information from a Specific Server Figure 5-18.Listing the Accounting Configuration in the Switch Figure 5-19.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 5-21.Search Order for Accessing a RADIUS Server Figure 5-22.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 6-1.Client Public Key Authentication Model www.openssh.com login Figure 6-2.Switch/User Authentication SSH Server: Private Key: Enable Level: Login Level: SSH Enabled: generate ssh [dsa | rsa] Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication Table SSH Options login public- key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication copy tftp aaa authentication ssh Figure 6-13.Example of a Client Public Key Note on Public Keys smith@support.cairns.com append operator keylist-str manager clear crypto Messages Related to SSH Operation tftp After you execute the generate ssh [dsa | rsa] Note Page Configuring Secure Socket Layer (SSL) Server Certificate authentication with User Password Authentication Switch/User Authentication N o t e : SSL Server: Key Pair: Digital Certificate: Root Certificate: Manager Level: Operator Level: Local password or username: SSL Enabled: Prerequisite for Using SSL Steps for Configuring and Using SSL for Switch and Client Authentication Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL setup Configuring Advanced Threat Protection Page Page DHCP Snooping authorized server: database: tftp://ip-addr/ascii-string option yes trust untrusted verify Figure 8-2.Example of Show DHCP Snooping Statistics Figure 8-3.Example of DCHP Snooping on a VLAN Example of Setting Trusted Ports Figure 8-5.Example of Authorized Servers for DHCP Snooping mac: subnet-ip: subnet-ip untrusted drop: Figure 8-6.Example of DHCP Snooping Option 82 using the VLAN IP Address Figure 8-7.Example Showing the DHCP Snooping Verify MAC Setting file delay timeout Figure 8-8.Example Showing DHCP Snooping Binding Database Contents agent event packet Server <ip-address>packet received on untrusted port <port-number dropped Client packet destined to untrusted port <port-number Unauthorized server <ip-address>detected on port Received untrusted relay information from client <mac-address>on Client address <mac-address>not equal to source MAC <mac-address detected on port Attempt to release address <ip-address>leased to port <port-number Lease table is full, DHCP lease was not added. The lease table is full Snooping table is full Dynamic ARP Protection Page vlan-range Figure 8-9.Configuring Trusted Ports for Dynamic ARP Protection port-list c1-c3 interface validate src-mac dst-mac Figure 8-1.The show arp-protectCommand Figure 8-2.Show arp-protectstatistics Command Figure 8-3.Example of debug arp-protectCommand Dynamic IP Lockdown Page Table 1. Sample DHCP Snooping Entries Figure 8-4.Example of Internal Statements used by Dynamic IP Lockdown deny any permit any source-lockdown dhcp-snooping Page Page Page status Figure 8-5.Example of show ip source-lockdownstatus Command Output bindings Figure 8-6.Example of show ip source-lockdownbindings Command Output debug dynamic-ip-lockdown debug destination session Figure 8-7.Example of debug dynamic-ip-lockdownCommand Output Using the Instrumentation Monitor Figure 8-8.Example of Event Log Message generated by Instrumentation Monitor Figure 8-9.Example of rate limiting when multiple messages are generated Known Limitations: enabled [all] see parameter listings below [arp-requests] 1000 (med) instrumentation monitor The show instrumentation monitor configuration command displays the config Figure 8-10.Viewing the Instrumentation Monitor Configuration Traffic/Security Filters and Monitors Page Filter Types and Operation Filter Types and Criteria Figure 9-1.Example of a Source-PortFilter Application trk1 trk2 trk Figure 9-2.Example of a Filter Blocking Traffic only from Port 5 to Server "A Figure 9-3.The Filter for the Actions Shown in Figure no filter named-filter <filter-name show filter accounting Filter Name Port List NOT USED Action Figure 9-4.Network Configuration for Named Source-PortFilters Example Figure 9-6.Source Port Filters Applied to Switch Ports Figure 9-7.Example of the show filter Command IDX Value Figure 9-8.Example Showing Traffic Filtered on Specific Ports Figure 9-9.Example of Source Port Filtering with Internet Traffic Figure 9-10.Expanded Network Configuration for Named Source-PortFilters Example Action Figure 9-11.Example Showing Network Traffic Management with Source Port Filters Figure 9-12.Named Source-PortFilters Managing Traffic Configuring Traffic/Security Filters Forward Trk1 trk6 Figure 9-13.Example of Switch Response to Adding a Filtered Source Port to a Trunk Figure 9-14.Assigning Additional Destination Ports to an Existing Filter Table 9-2.Filter Example Figure 9-15.Configuring Various Traffic/Security Filters show filter index Page Configuring Port-Basedand User-BasedAccess Control (802.1X) Page Page Page Page Page CHAP (MD5): User-Based Guest VLAN: EAP EAPOL: Supplicant: General 802.1X Authenticator Operation Page Figure 10-1.Priority of VLAN Assignment for an Authenticated Client Page Error configuring port X: LACP and 802.1X cannot be run together Applying Web Authentication or MAC Authentication Concurrently General Setup Procedure for Access Control Figure 10-2.Example of the Password Port-AccessCommand Figure 10-3.Example of show port-accessconfig Command Output Page auto eap-radius chap-radius radius host Configuring Switch Ports as 802.1X Authenticators Page User-Based802.1X Authentication Port-Based802.1X Authentication authenticator Figure 10-4.Example of Configuring User-Based802.1X Authentication Figure 10-5.Example of Configuring Port-Based802.1X Authentication unauthorized: max-requests Page none or authorized Figure 10-6.Example of 802.1X (Port-Access)Authentication Page aaa port- access authenticator control auto Prerequisite spanning- tree Page authenticator config Figure 10-7.Example of Configuring 802.1X Controlled Directions 802.1X Open VLAN Mode 1st Priority: 2nd Priority: 3rd Priority: Page Table 10-2.802.1X Open VLAN Mode Options 802.1X Per-PortConfiguration Port Response Note for a Port Configured To Allow Multiple Client Sessions: If any Page Only Unauthorized-Client Authorized-Client Condition Rule Page Page Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-Security Devices Figure 10-8. Port-AccessSupport for Port-SecurityOperation Configure the port access type Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Figure 10-9.Example of Supplicant Operation Page Page (Syntax Continued) Enter secret: < password Repeat secret: < password Displaying 802.1X Configuration, Statistics, and Counters Yes or No •Port COS: cos-value •% In Limit: rate-limit-value Figure 10-10.Exampleof show port-accessauthenticator Command authenticator show running Figure 10-11.Exampleof show port-accessauthenticator config Command Page Figure 10-12.Exampleof show port-accessauthenticator statistics Command in-progress terminated Figure 10-13.Exampleof show port-accessauthenticator session-countersCommand authenticator control Figure 10-14.Exampleof show port-accessauthenticator vlan Command n/a - no info Page show port- access authenticator vlan Figure 10-17.Example Showing Ports Configured for Open VLAN Mode Auth VLAN ID Current VLAN ID Unauth VLAN ID Table 10-1.Output for Determining Open VLAN Mode Status (Figure 10-17, Upper) Table 10-3.Output for Determining Open VLAN Mode Status (Figure 10-17, Lower) %Curr. Rate Limit Inbound Figure 10-18.Exampleof Showing a VLAN with Ports Configured for Open VLAN Mode secret Connecting Authenticated Acquired Authenticating How RADIUS/802.1X Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Page Page Page Figure 10-19.Exampleof an Active VLAN Configuration show vlan Page Page unknown-vlans Messages Related to 802.1X Operation Table 10-4.802.1X Operating Messages Configuring and Monitoring Port Security Page Port Security (Page 4) MAC Lockdown (Page 11-22) MAC Lockout (Page Port Security Default Port Security Operation Intruder Protection Eavesdrop Protection Action: Static: Configured: Authorized (MAC) Addresses: Figure 11-1.Example of How Port Security Controls Access show log Port Security Commands Used in This Section Displaying Port Security Settings Listing Authorized and Detected MAC Addresses mac-address: port list: vlan < vid >: Figure 11-4.Examples of Show Mac-AddressOutputs continuous port-security MAC Age Interval show system information mac-age-time static: limited-continuous Page none: Learned Addresses mac-addr address-list ■Delete it by using no port-security< port-number > mac-address< mac-addr Figure 11-5.Example of Adding an Authorized Device to a Port Figure 11-6.Example of Adding a Second Authorized Device to a Port Figure 11-7.Example of Port Security on Port A1 with an Address Limit of “1” Figure 11-8.Example of Two Authorized Addresses on Port A1 Figure 11-9.Example of Port A1 After Removing One MAC Address MAC Lockdown How It Works Other Useful Information Limits Event Log Messages MAC Lockout Page Table 11-10.Limits on Lockout MACs Page Web: Displaying and Configuring Port Security Features Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 11-11.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation 1.Status and Counters 4.Port Status Figure 11-12.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 11-13.Example of the Intrusion Log Display prior to show interfaces brief intrusion-log Figure 11-16.Exampleof Port Status Screen After Alert Flags Reset From the CLI search-text ffi security From the Menu Interface: ext page rev page Status Operating Notes for Port Security Page Using Authorized IP Managers Authorized IP Manager Features Options Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Single Stations: Manager Operator 2. Switch Configuration … 7. IP Authorized Managers Figure 12-1.Example of How To Add an Authorized Manager Entry Figure 12-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete authorized-managers Figure 12-3.Exampleof the Show IP Authorized-ManagerDisplay To Delete an Authorized Manager Entry. This command uses the IP Web: Configuring IP Authorized Managers Building IP Masks Figure 12-5.Analysis of IP Mask for Single-StationEntries Figure 12-6.Analysis of IP Mask for Multiple-StationEntries Duplicate IP Addresses: Web Proxy Servers: Page Index Numerics