Hewlett-Packard 6120 Manual

A SERVICE OF

next previous

1-8

Security Overview

Network Security Features

Connection-

Rate Filtering

based on

Virus-Throttling

Technology

none This feature helps protect the network from attack and

is recommended for use on the network edge. It is

primarily focused on the class of worm-like malicious

code that tries to replicate itself by taking advantage of

weaknesses in network applications behind unsecured

ports. In this case, the malicious code tries to create a

large number of outbound connections on an interface

in a short time. Connection-Rate filtering detects hosts

that are generating traffic that exhibits this behavior, and

causes the switch to generate warning messages and

(optionally) to throttle or drop all traffic from the

offending hosts.

Chapter 3, “Virus Throttling

(Connection-Rate Filtering)”

ICMP

Rate-Limiting

none This feature helps defeat ICMP denial-of-service

attacks by restricting ICMP traffic to percentage levels

that permit necessary ICMP functions, but throttle

additional traffic that may be due to worms or viruses

(reducing their spread and effect).

Management and

Configuration Guide, in the

chapter on “Port Traffic

Controls” refer to the section

“ICMP Rate-Limiting”

Spanning Tree

Protection

none These features prevent your switch from malicious

attacks or configuration errors:

• BPDU Filtering and BPDU Protection: Protects the

network from denial-of-service attacks that use

spoofing BPDUs by dropping incoming BPDU frames

and/or blocking traffic through a port.

• STP Root Guard: Protects the STP root bridge from

malicious attacks or configuration mistakes.

Advanced Traffic

Management Guide, refer to

the chapter “Multiple

Instance Spanning-Tree

Operation”

DHCP Snooping,

Dynamic ARP

Protection, and

Dynamic IP

Lockdown

none These features provide the following additional

protections for your network:

• DHCP Snooping: Protects your network from

common DHCP attacks, such as address spoofing

and repeated address requests.

• Dynamic ARP Protection: Protects your network

from ARP cache poisoning.

• Dynamic IP Lockdown: Prevents IP source address

spoofing on a per-port and per-VLAN basis

• Instrumentation Monitor. Helps identify a variety of

malicious attacks by generating alerts for detected

anomalies on the switch.

Chapter 11, “Configuring

Advanced Threat

Protection”

Feature Default

Setting

Security Guidelines More Information and

Configuration Details