
HP A 5120 Manual


Page 251

241
SSL configuration
SSL overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols, such as HTTP. It is widely used in E-business and online banking to ensure secure data transmission over the Internet.
SSL security mechanism
Secure connections provided by SSL have these features:
• Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric key...

Page 252

242
SSL protocol stack
The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
Figure 73 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.
• SSL handshake protocol—A very important part of the SSL protocol stack,...

Page 253

243
Configuration procedure
Follow these steps to configure an SSL server policy (To do... / Use the command... / Remarks):
• Enter system view: system-view (—)
• Create an SSL server policy and enter its view: ssl server-policy policy-name (Required)
• Specify a PKI domain for the SSL server policy: pki-domain domain-name (Required. By default, no PKI domain is specified for an SSL server policy.)
• Specify the cipher suite(s) for the SSL server policy to support: ciphersuite [ rsa_3des_ede_cbc_sha |...

Page 254

244
• Configure Device to work as the HTTPS server and request a certificate for Device.
• Request a certificate for Host so that Device can authenticate the identity of Host.
• Configure a CA server to issue certificates to Device and Host.
NOTE:
• In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA server.
• Before performing the following configurations, ensure that the device, the host, and the CA...

Page 255

245
# Create an SSL server policy named myssl.
[Device] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Device-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure HTTPS service to use SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Enable HTTPS service.
[Device] ip https enable
# Create a local user named usera,...

Page 256

246
(To do... / Use the command... / Remarks)
• Create an SSL client policy and enter its view: ssl client-policy policy-name (Required)
• Specify a PKI domain for the SSL client policy: pki-domain domain-name (Optional. No PKI domain is configured by default.)
• Specify the preferred cipher suite for the SSL client policy: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } (Optional. rsa_rc4_128_md5 by default.)
• Specify the...
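The SSL server policy session on page 245 and the cipher suite tables on pages 243 and 246 together determine how strong a device's HTTPS endpoint actually is. The following audit script is an added example, not part of the HP manual: it parses a CLI session in the manual's own prompt style, collects the pki-domain, ciphersuite / prefer-cipher and client-verify settings per policy, and flags the RC4, DES and 3DES suites from the tables as weak. It assumes that a server policy's ciphersuite line lists the selected suites separated by spaces (the manual's syntax is truncated on this page), and the weak/acceptable classification is this example's own, not the manual's.

```python
import re

# Cipher suite names taken from the prefer-cipher table (page 246); the
# weak/acceptable classification is this example's assessment, not HP's.
WEAK_SUITES = {
    "rsa_rc4_128_md5": "RC4 stream cipher with MD5-based MAC",
    "rsa_rc4_128_sha": "RC4 stream cipher",
    "rsa_des_cbc_sha": "single DES (56-bit key)",
    "rsa_3des_ede_cbc_sha": "3DES (64-bit block size)",
}
DEFAULT_PREFER_CIPHER = "rsa_rc4_128_md5"  # client-policy default per the table

# Constructed sample session in the manual's prompt style (not from the manual).
SAMPLE_SESSION = """\
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] ciphersuite rsa_aes_256_cbc_sha rsa_rc4_128_md5
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
[Device] ssl client-policy myclient
[Device-ssl-client-policy-myclient] quit
"""

def audit_ssl_policies(session_text):
    """Return {"<kind>:<name>": [finding, ...]} for every SSL policy seen."""
    policies, name = {}, None
    for raw in session_text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop the [Device...] prompt
        m = re.match(r"ssl (server|client)-policy (\S+)$", line)
        if m:
            name = f"{m.group(1)}:{m.group(2)}"
            policies[name] = {"kind": m.group(1), "pki": False, "suites": [], "verify": False}
        elif name is None:
            continue
        elif line.startswith("pki-domain "):
            policies[name]["pki"] = True
        elif line.startswith("ciphersuite "):   # assumption: space-separated suite list
            policies[name]["suites"] += line.split()[1:]
        elif line.startswith("prefer-cipher "):
            policies[name]["suites"].append(line.split()[1])
        elif line == "client-verify enable":
            policies[name]["verify"] = True
    report = {}
    for pname, p in policies.items():
        findings = []
        suites = p["suites"] or ([DEFAULT_PREFER_CIPHER] if p["kind"] == "client" else [])
        findings += [f"weak cipher suite {s}: {WEAK_SUITES[s]}" for s in suites if s in WEAK_SUITES]
        if p["kind"] == "client" and not p["suites"]:
            findings.append(f"no prefer-cipher configured; default {DEFAULT_PREFER_CIPHER} applies")
        if not p["pki"]:
            findings.append("no pki-domain configured")
        if p["kind"] == "server" and not p["verify"]:
            findings.append("client-verify not enabled; server does not authenticate clients")
        report[pname] = findings
    return report
```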

Page 257

247
• The server and the client have no matching cipher suite.
Solution
1. Issue the debugging ssl command and view the debugging information to locate the problem:
• If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.
• If the server's certificate cannot be trusted, install the root certificate of the CA that issued the local certificate to the SSL server on the SSL client, or let the...

Page 258

248
TCP attack protection configuration
TCP attack protection overview
An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature.
Enabling the SYN cookie feature
As a general rule, the establishment of a TCP connection involves the following three steps (the three-way handshake).
1. The request originator sends a SYN message to the target server.
2. After receiving the SYN message, the target server establishes a TCP...

Page 259

249
IP source guard configuration
IP source guard overview
Introduction to IP source guard
IP source guard is intended to work on a port connecting users. It filters received packets to block illegal access to network resources, improving network security. For example, it can prevent illegal hosts from using a legal IP address to access the network.
IP source guard can filter packets according to the packet source IP address, and source MAC address. It supports these types of...

Page 260

250
• A static IPv4 source guard binding entry filters IPv4 packets received by the port or checks the validity of users by cooperating with the ARP detection feature.
• A static IPv6 source guard binding entry filters IPv6 packets received by the port or checks the validity of users by cooperating with the ND detection feature.
NOTE:
• For information about ARP detection, see the chapter "ARP attack protection configuration."
• For information about ND detection,...
