Features and benefits (continued) – HP 3500yl Series User Manual


ProCurve Switch 5400zl/3500yl Series

Features and benefits (continued)

Virus throttling: detects traffic patterns typical of WORM-type viruses and either throttles or entirely prevents the ability of the virus to spread across the routed VLANs or bridged interfaces, without requiring external appliances

ICMP throttling: defeats ICMP denial-of-service attacks by enabling any switch port to automatically throttle ICMP traffic

Multiple user authentication methods:

IEEE 802.1X: industry-standard way of user authentication using an IEEE 802.1X supplicant on the client in conjunction with a RADIUS server

Web-based authentication: authenticates from Web browser for clients that do not support 802.1X supplicant; customized remediation can be processed on an external Web server

MAC-based authentication: client is authenticated with the RADIUS server based on client’s MAC address

Authentication flexibility:

Multiple IEEE 802.1X users per port: provides authentication of multiple IEEE 802.1X users per port; prevents user “piggybacking” on another user’s IEEE 802.1X authentication

Concurrent IEEE 802.1X and Web or MAC authentication schemes per port: switch port will accept any of IEEE 802.1X and either Web or MAC authentications

Access control lists (ACLs): provide filtering based on the IP field, source/destination IP address/subnet, and source/destination TCP/UDP port number on a per-VLAN or per-port basis

Identity-driven ACL: enables implementation of a highly granular and flexible access security policy specific to each authenticated network user

DHCP protection: blocks DHCP packets from unauthorized DHCP servers, preventing denial-of-service attacks

BPDU port protection: blocks Bridge Protocol Data Units (BPDU) on ports that do not require BPDUs, preventing forged BPDU attacks

Dynamic IP lockdown: works with DHCP protection to block traffic from unauthorized hosts, preventing IP source address spoofing

Dynamic ARP protection: blocks ARP broadcasts from unauthorized hosts, preventing eavesdropping or theft of network data

STP Root Guard: protects root bridge from malicious attack or configuration mistakes

Detection of malicious attacks: monitors 10 types of network traffic and sends a warning when an anomaly that potentially can be caused by malicious attacks is detected

Port security: allows access only to specified MAC addresses, which can be learned or specified by the administrator

MAC address lockout: prevents particular configured MAC addresses from connecting to the network

Source-port filtering: allows only specified ports to communicate with each other

TACACS+: eases switch management security administration by using a password authentication server

Secure Shell (SSHv2): encrypts all transmitted data for secure, remote command-line interface (CLI) access over IP networks

Secure Sockets Layer (SSL): encrypts all HTTP traffic, allowing secure access to the browser-based management GUI in the switch
