Aruba
SD-Branch Hardening Guide
Version: 1.0.0
Modified by: Samuel Pérez Buñuel

Version  Date        Modified By
1.0      2019-04-17  Samuel Pérez Buñuel   First official version
Copyright 2019 Hewlett Packard Enterprise Development LP.
GNU /
Hewlett-Packard Company
3 US$ 10.00
Hewlett-Packard Company, Attn: General Counsel, 3000 Hanover Street, Palo Alto, CA 94304, USA
HPE-Aruba-gplquery@hpe.com
1. : Aruba SD-Branch
1-1.
2. :
2-1.
2-1-1.
2-1-2.
3.
3-1.
3-1-1. HTTPS
3-1-2. SSH
3-2. IPsec
3-3. Diffie-Hellman
3-4. NTP
3-5. SNMP
3-6. syslog
3-7. RADIUS
3-8.
4.
4-1.
4-2.
4-3.
5.
5-1. WAN
5-1-1. WAN ACL
5-1-1-1. WAN ACL
5-1-2.
5-2. LAN
5-2-1.
5-2-2.
5-2-3. IP ACL
5-3.
5-3-1.
5-3-2. IP
5-3-3. ARP
5-3-4. DHCP
A. Annex:
A-1.
A-2.
1. : Aruba SD-Branch
Aruba SD-Branch
( Aruba )
Aruba SD-Branch
1: SD-Branch
1-1.
Aruba ArubaOS :
: Aruba Central
: Aruba TPM Aruba Central
AES256 : ~Hub
Aruba : ALG
DPI: 2600 DPI
Web : WebRoot
URL
Aruba SD-Branch ClearPass ( AAA )
VLAN IP
360 secure exchange
100 Aruba Introspect for UEBA
Aruba SD-Branch
Aruba SD-Branch
Palo Alto Global Protect (GPCS)
SD-WAN
()
2. :
Aruba Aruba SD-WAN
2-1.
Aruba
ArubaOS
:
QualysGuard
nCircle
Nessus
Retina
Aruba Threat Labs Aruba
Aruba Threat Labs ()
Aruba Threat Labs
2-1-1.
Aruba http://www.arubanetworks.com/support-services/security-bulletins/
Aruba RSS
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-vulnerability-advisories/m-p/176738
2-1-2.
Aruba Aruba
Aruba
BugCrowd http://www.bugcrowd.com
3.
3-1.
ArubaOS HTTPS, SSH, IPsec IPsec
DES (56 bits) MD5 [System > Certificates]
2: TLS 1.2
TLS 1.0 1.1 UI
3-1-2. SSH
ArubaOS 8.4.0.0-1.0.5.0 Aruba SD-WAN SSH AES-CTR
Aruba SSH
SSH MAC SSH aes128-cbc, aes256-cbc
aes128-ctr, aes192-ctr, aes256-ctr; SSH MAC hmac-sha1, hmac-sha1-96
[Gateway Management > System > Admin] :
3: SSH
NOTE: HMAC-SHA1-96 AES-CBC
HMAC MAC (RFC 2104, NIST SP 800-107) SHA1 HMAC-SHA1 2
(NIST SP 800-107, SP 800-111A)
3-2. IPsec
ArubaOS IPsec IAP-VPN SD-Branch
Aruba IKEv2 112bits
:
3-3. Diffie-Hellman
IPsec TLS Diffie-Hellman 2015 10
1024-bit Diffie-Hellman
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf Aruba
1024-bit DH
ArubaOS (TPM SD-WAN)
DH 2 IKE (10000) IKE
DH 14
2048-bit
HTTPS TLS Diffie-Hellman Apache Web
DH Aruba DH 1024bits
Aruba
Aruba DH
3-4. NTP
NTP
NTP
NTP NTP [Gateway Management > System > General > Clock]
4: NTP
3-5. SNMP
SD-WAN Aruba Central SNMP
SNMP
SNMP 1 2
Aruba SNMPv3
SNMPv3 SNMP (NOTE: SNMP Aruba Central Documentation SD-WAN)
5: SNMPv3
3-6. syslog
1
Aruba Branch
Aruba Central
ArubaOS syslog
6: syslog
3-7. RADIUS
RADIUS RADIUS Aruba
Gateway ( Aruba ClearPass) RadSec
RADIUS ArubaOS 63
http://www.random.org
3-8.
ArubaOS ArubaOS CLI: show firewall

Monitor/police CP attacks               Enabled  20/30sec
Rate limit CP untrusted ucast traffic   Enabled  9765 pps
Rate limit CP untrusted mcast traffic   Enabled  3906 pps
Rate limit CP trusted ucast traffic     Enabled  65535 pps
Rate limit CP trusted mcast traffic     Enabled  3906 pps
Rate limit CP route traffic             Enabl