Aruba SD-Branch Hardening Guide. Context: the security of Aruba SD-Branch. Security is, Aruba


Aruba SD-Branch Hardening Guide

Version: 1.0.0

Version   Date         Modified By            Notes
1.0       2019-04-17   Samuel Pérez Buñuel    First official version

Copyright 2019 Hewlett Packard Enterprise Development LP.

GNU GPL / (written offer for source code)

Hewlett-Packard Company
3 US
$ 10.00

Hewlett-Packard Company, Attn: General Counsel, 3000 Hanover Street, Palo Alto, CA 94304, USA

HPE-Aruba-gplquery@hpe.com

Contents

1. : Aruba SD-Branch
  1-1.
2. :
  2-1.
    2-1-1.
    2-1-2.
3.
  3-1.
    3-1-1. HTTPS
    3-1-2. SSH
  3-2. IPsec
  3-3. Diffie-Hellman
  3-4. NTP
  3-5. SNMP
  3-6. syslog
  3-7. RADIUS
  3-8.
4.
  4-1.
  4-2.
  4-3.
5.
  5-1. WAN
    5-1-1. WAN ACL
      5-1-1-1. WAN ACL
    5-1-2.
  5-2. LAN
    5-2-1.
    5-2-2.
    5-2-3. IP ACL
  5-3.
    5-3-1.
    5-3-2. IP
    5-3-3. ARP
    5-3-4. DHCP
A. Annex:
  A-1.
  A-2.

1. : Aruba SD-Branch

    Aruba SD-Branch

    ( Aruba )

    Aruba SD-Branch

Figure 1: SD-Branch

    1-1.

    Aruba ArubaOS :

    : Aruba Central

    : Aruba TPM Aruba Central

AES256 : ~Hub

Aruba : ALG

DPI: 2600 DPI

Web : Webroot

URL

Aruba SD-Branch ClearPass ( AAA )

VLAN IP

360 Secure Exchange

100 Aruba IntroSpect for UEBA

Aruba SD-Branch

Aruba SD-Branch

Palo Alto Networks GlobalProtect cloud service (GPCS)

    SD-WAN

    ()

    2. :

    Aruba Aruba SD-WAN

2-1.

Aruba

ArubaOS

:

QualysGuard
nCircle
Nessus
Retina

Aruba Threat Labs Aruba

Aruba Threat Labs ()

Aruba Threat Labs

2-1-1.

Aruba security bulletins: http://www.arubanetworks.com/support-services/security-bulletins/

Aruba RSS: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-vulnerability-advisories/m-p/176738

2-1-2.

Aruba Aruba

Aruba

BugCrowd http://www.bugcrowd.com

3.

3-1.

ArubaOS: HTTPS, SSH, IPsec. IPsec

DES (56-bit), MD5 ( System > Certificates]

Figure 2: TLS 1.2

TLS 1.0, 1.1 (UI)

3-1-2. SSH

ArubaOS 8.4.0.0-1.0.5.0, Aruba SD-WAN: ssh AES-CTR

Aruba SSH

SSH ciphers and MACs. SSH ciphers: aes128-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr. SSH MACs: hmac-sha1, hmac-sha1-96.

[Gateway Management > System > Admin] :

Figure 3: SSH

NOTE: HMAC-SHA1-96, AES-CBC

HMAC MAC (RFC 2104, NIST SP 800-107); SHA1, HMAC-SHA1 2

(NIST SP 800-107, SP 800-111A)

3-2. IPsec

ArubaOS IPsec (IAP-VPN, SD-Branch)

Aruba: IKEv2, 112 bits

:

3-3. Diffie-Hellman

IPsec and TLS both use Diffie-Hellman. October 2015: 1024-bit Diffie-Hellman (https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf). Aruba

1024-bit DH

ArubaOS (TPM, SD-WAN)

DH group 2, IKE ( 10000 ) IKE

DH group 14, 2048 bits

HTTPS/TLS Diffie-Hellman, Apache Web

DH: Aruba DH 1024 bits

Aruba

Aruba DH
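The following is an added example, not code from the guide or from Aruba: a small Python audit of the SSH cipher and MAC lists, the TLS versions and the IKE Diffie-Hellman groups that sections 3-1 through 3-3 cover. The policy it encodes is an assumption that mirrors the text above (CTR-only SSH ciphers, hmac-sha1 kept but hmac-sha1-96 dropped, TLS 1.2 only, IKE groups of at least 112-bit strength, i.e. group 14 and up); the group sizes come from RFC 3526 and RFC 5903, and the strength mapping from NIST SP 800-57 Part 1, Table 2. The algorithm lists in SHIPPED are the ones quoted on this page; HARDENED is a constructed sample of the same device after applying the guide's choices.

```python
"""Added example: audit SSH/TLS/IKE settings against a hardening policy
(assumed policy mirroring sections 3-1 to 3-3 of the guide)."""

# Finite-field (MODP) IKE groups from RFC 2409 / RFC 3526: group -> modulus bits.
MODP_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
# Elliptic-curve IKE groups from RFC 5903: group -> curve size in bits.
ECP_GROUP_BITS = {19: 256, 20: 384, 21: 521}

# Security-strength rows of NIST SP 800-57 Part 1 Table 2: (size threshold, bits).
_FFC_ROWS = ((1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256))
_ECC_ROWS = ((160, 80), (224, 112), (256, 128), (384, 192), (512, 256))


def dh_security_strength(group):
    """Security strength in bits for an IKE DH group; 0 if below the 80-bit row."""
    if group in MODP_GROUP_BITS:
        bits, rows = MODP_GROUP_BITS[group], _FFC_ROWS
    elif group in ECP_GROUP_BITS:
        bits, rows = ECP_GROUP_BITS[group], _ECC_ROWS
    else:
        raise ValueError(f"unknown IKE DH group {group}")
    strength = 0
    for threshold, bits_of_security in rows:
        if bits >= threshold:
            strength = bits_of_security
    return strength


def audit_ssh(ciphers, macs):
    """Flag CBC-mode ciphers and MD5-based or truncated (-96) MACs."""
    findings = []
    for c in ciphers:
        if c.endswith("-cbc"):
            findings.append(f"ssh cipher {c}: CBC mode, remove (keep CTR)")
    for m in macs:
        if "md5" in m or m.endswith("-96"):
            findings.append(f"ssh mac {m}: MD5-based or truncated MAC, remove")
    return findings


def audit_tls(versions):
    """Flag every protocol version below TLS 1.2."""
    weak = {"SSLv2", "SSLv3", "1.0", "1.1"}
    return [f"tls {v}: below TLS 1.2, disable" for v in versions if v in weak]


def audit_ike(dh_groups, min_strength=112):
    """Flag DH groups whose security strength is below min_strength bits."""
    findings = []
    for g in dh_groups:
        s = dh_security_strength(g)
        if s < min_strength:
            findings.append(f"ike dh group {g}: {s}-bit strength below {min_strength}")
    return findings


def audit(cfg):
    return (audit_ssh(cfg["ssh_ciphers"], cfg["ssh_macs"])
            + audit_tls(cfg["tls_versions"])
            + audit_ike(cfg["ike_dh_groups"]))


# The algorithm lists quoted on this page before hardening.
SHIPPED = {
    "ssh_ciphers": ["aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "ssh_macs": ["hmac-sha1", "hmac-sha1-96"],
    "tls_versions": ["1.0", "1.1", "1.2"],
    "ike_dh_groups": [2, 14],
}

# Constructed sample: the same device after applying the guide's choices.
HARDENED = {
    "ssh_ciphers": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "ssh_macs": ["hmac-sha1"],
    "tls_versions": ["1.2"],
    "ike_dh_groups": [14],
}

if __name__ == "__main__":
    for finding in audit(SHIPPED):
        print(finding)
    print("hardened config findings:", audit(HARDENED))
```

Run as a script it prints six findings for the shipped lists and none for the hardened ones. Group 2 is exactly the 1024-bit case the weakdh.org paper attacks; it rates only 80 bits of security, which is why the guide moves IKE to group 14 (2048 bits, 112-bit strength).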

3-4. NTP

NTP

NTP

NTP: [Gateway Management > System > General > Clock]

Figure 4: NTP

3-5. SNMP

SD-WAN, Aruba Central, SNMP

SNMP

SNMP versions 1 and 2

Aruba: SNMPv3

SNMPv3 SNMP (NOTE: SNMP, Aruba Central Documentation, SD-WAN)

Figure 5: SNMPv3

3-6. syslog

1

Aruba Branch

Aruba Central

ArubaOS syslog

Figure 6: syslog

3-7. RADIUS

RADIUS, RADIUS: Aruba Gateway ( Aruba ClearPass), RadSec

RADIUS shared secret: ArubaOS, 63 (characters)

http://www.random.org
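The pointer to random.org and the 63-character limit above concern the RADIUS shared secret. As an added example (my code, not the guide's or Aruba's), here is how to generate and sanity-check such a secret locally from the operating system's CSPRNG, so the value never passes through a third-party web site. The alphabet (printable ASCII minus space, quotes, backslash and backtick) and the 128-bit minimum are assumptions for this example, not ArubaOS rules; the 63-character maximum is the limit stated above.

```python
"""Added example: generate and check a RADIUS shared secret with the OS CSPRNG.
Assumed: 63-character maximum (from the guide), CLI-safe alphabet (assumption)."""
import math
import secrets
import string

MAX_LEN = 63  # ArubaOS limit quoted in section 3-7
# Assumed alphabet: digits, letters and punctuation, minus characters that
# CLI parsers commonly mistreat (double quote, single quote, backslash, backtick).
ALPHABET = "".join(
    c for c in string.digits + string.ascii_letters + string.punctuation
    if c not in "\"'\\`"
)


def generate_radius_secret(length=MAX_LEN):
    """Uniformly random secret of `length` characters drawn from ALPHABET."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError(f"length must be 1..{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(secret, alphabet=ALPHABET):
    """Entropy upper bound: assumes every character was chosen uniformly."""
    return len(secret) * math.log2(len(alphabet))


def check_radius_secret(secret, min_bits=128):
    """Return a list of problems; an empty list means the secret passes."""
    if not secret:
        return ["empty secret"]
    problems = []
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    unsupported = sorted(set(secret) - set(ALPHABET))
    if unsupported:
        problems.append(f"characters outside the assumed alphabet: {unsupported!r}")
    if entropy_bits(secret) < min_bits:
        problems.append(f"at most {entropy_bits(secret):.0f} bits of entropy, below {min_bits}")
    # A random secret uses many distinct characters; a word or a repeated pattern does not.
    if len(set(secret)) < min(len(secret), 12):
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    s = generate_radius_secret()
    print(s, f"({entropy_bits(s):.0f} bits)", check_radius_secret(s))
```

A 63-character secret over this 90-symbol alphabet carries about 409 bits, far beyond what a dictionary or brute-force attack on captured RADIUS traffic could recover; the check also rejects secrets with characters the CLI might not accept or that exceed the stated limit.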

3-8.

ArubaOS: ArubaOS CLI, show firewall

Monitor/police CP attacks               Enabled   20/30sec
Rate limit CP untrusted ucast traffic   Enabled   9765 pps
Rate limit CP untrusted mcast traffic   Enabled   3906 pps
Rate limit CP trusted ucast traffic     Enabled   65535 pps
Rate limit CP trusted mcast traffic     Enabled   3906 pps
Rate limit CP route traffic             Enabl
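As an added example (not code from the guide or from ArubaOS), a parser for the control-plane lines of that show firewall listing, with a check that flags any limit that is disabled, looser than the baseline, or missing from the output. The line layout and the baseline values are taken from the listing above; the truncated last line is assumed to read "Enabled", and DRIFTED_SHOW_FIREWALL is a constructed sample showing what a loosened device would look like.

```python
"""Added example: parse ArubaOS "show firewall" control-plane lines and audit
them against a baseline (baseline values assumed from the guide's listing)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines quoted on this page, last word completed (assumed).
SAMPLE_SHOW_FIREWALL = """\
Monitor/police CP attacks Enabled 20/30sec
Rate limit CP untrusted ucast traffic Enabled 9765 pps
Rate limit CP untrusted mcast traffic Enabled 3906 pps
Rate limit CP trusted ucast traffic Enabled 65535 pps
Rate limit CP trusted mcast traffic Enabled 3906 pps
Rate limit CP route traffic Enabled
"""

# Constructed sample: one limit raised, one protection switched off.
DRIFTED_SHOW_FIREWALL = """\
Monitor/police CP attacks Enabled 20/30sec
Rate limit CP untrusted ucast traffic Enabled 20000 pps
Rate limit CP untrusted mcast traffic Enabled 3906 pps
Rate limit CP trusted ucast traffic Enabled 65535 pps
Rate limit CP trusted mcast traffic Enabled 3906 pps
Rate limit CP route traffic Disabled
"""

LINE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<state>Enabled|Disabled)\s*(?P<value>.*)$")
PPS_RE = re.compile(r"^(?P<pps>\d+)\s*pps$")
CP_PREFIXES = ("Rate limit CP", "Monitor/police CP")

# Baseline (assumed): the packets-per-second values quoted on the page.
BASELINE_PPS = {
    "Rate limit CP untrusted ucast traffic": 9765,
    "Rate limit CP untrusted mcast traffic": 3906,
    "Rate limit CP trusted ucast traffic": 65535,
    "Rate limit CP trusted mcast traffic": 3906,
}


@dataclass
class CpSetting:
    name: str
    enabled: bool
    value: str          # raw value column, e.g. "20/30sec" or "9765 pps"
    pps: Optional[int]  # parsed packets-per-second limit when the value is "N pps"


def parse_show_firewall(text: str) -> List[CpSetting]:
    """Keep only control-plane lines; other show firewall output is ignored."""
    settings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("name").startswith(CP_PREFIXES):
            continue
        value = m.group("value").strip()
        pm = PPS_RE.match(value)
        settings.append(CpSetting(m.group("name"), m.group("state") == "Enabled",
                                  value, int(pm.group("pps")) if pm else None))
    return settings


def audit_control_plane(settings: List[CpSetting]) -> List[str]:
    """Flag disabled protections, limits looser than baseline, and missing entries."""
    findings = []
    seen = set()
    for s in settings:
        seen.add(s.name)
        if not s.enabled:
            findings.append(f"{s.name}: disabled, should be enabled")
        elif s.pps is not None and s.name in BASELINE_PPS and s.pps > BASELINE_PPS[s.name]:
            findings.append(f"{s.name}: {s.pps} pps is looser than baseline {BASELINE_PPS[s.name]} pps")
    for name in BASELINE_PPS:
        if name not in seen:
            findings.append(f"{name}: missing from output")
    return findings


if __name__ == "__main__":
    print("baseline device:", audit_control_plane(parse_show_firewall(SAMPLE_SHOW_FIREWALL)))
    for f in audit_control_plane(parse_show_firewall(DRIFTED_SHOW_FIREWALL)):
        print("drifted device:", f)
```

Only limits that are looser than the baseline are reported; a stricter limit is left alone, since the point of these settings is to cap how much traffic can reach the control plane.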