Thursday, November 14, 2019

FIPS mode in Comware Devices


Comware devices offer a FIPS mode in which only a limited subset of features and algorithms is available, so that the device operates in compliance with NIST FIPS 140-2. After FIPS mode is enabled, at least the following restrictions apply:
  • FTP, TFTP, HTTP servers are disabled.
  • Remote access via Telnet protocol is disabled.
  • SNMPv3 is the only available version of SNMP.
  • The SSL server supports only TLS1.0.
  • The SSH server does not support SSHv1 clients.
  • SSH supports only RSA.
  • The generated RSA key pairs must have a modulus length of 2048 bits. The generated DSA key pair must have a modulus of at least 1024 bits.
  • SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
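Enabling FIPS mode on a Comware 7 device, as an added example that is not part of the original post. fips mode enable and display fips status are the Comware 7 commands; the hostname, the key-pair name and the exact prompt and output text are illustrative and vary by release. Lines starting with # are comments.

```text
# Regenerate the host RSA key pair at 2048 bits first: FIPS mode will not
# accept the shorter keys older firmware generated by default.
# (Key name "fips-host" and the prompt text are illustrative.)
<Router> system-view
[Router] public-key local create rsa name fips-host
Input the modulus length [default = 1024]:2048
Generating Keys...

# Enable FIPS mode. A reboot is mandatory; answering Y to the second prompt
# lets the device remove non-compliant settings and reboot on its own.
# Do this from the console: Telnet is disabled once FIPS mode is on.
[Router] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:y

# After the reboot, confirm the mode and spot-check the restrictions above
# (SNMP version in use, SSH server version and algorithms).
<Router> display fips status
FIPS mode is enabled.
<Router> display snmp-agent sys-info
<Router> display ssh server status
```

Reverting is undo fips mode enable, which also requires a reboot, so treat the change as a maintenance window rather than a quick toggle.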

Why Not Use VLAN 1?



A dedicated management VLAN separates user traffic from management traffic.

ACLs or other security features applied to a transit interface do not necessarily filter traffic addressed to the device itself. So also apply an ACL to the vty lines (or to the SSH/Telnet server), so that management sessions are blocked unless they come from authorized IP addresses, whichever interface they arrive on.

You can't stop the switch from sending its own Layer 2 control-plane protocols (LLDP, STP BPDUs, LACP, VRRP, CDP, PAgP, VTP, GVRP, etc.) across 802.1Q trunk links, so VLAN 1 cannot be removed entirely. What you can do is:

  • Create a parking VLAN, e.g. VLAN 999, and put every unused port in it. It needs no L3 SVI because it only holds unused ports.
  • Change the native VLAN on trunks from VLAN 1 to another VLAN. That VLAN needs no L3 SVI either, because the native VLAN never needs to be routed.
  • Create a separate VLAN (other than VLAN 1) for managing your switches.
  • From the console, shut down the VLAN 1 interface on each switch and add an L3 SVI for the new management VLAN.
  • Move any user ports still in VLAN 1 into their proper VLANs.

After this, VLAN 1 carries only L2 control-plane protocols (LLDP/STP/LACP/VRRP/BPDU, etc.) and no user or management traffic.
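The procedure above as one Comware 7 configuration, added here as an example (not from the original post; the same steps apply to other vendors' CLIs with different syntax). VLAN numbers, interface names and the 10.20.30.0/24 management subnet are assumptions; a local user with SSH service type and an RSA host key are assumed to exist already. Lines starting with # are comments.

```text
# Parking VLAN for unused ports and a replacement native VLAN; neither gets a
# Vlan-interface, so nothing in them is routable.
vlan 999
 name UNUSED
vlan 998
 name NATIVE
# User VLAN (assumed) so no user port is left in VLAN 1.
vlan 200
 name USERS
# Management VLAN with the only Layer 3 interface on this switch.
vlan 100
 name MGMT
interface Vlan-interface100
 ip address 10.20.30.11 255.255.255.0
# VLAN 1 keeps carrying untagged control-plane traffic, but it no longer has
# a reachable IP interface.
interface Vlan-interface1
 shutdown
# User ports moved out of VLAN 1.
interface range GigabitEthernet1/0/2 to GigabitEthernet1/0/9
 port link-type access
 port access vlan 200
# Unused ports: parked in VLAN 999 and administratively down.
interface range GigabitEthernet1/0/10 to GigabitEthernet1/0/24
 port link-type access
 port access vlan 999
 shutdown
# Uplink: native (untagged) VLAN moved off VLAN 1, and VLAN 1 removed from the
# permitted list so no user traffic rides on it.
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk pvid vlan 998
 port trunk permit vlan 100 200 998
 undo port trunk permit vlan 1
# Management-plane filter: only the management subnet may open SSH to the
# switch, regardless of which interface the packets arrive on. Rules are
# evaluated in ascending rule-ID order, so the permit comes first.
acl basic 2000
 rule 5 permit source 10.20.30.0 0.0.0.255
 rule 10 deny
ssh server enable
ssh server acl 2000
undo telnet server enable
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
```

The ssh server acl line is the Comware equivalent of an ACL on the vty lines: it is checked on the session to the switch itself, so it still applies when an interface ACL on a transit port does not.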

Wednesday, November 13, 2019

ArubaOS-Switch QinQ Solution with the 3810M


Problem
I have a single uplink (LAG) from my core to my QinQ provider Cisco switch. If I don't add QinQ to my replacement 8400 ArubaOS-CX cores, how can I serve multiple S-VLANs over that single uplink, mapping them to customer VLANs on an ArubaOS-Switch 3810M?

Solution
Link the ports as shown in the topology with patch-cable jumpers and configure the QinQ switch as below.

Topology


Enable qinq mixed-vlan mode and let the switch reboot (the command's only option, tag-type, is left at its default here)
Procurve-QinQ(config)# qinq mixedvlan
This command will reboot the device. Any prior configuration
on this config file will be erased and the device will boot up
with a default configuration for the new qinq mode.
Do you want to continue? [y/n] y

Disable BPDU Throttling
no spanning-tree bpdu-throttle

Disable GVRP on the interfaces that will be added to the S-VLANs (unknown-vlans disable stops the port from learning and joining VLANs advertised via GVRP)
interface 1-3,10,12,14
   unknown-vlans disable
  


Add ports to svlan’s 150, 151, 152
svlan 150
   tagged 1
   untagged 10

svlan 151
   tagged 2
   untagged 12
  
svlan 152
   tagged 3
   untagged 14

Add the uplink interfaces (ports 47-48, the LAG towards the core) to an LACP trunk
trunk 47-48 trk1 lacp

Set the QinQ port type of each interface: the S-VLAN member ports are provider-network, the customer VLAN ports and the trunk to the core are customer-network
interface 1-3,10,12,14
   qinq port-type provider-network

interface 9,11,13,trk1
   qinq port-type customer-network

Add the 802.1Q customer VLANs and their ports
vlan 50
   tagged 9,Trk1
   no ip address
  
vlan 51
   tagged 11,Trk1
   no ip address
  
vlan 52
   tagged 13,Trk1
   no ip address
  
I can now ping across the svlan from Host to Core and back again

Hosts to Core
Host1(config)# show ip
  -------------------- + ---------- -------------- --------------
  VLAN50               | Manual     10.0.50.254     255.255.255.0

Host1# ping 10.0.50.1
10.0.50.1 is alive, time = 1 ms

Host2(config)# show ip
  -------------------- + ---------- -------------- --------------
  VLAN51               | Manual     10.0.51.254     255.255.255.0

Host2# ping 10.0.51.1
10.0.51.1 is alive, time = 1 ms

Host3(config)# show ip
  -------------------- + ---------- -------------- --------------
  VLAN52               | Manual     10.0.52.254     255.255.255.0

Host3# ping 10.0.52.1
10.0.52.1 is alive, time = 1 ms

Core to Hosts

Core(config)# ping 10.0.50.254 
10.0.50.254 is alive, time = 1 ms

Core(config)# ping 10.0.51.254
10.0.51.254 is alive, time = 1 ms

Core(config)# ping 10.0.52.254
10.0.52.254 is alive, time = 1 ms

Enable the WebUI on an MSR Comware Router



On a router that is already configured and reachable (console or SSH):


Enable the web service type for the local user

CMW5
local-user admin
  service-type web


CMW7 (the web service types are http and https, and the user needs the network-admin role to do anything useful in the Web UI)
local-user admin class manage
  service-type http https
  authorization-attribute user-role network-admin


Enable the HTTP and HTTPS servers. HTTP carries the login in the clear; unless you really need it, leave it off (undo ip http enable) and use HTTPS only.
ip http enable
ip https enable


web https-authorization mode manual

Enable Web UI operation logging

webui log enable

Verify the listeners:
dis ip http
HTTP port: 80
Operation status : Enabled
<-- Bad practice 😱: HTTP on port 80 sends the login in cleartext

dis ip https
HTTPS port: 443
Operation status : Enabled


Restrict access from the WAN-facing interface (GigabitEthernet3/0/0 here): create an ACL and apply it inbound. Comware evaluates the rules in ascending rule-ID order (the default "config" match order), so the permit rules for the trusted source must have lower IDs than the blanket deny rules; placed after the denies they would never be reached. Traffic not matched by any rule is permitted by the packet filter's default action.
acl advanced name BLOCK-REMOTE
  ! Poke a hole at your own peril: the trusted source is matched first
  rule 5 permit tcp source <ip-of-peril> 0 destination-port eq 443
  rule 6 permit tcp source <ip-of-peril> 0 destination-port eq 80
  rule 9 deny tcp destination-port eq 443 logging
  rule 10 deny tcp destination-port eq 80 logging

interface GigabitEthernet3/0/0
  packet-filter name BLOCK-REMOTE inbound


Exempt <ip-of-peril> from the attack-defense policy (optional; only needed if attack defense is applied on the WAN interface, otherwise the HTTP-flood check may drop the trusted host's sessions)
acl basic name WAN
  rule 0 permit source <ip-of-peril> 0

interface GigabitEthernet3/0/0
  attack-defense apply policy Defense-Attack-Policy

attack-defense policy Defense-Attack-Policy
  exempt acl name WAN
  http-flood action logging drop
  http-flood threshold 100


About the Author

Central Florida, United States