@FlorianHeigl
Last active March 29, 2022 11:26
ale-baseline-config
---
# references
# [Switch Management Guide](https://www.al-enterprise.com/-/media/assets/internet/documents/os8-sw-87r3-rev-a.pdf)
# [Security Target for EAL2](https://www.fmv.se/globalassets/csec/alcatel-lucent-enterprise-omniswitch-with-aos-8.6.4.r11/alcatel-lucent-enterprise-omniswitch-with-aos-8.6.r11-security-target-for-eal2.pdf)
# [Security Best Practices in AOS](https://support.alcadis.nl/Support_files/Alcatel-Lucent/OmniSwitch//OS6450/Technotes/Security%20Best%20Practices%20in%20AOS%20v1.7.pdf)
# collected here from section 8, AOS 8 example configuration (page 68ff)
### ssh session limit
### value chosen for usability
### bad password lockout
user lockout-window 3
user lockout-threshold 5
user lockout-duration 4
### ACL with destination network group Switch
policy network group management <ip_address> mask <mask> <ip_address> mask <mask> <ip_address> mask <mask> ...
policy condition trusted source network group management destination network group Switch
policy condition untrusted destination network group Switch
policy action accept
policy action drop disposition drop
policy rule trusted precedence 65010 condition trusted action accept
policy rule untrusted precedence 65000 condition untrusted action drop
qos apply
### fips mode
### not enabled; requires a reboot and better RADIUS etc. settings beforehand
### console port safety
### do not disable; no OOB network available
### enable audit log
command-log enable
#### remote logging
swlog remote command-log enable
snmp station <ip_address> <username> v3 enable
no swlog output
swlog output flash
swlog output flash-file-size 8192
swlog output socket <ip_address>
swlog appid all level info
swlog
### restrict services
### pubkey auth requires a key stored in /flash/network/pub
ip service all admin-state disable
ip service ssh admin-state enable
ssh enforce-pubkey-auth enable
ip service snmp admin-state enable
ip service http admin-state enable
webview force-ssl enable
snmp security privacy all
### snmp fine-tuning
# adjust: use AES and read-only access only
snmp security authentication all
user snmp3 password <key> sha+des read-write all
aaa authentication snmp local
### trap support requires additional configuration:
snmp station 1.1.1.1 snmp3 v3 enable
snmp authentication-trap enable
### webview ssl cert replacement
/switch/wv-cert.pem
/switch/wv-key.pem
## storm protection
### multicast control
### see manual, unclear
### dhcp split, cpu priority
### anomaly detection
### see docs; can detect various kinds of misbehaviour, send a trap and disable the port
netsec group untrusted port 1/1-24
netsec group untrusted anomaly arp-flood state enable log enable trap enable quarantine enable count 1000 period 5
### dhcp snooping (access)
### trusted ports for DHCP servers
dhcp-snooping admin-state enable
dhcp-snooping binding admin-state enable
dhcp-snooping port 1/1/24 trust
### flood
### values must fit the baseline
interfaces flood-limit all
interfaces port 1/1/1 flood-limit bcast rate pps 244
interfaces port 1/1/1 flood-limit uucast rate pps 244
interfaces port 1/1/1 flood-limit uucast action trap
interfaces 1/1/4 flood-limit uucast action shutdown
### dos protection
ip dos anti-spoofing enable
### arp spoof
### limit how many MAC addresses are allowed per port
### relevant for regular ports
port-security port 1/1-2 maximum 1
port-security port 1/1-2 admin-state enable
port-security port 1/1-2 learn-trap-threshold 5
### stp root guard
spantree vlan port 2/1/1 root-guard enable
### LLDP global (everything except IP?)
lldp chassis tlv management port-description enable system-name enable system-description enable
lldp chassis tlv dot1 vlan-name enable port-vlan enable
lldp chassis tlv dot3 mac-phy enable
### LLDP Port
lldp chassis tlv management port-description enable system-name enable system-description enable
lldp chassis tlv management management-address enable system-capabilities enable
lldp chassis tlv dot1 vlan-name enable port-vlan enable
lldp chassis tlv dot3 mac-phy enable
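A compliance check for this baseline, as an added example (not part of the gist and not an AOS feature): it reads a config in the style above, ignores comment lines, and flags missing controls, services enabled beyond ssh/snmp/http, `ip service all admin-state disable` placed after an enable, and SNMPv3 users that are not AES plus read-only. The config text is constructed with two deliberate deviations.

```python
"""Baseline compliance check for an AOS 8 OmniSwitch config (added example)."""
import re

# Constructed sample config in the gist's style, with two deliberate deviations:
# telnet left enabled, and an SNMPv3 user with DES privacy and read-write access.
SAMPLE_CONFIG = """\
### bad password lockout
user lockout-window 3
user lockout-threshold 5
user lockout-duration 4
command-log enable
ip service all admin-state disable
ip service ssh admin-state enable
ssh enforce-pubkey-auth enable
ip service snmp admin-state enable
ip service http admin-state enable
ip service telnet admin-state enable
webview force-ssl enable
snmp security privacy all
user snmp3 password <key> sha+des read-write all
dhcp-snooping admin-state enable
"""

# Controls the baseline above expects to be present (prefix match on a config line).
REQUIRED = [
    "user lockout-threshold", "command-log enable", "ip service all admin-state disable",
    "ssh enforce-pubkey-auth enable", "webview force-ssl enable",
    "snmp security privacy all", "dhcp-snooping admin-state enable",
]
ALLOWED_SERVICES = {"ssh", "snmp", "http"}  # the only services the baseline re-enables


def check_baseline(config: str) -> list:
    """Return a list of human-readable findings; an empty list means compliant."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    findings = [f"missing: {req}" for req in REQUIRED
                if not any(l.startswith(req) for l in lines)]
    for i, line in enumerate(lines):
        # 'all disable' must precede the selective enables, or it would undo them
        if line == "ip service all admin-state disable" and any(
                re.match(r"ip service \S+ admin-state enable", prev) for prev in lines[:i]):
            findings.append("ip service all admin-state disable appears after an enable")
        m = re.match(r"ip service (\S+) admin-state enable", line)
        if m and m.group(1) not in ALLOWED_SERVICES:
            findings.append(f"unexpected service enabled: {m.group(1)}")
        # SNMPv3 user line: user <name> password <key> <auth>+<priv> <access> ...
        m = re.match(r"user (\S+) password \S+ (\S+)\+(\S+) (\S+)", line)
        if m:
            user, _auth, priv, access = m.groups()
            if priv != "aes":
                findings.append(f"snmp user {user}: privacy {priv}, expected aes")
            if access != "read-only":
                findings.append(f"snmp user {user}: access {access}, expected read-only")
    return findings
```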

FlorianHeigl commented Feb 7, 2022

bpduguard against switches (also only on access ports)
not for now - because of unknown switches

increase log buffer

syslog destination

checklist

laptop, wireshark, ring buffer, first 100 bytes


FlorianHeigl commented Feb 9, 2022

flood autorecovery

interfaces 1/1/1 flood-limit bcast rate mbps 60 low-threshold 40
interfaces 1/1/4 flood-limit uucast rate mbps 100 low-threshold 40
interfaces 1/1/5 flood-limit mcast rate pps 2000 low-threshold 1000


FlorianHeigl commented Feb 9, 2022

DDM

(DOM, DDI) - sfp monitoring

interfaces ddm enable
interfaces ddm-trap enable

Industrial SFP+ transceiver module with DOM - Alcatel-Lucent iSFP-10G-SR-I

cu and sfp monitoring

EPP

should only be enabled when connection problems are observed

interfaces 1/1/49-52 epp enable

Only certain transceivers support enabling EPP. Additionally, depending on the revision of the OmniSwitch, there are port restrictions due to the power requirements of enabling EPP as shown in the table below


FlorianHeigl commented Feb 15, 2022


FlorianHeigl commented Mar 29, 2022

https://dokuwiki.alu4u.com/doku.php?id=omniswitch-6860-konfiguration-datatour-h1-2014

bluetooth! appmon!

bluetooth transmit-power high

just what is "DA-UNP"
issues with auto-fabric configuring it: https://www.alcatelunleashed.com/viewtopic.php?f=410&t=28227

"By using vNPs (virtual network profiles), virtual machines on different switch ports in the network can find the same environment variables (e.g. VLAN, QoS prioritisation, ACL security policies)."
virtual switch profiles? -> could the policy be kept smaller with that?


FlorianHeigl commented Mar 29, 2022
