# references
# [Switch Management Guide](https://www.al-enterprise.com/-/media/assets/internet/documents/os8-sw-87r3-rev-a.pdf)
# [Security Target for EAL2](https://www.fmv.se/globalassets/csec/alcatel-lucent-enterprise-omniswitch-with-aos-8.6.4.r11/alcatel-lucent-enterprise-omniswitch-with-aos-8.6.r11-security-target-for-eal2.pdf)
# [Security Best Practices in AOS](https://support.alcadis.nl/Support_files/Alcatel-Lucent/OmniSwitch//OS6450/Technotes/Security%20Best%20Practices%20in%20AOS%20v1.7.pdf)
# collected here from section 8, AOS 8 example configuration (page 68ff)
### ssh session limit
### value chosen for usability
### bad password lockout
user lockout-window 3
user lockout-threshold 5
user lockout-duration 4
### ACL with destination network group Switch
policy network group management <ip_address> mask <mask> <ip_address> mask <mask> <ip_address> mask <mask> ...
policy condition trusted source network group management destination network group Switch
policy condition untrusted destination network group Switch
policy action accept
policy action drop disposition drop
policy rule trusted precedence 65010 condition trusted action accept
policy rule untrusted precedence 65000 condition untrusted action drop
qos apply
### fips mode
### not enabled, requires a reboot and better RADIUS etc. settings beforehand
### console port safety
### do not disable, no OOB network available
### enable audit log
command-log enable
#### remote logging
swlog remote command-log enable
snmp station <ip_address> <username> v3 enable
no swlog output
swlog output flash
swlog output flash-file-size 8192
swlog output socket <ip_address>
swlog appid all level info
swlog
### restrict services
### pubkey-auth requires a key stored in /flash/network/pub
ip service all admin-state disable
ip service ssh admin-state enable
ssh enforce-pubkey-auth enable
ip service snmp admin-state enable
ip service http admin-state enable
webview force-ssl enable
snmp security privacy all
### snmp fine-tuning
# adjust: AES and read-only only
snmp security authentication all
user snmp3 password <key> sha+des read-write all
aaa authentication snmp local
Trap support requires additional configuration:
snmp station 1.1.1.1 snmp3 v3 enable
snmp authentication-trap enable
### webview ssl cert replacement
/switch/wv-cert.pem
/switch/wv-key.pem
## storm protection
### multicast control
### see manual, unclear
### dhcp split, cpu priority
### anomaly detection
### see docs, can detect various misbehaviour, send a trap and disable the port
netsec group untrusted port 1/1-24
netsec group untrusted anomaly arp-flood state enable log enable trap enable quarantine enable count 1000 period 5
### dhcp snooping (access)
### trusted ports for the DHCP server
dhcp-snooping admin-state enable
dhcp-snooping binding admin-state enable
dhcp-snooping port 1/1/24 trust
### flood
### values must fit the baseline
interfaces flood-limit all
interfaces port 1/1/1 flood-limit bcast rate pps 244
interfaces port 1/1/1 flood-limit uucast rate pps 244
interfaces port 1/1/1 flood-limit uucast action trap
interfaces 1/1/4 flood-limit uucast action shutdown
### dos protection
ip dos anti-spoofing enable
### arp spoof
### limit how many MAC addresses per port
### relevant for regular ports
port-security port 1/1-2 maximum 1
port-security port 1/1-2 admin-state enable
port-security port 1/1-2 learn-trap-threshold 5
### stp root guard
spantree vlan port 2/1/1 root-guard enable
### LLDP global (everything except IP?)
lldp chassis tlv management port-description enable system-name enable system-description enable
lldp chassis tlv dot1 vlan-name enable port-vlan enable
lldp chassis tlv dot3 mac-phy enable
### LLDP Port
lldp chassis tlv management port-description enable system-name enable system-description enable
lldp chassis tlv management management-address enable system-capabilities enable
lldp chassis tlv dot1 vlan-name enable port-vlan enable
lldp chassis tlv dot3 mac-phy enable
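To check whether a switch actually carries the settings collected above, here is an added Python checker (my example, not part of this gist and not an ALE tool). It assumes the running config is exported as plain text in the CLI syntax shown above, treats the values from these notes as the baseline (lockout-threshold 5, only ssh/snmp/http enabled, SNMPv3 with AES and read-only), and runs over a constructed sample dump:

```python
import re
# Constructed checker (not an ALE tool): each entry is (finding id, regex that a
# hardened AOS 8 running-config must contain), taken from the notes above.
REQUIRED = [
    ("lockout-threshold", r"^user lockout-threshold \d+$"),
    ("audit-log", r"^command-log enable$"),
    ("remote-cmdlog", r"^swlog remote command-log enable$"),
    ("services-off", r"^ip service all admin-state disable$"),
    ("ssh-pubkey", r"^ssh enforce-pubkey-auth enable$"),
    ("webview-ssl", r"^webview force-ssl enable$"),
    ("snmp-priv", r"^snmp security privacy all$"),
    ("dhcp-snoop", r"^dhcp-snooping admin-state enable$"),
    ("anti-spoof", r"^ip dos anti-spoofing enable$"),
]
ALLOWED_SERVICES = {"ssh", "snmp", "http"}  # the only services the notes re-enable
MAX_LOCKOUT_THRESHOLD = 5                  # value used in the notes (assumed baseline)
# SNMPv3 user line as on the page; the note says it should become AES and read-only.
SNMP_USER = re.compile(r"^user \S+ password \S+ (\S+) (read-write|read-only) ")

def audit_config(text):
    """Return a sorted list of finding ids for a plain-text AOS 8 config dump."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]  # skip comments
    findings = set()
    for fid, pattern in REQUIRED:
        if not any(re.match(pattern, l) for l in lines):
            findings.add("missing:" + fid)
    for l in lines:
        m = re.match(r"^ip service (\S+) admin-state enable$", l)
        if m and m.group(1) not in ALLOWED_SERVICES:
            findings.add("service-enabled:" + m.group(1))
        m = re.match(r"^user lockout-threshold (\d+)$", l)
        if m and int(m.group(1)) > MAX_LOCKOUT_THRESHOLD:
            findings.add("lockout-threshold-too-high")
        m = SNMP_USER.match(l)
        if m and "des" in m.group(1).split("+"):
            findings.add("snmp-des")         # DES privacy, notes want AES
        if m and m.group(2) == "read-write":
            findings.add("snmp-read-write")  # notes want read-only
    return sorted(findings)
# Constructed sample config dump with several deviations from the notes.
SAMPLE_CONFIG = """\
user lockout-threshold 10
command-log enable
ip service all admin-state disable
ip service ssh admin-state enable
ip service telnet admin-state enable
user snmp3 password secret sha+des read-write all
"""
```

Feed it `show configuration snapshot` output saved to a file and diff the finding list between switches to spot the ones that drifted from the baseline.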
### flood autorecovery
interfaces 1/1/1 flood-limit bcast rate mbps 60 low-threshold 40
interfaces 1/1/4 flood-limit uucast rate mbps 100 low-threshold 40
interfaces 1/1/5 flood-limit mcast rate pps 2000 low-threshold 1000
### DDM (DOM, DDI) - sfp monitoring
interfaces ddm enable
interfaces ddm-trap enable
Industrial SFP+ transceiver module with DOM - Alcatel-Lucent iSFP-10G-SR-I
cu and sfp monitoring
### EPP
### should only be enabled when connection problems are observed
interfaces 1/1/49-52 epp enable
Only certain transceivers support enabling EPP. Additionally, depending on the revision of the OmniSwitch, there are port restrictions due to the power requirements of enabling EPP as shown in the table below
https://dokuwiki.alu4u.com/doku.php?id=omniswitch-6860-konfiguration-datatour-h1-2014
bluetooth! appmon!
bluetooth transmit-power high
just what is "DA-UNP"
issues with auto-fabric configuring it: https://www.alcatelunleashed.com/viewtopic.php?f=410&t=28227
"By using vNPs (virtual network profiles), virtual machines on different switch ports in the network can find the same environment settings (e.g. VLAN, QoS prioritisation, ACL security policies)."
virtual switch profiles? -> could the policy be kept smaller with these?
### OOB via USB NIC
https://dokuwiki.alu4u.com/doku.php?id=emp_out-of-band-management-omniswitch-oob
usb enable
dimension data validated design
BPDU guard against switches (also only on access ports)
not for now - because of unknown switches
increase log buffer
syslog destination
checklist
laptop, wireshark, ring buffer, first 100 bytes