STIGQter STIGQter: STIG Summary: HP FlexFabric Switch RTR Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 26 Feb 2016: The HP FlexFabric Switch must encrypt all methods of configured authentication for routing protocols.

DISA Rule

SV-80601r1_rule

Vulnerability Number

V-66111

Group Title

SRG-NET-000168-RTR-000077

Rule Version

HFFS-RT-000011

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to authenticate OSPFv3 packets:

[HP]ipsec transform-set jitcipsecprop
[HP-ipsec-transform-set-jitcipsecprop]
[HP-ipsec-transform-set-jitcipsecprop] ipsec transform-set jitcipsecprop
[HP-ipsec-transform-set-jitcipsecprop] encapsulation-mode transport
[HP-ipsec-transform-set-jitcipsecprop] esp encryption-algorithm aes-cbc-256
[HP-ipsec-transform-set-jitcipsecprop] esp authentication-algorithm sha1
[HP-ipsec-transform-set-jitcipsecprop] quit
[HP] ipsec profile jitc manual
[HP-ipsec-profile-manual-jitc]
[HP-ipsec-profile-manual-jitc] ipsec profile jitc manual
[HP-ipsec-profile-manual-jitc] transform-set jitcipsecprop
[HP-ipsec-profile-manual-jitc] sa spi inbound esp 256
[HP-ipsec-profile-manual-jitc] sa string-key inbound esp simple test123
[HP-ipsec-profile-manual-jitc] sa spi outbound esp 256
[HP-ipsec-profile-manual-jitc] sa string-key outbound esp simple test123
[HP-ipsec-profile-manual-jitc] quit
[HP] interface gigabitethernet 0/1
[HP--GigabitEthernet0/1] ospfv3 ipsec-profile jitc

Check Contents

Verify the HP FlexFabric Switch configuration to ensure that it is using a NIST validated FIPS 140-2 cryptography encryption mechanism by implementing OSPFv3 with IPsec.

[HP] display current-configuration interface

interface GigabitEthernet0/0
port link-mode route
description R1 ACTIVE
combo enable copper
ospfv3 200 area 0.0.0.0
ospfv3 ipsec-profile jitc
ipv6 address 2115:B:1::3E/126

If the routing protocol authentication mechanism is not a validated FIPS 140-2 cryptography, this is a finding.

Note: OSPFv3 requires IPsec to enable authentication using either the IPv6 Authentication Header (AH) or the Encapsulating Security Payload (ESP) header.

Vulnerability Number

V-66111

Documentable

False

Rule Version

HFFS-RT-000011

Severity Override Guidance

Verify the HP FlexFabric Switch configuration to ensure that it is using a NIST validated FIPS 140-2 cryptography encryption mechanism by implementing OSPFv3 with IPsec.

[HP] display current-configuration interface

interface GigabitEthernet0/0
port link-mode route
description R1 ACTIVE
combo enable copper
ospfv3 200 area 0.0.0.0
ospfv3 ipsec-profile jitc
ipv6 address 2115:B:1::3E/126

If the routing protocol authentication mechanism is not a validated FIPS 140-2 cryptography, this is a finding.

Note: OSPFv3 requires IPsec to enable authentication using either the IPv6 Authentication Header (AH) or the Encapsulating Security Payload (ESP) header.

Check Content Reference

M

Target Key

2979

Comments