STIGQter: STIG Summary: HP FlexFabric Switch NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020:

Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

DISA Rule

SV-80749r1_rule

Vulnerability Number

V-66259

Group Title

SRG-APP-000411-NDM-000330

Rule Version

HFFS-ND-000116

Severity

CAT II

CCI(s)

• CCI-002890 - The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Generate local RSA key pairs on the SSH server:
[HP] public-key local create rsa Enable the SSH server function:

[HP] ssh server enable
Enable the SFTP server function:
[HP] sftp server enable

Configure the user interfaces for SSH clients:

[HP] user-interface vty 0 63
[HP-ui-vty0-63] authentication-mode scheme

Configure a local device management user, assign password and enable service-type SSH:

[HP] local-user admin
[HP-luser-admin] password simple xxxxxxxx
[HP-luser-admin] service-type ssh

Check Contents

Determine if the HP FlexFabric Switch implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

[HP]display ssh server status

SSH server: Enable
SSH version : 2.0
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH authentication retries : 3 time(s)
SFTP server: Enable
SFTP Server Idle-Timeout: 10 minute(s)
Netconf server: Disable

[HP] display current | i sftp
sftp server enable

If SSH and SFTP protocols are not configured for nonlocal device maintenance , this is a finding.

Vulnerability Number

V-66259

Documentable

False

Rule Version

HFFS-ND-000116

Severity Override Guidance

Determine if the HP FlexFabric Switch implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

[HP]display ssh server status

SSH server: Enable
SSH version : 2.0
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH authentication retries : 3 time(s)
SFTP server: Enable
SFTP Server Idle-Timeout: 10 minute(s)
Netconf server: Disable

[HP] display current | i sftp
sftp server enable

If SSH and SFTP protocols are not configured for nonlocal device maintenance , this is a finding.

Check Content Reference

M

Target Key

2971

Comments