STIGQter STIGQter: STIG Summary: HP FlexFabric Switch NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020:

Applications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

DISA Rule

SV-80751r1_rule

Vulnerability Number

V-66261

Group Title

SRG-APP-000412-NDM-000331

Rule Version

HFFS-ND-000117

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

Generate local RSA key pairs on the SSH server:

[HP] public-key local create rsa
Enable the SSH server function:
[HP] ssh server enable

Enable the SFTP server function:

[HP] sftp server enable

Configure the user interfaces for SSH clients:

[HP] user-interface vty 0 63
[HP-ui-vty0-63] authentication-mode scheme

Configure a local device management user, assign password and enable service-type SSH:

[HP] local-user admin
[HP-luser-admin] password simple xxxxxx
[HP-luser-admin] service-type ssh

Check Contents

Determine if the HP FlexFabric Switch implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

[HP] display ssh server status

SSH server: Enable
SSH version : 2.0
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH authentication retries : 3 time(s)
SFTP server: Enable
SFTP Server Idle-Timeout: 10 minute(s)
Netconf server: Disable

[HP] display current | i sftp
sftp server enable

If SSH and SFTP protocols are not configured for nonlocal device maintenance , this is a finding.

Vulnerability Number

V-66261

Documentable

False

Rule Version

HFFS-ND-000117

Severity Override Guidance

Determine if the HP FlexFabric Switch implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

[HP] display ssh server status

SSH server: Enable
SSH version : 2.0
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH authentication retries : 3 time(s)
SFTP server: Enable
SFTP Server Idle-Timeout: 10 minute(s)
Netconf server: Disable

[HP] display current | i sftp
sftp server enable

If SSH and SFTP protocols are not configured for nonlocal device maintenance , this is a finding.

Check Content Reference

M

Target Key

2971

Comments