Enhanced Hardening
AAA (Authentication, Authorization, Accounting)
The three terms refer to who is allowed to access which device (Authentication), what actions an authenticated user is allowed to perform (Authorization), and recording what actions they actually performed (Accounting).
Remote Authentication
For remote user authentication, different server types are supported; see Remote Server Settings - type.
In this case, a RADIUS server will be used. The login context tells the switch to use server 1 as the primary authentication method; however, it will fall back to built-in accounts for users that are not present on the server. Fallback also applies if the RADIUS server is not available. Specify encryption-type to encrypt traffic. If it is not specified, traffic will be unencrypted, which leaves it susceptible to attacks like packet sniffing, which can compromise credentials or allow for forged requests.
```
example:/config/aaa/#> remote-server 1
Creating new remote server 1
example:/config/aaa/remote-server-1/#> password RADiuSseCret
example:/config/aaa/remote-server-1/#> address 192.168.1.1
example:/config/aaa/remote-server-1/#> type radius
example:/config/aaa/remote-server-1/#> encryption-type peap-mschapv2
example:/config/aaa/remote-server-1/#> ca-cert servercertlabel
example:/config/aaa/remote-server-1/#> auth-port 1812
example:/config/aaa/remote-server-1/#> show
```
Remember "copy run start" to save to flash (NVRAM).
```
example:/#> copy run start
```
System requirements: Remote authentication server.
Reference: AAA | AAA - HowTo Centralized Authentication
Apply principle of least privilege
Least privilege is a security concept that authorizes access to a person or entity at the lowest privilege level necessary to perform authorized tasks. Many tasks do not require privileged level access, such as viewing status of network interfaces or reviewing routing tables.
To implement least privilege, administrators should assign a
suitable role to authorized users. An administrator’s role is critical
to securing the device and network from potential security issues.
Users should be carefully evaluated before being assigned the role
administrator on the device.
| Role | Privileges | Examples of permission |
|---|---|---|
| Administrator | Very high | Full access to audit logs and configuration, including security features |
| Engineer | High | Read access to audit logs, write access to most configuration, excluding security features |
| Operator | Medium | Read access to audit logs and configuration |
| Auditor | Low | Read access to audit logs and device status |
| Viewer | Very low | Access to device status |
| Guest | Very low | (Deprecated, replaced by Viewer) Access to device status |
```
example:/config/aaa/#> user alice
example:/config/aaa/user-alice/#> role viewer
example:/config/aaa/user-alice/#> show
```
Remember "copy run start" to save to flash (NVRAM).
```
example:/#> copy run start
```
Reference: AAA - Authorization-Levels | AAA - Restricted Users
Force password expiration
When a new user is added, it is recommended to change the password at
first login. This can be enforced when the initial password is set
with the expire flag. Consider enforcing password change at first
login or prior to login on the remote authentication server.
```
example:/config/aaa/#> user alice
example:/config/aaa/user-alice/#> password expire alg sha512 secret TemporaryPassword
example:/config/aaa/user-alice/#> show
```
Remember "copy run start" to save to flash (NVRAM).
```
example:/#> copy run start
```
Reference: AAA
Accounting
Accounting keeps records of relevant resources accessed or actions performed - who did what, when, and how. The detailed information creates a chain of events, which is the sequence of these logged activities over time. From a security perspective, this information is key for responding to a security incident. Auditable Events help to provide this information (see Auditable Events for detailed information and support).
By default audit logging is enabled and can be displayed with:
```
example:/audit/#> show
```
Reference: Auditable Events
Remote logging and monitoring
Time management
Network Time Protocol (NTP) is used to synchronize device clocks globally, ensuring that log message timestamps are accurate. Accurate timestamps are essential for investigating a security incident and correlating logs across multiple devices or timezones. Apart from being important for logging purposes, another example of where accurate time is required is the validation of certificates. To maintain reliable timekeeping, each device should connect to at least two trusted time sources to ensure the accuracy and availability of the provided information. Internal time servers should be used as the primary source for all devices, and should themselves synchronize with trusted external sources. This reduces the number of external requests and ensures that local timestamps stay synchronized even if an external time server is unreachable.
```
example:/config/ntp/#> peer 10.5.8.1
example:/config/ntp/#> peer 10.5.8.2
example:/config/ntp/#> show
```
Remember "copy run start" to save to flash (NVRAM).
```
example:/#> copy run start
```
System requirements: Time server.
Reference: Network Time Protocol - NTP
Centralized remote logging
Once auditable events have been generated, they must be processed and stored for further analysis. Remote sinks should be used to transfer (audit) logs for centralized archiving and analysis. It is vital to transfer auditable events as soon as possible, and to at least two different external sinks to ensure availability. Centralized storage opens up a new set of possibilities, since more storage and processing power are available there. If actively monitored and evaluated, it provides the opportunity to detect unusual activities, which can be responded to before they lead to a serious security incident. For setting up remote sinks for Auditable Events, see the Logging to Remote Machines HowTo and the Transmitting Auditable Events to Remote Machines HowTo. As the destination transport protocol, use TLS. If TLS is not used, data between the client and server will not be encrypted, making it vulnerable to interception.
```
example:/config/logging/destination-example/#> transport tls
```
System requirements: Logging server
Reference: Auditable Events | Auditable Events - HowTo Transmitting to Remote Machines
Monitoring via SNMP
SNMP is used for network management and network monitoring. It enables proactive monitoring of network device health and performance, helping to detect anomalies, prevent security breaches, and ensure the availability of critical systems.
SNMPv2 read-write community strings are sent in clear text, making them vulnerable to interception. If SNMPv2 write is configured, the intercepted information can be used by an adversary to gain control of the device. It is recommended to remove all SNMP read-write community strings and upgrade to SNMPv3 with encryption and authentication. If SNMPv2 read-write community strings are required for remote administration and cannot be removed, use unique and strong community strings to make them harder to guess from intercepted information.
Disable SNMPv2.
```
example:/config/management/snmp/#> no rocommunity
example:/config/management/snmp/#> no rwcommunity
```
Create a read only SNMPv3 user, verify and save to startup configuration.
```
example:/config/management/snmp/#> rouser USER auth sha512 AUTHPASSWORD crypto aes256 CRYPTOPASSWORD 1
example:/config/management/snmp/#> show
```
Remember "copy run start" to save to flash (NVRAM).
```
example:/#> copy run start
```
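To see on the wire what the upgrade above changes, here is an added example (not WeOS code) that decodes the BER header of a captured SNMP message and reports whether it carries a clear-text community string or, for SNMPv3, which security level its msgFlags request. Both sample packets are constructed by hand for this example; the v3 one is truncated after msgGlobalData, which is all the check needs.

```python
# Constructed SNMPv2c GetRequest for sysDescr.0 with community "public".
SAMPLE_V2C = bytes.fromhex(
    "3026020101" "04067075626c6963"
    "a019020101020100020100300e300c06082b060102010101000500")
# Constructed SNMPv3 message header: version 3, msgGlobalData with msgFlags 0x03.
SAMPLE_V3 = bytes.fromhex("3016020103" "3011020400000001020300ffe3040103020103")

def _tlv(buf: bytes, pos: int):
    """Read one BER TLV (short or long definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_snmp(packet: bytes) -> dict:
    """Classify an SNMP message by version and, for v3, by requested security level."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE; not an SNMP message")
    tag, ver, pos = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing SNMP version field")
    version = int.from_bytes(ver, "big")    # 0 = v1, 1 = v2c, 3 = v3
    if version in (0, 1):
        tag, community, _ = _tlv(msg, pos)  # OCTET STRING sent in the clear
        return {"version": "v1" if version == 0 else "v2c",
                "cleartext_community": True, "community_len": len(community),
                "finding": "clear-text community string on the wire"}
    if version == 3:
        _, gdata, _ = _tlv(msg, pos)        # msgGlobalData SEQUENCE
        p = 0
        for _ in range(2):                  # skip msgID and msgMaxSize
            _, _, p = _tlv(gdata, p)
        _, flags, _ = _tlv(gdata, p)        # msgFlags: bit0 = auth, bit1 = priv
        auth, priv = bool(flags[0] & 1), bool(flags[0] & 2)
        level = "authPriv" if auth and priv else "authNoPriv" if auth else "noAuthNoPriv"
        return {"version": "v3", "cleartext_community": False, "security_level": level,
                "finding": "ok" if level == "authPriv"
                else "SNMPv3 without encryption and/or authentication"}
    raise ValueError(f"unexpected SNMP version {version}")

if __name__ == "__main__":
    for name, pkt in (("v2c sample", SAMPLE_V2C), ("v3 sample", SAMPLE_V3)):
        print(name, classify_snmp(pkt))
```

The `rouser ... auth sha512 ... crypto aes256 ...` line in the procedure above is what makes a manager send authPriv messages, which is the only case this check reports as "ok".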
System requirements: SNMP manager
Reference: SNMP
Port Network Access Control
802.1X
To gain internal network access, an adversary must either find a way through the external perimeter or gain access from inside the network. Port Network Access Control (PNAC) helps block unauthorized devices from connecting physically to the network.
The risk of unauthorized devices connecting to the internal network can be mitigated with multiple protections, which together create a strong defense-in-depth. These could include:
- Where possible, disable unused ports; this should be the first choice
- Implement physical access protections (see Product Security Guide for further information)
- For connected devices and dynamic scenarios such as a road-warrior scenario, 802.1X can be used where it is applicable
- Monitor auditable events for link up and link down
Not all devices are 802.1X capable. To mitigate this, the device supports both 802.1X and MAC Authentication: for legacy devices that are not 802.1X capable, MAC Authentication can be used. However, 802.1X is preferred over MAC Authentication, since MAC Authentication can be bypassed with MAC spoofing. Note that a MAC address is commonly printed on most devices.
Note that WeOS requires an external RADIUS server to authenticate the 802.1X supplicant; see Remote Authentication.
```
example:/config/port-access/#> port eth1..eth4
example:/config/port-access/#> dot1x
example:/config/port-access/dot1x/#> authentication-server 1
example:/#> show port-access
```
Remember "copy run start" to save to flash (NVRAM).
```
example:/#> copy run start
```
System requirements: Remote authentication server
Reference: Port Access Control
Port monitoring
Port monitoring is typically used for connecting an NIDS, diagnosing a problem, or using a network analyzer to monitor the network.
An adversary connected to the destination port will be able to collect all network traffic sent through the source ports. Therefore, the environmental risks of a permanent setup, for example an NIDS, should be considered. Port monitoring should only be enabled on those ports where it is necessary, and all instances should be disabled once they are no longer needed.
```
example:/config/monitor-1/#> source port eth1
example:/config/monitor-1/#> destination eth3
example:/#> show monitor
```
Remember "copy run start" to save to flash (NVRAM).
```
example:/#> copy run start
```
Reference: Port Monitor
VPN and Tunnels
Not all network protocols provide built-in features for integrity, authentication, and confidentiality. While this may be acceptable within a local conduit, it becomes critical when data is transmitted between conduits.
To ensure secure communication across different sites or when accessing remote areas via the internet, it is essential to use VPNs or secure tunnels. These technologies offer network-to-network protection and should always be strongly considered when:
- Communicating between geographically separated sites
- Transmitting data over public networks such as the internet
- Accessing hard-to-reach remote locations
By using VPNs and tunnels, organizations can maintain the confidentiality and integrity of their data across distributed environments.
For OpenVPN, consider the following options: tls-version-min should use TLS 1.3, or TLS 1.2 as the lowest acceptable version. Versions lower than TLS 1.2 are considered weak and should be avoided. data-ciphers-fallback should be disabled, since it includes known weak ciphers.
For further reading and configuration examples, see OpenVPN and IPsec.
System requirements: Supported Server/Client.
Reference: OpenVPN | IPsec
Public Key Infrastructure
Simple Certificate Enrollment Protocol (SCEP) and Certificate Revocation Lists (CRL) are designed for simplifying and automating the process of certificate issuance and management within a Public Key Infrastructure (PKI) environment. If SCEP is not applicable for the use-case, certificates can be uploaded to the device manually.
Revocation Policy support varies between the services that are integrated with SCEP (see the configuration guide for exact support). Revocation Policies have been implemented to give the option to balance security and availability based on operational needs. relaxed is a good option for balancing availability and security; for example, it allows a VPN tunnel to remain up even if the CRL could not be downloaded in time, which can be useful in hard-to-reach remote areas. However, the risk associated with each option should be carefully considered, and the option selected per use-case.
Selectable Revocation Policies:
- disabled - Revocation check is disabled (default)
- relaxed - Revocation check is enabled, reject if certificate is revoked
- strict - Revocation check is enabled, reject if CRL is not present, revoked, outdated or fails signature check
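The three policies as a decision function, added here as an example (not WeOS code) to show exactly which CRL outcomes each policy tolerates. It assumes that a CRL failing its signature check carries no trustworthy revocation verdict, and the `CrlState` fields are this example's own names for the checks the device performs.

```python
from dataclasses import dataclass

@dataclass
class CrlState:
    """Constructed summary of one CRL lookup; field names are this example's own."""
    present: bool        # a CRL was downloaded or found in the local cache
    signature_ok: bool   # the CRL signature verified against the issuing CA
    outdated: bool       # nextUpdate lies in the past (depends on correct device time)
    cert_revoked: bool   # the peer certificate's serial appears in the CRL

POLICIES = ("disabled", "relaxed", "strict")

def accept_peer(policy: str, crl: CrlState) -> bool:
    """Return True if the peer certificate passes the revocation check under `policy`."""
    if policy not in POLICIES:
        raise ValueError(f"unknown revocation policy: {policy}")
    if policy == "disabled":
        return True                      # no check at all (default)
    # Assumption: a revocation verdict is only trusted when a CRL was obtained and
    # its signature verified; an unverifiable CRL says nothing about the peer.
    verified_revoked = crl.present and crl.signature_ok and crl.cert_revoked
    if policy == "strict":
        # A missing, unverifiable or stale CRL is a hard reject, as is revocation.
        if not crl.present or not crl.signature_ok or crl.outdated:
            return False
        return not verified_revoked
    # relaxed: only a verified revocation rejects; a missing or stale CRL keeps
    # the service (e.g. a VPN tunnel) up at the cost of weaker assurance.
    return not verified_revoked

def compare_policies(crl: CrlState) -> dict:
    """Evaluate one CRL state under every policy to show where they diverge."""
    return {p: accept_peer(p, crl) for p in POLICIES}

if __name__ == "__main__":
    scenarios = {  # constructed cases
        "CRL unreachable": CrlState(False, False, False, False),
        "CRL stale, cert not listed": CrlState(True, True, True, False),
        "CRL verified, cert revoked": CrlState(True, True, False, True),
        "CRL verified and current": CrlState(True, True, False, False),
    }
    for name, state in scenarios.items():
        print(f"{name:28} {compare_policies(state)}")
```

The "CRL stale" case is the one an incorrect device clock produces, since an otherwise valid CRL is judged outdated against the device's own time.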
Certificates have defined start and end dates ("valid from" and "expires on"). If the time of the device is incorrect, it might see a valid certificate as expired or not yet valid, which may lead to disruption in the related service. It is therefore important to have an accurate time; see Time management.
For enrollment, it is recommended that the challengePassword is a unique one-time authenticator, to limit the ability of an attacker who can capture the authenticator from the client or CA to reuse it to request further certificates. For further reading, see RFC 8894.
System requirements: Certificate Authority (RA/CA) server.
Reference: SCEP | Revocation