Extreme Networks offers universal hardware with dual boot: the switches can boot either in Fabric Engine mode (formerly VOSS, from the Avaya era) or in Switch Engine mode (formerly EXOS). The following commands were validated on Fabric Engine 9.1.0.0 and Switch Engine 33.1.1.31.
1. RSA key size
The RSA host-key size is (unfortunately) limited to 2048 bits on both operating systems.
2. Host-key algorithms
On Fabric Engine (VOSS), you are limited to ssh-rsa.
On Switch Engine (EXOS), you can use rsa-sha2-512 for your host key with the following command
configure ssh2 key algorithm rsa-sha2-512
3. KEX algorithms
On Fabric Engine
no ssh key-exchange-method diffie-hellman-group14-sha1
On Switch Engine
configure ssh2 dh-group minimum 16
4. Ciphers
4.1 Fabric Engine
no ssh encryption-type 3des-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type rijndael192-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes128-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type aes256-cbc
4.2 Switch Engine
The following command removes the algorithms ssh-audit flags as unwanted (chacha20-poly1305@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com): the ChaCha20 cipher and the encrypt-then-MAC MACs that the Terrapin prefix-truncation attack targets when strict key exchange is not negotiated
configure ssh2 secure-mode on
To remove a specific algorithm, use
configure ssh2 disable cipher <cipher>
5. MAC algorithms
On Fabric Engine
no ssh authentication-type hmac-sha1
On Switch Engine
configure ssh2 disable mac hmac-sha1
6. Common Criteria
Based on the Common Criteria (CC) guidance document for this vendor, the following recommendations also apply to Fabric Engine
no ssh encryption-type AES192-CTR
no ssh authentication-type aead-aes-128-gcm-ssh
no ssh authentication-type aead-aes-256-gcm-ssh
no ssh key-exchange-method diffie-hellman-group-exchange-sha256
no ssh key-exchange-method diffie-hellman-group14-sha256
no ssh key-exchange-method diffie-hellman-group16-sha512
no ssh key-exchange-method diffie-hellman-group18-sha512
---> This contradicts the ssh-audit script: combined with the removal of diffie-hellman-group14-sha1 in section 3, no key-exchange method would be left and SSH access would break. You will have to choose between the vendor-specific CC recommendations (possibly outdated) and the script's recommendations; the block in section 8 keeps diffie-hellman-group18-sha512 enabled so that at least one key-exchange method remains.
7. Rekey
As an extra step towards security you can configure rekeying (below: after 1 GB of data or 1 hour, whichever comes first; the values express the same limits in each OS's units). For Fabric Engine
no ssh
ssh rekey data-limit 1
ssh rekey time-interval 1
ssh
ssh rekey enable
For Switch Engine
configure ssh2 rekey data-limit 1024
configure ssh2 rekey time-interval 60
8. Copy-paste blocks
For Fabric Engine, following the ssh-audit and Common Criteria recommendations as far as they can be combined (diffie-hellman-group18-sha512 is kept so that one key-exchange method remains)
no ssh
no ssh authentication-type hmac-sha1
no ssh encryption-type 3des-cbc
no ssh encryption-type rijndael128-cbc
no ssh encryption-type rijndael192-cbc
no ssh encryption-type blowfish-cbc
no ssh encryption-type aes128-cbc
no ssh encryption-type aes192-cbc
no ssh encryption-type aes256-cbc
no ssh key-exchange-method diffie-hellman-group14-sha1
no ssh dsa-auth
no ssh encryption-type AES192-CTR
no ssh authentication-type aead-aes-128-gcm-ssh
no ssh authentication-type aead-aes-256-gcm-ssh
no ssh key-exchange-method diffie-hellman-group-exchange-sha256
no ssh key-exchange-method diffie-hellman-group14-sha256
no ssh key-exchange-method diffie-hellman-group16-sha512
ssh rekey data-limit 1
ssh rekey time-interval 1
ssh
ssh rekey enable
save configuration
For Switch Engine
configure ssh2 dh-group minimum 16
configure ssh2 secure-mode on
configure ssh2 disable mac hmac-sha1
configure ssh2 disable pk-alg ssh-dss
configure ssh2 rekey data-limit 1024
configure ssh2 rekey time-interval 60
save configuration
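To verify what a switch really advertises before and after pasting the blocks above, here is an added example (written for this page; it is neither the page's own material nor an Extreme Networks or ssh-audit tool). It parses the unencrypted SSH_MSG_KEXINIT packet a server sends at the start of every connection, which is what ssh-audit reads, and prints the Fabric Engine or Switch Engine commands from sections 3 to 5 that are still needed for each weak algorithm it finds. The weakness rules generalise the names on this page to any SHA-1 key exchange, CBC or legacy cipher, SHA-1/MD5 MAC and DSA host key, which is an assumption of mine; the sample KEXINIT is constructed for the example with an all-zero cookie, not a capture from a real switch; fetch_kexinit() and its host argument are mine and need a reachable switch; host-key algorithms, rekeying and the Common Criteria removals are not covered.

```python
import re
import socket
import struct

SSH_MSG_KEXINIT = 20
# Name-list order inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
NAME_LIST_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Weakness rules (assumption: generalise the names disabled on this page to any
# SHA-1 key exchange, CBC/legacy cipher, SHA-1 or MD5 MAC, and DSA host key).
WEAK = {
    "kex": re.compile(r"(-sha1$|group1-)"),
    "enc": re.compile(r"(-cbc$|^3des|^blowfish|^arcfour|^rijndael)"),
    "mac": re.compile(r"(sha1|md5)"),
    "hostkey": re.compile(r"^ssh-dss$"),
}

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 1 + 16, {}                       # skip message id and 16-byte cookie
    for name in NAME_LIST_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list %s" % name)
        pos += 4 + length
        fields[name] = [a.decode("ascii") for a in raw.split(b",") if a]
    return fields

def build_kexinit(fields: dict) -> bytes:
    """Encode name-lists into a KEXINIT payload (used to construct the sample below)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # all-zero cookie: sample data, not a real nonce
    for name in NAME_LIST_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"      # first_kex_packet_follows=FALSE, reserved

def weak_algorithms(fields: dict) -> dict:
    """Offered algorithms that match the weakness rules, per category, sorted."""
    offered = {"kex": fields["kex"], "hostkey": fields["hostkey"],
               "enc": fields["enc_c2s"] + fields["enc_s2c"],
               "mac": fields["mac_c2s"] + fields["mac_s2c"]}
    return {cat: sorted({a for a in algs if WEAK[cat].search(a)}) for cat, algs in offered.items()}

def remediation(fields: dict, engine: str) -> list:
    """CLI lines from this page still needed on 'fabric' or 'switch' for what is offered.
    Fabric Engine lines still go inside the 'no ssh' ... 'ssh' wrapper shown on the page;
    rekeying and the Common Criteria removals are out of scope here."""
    weak, cmds = weak_algorithms(fields), []
    if engine == "fabric":
        cmds += ["no ssh key-exchange-method %s" % a for a in weak["kex"]]
        cmds += ["no ssh encryption-type %s" % a for a in weak["enc"]]
        cmds += ["no ssh authentication-type %s" % a for a in weak["mac"]]
        if weak["hostkey"]:
            cmds.append("no ssh dsa-auth")
    elif engine == "switch":
        if weak["kex"]:                    # the page raises the DH group floor instead of naming groups
            cmds.append("configure ssh2 dh-group minimum 16")
        cmds += ["configure ssh2 disable cipher %s" % a for a in weak["enc"]]
        cmds += ["configure ssh2 disable mac %s" % a for a in weak["mac"]]
        if weak["hostkey"]:
            cmds.append("configure ssh2 disable pk-alg ssh-dss")
    else:
        raise ValueError("engine must be 'fabric' or 'switch'")
    return cmds

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the server's KEXINIT from a live switch (network required; host is your own target)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        while True:                        # a server may send banner lines before its "SSH-" line
            line = stream.readline()
            if not line:
                raise ConnectionError("no identification string received")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        (packet_len,) = struct.unpack(">I", stream.read(4))   # binary packet, RFC 4253 section 6
        padding_len = stream.read(1)[0]    # first packet is unencrypted and carries no MAC yet
        payload = stream.read(packet_len - padding_len - 1)
        stream.read(padding_len)
        return payload

# Constructed sample: what an un-hardened switch might offer (not a capture from a real device).
SAMPLE_BEFORE = build_kexinit({
    "kex": ["diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "enc_c2s": ["aes256-ctr", "aes128-ctr", "aes256-cbc", "3des-cbc"],
    "enc_s2c": ["aes256-ctr", "aes128-ctr", "aes256-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    import sys
    payload = fetch_kexinit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BEFORE
    for engine in ("fabric", "switch"):
        print("\n".join(remediation(parse_kexinit(payload), engine)) or "# %s: nothing to do" % engine)
```

Run it without arguments to see the commands derived from the sample, or with a switch address as the only argument to probe a real device; an empty result for both engines means nothing matching the rules is offered. On the sample, the Fabric Engine output is the five "no ssh ..." lines for group14-sha1, 3des-cbc, aes256-cbc, hmac-sha1 and DSA, and the Switch Engine output is the matching five "configure ssh2 ..." lines. The probe only reads the first packet and never starts a key exchange, so it leaves no authentication attempt in the switch log.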