From ecc123444b6108e6cf6ef381276f17e25d1c8e49 Mon Sep 17 00:00:00 2001 From: yjosier Date: Wed, 9 Apr 2025 21:19:25 +0200 Subject: [PATCH] Adding how-to for Extreme Networks switches --- ...works-(Fabric-Engine-and-Switch-Engine).md | 115 ++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 Extreme-Networks-(Fabric-Engine-and-Switch-Engine).md diff --git a/Extreme-Networks-(Fabric-Engine-and-Switch-Engine).md b/Extreme-Networks-(Fabric-Engine-and-Switch-Engine).md new file mode 100644 index 0000000..fb29da3 --- /dev/null +++ b/Extreme-Networks-(Fabric-Engine-and-Switch-Engine).md 
@@ -0,0 +1,115 @@ +Extreme Networks offers universal hardware with dual boot. The switches can either boot in Fabric Engine mode (ex VOSS from Avaya era) or Switch Engine mode (ex EXOS). +The following commands were validated with Fabric Engine 9.1.0.0 and Switch Engine 33.1.1.31 + +# 1. RSA key size +Key size is (unfortunately) limited to 2048 on both OS. + +# 2. Host-key algorithms +On Fabric Engine (VOSS), you are limited to ssh-rsa. + +On Switch Engine (EXOS), you can use rsa-sha2-512 for your host key with the following command + + configure ssh2 key algorithm rsa-sha2-512 + +# 3. KEX algorithms +On Fabric Engine + + no ssh key-exchange-method diffie-hellman-group14-sha1 + +On Switch Engine + + configure ssh2 dh-group minimum 16 + +# 4. Ciphers +## 4.1 Fabric Engine + no ssh encryption-type 3des-cbc + no ssh encryption-type rijndael128-cbc + no ssh encryption-type rijndael192-cbc + no ssh encryption-type blowfish-cbc + no ssh encryption-type 3des-cbc + no ssh encryption-type aes128-cbc + no ssh encryption-type aes192-cbc + no ssh encryption-type aes256-cbc + +## 4.2 Switch Engine +The following command removes unwanted algorithms (chacha20-poly1305@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com) + + configure ssh2 secure-mode on + +To remove a specific algorithm, use + + configure ssh2 disable cipher + +# 5. MAC algorithms +On Fabric Engine + + no ssh authentication-type hmac-sha1 + +On Switch Engine + + configure ssh2 disable mac hmac-sha1 + +# 6. 
Common Criteria +Based on CC document for this specific vendor, the following recommendations also apply for Fabric Engine + + no ssh encryption-type AES192-CTR + no ssh authentication-type aead-aes-128-gcm-ssh + no ssh authentication-type aead-aes-256-gcm-ssh + no ssh key-exchange-method diffie-hellman-group-exchange-sha256 + no ssh key-exchange-method diffie-hellman-group14-sha256 + no ssh key-exchange-method diffie-hellman-group16-sha512 + no ssh key-exchange-method diffie-hellman-group18-sha512 + +---> This is in contradiction with the script as no more KEX algorithms would be available. You will have to chose between vendor-specific CC (outdated ?) recommendations and the script recommendations. + +# 7. Rekey +As an extra step towards security you could configure rekey (Below for 1GB and 1 hour, whichever comes first) +For Fabric Engine + + no ssh + ssh rekey data-limit 1 + ssh rekey time-interval 1 + ssh + ssh rekey enable + +For Switch Engine + + configure ssh2 rekey data-limit 1024 + configure ssh2 rekey time-interval 60 + +# 8. 
Dummy copy-pasting +For Fabric Engine, following ssh-audit and Common Criteria recommendations at most + + no ssh + no ssh authentication-type hmac-sha1 + no ssh encryption-type 3des-cbc + no ssh encryption-type rijndael128-cbc + no ssh encryption-type rijndael192-cbc + no ssh encryption-type blowfish-cbc + no ssh encryption-type 3des-cbc + no ssh encryption-type aes128-cbc + no ssh encryption-type aes192-cbc + no ssh encryption-type aes256-cbc + no ssh key-exchange-method diffie-hellman-group14-sha1 + no ssh dsa-auth + no ssh encryption-type AES192-CTR + no ssh authentication-type aead-aes-128-gcm-ssh + no ssh authentication-type aead-aes-256-gcm-ssh + no ssh key-exchange-method diffie-hellman-group-exchange-sha256 + no ssh key-exchange-method diffie-hellman-group14-sha256 + no ssh key-exchange-method diffie-hellman-group16-sha512 + ssh rekey data-limit 1 + ssh rekey time-interval 1 + ssh + ssh rekey enable + save configuration + +For Switch Engine + + configure ssh2 dh-group minimum 16 + configure ssh2 secure-mode on + configure ssh2 disable mac hmac-sha1 + configure ssh2 disable pk-alg ssh-dss + configure ssh2 rekey data-limit 1024 + configure ssh2 rekey time-interval 60 + save configuration \ No newline at end of file
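Review bot: in section 4.2 the line `configure ssh2 disable cipher` is missing its argument, so anyone pasting it gets a syntax error; write it as `configure ssh2 disable cipher <cipher-name>`, or drop it since secure-mode already removes the algorithms listed just above (and note that the etm entries in that list are MACs, not ciphers, so they belong under section 5). Also: the 3des-cbc line is duplicated in both section 4.1 and the Fabric Engine block of section 8; the section 8 Fabric Engine block quietly omits `no ssh key-exchange-method diffie-hellman-group18-sha512`, which is exactly how it avoids the "no KEX left" contradiction flagged in section 6, but nothing says so and a reader will likely "fix" it unless a sentence explains that one KEX is intentionally kept; the dsa-auth and ssh-dss lines appear only in section 8 with no section introducing them; the Fabric Engine rekey blocks in sections 7 and 8 start with `no ssh`, which tears down the SSH service and therefore the session the admin is probably configuring from, so tell the reader to run them from the console or out-of-band; and the rekey values (1/1 for Fabric Engine, 1024/60 for Switch Engine) should state their units, since the prose only says "1GB and 1 hour". Minor: "chose" should be "choose", the sentence listing validated versions lacks a full stop, and the file has no trailing newline.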