Adding how-to for Extreme Networks switches

Extreme-Networks-(Fabric-Engine-and-Switch-Engine).md

@@ -0,0 +1,115 @@
+Extreme Networks offers universal hardware with dual boot. The switches can either boot in Fabric Engine mode (ex VOSS from Avaya era) or Switch Engine mode (ex EXOS).
+The following commands were validated with Fabric Engine 9.1.0.0 and Switch Engine 33.1.1.31
+
+# 1. RSA key size
+Key size is (unfortunately) limited to 2048 on both OS.
+
+# 2. Host-key algorithms
+On Fabric Engine (VOSS), you are limited to ssh-rsa.
+
+On Switch Engine (EXOS), you can use rsa-sha2-512 for your host key with the following command
+
+    configure ssh2 key algorithm rsa-sha2-512
+
+# 3. KEX algorithms
+On Fabric Engine
+
+    no ssh key-exchange-method diffie-hellman-group14-sha1
+
+On Switch Engine
+
+    configure ssh2 dh-group minimum 16
+
+# 4. Ciphers
+## 4.1 Fabric Engine
+    no ssh encryption-type 3des-cbc
+    no ssh encryption-type rijndael128-cbc
+    no ssh encryption-type rijndael192-cbc
+    no ssh encryption-type blowfish-cbc
+    no ssh encryption-type 3des-cbc
+    no ssh encryption-type aes128-cbc
+    no ssh encryption-type aes192-cbc
+    no ssh encryption-type aes256-cbc
+
+## 4.2 Switch Engine 
+The following command removes unwanted algorithms (chacha20-poly1305@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com)
+
+    configure ssh2 secure-mode on
+
+To remove a specific algorithm, use
+
+    configure ssh2 disable cipher <cipher>
+
+# 5. MAC algorithms
+On Fabric Engine
+
+    no ssh authentication-type hmac-sha1
+
+On Switch Engine
+
+    configure ssh2 disable mac hmac-sha1
+
+# 6. Common Criteria
+Based on CC document for this specific vendor, the following recommendations also apply for Fabric Engine
+
+    no ssh encryption-type AES192-CTR
+    no ssh authentication-type aead-aes-128-gcm-ssh
+    no ssh authentication-type aead-aes-256-gcm-ssh
+    no ssh key-exchange-method diffie-hellman-group-exchange-sha256
+    no ssh key-exchange-method diffie-hellman-group14-sha256
+    no ssh key-exchange-method diffie-hellman-group16-sha512
+    no ssh key-exchange-method diffie-hellman-group18-sha512
+
+---> This is in contradiction with the script as no more KEX algorithms would be available. You will have to chose between vendor-specific CC (outdated ?) recommendations and the script recommendations.
+
+# 7. Rekey
+As an extra step towards security you could configure rekey (Below for 1GB and 1 hour, whichever comes first)
+For Fabric Engine
+
+    no ssh
+    ssh rekey data-limit 1
+    ssh rekey time-interval 1
+    ssh
+    ssh rekey enable
+
+For Switch Engine
+
+    configure ssh2 rekey data-limit 1024
+    configure ssh2 rekey time-interval 60
+
+# 8. Dummy copy-pasting
+For Fabric Engine, following ssh-audit and Common Criteria recommendations at most
+
+    no ssh
+    no ssh authentication-type hmac-sha1
+    no ssh encryption-type 3des-cbc
+    no ssh encryption-type rijndael128-cbc
+    no ssh encryption-type rijndael192-cbc
+    no ssh encryption-type blowfish-cbc
+    no ssh encryption-type 3des-cbc
+    no ssh encryption-type aes128-cbc
+    no ssh encryption-type aes192-cbc
+    no ssh encryption-type aes256-cbc
+    no ssh key-exchange-method diffie-hellman-group14-sha1
+    no ssh dsa-auth
+    no ssh encryption-type AES192-CTR
+    no ssh authentication-type aead-aes-128-gcm-ssh
+    no ssh authentication-type aead-aes-256-gcm-ssh
+    no ssh key-exchange-method diffie-hellman-group-exchange-sha256
+    no ssh key-exchange-method diffie-hellman-group14-sha256
+    no ssh key-exchange-method diffie-hellman-group16-sha512
+    ssh rekey data-limit 1
+    ssh rekey time-interval 1
+    ssh
+    ssh rekey enable
+    save configuration
+
+For Switch Engine
+
+    configure ssh2 dh-group minimum 16
+    configure ssh2 secure-mode on
+    configure ssh2 disable mac hmac-sha1
+    configure ssh2 disable pk-alg ssh-dss
+    configure ssh2 rekey data-limit 1024
+    configure ssh2 rekey time-interval 60
+    save configuration