
Our switch systems, by default, work with NIST SP 800-131A, as described in the table below. 

This appendix describes how to enhance the security of a system so that it complies with the NIST SP 800-131A standard, a document which defines cryptographically “acceptable” technologies. It explains how to protect against possible cryptographic vulnerabilities in the system by using secure methods. Because of compatibility issues, this security state is not the system default and must be set manually.

Some protocols, however, cannot be operated in a manner that complies with the NIST SP 800-131A standard.

Protocol   Default                                                Command
HTTP       HTTP disabled                                          no web http enable
HTTPS      HTTPS enabled                                          no web https enable
           SSL ciphers = TLS1.2                                   web https ssl ciphers all
           SSL renegotiation disabled                             web https ssl renegotiation enable
SSH        SSH version = 2                                        ssh server min-version 1
           SSH ciphers = aes256-ctr, aes192-ctr, aes128-ctr, ...  no ssh server security strict

Code Signing

Code signing is used to verify that the data in the image has not been modified by any third party. The operating system supports signing image files with SHA256 and RSA2048 using GnuPG.

By default, the SSH server on the gateway uses only secure ciphers, message authentication codes (MACs), key exchange methods, and public key algorithms. When the SSH server is configured in strict mode, these security methods use only the approved algorithms detailed in the NIST SP 800-131A specification, and SSH connections to the gateway are then accepted only with those algorithms.

To enable strict security mode, run the following: 

gateway (config) # ssh server security strict

The following ciphers are disabled for SSH when strict security is enabled:

  • 3des-cbc
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc

The no form of the command disables strict security mode.

Make sure to configure the SSH server to work with minimum version 2, since version 1 is vulnerable to security breaches.

To set the minimum SSH version to 2, run:

gateway (config) # ssh server min-version 2

Once this is done, the user cannot revert back to minimum version 1.

By default, the gateways support LDAP encryption with SSL version 3 or TLS 1.0 up to TLS 1.2. The only banned algorithm is MD5, which is not allowed per NIST SP 800-131A. In strict mode, the switch supports encryption with TLS 1.2 only, with the following supported ciphers:

  • DHE-DSS-AES128-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-DSS-AES256-SHA256
  • DHE-RSA-AES256-SHA256
  • ECDH-RSA-AES128-SHA256
  • ECDH-RSA-AES256-SHA384
  • AES128-SHA256
  • AES128-GCM-SHA256
  • AES256-SHA256
  • AES256-GCM-SHA384

To enable LDAP strict mode, run the following: 

gateway (config) # ldap ssl mode {start-tls | ssl}

Both modes operate using SSL. The difference lies in how the connection is initialized and in the port used.
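As an added example that is not part of this appendix or the switch's own tooling, the following Python script checks values gathered from an SSH server (its version banner and the cipher name-list it offers) and from an LDAP TLS session against the strict-mode rules described above; all sample inputs are constructed.

```python
"""Audit SSH and LDAP/TLS negotiation details against the strict-mode rules
in this appendix (added example, not switch tooling). Inputs are constructed:
an SSH version banner, the encryption name-list a server offers in its
KEXINIT, and the TLS version/cipher negotiated with an LDAP server."""

# Ciphers this appendix lists as disabled in SSH strict security mode.
SSH_STRICT_DISABLED = {"3des-cbc", "aes256-cbc", "aes192-cbc", "aes128-cbc"}

# Cipher suites this appendix lists for LDAP in strict (TLS 1.2 only) mode.
LDAP_STRICT_CIPHERS = {
    "DHE-DSS-AES128-SHA256", "DHE-RSA-AES128-SHA256",
    "DHE-DSS-AES256-SHA256", "DHE-RSA-AES256-SHA256",
    "ECDH-RSA-AES128-SHA256", "ECDH-RSA-AES256-SHA384",
    "AES128-SHA256", "AES128-GCM-SHA256",
    "AES256-SHA256", "AES256-GCM-SHA384",
}

def audit_ssh(banner: str, offered_ciphers: str) -> list[str]:
    """Return findings for an SSH server. `banner` is its identification
    string (RFC 4253, e.g. 'SSH-2.0-OpenSSH_8.9'); `offered_ciphers` is the
    comma-separated encryption name-list from the server's KEXINIT."""
    findings = []
    # 'SSH-1.99' advertises compatibility with protocol version 1; a server
    # restricted with 'ssh server min-version 2' should identify as 'SSH-2.0'.
    proto = banner.strip().split("-", 2)[1] if banner.startswith("SSH-") else ""
    if proto != "2.0":
        findings.append(f"protocol version '{proto or banner}' allows SSH-1 (expected SSH-2.0)")
    for name in (n.strip() for n in offered_ciphers.split(",") if n.strip()):
        if name in SSH_STRICT_DISABLED:
            findings.append(f"cipher {name} offered; disabled by 'ssh server security strict'")
    return findings

def audit_ldap_tls(version: str, cipher: str) -> list[str]:
    """Return findings for the TLS session negotiated with the LDAP server."""
    findings = []
    if version != "TLSv1.2":
        findings.append(f"{version} negotiated; strict mode allows TLS 1.2 only")
    if cipher not in LDAP_STRICT_CIPHERS:
        findings.append(f"cipher {cipher} is not in the strict-mode LDAP cipher list")
    return findings

if __name__ == "__main__":
    # Constructed sample values, as a gateway without strict mode might report them.
    for f in audit_ssh("SSH-1.99-OpenSSH_7.4",
                       "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc"):
        print("SSH:", f)
    for f in audit_ldap_tls("TLSv1.0", "DES-CBC3-SHA"):
        print("LDAP:", f)
```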