Appendix: Enhancing System Security According to NIST SP 800-131A

On This Page

Our switch systems, by default, work with NIST SP 800-131A, as described in the table below.

This appendix describes how to enhance the security of a system in order to comply with the NIST SP 800-131A standard. This standard is a document which defines cryptographically “acceptable” technologies. This document explains how to protect against possible cryptographic vulnerabilities in the system by using secure methods. Because of compatibility issues, this security state is not the default of the system and it should be manually set.

Warning

Some protocols, however, cannot be operated in a manner that complies with the NIST SP 800-131A standard.

Component

Configuration

Command

HTTP

HTTP disabled

no web http enable

HTTPS

HTTPS enabled

no web https enable

SSL ciphers = TLS1.2

web https ssl ciphers all

SSL renegotiation disabled

web https ssl renegotiation enable

SSH

SSH version = 2

ssh server min-version 1

SSH ciphers = aes256-ctr, aes192-ctr, aes128-ctr,
aes128-gcm@openssh.com, aes256-gcm@openssh.com

no ssh server security strict

Code signing is used to verify that the data in the image is not modified by any third-party. The operating system supports signing the image files with SHA256, RSA2048 using GnuPG.

The SSH server on the gateway by default uses secure ciphers only, message authentication code (MAC), key exchange methods, and public key algorithm. When configuring SSH server to strict mode, the aforementioned security methods only use approved algorithms as detailed in the NIST 800-181A specification and the user can connect to the gateway via SSH in strict mode only.

To enable strict security mode, run the following:

Copy
Copied!
            

gateway (config) # ssh server security strict

Warning

The following ciphers are disabled for SSH when strict security is enabled:

  • 3des-cbc

  • aes256-cbc

  • aes192-cbc

  • aes128-cbc

  • rijndael-cbc@lysator.liu.se

The no form of the command disables strict security mode.

Make sure to configure the SSH server to work with minimum version 2 since 1 is vulnerable to security breaches.

To configure min-version to strict mode, run:

Copy
Copied!
            

gateway (config) # ssh server min-version 2

Warning

Once this is done, the user cannot revert back to minimum version 1.

By default, the gateways support LDAP encryption SSL version 3 or TLS1.0 up to TLS1.2. The only banned algorithm is MD5 which is not allowed per NIST 800-131a. In strict mode, the switch supports encryption with TLS1.2 only with the following supported ciphers:

  • DHE-DSS-AES128-SHA256

  • DHE-RSA-AES128-SHA256

  • DHE-DSS-AES128-GCM-SHA256

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-DSS-AES256-SHA256

  • DHE-RSA-AES256-SHA256

  • DHE-DSS-AES256-GCM-SHA384

  • DHE-RSA-AES256-GCM-SHA384

  • ECDH-ECDSA-AES128-SHA256

  • ECDH-RSA-AES128-SHA256

  • ECDH-ECDSA-AES128-GCM-SHA256

  • ECDH-RSA-AES128-GCM-SHA256

  • ECDH-ECDSA-AES256-SHA384

  • ECDH-RSA-AES256-SHA384

  • ECDH-ECDSA-AES256-GCM-SHA384

  • ECDH-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • AES128-SHA256

  • AES128-GCM-SHA256

  • AES256-SHA256

  • AES256-GCM-SHA384

To enable LDAP strict mode, run the following:

Copy
Copied!
            

gateway (config) # ldap ssl mode {start-tls | ssl}

Warning

Both modes operate using SSL. The different lies in the connection initialization and the port used.

© Copyright 2023, NVIDIA. Last updated on Sep 9, 2023.