
Aruba NetEdit Hardening Guide

This document provides guidance on hardening the Aruba NetEdit application. It discusses locking down services and user access on the NetEdit OVA to reduce vulnerabilities. The document also describes Aruba's vulnerability management process, internal security testing, and typical vulnerability scan results including common false positives. Customers are advised to follow security best practices and update the OS according to their policies.

Technical Whitepaper

ARUBA NETEDIT
HARDENING GUIDE
ARUBA CX SWITCHING

Table of Contents
Introduction
NetEdit OVA
Internal Security Testing
Vulnerability Management Process
Typical Vulnerability Scan Results
Locking Down Services
Locking Down User Access
Monitoring
Open Source Code


Introduction

This document has been produced to assist Aruba customers and partners in configuring Aruba NetEdit in the most secure
manner. It should be noted that security recommendations often involve tradeoffs; not every recommendation in this
document will be appropriate for every situation. In general, however, recommendations in this document represent security
best practices and should be followed wherever network security is a priority.
NetEdit OVA

The NetEdit product is a browser-based client/server application. The “NetEdit server” is provided as an Open Virtual
Appliance (OVA). The OVA includes the Debian 9.11 OS with the NetEdit application with a set of security hardening applied.
The SANS SCORE Hardening the Linux System checklist was followed with the exceptions of ‘Install AppArmor’, ‘Configure
and Use SELinux’, ‘Install Bastille’ and any items that did not pertain to the Debian Linux version. The checklist can be
found at https://www.sans.org/score/checklists/linux.

Aruba recommends that the customer perform additional hardening of the OVA using the CIS Debian Linux 9 Benchmark
(https://www.cisecurity.org/) as a guide. Hardening should be done according to the site’s security policies. The customer is
responsible for updating the OS with security updates. Aruba will provide security updates for the NetEdit application.
Internal Security Testing

Each NetEdit major and minor release goes through extensive quality assurance testing. As part of the testing process,
several commercial vulnerability scanners are used. These include:

• WebInspect
• Burp Suite
• Nessus
• Zap
Any findings returned by these scanners are examined to determine if they are genuine vulnerabilities or false positives.
Actual vulnerabilities will cause a bug to be opened.

In addition to quality assurance testing, an internal group known as Aruba Threat Labs provides advanced vulnerability
research against the NetEdit Web UI application and the OVA. Aruba Threat Labs conducts penetration testing through both
black-box and white-box testing, including source code analysis. This is done for every NetEdit major and minor release.
Vulnerability Management Process

NetEdit’s security model is dependent on the open source packages it leverages. In addition to open-source packages,
vulnerabilities may occur within the NetEdit source code. When a vulnerability that impacts NetEdit directly is discovered
between releases, an off-cycle NetEdit update patch will be created to address the vulnerability. A security bulletin is
released to notify the customer of the security issue and where to get the new update patch.

Aruba publishes a vulnerability response policy at http://www.arubanetworks.com/support-services/security-bulletins/. This
location also hosts security advisories published by Aruba. An RSS feed is available from this page as well.

A NetEdit compressed file will be created to fix vulnerabilities in NetEdit’s sources as well as in any packages that are included
with NetEdit. Customers can access the NetEdit OVAs and compressed files on the Aruba Support Portal (ASP)
https://asp.arubanetworks.com/. New vulnerability upgrade patches will be uploaded to ASP.

NetEdit follows the semantic versioning scheme (a.b.c): patches roll the last number (c), minor changes roll the middle
number (b) and a new version rolls the major number (a). A vulnerability update patch will roll the last number (c).


For the Debian OS specific packages, the customer will need to update using the Debian repository. The NetEdit Install
Guide describes how to update the OS base packages using Debian’s public repositories. It is recommended that the
customer monitor Debian security advisories by subscribing to the debian-security-announce mailing list. In addition, it is
recommended that the customer periodically use apt to get the latest security updates.

For more information on the NetEdit upgrade process see the NetEdit User Guide available in the Aruba Support Portal.
Typical Vulnerability Scan Results

Nowadays it is common for customers to run their own vulnerability scans against vendor network products. This section
documents common results and answers frequently asked questions.
Open Ports
The following table lists all ports that are used by NetEdit. The table includes notes on what the port is used for, and whether
or not it may be blocked using firewall rules.
Table 1: List of ports used by Aruba’s NetEdit software

Port 22/TCP
Explanation: SSH. Used for administrative access to the command line of the OVA OS that NetEdit runs on.
Notes: It is recommended to enable access to this port only from trusted subnets.

Port 80/TCP
Explanation: HTTP. Accepts connections for NetEdit WebUI administrative management. Redirects to other ports using HTTPS.
Notes: May be blocked if not needed.

Port 443/TCP
Explanation: HTTPS. Used for NetEdit WebUI administrative management.
Notes: Required to access the NetEdit Web interface.

Common False Positives

The most common type of false-positive seen by vulnerability scanners occurs when the scanner looks only at a version
number presented as part of a protocol handshake. For example, a scan against the NetEdit OVA’s SSH service may indicate
that the SSH server is OpenSSH version 7.4p1. If the scanning tool’s database finds known vulnerabilities for OpenSSH
7.4p1, it will report that the NetEdit OVA is vulnerable. Most vulnerability scanners do not actually attempt to exploit
vulnerabilities, so the resulting report should be viewed as a list of possible, rather than actual, vulnerabilities. NetEdit
incorporates a number of open-source packages, such as PostgreSQL and OpenSSH. In the interest of software stability,
Aruba will update open source packages when deemed necessary but may instead choose to fix the flaw to reduce risk.

The following table includes a number of common false positives for NetEdit:

Table 2: List of Common False Positives with Aruba’s NetEdit software

Service: PostgreSQL
CVEs: CVE-2018-15518, CVE-2018-19869, CVE-2018-19870, CVE-2018-19871, CVE-2018-19873
Notes: Affects PostgreSQL pgAdmin, which is not used by NetEdit.

Service: Dom4j
CVE: CVE-2020-10683
Notes: NetEdit does not use dom4j for manipulation of XML trees (schema) in the DB.

Service: TLS/SSL Certificate
Notes: Warnings such as the following may be reported:
• Untrusted TLS/SSL server X.509 certificate
• X.509 Certificate Subject CN Does Not Match the Entity Name
• SHA-1 based Signature in TLS/SSL Server X.509 Certificate
• TLS Server Certificate Modulus less than 2048 bits
• SSL Certificate Name Mismatch
NetEdit creates a default X.509 certificate during initial setup. This certificate should not be used in production networks.
Typically, warning messages produced by vulnerability scanners are related to this certificate. The administrator should
install a unique X.509 certificate, as described in the NetEdit User Guide, to eliminate these warnings. These warnings are
NOT false positives, but action from the administrator is required to correct the problem.

Locking Down Services

Cryptography
NetEdit employs cryptography as a part of several services, such as HTTPS, SSH and SNMP.

HTTPS

By default, only TLS 1.2 is supported. TLS 1.2 should be used whenever possible; this may require browser configuration
to ensure that TLS 1.2 is enabled.

The following ciphersuites are enabled by default:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Additional ciphers and protocol values can be added with the “server.ssl.ciphers” and “server.ssl.enabled-protocols” settings
in the application.properties file. The application.properties file is located at /opt/netedit/config/application.properties within
the OVA. The NetEdit service will need to be restarted for changes to take effect.

Ensure that the ciphers and protocols used are in compliance with site policy.

SSH

Client
The NetEdit change validation service includes queries to external resources (routers, DNS servers, etc.) and Aruba CX
switches using SSH. This validation allows admins to capture the overall network state before and after a configuration
change in order to validate the network integrity. The change validation service runs when a user deploys a configuration to
an Aruba CX Switch. It uses SSH to connect to such switches and/or other resources, runs SSH commands and stores a
report.
Table 3: NetEdit default SSH client MAC algorithms, Key Exchange algorithms, Ciphers and Server Host Keys

KEX: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1,
     diffie-hellman-group-exchange-sha256
Server Host Key: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-rsa
Ciphers: aes128-ctr, aes128-cbc, aes192-ctr, aes256-ctr, aes256-cbc
MAC: hmac-sha, hmac-sha2-256, hmac-sha1-96

The SSH client key exchange algorithms, host key types, ciphers and MACs can be configured in the application.properties file
with the properties “netedit.ssh.kex”, “netedit.ssh.server.host.key”, “netedit.ssh.cipher” and “netedit.ssh.mac”.

Server
By default, the Debian OS that NetEdit runs on has the SSH server enabled.
Table 4: Default SSH server Encryption Algorithms and Ciphers.

KEX: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,
     diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,
     diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
Ciphers: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
MAC: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com,
     hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1

Aruba recommends using only strong Ciphers, MACs and Key Exchange algorithms. Edit the /etc/ssh/sshd_config file and
add or modify the Ciphers, MACs and KexAlgorithms lines so that each contains a comma-separated list of the site-approved
algorithms. The table below lists examples.
Table 5: SSH Cipher, MAC, and Key Exchange examples

KEX: curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512,
     diffie-hellman-group18-sha512, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256,
     diffie-hellman-group-exchange-sha256
Ciphers: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
MAC: hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha2-256

The only FIPS 140-2 compliant Ciphers, MACs and Key Exchange algorithms are:
Table 6: FIPS 140-2 compliant ciphers, MAC, and Key Exchange algorithms

KEX: aes256-ctr, aes192-ctr, aes128-ctr
Ciphers: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
MAC: hmac-sha2-256 and hmac-sha2-512

Some organizations may have stricter requirements for approved Ciphers and MACs. Ensure that the ciphers used are in
compliance with site policy.

Aruba recommends additional hardening of the SSH server using the CIS Debian Linux 9 Benchmark as a guide
(https://www.cisecurity.org/).
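The following is an added example, not from the Aruba guide or the NetEdit OVA: a small POSIX shell audit that checks an sshd_config against a site allowlist built from the Table 5 example lists, flagging algorithms from the Table 4 defaults (such as hmac-sha1 and diffie-hellman-group14-sha1) that a keyword left unset would silently keep. It assumes OpenSSH's KexAlgorithms, Ciphers and MACs keywords, each a comma-separated list, with the first occurrence of a keyword winning.

```shell
#!/bin/sh
# Added example (not Aruba's code): audit /etc/ssh/sshd_config against a site
# allowlist. The allowlists are the Table 5 example lists from this guide.

ALLOWED_KEX="curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"

# in_list NAME LIST: succeed if NAME is one of the comma-separated LIST items.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# configured_value FILE KEYWORD: print the value of the first active
# (uncommented) line for KEYWORD, case-insensitively; empty if not set.
configured_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_keyword FILE KEYWORD ALLOWLIST: report every configured algorithm that
# is not on the allowlist. Succeeds only if the keyword is set explicitly and
# every entry is allowed.
audit_keyword() {
    ak_file=$1; ak_key=$2; ak_allowed=$3; ak_rc=0
    ak_value=$(configured_value "$ak_file" "$ak_key")
    if [ -z "$ak_value" ]; then
        # An unset keyword means the OpenSSH defaults (Table 4) apply, which
        # still include hmac-sha1 and diffie-hellman-group14-sha1.
        echo "$ak_key: not set, OpenSSH defaults apply"
        return 1
    fi
    case $ak_value in
        [+-]*) echo "$ak_key: uses +/- relative syntax, defaults are retained"; return 1 ;;
    esac
    ak_old_ifs=$IFS; IFS=,
    for ak_alg in $ak_value; do
        if ! in_list "$ak_alg" "$ak_allowed"; then
            echo "$ak_key: $ak_alg is not on the site allowlist"
            ak_rc=1
        fi
    done
    IFS=$ak_old_ifs
    return $ak_rc
}

# audit_sshd FILE: run all three checks; succeeds only when the file is clean.
audit_sshd() {
    as_rc=0
    audit_keyword "$1" KexAlgorithms "$ALLOWED_KEX"     || as_rc=1
    audit_keyword "$1" Ciphers       "$ALLOWED_CIPHERS" || as_rc=1
    audit_keyword "$1" MACs          "$ALLOWED_MACS"    || as_rc=1
    return $as_rc
}

# Constructed sample (not a real OVA file): strong KEX, but a CBC cipher and a
# SHA-1 MAC are still enabled.
sample=$(mktemp)
printf '%s\n' 'KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512' \
    'Ciphers aes256-ctr,aes128-cbc' 'MACs hmac-sha2-256,hmac-sha1' > "$sample"
audit_sshd "$sample" || echo "findings above need attention before sshd is reloaded"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config before reloading sshd; a non-zero exit means at least one keyword is unset, uses relative syntax, or lists an algorithm outside the allowlist.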
SNMP
The Simple Network Management Protocol is commonly used by network management systems to poll devices for information
such as port configuration, status, and interface counters. SNMP versions 1 and 2 provide very little security beyond the
community string. If an attacker has network access to a device and can guess or snoop the community string, it may lead to
disclosure of sensitive information. Aruba strongly recommends the use of SNMPv3, which includes much stronger security
through authentication and encryption.

NetEdit uses an SNMP client to gather information from network devices. The SNMPv3 standard includes encryption
algorithms that are unsecure but are needed for communication with older network devices. The unsecure algorithms are
DES and 3DES; the secure algorithms are AES-128, AES-192, and AES-256. Enabling the “unsecure” algorithms is required to
communicate with older network devices that do not support the stronger encryption algorithms. The administrator may
modify the NetEdit application.properties file to enable the use of “unsecure” SNMPv3 encryption algorithms when NetEdit
communicates with devices. Aruba recommends that the “unsecure” protocols be disabled. Starting with NetEdit 2.0.09, the
SNMP “unsecure” flag is set to true. Aruba recommends setting this flag to false. This can be set in the application.properties
file with the netedit.snmp.v3.unsecure property. Setting this flag to false will prevent NetEdit from obtaining configuration data
from older devices that only support the weaker algorithms.

The Debian OS includes an SNMP service. In the NetEdit OVA, this SNMP service is disabled. Aruba recommends
keeping the SNMP service on the Debian OS disabled.
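The following is an added example, not from the Aruba guide or the NetEdit OVA: POSIX shell helpers that audit and then set the two application.properties settings this page calls out, the netedit.snmp.v3.unsecure flag from this section and the server.ssl.enabled-protocols / server.ssl.ciphers settings from the HTTPS section. It assumes the file uses plain key=value lines; the file path and property names are the ones stated on the page.

```shell
#!/bin/sh
# Added example (not Aruba's code): audit and harden the application.properties
# settings named in this guide. On the OVA the file is
# /opt/netedit/config/application.properties; restart the NetEdit service afterwards.

# get_property FILE KEY: print the value of KEY (last definition wins).
get_property() {
    gp_esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s/^[[:space:]]*$gp_esc[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# set_property FILE KEY VALUE: replace the existing active KEY line or append
# one. VALUE must not contain '|' or '&' (used unescaped in the sed replacement).
set_property() {
    sp_file=$1; sp_key=$2; sp_val=$3
    sp_esc=$(printf '%s' "$sp_key" | sed 's/[.]/\\./g')
    if grep -q "^[[:space:]]*$sp_esc[[:space:]]*=" "$sp_file"; then
        sed "s|^[[:space:]]*$sp_esc[[:space:]]*=.*|$sp_key=$sp_val|" "$sp_file" > "$sp_file.tmp" \
            && mv "$sp_file.tmp" "$sp_file"
    else
        printf '%s=%s\n' "$sp_key" "$sp_val" >> "$sp_file"
    fi
}

# audit_properties FILE: report the settings this guide recommends changing.
audit_properties() {
    ap_bad=0
    if [ "$(get_property "$1" netedit.snmp.v3.unsecure)" = "true" ]; then
        echo "netedit.snmp.v3.unsecure=true: DES/3DES SNMPv3 privacy is allowed"
        ap_bad=1
    fi
    # An unset server.ssl.enabled-protocols keeps the TLS 1.2-only default.
    ap_old_ifs=$IFS; IFS=,
    for ap_proto in $(get_property "$1" server.ssl.enabled-protocols); do
        if [ "$ap_proto" != "TLSv1.2" ]; then
            echo "server.ssl.enabled-protocols includes $ap_proto"
            ap_bad=1
        fi
    done
    IFS=$ap_old_ifs
    return $ap_bad
}

# harden_properties FILE: apply the recommended values.
harden_properties() {
    set_property "$1" netedit.snmp.v3.unsecure false
    set_property "$1" server.ssl.enabled-protocols TLSv1.2
    # Pin the four documented default suites so a later edit cannot widen them.
    set_property "$1" server.ssl.ciphers \
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
}

# Constructed sample (not the OVA's file): the unsecure flag left at true and an
# enabled-protocols line that someone widened to include TLS 1.1.
sample=$(mktemp)
printf '%s\n' 'server.port=443' 'netedit.snmp.v3.unsecure=true' \
    'server.ssl.enabled-protocols=TLSv1.2,TLSv1.1' > "$sample"
audit_properties "$sample" || harden_properties "$sample"
audit_properties "$sample" && echo "hardened: unsecure=$(get_property "$sample" netedit.snmp.v3.unsecure)"
rm -f "$sample"
```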

Locking Down User Access

User Roles
Aruba recommends deployment of role-based access control for NetEdit users. Rather than granting one-size-fits-all access
to the network once users have authenticated, only grant access appropriate for that user’s role in the organization. There is
no single approach that works for all organizations; administrators will need to evaluate their own needs and requirements.
NetEdit Server OVA
The host OS is secured with root access with a default neadmin user. The neadmin user does not have an initial password;
it is set at first login. The password complexity is controlled by pam_cracklib.so with the following arguments:
“enforce_for_root minlen=8 retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0”

The neadmin user is part of the netedit-service group.

Aruba recommends additional hardening of the PAM service using the CIS Debian Linux 9 Benchmark document as a guide
(https://www.cisecurity.org/).
NetEdit Application WebUI
The NetEdit application web UI credentials are separate from the NetEdit server OVA credentials.

The NetEdit application web UI provides two roles for user management, ADMIN and TECHNICIAN. By default, NetEdit has
a built-in “admin” user with the ADMIN role. A password will have to be set on the first login for the admin user. The password
complexity and requirements follow the NIST recommendations in NIST Special Publication 800-63B. The password
must contain 1-64 printable characters and by default has a minimum length of 8. The minimum length of the password can
be configured in the application.properties file. By default, the maximum allowed age of a user’s password is disabled but can
be configured in the application.properties file. When a user is created with the ADMIN role, a temporary password will be
provided in order to login; on the first login the user will be prompted to change the password. A user with the ADMIN role can
create new users with ADMIN or TECHNICIAN roles, delete users, reset the password for other users and view user
management details in the web UI Users page.

In order to facilitate the workflows from the CX Mobile Android/iOS Application, NetEdit provides a TECHNICIAN role for a
user with limited access compared to the ADMIN role. A user with the TECHNICIAN role has access only to the web UI Users
page and a limited subset of REST endpoints. By default, there is no built-in user with the TECHNICIAN role. The NetEdit
web UI supports a drop-down selection box of ADMIN or TECHNICIAN in the Users page when adding a new user. Like the
creation of an ADMIN user, the TECHNICIAN user is given a temporary password and will have to provide a new password on
the first successful login. A TECHNICIAN user can only change their own password in the Users web UI page. For an
example of adding a user see the NetEdit User Guide available on the Aruba Support Portal.


Monitoring

Session Timeouts
NetEdit employs monitoring screens on the Web UI with auto-refresh enabled by default. If there is constant activity on these
screens the UI session will never time out, so administrators should be careful leaving the browser open on these screens or
enable idle screen lock on the client.

Excessive Failed Login Attempts

One of the most common attack vectors is password guessing. The attacker attempts to gain access to Administrator and
privileged accounts by first trying the default admin password, then trying the most commonly used passwords, and finally
using a brute force tool that tries large numbers of potential passwords from an attack dictionary. The indicator of this type of
attack is a large number of failed authentications in a short period of time to the same account. NetEdit implements a rate
limiting mechanism for failed login attempts that locks out the user for thirty minutes (default) after three (default) failed login
attempts, based on the source IP of the request. The values can be changed in the application.properties file or the feature can
be disabled.

Logging & Audit Logging

The NetEdit application contains many open source libraries that provide different levels of logging. Most of these logs
are available via the REST support logs API. The logs are located at /opt/netedit/logs. Log rotation and clean-up is handled
by logrotate.d. The three logs (postgresql.log, netedit.log, and access.log) are checked on an hourly basis. If any of the log
files exceeds fifty MB, it is compressed and time-stamped. There is a maximum of ten compressed logs for each of the
three log files. After that, rotation will occur. For information on how to export the logs see the NetEdit User Guide document
available in the ASP portal https://asp.arubanetworks.com. For more information on logrotate see the Debian System
Administrator’s Manual entry https://manpages.debian.org/stretch/logrotate/logrotate.8.en.html.
NetEdit Audit/Event
NetEdit provides a LogEntity API to log events and configuration changes. The logs are kept in the PostgreSQL database
and in a file called event.log that is located in /opt/netedit/logs. Whenever a log entry is written to the Log table in the
database, an entry is also written to this file in human-readable log entry format, with the newest entries appended at
the end of the file. Log rotation is applied to this file: once per day the log rotation service checks whether the file
events.log exceeds 100MB; if so, it writes out an events-timestamp.gz file (up to 10). The Log table in the database is
monitored every 60 minutes and, if it exceeds 10 million lines, is trimmed back by 10%.

Spring Boot
The Spring Boot framework and the NetEdit application use the logback-core library. The logs are kept on the file system and
rolled daily with a 30-day history capped at 3GB total size. These logs are not currently available via the WebUI. These logs
can be exported via the NetEdit support log REST API.

Embedded Tomcat
The Embedded Tomcat webserver has access logs enabled. Log rotation is enabled and a new file is created every 24 hours.
The maximum number of days to keep the logs is configured. Tomcat itself does not do any housekeeping on the old files; the
general principle on a Unix system is to have a cron job set up to archive older files into a backup directory and/or
delete them. This is not currently implemented in the NetEdit OVA. The log files are available via a NetEdit support log REST
API.


PostgreSQL Database
The version of PostgreSQL used is 10.10. This version of PostgreSQL is built by EDB and was downloaded from
https://www.enterprisedb.com/download-postgresql-binaries. The PostgreSQL log file is available at /opt/netedit/logs. These
logs are available via a NetEdit support log REST API. The log file is part of the log rotation. Besides the log file location, no
changes have been made to the PostgreSQL default configuration for logging.
Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the
GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open
Source Code used can be found at this site:

http://www.arubanetworks.com/open_source

www.arubanetworks.com
3333 Scott Blvd. Santa Clara, CA 95054
1.844.472.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | [email protected]
