HPE7-A02 Device Hardening

Device Hardening Detailed Explanation

Goal: Make an Aruba switch, gateway, or controller difficult to break into or knock offline by locking down every plane of operation: management, control, data, and firmware.
As you read, imagine peeling an onion—each layer adds protection so an attacker must pass multiple hurdles, not just one.

1. Management Plane Protection

This is the “cockpit” of your network devices. If an attacker gets here, they can change everything. So we:

Secure Administrative Access

1. Eliminate clear‑text protocols

   • Telnet sends commands in plain text; anyone sniffing the wire can read passwords.

   • Action: On an AOS‑CX switch:

     (config)# no telnet-server
     

2. Enable encrypted remote shell

   • SSH v2 uses strong ciphers. Generate a key pair on the switch, then force public‑key (not password) login:

     (config)# crypto key generate ssh rsa 4096
     (config)# ssh server vrf mgmt
     (config)# aaa authentication ssh login tacacs local
     (config)# ssh public-key user admin key "ssh-rsa AAAA..."
     

3. Lock down the web/API interface

   • Aruba switches, gateways, and Central expose an HTTPS or REST API for automation.

   • Restrict reachability: Place the management IP in a dedicated VRF and apply an ACL that allows only your admin subnet:

     (config)# vrf mgmt
     (vrf‑cfg)# ip access-group MGMT‑ACL in
     

   • Use valid certificates: Replace factory self‑signed certs with one from an internal or public CA so browsers won’t throw warnings and so TLS is properly authenticated.

AAA & MFA (Authentication, Authorization, Accounting)

Function	Why it matters	Aruba best practice
Authentication	Verify who is logging in	Use TACACS+ or RADIUS servers (e.g., ClearPass) so accounts live centrally, not on each device
Authorization	Control what commands they may run	Command-level roles in TACACS+ (e.g., “help‑desk can only show config”)
Accounting	Record when & what they did	TACACS+ command accounting, syslog to SIEM

Multi‑Factor Auth (MFA)
Even if a TACACS password leaks, an attacker still needs a Time‑based One‑Time Password (TOTP) from your phone. Aruba Central and ClearPass both integrate with MFA providers (Azure MFA, Duo).

2. Control Plane Resilience

The control plane runs routing, spanning tree, LLDP—think of it as the “traffic control tower.” We must stop floods or spoofed messages from overwhelming it.

Control‑Plane Policing (CoPP)

CoPP puts a speed limit on certain packet types before they reach the CPU.
Example AOS‑CX snippet limiting BGP and ICMP:

(config)# copp profile secure-profile
(config-copp)# match protocol bgp action police 200 pps
(config-copp)# match protocol icmp action police 500 pps
(config)# control-plane application copp-profile secure-profile

Bidirectional Forwarding Detection (BFD) with Authentication

• BFD spots a dead link in ~50 ms (faster than OSPF/BGP timers).

• Why authentication? Without it, an attacker could spoof a BFD Down and flap your routes.

• Config idea:

  (config)# bfd authentication sha-256 key-id 10 key "MySecret"
  

3. Data Plane Safeguards

The data plane handles actual traffic—packets sent by users, devices, and applications. If unprotected, attackers could spoof devices, hijack sessions, or flood your switches.

Port Access Control Lists (PACLs)

A Port ACL is a set of rules applied to a specific switch interface. It can allow or deny traffic based on IP, protocol, or port.

• Best practice: Apply a default deny rule to untrusted ports, allowing only known traffic.

• Example: Allow only DHCP and DNS traffic on a guest port:

(config)# ip access-list GUEST-ACL
(config-acl)# permit udp any any eq 67
(config-acl)# permit udp any any eq 53
(config-acl)# deny ip any any
(config)# interface 1/1/10
(int)# access-list GUEST-ACL in

DHCP Snooping

Problem it solves: Attackers can set up a fake DHCP server and give out malicious IP info (like a bad gateway).

• DHCP Snooping marks trusted ports (where real DHCP servers are) and blocks DHCP replies from untrusted ports.

• Aruba AOS-CX configuration:

(config)# dhcp-snooping
(config)# vlan 10
(config)# dhcp-snooping vlan 10
(config)# interface 1/1/1
(config-if)# dhcp-snooping trust

Dynamic ARP Inspection (DAI)

Problem it solves: Attackers can spoof ARP replies and intercept traffic (Man-in-the-Middle).

• DAI checks ARP packets against DHCP Snooping bindings (IP–MAC mappings).

• Blocks any ARP that doesn't match known devices.

(config)# arp inspection vlan 10
(config)# interface 1/1/2
(config-if)# arp inspection trust

IP Source Guard

Problem it solves: Prevents IP spoofing on a per-port basis.

• Works with DHCP Snooping to verify that a device can only use the IP it was assigned.

• Helps stop a rogue device from claiming another IP.

(config)# interface 1/1/3
(config-if)# ip verify source

Disable Unused Ports

Every unused switch port is a potential backdoor.

• Recommendation:

  • Shutdown unused ports (shutdown)

  • Assign them to an isolated VLAN

  • Optionally log any unauthorized use

(config)# interface 1/1/20
(config-if)# shutdown
(config-if)# description UNUSED
(config-if)# vlan access 999

Sticky MAC & Port Security

Sticky MAC allows only known MAC addresses to connect to a port.

• Learns and "locks" the first MAC address.

• If another device plugs in, it’s blocked (or logged, depending on config).

(config)# interface 1/1/4
(config-if)# port-security
(config-if)# port-security mac-address sticky
(config-if)# port-security max-mac-count 1

BPDU Guard

BPDU packets are used by Spanning Tree Protocol (STP). If an attacker sends fake BPDUs, they can disrupt the network topology.

• BPDU Guard shuts down a port if BPDUs are received—perfect for access ports (not trunk ports).

(config)# spanning-tree bpdu-guard
(config)# interface 1/1/5
(config-if)# spanning-tree bpdu-guard enable

4. Firmware & File System Integrity

Protecting the system software is your last line of defense. If someone tampers with firmware, they could insert a hidden backdoor.

Secure Boot

• Ensures that only signed and trusted firmware images can run.

• Prevents attackers from uploading a malicious version of ArubaOS or AOS-CX.

• Enabled by default in modern Aruba hardware platforms.

Dual Image and ISSU (In-Service Software Upgrade)

• Aruba switches can store two firmware images: one active, one backup.

• You can test a new image and revert if it fails.

• With VSX (Virtual Switching Extension), you can do ISSU—upgrade without taking down the entire network.

Off-Box Configuration Backups

• Don’t store your only copy of configs on the switch.

• Regularly back up to a secure SCP or TFTP server.

• Recommended command (AOS-CX):

(config)# copy running-config scp://[email protected]/config-backups/switch1.cfg

5. Recap of Device Hardening Strategies

Plane	Key Protections
Management	Disable Telnet, use SSH + certs, restrict API access, enable MFA
Control	CoPP to limit floods, BFD with auth
Data	ACLs, DHCP Snooping, DAI, IP Source Guard, disable unused ports, STP protection
Firmware	Secure Boot, dual image, remote backups

Device Hardening (Additional Content)

1. Login Banner Configuration

What is a login banner?

A login banner is a pre-authentication message that appears when someone attempts to access a network device (via CLI, web, or API). It typically contains a security or legal warning about unauthorized access.

Why it matters

• Acts as a legal deterrent and may fulfill compliance requirements.

• Informs users that monitoring is in place and access is restricted.

Aruba Example (AOS-CX)

(config)# banner login
Enter TEXT message. End with the character '^'.
Unauthorized access is prohibited. This system is monitored.
^

• Shown during SSH or console login

• Often used to support legal enforcement in incident response

2. SNMP Security Controls

Why secure SNMP?

SNMPv2c is unsecured—using community strings (like passwords) in cleartext. In contrast, SNMPv3 supports:

• Authentication: Verifies the identity of the SNMP manager

• Encryption: Protects SNMP traffic (e.g., AES-128)

• Role-based access: Restricts which SNMP commands are allowed

Best Practices

• Disable SNMPv1/v2c entirely

• Enable SNMPv3 with strong user credentials

• Use ACLs to limit SNMP access to trusted management IPs

Aruba Example (AOS-CX)

(config)# snmpv3 user admin auth sha myPassword priv aes mySecret
(config)# snmp-server group AdminGroup v3 auth read all write all
(config)# ip access-list MGMT
(config-acl)# permit ip 10.0.0.0 0.0.0.255 any
(config)# snmp-server community public restricted
(config)# snmp-server host 10.0.0.10 version 3 priv admin

• Combine ACLs + SNMPv3 for maximum security

3. Configuration Integrity and Audit

Why it matters

Changes to the network device configuration should be tracked, validated, and auditable. This helps maintain security and operational integrity.

Techniques

1. Config Diffs

   • Automatically compare current vs. previous configurations.

   • Identify unauthorized or accidental changes.

2. Versioned Backups

   • Store copies of running/startup configs with timestamps.

   • Backup to a secure SCP/SFTP location.

3. Policy Audits

   • Periodic reviews to ensure CLI, web GUI, and API settings follow company policy.

   • Enforce password policies, RBAC, TLS settings, and API key expiration.

Aruba Recommendations

• Use Aruba Central or NetEdit to:

  • View change history

  • Track config diffs across devices

  • Approve or revert changes through version control

CLI Example (manual diff)

show config diff startup-config running-config

Summary

Topic	Purpose	Aruba Practice
Login Banners	Display legal warnings during login attempts	banner login command in CLI
SNMP Security	Prevent exposure of sensitive data and allow authenticated access only	Use SNMPv3 + ACLs, disable v1/v2c
Config Audit & Diff	Track changes and validate against security policies	Use show config diff, NetEdit, or Central