Enhanced secure mode

Information

ArubaOS-Switch devices can operate in one of two secure modes: standard and enhanced. In standard secure mode, passwords and security keys may be entered directly in plaintext from the configuration console (though by default they are stored separately from the switch configuration), and show commands generally do not hide or obscure configuration parameters. In enhanced secure mode there are a number of operating differences in software feature support, how commands are executed, and the way configuration parameters are displayed. Some significant changes include:
- SSH drops support for less-secure ciphers, including 3des-cbc and rijndael-cbc@lysator.liu.se.
- HTTPS supports only TLS 1.0 or later (SSLv3 and earlier are not offered). Note that TLS 1.0 and 1.1 are themselves deprecated, so enhanced secure mode should not be read as guaranteeing a modern TLS configuration on its own.
- Passwords and authentication keys must be entered interactively and can no longer be set as part of a command; password/key characters are displayed as asterisks.
- Authentication must be completed any time a user transitions from one access level to another (for example, operator to manager or vice versa).
- The switch ROM console is password-protected.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Entering enhanced secure mode results in the following sequence of events:

- The switch is rebooted.
- The management module file system is zeroized, then the firmware images are restored.
- A power-cycle is required to complete the transition.

Because every management module file except the software images is erased, save a copy of the running configuration (and any certificates or keys that will need to be re-installed) off the switch before issuing the command.

switch(config)# secure-mode enhanced
Validating software and configurations, this may take a minute...
The system will be rebooted and all management module files except software images will be erased and zeroized. This will take up to 60 minutes and the switch will not be usable during that time. A power-cycle will then be required to complete the transition. Continue (y/n)? y

The switch will reboot at this point.

Zeroizing the file system ... 100%
Verifying cleanness of the file system... 100%
Restoring firmware image and other system files...
Zeroization of file system completed
Continue initializing...

The current switch operating mode can be displayed using the show secure-mode command. Only a reported level of Enhanced satisfies this item; any other value means the transition has not been completed:

switch(config)# show secure-mode
Level: Enhanced
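The following check is an added example, not part of the original audit item or of Aruba's own tooling. It evaluates captured show secure-mode output the way the item above does: it passes only on an explicit Level: Enhanced line and fails closed on anything else, including a missing line (for example when the command was rejected or the capture is truncated). The two sample outputs embedded in it are constructed for illustration, not captured from a real switch.

```python
import re
from typing import Optional, Tuple

# Constructed sample outputs (not captured from a real switch) for the two modes.
SAMPLE_ENHANCED = """switch(config)# show secure-mode
Level: Enhanced
"""
SAMPLE_STANDARD = """switch(config)# show secure-mode
Level: Standard
"""
# A capture where the command was not accepted (constructed).
SAMPLE_REJECTED = """switch# show secure-mode
Invalid input: secure-mode
"""

# Match the "Level: <value>" line regardless of surrounding whitespace or case.
_LEVEL_RE = re.compile(r"^\s*Level\s*:\s*(\S+)\s*$", re.MULTILINE | re.IGNORECASE)


def secure_mode_level(output: str) -> Optional[str]:
    """Return the level reported by 'show secure-mode', or None if no Level line exists."""
    match = _LEVEL_RE.search(output)
    return match.group(1) if match else None


def check_enhanced_secure_mode(output: str) -> Tuple[bool, str]:
    """Evaluate captured 'show secure-mode' output against this audit item.

    Returns (passed, reason). Only an explicit 'Level: Enhanced' passes; a
    missing or unrecognised line fails closed rather than being treated as
    compliant, so a truncated or rejected capture cannot produce a false pass.
    """
    level = secure_mode_level(output)
    if level is None:
        return False, "no 'Level:' line found in show secure-mode output"
    if level.lower() == "enhanced":
        return True, "secure-mode level is Enhanced"
    return False, f"secure-mode level is {level}, expected Enhanced"


if __name__ == "__main__":
    for name, sample in (("enhanced", SAMPLE_ENHANCED),
                         ("standard", SAMPLE_STANDARD),
                         ("rejected", SAMPLE_REJECTED)):
        passed, reason = check_enhanced_secure_mode(sample)
        print(f"{name:9s} {'PASS' if passed else 'FAIL'}: {reason}")
```

Feed it the text captured from the switch console (or from the Nessus target output noted above) rather than re-deriving the state from the configuration file: in enhanced secure mode the configuration deliberately hides sensitive parameters, so the mode itself is the reliable evidence.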

For more details, refer to the chapter titled "Secure mode (FIPS)" in the ArubaOS-Switch Access Security Guide.

See Also

https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: ArubaOS

Control ID: ffee58f457f7889a8f466db117583c77ce887ee174098e33c2733d4a38410adb