HX Data Platform Security Hardening Guide - Cisco


Cisco HX Data Platform Security Hardening Guide
Version 4.5.1a rev 4
March 2021
Cisco HX Platform Hardening Guide, Page 1

Document Information

Document Summary
Cisco HX v.4.02b rev 4
Last Modified: 16 March 2021
Previous Version: 4.02a rev 3
Prepared for: Field
Prepared by: Aaron Kapacinskas

Changes in this version:
Added CSR Process for 4.5.1a
Updated port information for preinstall and port appendix
Updated Intersight Device Connector URLs in Appendix

Intended Use and Audience
This document contains confidential material that is proprietary to Cisco Corporation. The materials, ideas and concepts contained herein are to be used exclusively to assist in the configuration of Cisco Corporation's software solutions.

Legal Notices
All information in this document is provided in confidence and shall not be published or disclosed, wholly or in part, to any other party without Cisco's written permission.

Contents

Document Information ... 2
Intended Use and Audience ... 2
Legal Notices ... 2
Prerequisites ... 8
Introduction ... 8
Secure Product and Development Components ... 8
Development Milestones ... 8
CSDL Philosophy ... 8
CSDL Product Adherence Methodologies ... 9
Vulnerability Handling ... 10
Tenable IO Scanning ... 10
CERT Advisory ... 11
VMware ESX Patching ... 11
HXDP Patching ... 11
Additional Vulnerability Testing Measures ... 12
Secure Platform "Modules" ... 12
Control Plane ... 12
Data Security ... 12
Management Security ... 12
Certification Process ... 12
ACVP ... 12
Current Certifications ... 13
FIPS ... 13
Common Criteria ... 14
Other Certifications and Procedural Guidelines ... 15
ISO 27001 ... 15
FISMA ... 15
FedRAMP ... 15
IAVA ... 15
HIPAA ... 15
NERC CIP ... 15
CNSA ... 16
DISA APL ... 17
Targeted Certifications ... 17
HX Components and Environment ... 17
Solution Components ... 17
Cisco UCS ... 18
Cisco UCS Fabric Interconnects (FIs) ... 19
HX Nodes ... 19
Management Interfaces: HX Connect and the VMware vCenter Plug-in ... 21
VMware vCenter ... 21
VMware ESX ... 21
VMs ... 21
Client Machines ... 22
HX Secure Network Environment and Component Requirements ... 22
Port Requirements for Communication ... 23
Scans Showing Undocumented Ports ... 23
Port Requirements and Logical Traffic Flow for Replication ... 24
Intersight Connectivity Requirements ... 25
Unicast and Multicast Requirements ... 26
Datastore Access ... 26
Auto Support and Smart Call Home (SCH) ... 27
Installation and ESX Best Practices and Security Considerations ... 28
Cisco HX Installer (HX Installer) ... 28
Default Passwords ... 28
VLANs and vSwitches ... 28
FI Traffic and Architecture ... 31
UCSM Requirements ... 31
VNICs ... 31
East-West Traffic ... 31
North-South Traffic ... 31
Upstream Switch ... 31
VLANs ... 31
Disjoint L2 Networks ... 32
Cisco HyperFlex Edge (HX Edge) ... 32
HX Data Security ... 32
Encryption Services ... 32
SEDs ... 33
Key Management ... 34
Certificate Signing Requests (CSRs) ... 35
Networking Considerations ... 36
Encryption Partners ... 36
VM Level Encryption ... 36
Secure Communications ... 37
Usage of NFS in HXDP ... 37
HX Management ... 38
Management Interfaces ... 38
HX Connect ... 38
vCenter Plug-in ... 40
STCLI and HXCLI ... 41
Secure Admin Shell Access (HXDP 4.5.1(a) and above) ... 43
REST APIs ... 45
AAA Domains ... 46
vCenter ... 46
AD Integration ... 46
User Management ... 46
Cisco HyperFlex User Overview ... 47
Local Users ... 48
UI Users ... 49
CLI Users ... 51
Auditing, Logging, Support Bundles ... 51
Setting Up Remote Logging for HX Prior to HXDP 4.0.1.a ... 53
Setting Up Remote Logging for HXDP 4.0.1.a and Later ... 53
Password Requirements ... 55
Password Guidelines ... 56
Session Timeouts ... 57
HX Platform Hardening ... 59
US Federal STIG (Secure Technical Implementation Guide) Settings ... 59
SSL Certificate Replacement ... 60
Secure Boot ... 60
SSL Certificate Thumbprint (Hash) and Signatures ... 64
Dynamic Self-Signed Certificates in HX ... 64
UCSM Certificate Management ... 64
HX and Perfect Forward Secrecy (PFS) ... 65
TLS Weak Protocol Disable ... 66
TLS Weak Cipher Disable ... 67
SSH (ESX) Lockdown Mode and Root Logins ... 67
Tech Support Mode ... 68
Third Party Software Execution on FIs and HXDP ... 68
Whitelisting and other STCLI Security Commands ... 68
HX Data Platform Firewalling: IP Tables ... 69
Replication ... 71
Specific ESX Env

The ISO 27034 standard provides an internationally recognized standard for application security. Details for ISO 27034 can be found here. The ISO 9000 family of quality management systems standards is designed to help organizations ensure that they meet the needs of customers and other stakeholders while meeting statutory and regulatory requirements related to a product or service. ISO 9000.
