HX Data Platform Security Hardening Guide


Cisco HX Data Platform Security Hardening Guide
Version 4.5.2a rev 2
June 2021

Cisco HX Platform Hardening Guide, Page 1

Document Information

Document Summary
Cisco HX v.4.5.2a rev 2
Last Modified: 23 June 2021
Previous Version: 4.5.2a rev 1 and 4.5.1a rev 4
Prepared for: Field
Prepared by: Aaron Kapacinskas

Changes in this version:
o Clarified security scanning and patching policy
o Added clarification on VUM support
o Added information on using API via command line for STIG implementation in 4.5.x
o Updated SED to KMS connectivity information
o Added procedure for NGINX certificate generation for 4.5.1x/4.5.2x in Appendix F
o Added additional information on multiple entries/wildcards for X509 CSRs in Appendix F
o Updated section on Intersight connectivity requirements
o Tightened up support of local users in RBAC section
o Updated External URLs in Appendix A
o Fixed STIG links to Federal DISA site

Intended Use and Audience
This document contains confidential material that is proprietary to Cisco Corporation. The materials, ideas and concepts contained herein are to be used exclusively to assist in the configuration of Cisco Corporation's software solutions.

Legal Notices
All information in this document is provided in confidence and shall not be published or disclosed, wholly or in part to any other party without Cisco's written permission.

Contents

Document Information ... 2
Intended Use and Audience ... 2
Legal Notices ... 2
Prerequisites ... 8
Introduction ... 8
Secure Product and Development Components ... 8
Development Milestones ... 8
CSDL Philosophy ... 8
CSDL Product Adherence Methodologies ... 9
Vulnerability Handling ... 10
Tenable IO Scanning ... 10
CERT Advisory ... 11
VMware ESX Patching ... 11
HXDP Patching ... 12
Additional Vulnerability Testing Measures ... 13
Secure Platform "Modules" ... 13
Control Plane ... 13
Data Security ... 13
Management Security ... 13
Certification Process ... 13
ACVP ... 13
Current Certifications ... 14
FIPS ... 14
Common Criteria ... 15
Other Certifications and Procedural Guidelines ... 16
ISO 27001 ... 16
FISMA ... 16
FedRAMP ... 16
IAVA ... 16
HIPAA ... 16
NERC CIP ... 16
CNSA ... 17
DISA APL ... 18
Targeted Certifications ... 18
HX Components and Environment ... 18
Solution Components ... 18
Cisco UCS ... 19
Cisco UCS Fabric Interconnects (FIs) ... 20
HX Nodes ... 20
Management Interfaces: HX Connect and the VMware vCenter Plug-in ... 22
VMware vCenter ... 22
VMware ESX ... 22
VMs ... 22
Client Machines ... 23
HX Secure Network Environment and Component Requirements ... 23
Port Requirements for Communication ... 24
Scans Showing Undocumented Ports ... 24
Port Requirements and Logical Traffic Flow for Replication ... 25
Intersight Connectivity Requirements ... 26
Unicast and Multicast Requirements ... 28
Datastore Access ... 28
Auto Support and Smart Call Home (SCH) ... 28
Installation and ESX Best Practices and Security Considerations ... 29
Cisco HX Installer (HX Installer) ... 29
Default Passwords ... 30
VLANs and vSwitches ... 30
FI Traffic and Architecture ... 32
UCSM Requirements ... 32
VNICs ... 33
East-West Traffic ... 33
North-South Traffic ... 33
Upstream Switch ... 33
VLANs ... 33
Disjoint L2 Networks ... 33
Cisco HyperFlex Edge (HX Edge) ... 34
HX Data Security ... 34
Encryption Services ... 34
SEDs ... 35
Key Management ... 36
Certificate Signing Requests (CSRs) ... 37
Networking Considerations ... 38
Encryption Partners ... 38
VM Level Encryption ... 38
Secure Communications ... 39
Usage of NFS in HXDP ... 39
HX Management ... 40
Management Interfaces ... 40
HX Connect ... 40
vCenter Plug-in ... 42
STCLI and HXCLI ... 43
Secure Admin Shell Access (HXDP 4.5.1(a) and above) ... 45
REST APIs ... 47
AAA Domains ... 48
vCenter ... 48
AD Integration ... 48
User Management ... 48
Cisco HyperFlex User Overview ... 49
Local Users ... 49
UI Users ... 49
CLI Users ... 51
Auditing, Logging, Support Bundles ... 51
Setting Up Remote Logging for HX Prior to HXDP 4.0.1.a ... 53
Setting Up Remote Logging for HXDP 4.0.1.a and Later ... 53
Password Requirements ... 55
Password Guidelines ... 56
Session Timeouts ... 57
HX Platform Hardening ... 60
US Federal STIG (Secure Technical Implementation Guide) Settings ... 60
SSL Certificate Replacement ... 61
Secure Boot ... 61
SSL Certificate Thumbprint (Hash) and Signatures ... 65
Dynamic Self-Signed Certificates in HX ... 65
UCSM Certificate Management ... 65
HX and Perfect Forward Secrecy (PFS) ... 66
TLS Weak Protocol Disable ... 67
TLS Weak Cipher Disable ... 68
SSH (ESX) Lockdown Mode and Root Logins ... 68
Tech Support Mode ... 69
Third Party Software Execution on FIs and HXDP ... 69
Whitelisting and other STCLI Security Commands ...

Mar 16, 2021

A typical Nessus scan configuration summary might look like this:

HX 3.0(1b)

Compliance checks:
o DISA RHEL 5
o CIS L2 Ubuntu 16.04 LTS
o CIS Apache 2.2

Plug-ins:
o All plug-ins enabled, same day update

Sample Report:
o Output is color co