Saturday, February 13, 2021

SAN Switch - Disabling the Telnet service on Brocade SAN switches - STIG finding

Disabling the Telnet protocol on Brocade SAN switches

By default, Telnet is enabled on Brocade SAN switches. As part of security hardening of the devices it needs to be disabled. To implement the change, you modify the IP Filter policy so that inbound connections to TCP port 23 are denied.

1. Log in to your SAN switch.
2. By default, the IP filter policy cannot be changed, so first clone the default policy.
> ipfilter --show
                2              any         tcp          23           permit

> ipfilter --clone Block_Telnet_ipv4 -from default_ipv4
> ipfilter --clone Block_Telnet_ipv6 -from default_ipv6
> ipfilter --show

3. Now remove the existing rule that permits connectivity on TCP service port 23.
   Run ipfilter --show to find the current rule number that permits the connectivity.

> ipfilter --delrule Block_Telnet_ipv4 -rule 2
> ipfilter --delrule Block_Telnet_ipv6 -rule 2

4. Now add a rule to deny inbound connectivity to the fabric switch on TCP service port 23.
> ipfilter --addrule Block_Telnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
> ipfilter --addrule Block_Telnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

5. Now save and activate the policy.
> ipfilter --save Block_Telnet_ipv4
> ipfilter --save Block_Telnet_ipv6
> ipfilter --activate Block_Telnet_ipv4
> ipfilter --activate Block_Telnet_ipv6
> ipfilter --show

You should see a line like:
2              any         tcp          23           deny
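An added check, not from the post or from Brocade, that parses saved ipfilter --show output and reports whether TCP/23 is still reachable in the active policy. The "Name: ..., State: ..." header format and first-match evaluation in ascending rule order are assumptions; the sample output is constructed to match the post's columns.

```python
import re
# Constructed `ipfilter --show` output (post's column order; header format assumed); AFTER is the same policy with rule 2 flipped to deny.
BEFORE = """\
Name: default_ipv4, Type: ipv4, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       1024-65535  permit
"""
AFTER = "\n".join(l.replace("permit", "deny") if " 23 " in l else l for l in BEFORE.replace("default", "Block_Telnet").splitlines())

HDR = re.compile(r"^Name:\s*(\S+?),.*State:\s*(\S+)")
RULE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(permit|deny)$")

def parse_policies(text):
    """Return {policy: (state, [(rule_no, sip, proto, dport, action), ...])}."""
    policies, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HDR.match(line):
            cur = m.group(1)
            policies[cur] = (m.group(2), [])
        elif (m := RULE.match(line)) and cur:
            no, sip, proto, dport, act = m.groups()
            policies[cur][1].append((int(no), sip, proto, dport, act))
    return policies

def port_matches(dport, port):
    """Dest Port field may be a number, a range like 1024-65535, or 'any'."""
    if dport == "any":
        return True
    lo, _, hi = dport.partition("-")
    return int(lo) <= port <= int(hi or lo)

def reachable_from_some_source(rules, proto="tcp", port=23):
    """First-match walk in ascending rule order (assumed FOS semantics)."""
    for _, sip, rproto, dport, act in sorted(rules):
        if rproto != proto or not port_matches(dport, port):
            continue
        if act == "permit":
            return True   # some source still reaches the port
        if sip == "any":
            return False  # everyone is denied here
        # deny for one source only: other sources fall through to later rules
    return True  # no explicit deny hit: treat as still exposed

def telnet_exposure(show_output):
    """{active policy: True if tcp/23 is still reachable from some source}."""
    return {n: reachable_from_some_source(r) for n, (s, r) in parse_policies(show_output).items() if s == "active"}
```

Paste the real switch output into a file and feed it to telnet_exposure(); any policy reported True still needs the deny rule placed ahead of whatever permit matched.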

So, in summary (IPv4 policy shown; repeat for the IPv6 policy):
> ipfilter --show
> ipfilter --clone Block_telnet_23 -from default_ipv4

> ipfilter --delrule Block_telnet_23 -rule 2
> ipfilter --addrule Block_telnet_23 -rule 2 -sip any -dp 23 -proto tcp -act deny

> ipfilter --save Block_telnet_23
> ipfilter --activate Block_telnet_23

> ipfilter --show