Add an initial guide on hardening Aruba AOS-S 16.11

ArubaOS-Switch-(AOS-S)-16.11.md

@@ -0,0 +1,54 @@
+# ArubaOS Switch (AOS-S) 16.11
+
+ArubaOS Switch or short **AOS-S** is an network operating system (NOS) used on various switches from Aruba Networks, a subsidiary of HPE. It as formerly known as HP ProVision. Depending on the version of AOS-S not all command may be available.
+
+SSH into a switch running AOS-S switch, or use a local serial connection in order to apply options.
+
+## 1. Re-generate the RSA keys
+
+```
+configure
+crypto key generate ssh rsa bits 3072
+exit
+```
+If the size is omitted, a 2048 Bit RSA key will be generated, 3072 is the largest size supported so far.
+
+## 2. Restrict supported key exchange, cipher and MAC algorithms
+
+```
+configure
+
+no ip ssh cipher aes128-cbc
+no ip ssh cipher 3des-cbc
+no ip ssh cipher aes192-cbc
+no ip ssh cipher aes256-cbc
+no ip ssh cipher rijndael-cbc@lysator.liu.se
+
+no ip ssh mac hmac-md5
+no ip ssh mac hmac-sha1
+no ip ssh mac hmac-sha1-96
+no ip ssh mac hmac-md5-96
+
+no ip ssh kex ecdh-sha2-nistp256
+no ip ssh kex ecdh-sha2-nistp384
+no ip ssh kex ecdh-sha2-nistp521
+no ip ssh kex diffie-hellman-group14-sha1
+
+exit
+```
+
+## 3. Save the running configuration of the switch to flash
+
+```
+write memory
+```
+
+## Limitations
+
+AOS-S 16.11 doesn't allow you reaching a perfect score, here are some reasons:
+
+* Host-key algorithms: 
+  * There is no (known) way of getting rid of ```ssh-rsa```
+  * AOS-S supports either RSA (up to 3072 Bit) or DSA (up to 1024 Bit) host keys, that's it so far.
+* MACs: ```hmac-sha2-256``` cannot be disabled, as it is the only remaining after disabling all other 
+insecure MACs. Otherwise no remaining MACs would remain enabled.