Concept Guide
Dell EMC Networking OS Security Hardening
The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security
features, security also lies with the integrity of the device. If the software itself is compromised, all of the aforementioned methods become
ineective.
The Dell EMC Networking OS is enhanced verify whether the startup conguration le is altered before loading. This section explains how
to congure OS image and startup conguration verication.
Startup Conguration Verication
Dell EMC Networking OS comes with startup conguration verication feature. When enabled, it checks the integrity of the startup
conguration that the system uses while the system reboots and loads only if it is intact.
Important Points to Remember
• The startup conguration verication feature is disabled by default on the Dell EMC Networking OS.
• The feature is supported for startup conguration les stored in the local system only.
• The feature is not supported when the fastboot or the warmboot features are enabled on the system.
• If the startup conguration verication fails after a reload, the system does not load your startup conguration.
• After enabling the startup conguration verication feature, use the verified boot hash command to verify and store the hash
value. If you don’t store the hash value, you cannot reboot the device until you verify the image hash.
Dell EMC Networking OS Behavior after System Power-Cycle
If the system reboots due reasons such as power-cycle, the current startup conguration may be dierent than the one you veried the
hash using the verified boot hash command. When the system comes up, the system may use the last-veried startup
conguration.
Dell EMC Networking recommends backing up the startup conguration to a safe location after you use the verified boot hash
command. When the startup conguration verication fails, you can restore it from the backup.
The system continues to display a message stating that startup conguration verication failed. You can disable the startup conguration
feature either by disabling startup conguration verication or save the running conguration to the startup conguration and update the
hash for the startup conguration.
Enabling and Conguring Startup Conguration Hash Verication
To enable and congure startup conguration hash verication, follow these steps:
1 Enable the startup conguration hash verication feature.
CONFIGURATION mode
verified startup-config
2 Generate the hash checksum for your startup conguration le.
EXEC Privilege
generate hash {md5 | sha1 | sha256} {flash://filename | startup-config}
3 Verify the hash checksum of the current startup conguration on the local le system.
EXEC Privilege
Security
955