Dell EMC SmartFabric OS10 Security Best Practices Guide
September 2020
Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Chapter 1: OS10 security best practices
  On first boot
  Password rules
1 OS10 security best practices
This document provides a set of recommendations for securing switches that run Dell EMC SmartFabric OS10. For detailed configuration, see the Dell EMC SmartFabric OS10 User Guide. You can find Dell EMC documentation at https://www.dell.com/support/.
Applicability
The recommendations that are provided in this document apply up to Dell EMC SmartFabric OS10.5.1.x.
On first boot
When you boot the switch for the first time, the system performs Zero-touch deployment (ZTD).
Rationale: If you do not want your users to access the Linux shell, disable the linuxadmin account.
Configuration:
OS10(config)# system-user linuxadmin disable
OS10(config)# exit
OS10# write memory
Disable access to Linux commands
Rationale: Even if you disable the linuxadmin user, users can still run Linux commands through the system command. To disable access to Linux commands completely, use the system-cli command.
Check if strong password check is enabled
By default, the strong password check is enabled and the no service simple-password setting is implicit, so it does not appear in the running configuration. To verify the current setting, search the running configuration for the service:
OS10(config)# do show running-configuration | grep simple
service simple-password
If the output contains service simple-password, as in this example, the strong password check has been turned off on that switch. Empty output means the default (strong password check enabled) is in effect. Restore the default with the no service simple-password command.
Enforce stronger passwords
Rationale: By default, the password you configure must be at least nine characters long, drawn from alphanumeric and special characters.
Check if FIPS is enabled
Use the following command to verify if FIPS is enabled on the system:
OS10# show fips status
FIPS mode: Disabled
Enable and configure secure boot
OS10 secure boot provides a mechanism to verify the authenticity and integrity of the OS10 image. Secure boot protects a system from malicious code being loaded and run during the boot process. Use the secure boot feature to validate the OS10 image during installation and on demand at any time.
Configuration:
OS10# image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}
NOTE: When secure boot is enabled, you can only upgrade OS10 using the image secure-install command.
Validate OS10 image before ONIE OS manual installation
Rationale: When secure boot is enabled and you manually install an OS10 image using ONIE, validate the image first using PKI or SHA256.
○ username username—Enter a text string; 32 alphanumeric characters maximum; one character minimum.
○ password password—Enter a text string; 32 alphanumeric characters maximum, nine characters minimum.
○ role role—Enter a user role:
■ sysadmin—Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles.
Port security
Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement. Port security is a package of the following sub features that provide added security to the system:
1. MAC address learning limit (MLL)
2. Sticky MAC
3. MAC address movement
● To shut down an interface on a MAC address learning limit violation, use the shutdown option.
Rationale: If the system detects a MAC address on a port-security-enabled interface that it has already learned through another port-security-enabled interface, by default the system treats this as a MAC address move violation. You can configure the MAC address move violation actions. You can also configure the system to permit MAC address movement across port-security-enabled interfaces.
Configuration:
● To display which MAC address causes a violation, use the log option.
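The following is an added example and not OS10 code or output from this guide. It models the port-security behaviour described above (MAC address learning limit, sticky MAC, and MAC address move handling with log, shutdown and permit actions) on constructed traffic, so the interaction of the three sub features can be seen in one place. Interface names, option names and the MAC addresses are illustrative assumptions.

```python
"""Added example (not Dell EMC OS10 code): a small model of the port-security
behaviour the guide describes, so that the MAC address learning limit (MLL),
sticky MAC and MAC address move handling can be exercised on constructed
traffic. Interface names, option names and the traffic are all illustrative."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Per-interface port-security settings (illustrative names)."""
    enabled: bool = True
    mac_limit: int = 2            # MAC address learning limit (MLL)
    sticky: bool = False          # sticky MAC: keep learned entries across link flaps
    limit_action: str = "log"     # "log" or "shutdown" on an MLL violation
    move_action: str = "log"      # "log", "shutdown" or "permit" on a MAC move


@dataclass
class Switch:
    ports: dict                                    # interface -> PortSecurity
    mac_table: dict = field(default_factory=dict)  # mac -> interface it was learned on
    down: set = field(default_factory=set)         # interfaces shut down by a violation
    events: list = field(default_factory=list)     # violation log (the "log" action)

    def learn(self, mac: str, iface: str) -> str:
        """Process a frame with source MAC `mac` arriving on `iface`."""
        cfg = self.ports[iface]
        if iface in self.down:
            return "dropped"
        current = self.mac_table.get(mac)
        if current == iface:
            return "known"
        if not cfg.enabled:
            self.mac_table[mac] = iface
            return "learned"
        if current is not None and self.ports[current].enabled:
            # Same MAC already learned on another port-security-enabled interface:
            # a MAC address move violation unless movement is explicitly permitted.
            if cfg.move_action == "permit":
                self.mac_table[mac] = iface
                return "moved"
            self._violate(iface, mac, "mac-move", cfg.move_action)
            return "violation"
        learned_here = sum(1 for i in self.mac_table.values() if i == iface)
        if learned_here >= cfg.mac_limit:
            self._violate(iface, mac, "mac-limit", cfg.limit_action)
            return "violation"
        self.mac_table[mac] = iface
        return "learned"

    def link_flap(self, iface: str) -> None:
        """Link down/up: dynamic entries are lost unless sticky MAC is enabled."""
        if not self.ports[iface].sticky:
            for mac in [m for m, i in self.mac_table.items() if i == iface]:
                del self.mac_table[mac]

    def _violate(self, iface: str, mac: str, kind: str, action: str) -> None:
        self.events.append(f"{iface}: {kind} violation by {mac} (action={action})")
        if action == "shutdown":
            self.down.add(iface)


def run_demo() -> dict:
    """Constructed scenario covering limit, move and sticky behaviour."""
    sw = Switch(ports={
        "ethernet1/1/1": PortSecurity(mac_limit=2, sticky=True, limit_action="shutdown"),
        "ethernet1/1/2": PortSecurity(mac_limit=2, sticky=False, move_action="log"),
        "ethernet1/1/3": PortSecurity(mac_limit=8, move_action="permit"),
    })
    trace = [
        sw.learn("00:aa:00:00:00:01", "ethernet1/1/1"),  # learned
        sw.learn("00:aa:00:00:00:02", "ethernet1/1/1"),  # learned, limit of 2 reached
        sw.learn("00:aa:00:00:00:02", "ethernet1/1/2"),  # MAC move violation, logged only
        sw.learn("00:aa:00:00:00:02", "ethernet1/1/3"),  # move permitted on this interface
        sw.learn("00:aa:00:00:00:03", "ethernet1/1/1"),  # slot freed by the move: learned
        sw.learn("00:aa:00:00:00:04", "ethernet1/1/1"),  # MLL violation: interface shut down
        sw.learn("00:aa:00:00:00:01", "ethernet1/1/1"),  # interface is down: dropped
        sw.learn("00:aa:00:00:00:05", "ethernet1/1/2"),  # learned
    ]
    sw.link_flap("ethernet1/1/2")   # not sticky: 00:aa:00:00:00:05 is forgotten
    sw.link_flap("ethernet1/1/1")   # sticky: its entries survive
    return {"trace": trace, "events": sw.events,
            "down": sorted(sw.down), "table": dict(sw.mac_table)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The shutdown action is the one that stops traffic, but it also creates an availability lever for anyone who can spoof a source MAC onto a protected port, which is why the model logs every violation regardless of the action taken.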
Configuration:
OS10(config)# aaa authentication login {console | default} local
OS10(config)# exit
OS10# write memory
● console—Configure authentication methods for console logins.
● default—Configure authentication methods for SSH and Telnet logins.
● local—Use the local username, password, and role entries configured with the username password role command.
● stop-only—Send only a stop notice when a process ends.
● none—No accounting notices are sent.
● logging—Log all accounting notices in syslog.
● group tacacs+—Log all accounting notices on the first reachable TACACS+ server.
The methods in the method list are used in the order they are configured.
● hostname—Enter the hostname of the RADIUS server.
● ip-address—Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● 0 authentication-key—Enter an authentication key in plain text. A maximum of 42 characters.
● 9 authentication-key—Enter an authentication key in encrypted format. A maximum of 128 characters.
● authentication-key—Enter an authentication key in plain text. A maximum of 42 characters. It is not necessary to enter 0 before the key.
Configure EXEC session timeout
Rationale: By default, there is no EXEC timeout configured. To prevent unauthorized use of an idle session in EXEC mode, configure a timeout interval.
Configuration:
OS10(config)# exec-timeout timeout-value
OS10(config)# exit
OS10# write memory
timeout-value—Specify the number of seconds of inactivity on the system before disconnecting the current session (0 to 3600).
OS10(config)# exit
OS10# write memory
Enable login banner
Rationale: The login banner is displayed after the user logs in to the system.
Configuration:
OS10(config)# banner motd % DellEMC S4148U-ON login Enter your username and password %
OS10(config)# exit
OS10# write memory
SNMP rules
Restricted Simple Network Management Protocol (SNMP) access improves device security when SNMP is used.
● Configure SNMP views.
OS10(config)# snmp-server view view-name oid-tree [included | excluded]
○ view-name—Enter the name of a read-only, read/write, or notify view. A maximum of 32 characters.
○ oid-tree—Enter the SNMP object ID at which the view starts in 12-octet dotted-decimal format.
○ included—(Optional) Include the MIB family in the view.
○ excluded—(Optional) Exclude the MIB family from the view.
● Configure SNMP groups.
Control plane
The control plane includes monitoring, route table updates, and the dynamic operation of the system.
System clock rules
These system clock rules enforce device time and timestamp settings.
Set the timezone to Coordinated Universal Time (UTC)
Rationale: By default, the system time zone is set to UTC. If the default time zone has been changed, set it back to UTC. Setting the system time zone to UTC eliminates the difficulty of correlating timestamps when troubleshooting issues across different time zones.
Enable audit logging
Rationale: To monitor user activity and configuration changes on the switch, enable the audit log. Only the sysadmin and secadmin roles can enable, view, and clear the audit log.
Configuration:
● Configure audit logging.
OS10(config)# logging audit enable
OS10(config)# exit
OS10# write memory
● View the audit log.
show logging audit [reverse] [number]
○ reverse—Display entries starting with the most recent events.
● sha1—Use the SHA-1 digest for NTP authentication.
● sha2-256—Use the SHA2-256 digest for NTP authentication.
View what NTP authentication is used
Use the following to view what NTP authentication is configured on the system:
OS10# show running-configuration ntp
!
ntp authenticate
ntp authentication-key 345 md5 0 5A60910FED211F02
ntp server 1.1.1.1 key 345
ntp trusted-key 345
ntp master 7
...
This example uses an MD5 key. Where the NTP peers support it, configure the key with sha2-256 instead, and make sure the key number referenced by ntp server is also declared with ntp trusted-key, as shown above; a server whose key is not trusted is not authenticated.
OS10(config-control-plane)# end
OS10# write memory
NOTE: Define the necessary ACL rules before applying the ACL to the control plane. A control-plane ACL that is missing permit rules for your management and routing-protocol traffic can cut off access to the switch itself.
Data plane rules
The data plane is the part of the network that carries user traffic. Data plane rules include services and settings that affect user data. Apply these rules on border-filtering devices that connect internal networks to external networks, such as the Internet.
!
 neighbor 1.1.1.1
  password 9 9ee88a6225a049667a2e5294d8b0808c2ac2141a2930c06e431bf40cfcf685b1
....
Configure OSPF authentication if OSPF is used
Rationale: If you run OSPF, secure the session with a password configured on both OSPF peers.
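Several of the checks above (strong password check, EXEC timeout, audit logging, linuxadmin, NTP authentication, BGP neighbor passwords) can be verified together against a saved running configuration. The following is an added example, not part of this guide and not a Dell tool: it audits the text of show running-configuration for those settings, keyed on the exact command strings this guide shows. The sample configuration it runs on is constructed for the demonstration; the preference for sha2-256 over md5 NTP keys is the example's own hardening choice, and only BGP neighbors directly under router bgp are inspected.

```python
"""Added example (not Dell EMC OS10 code): audit a saved OS10
'show running-configuration' for the best practices in this guide.
SAMPLE_CONFIG is a constructed excerpt, not output from a real switch."""
import re

SAMPLE_CONFIG = """\
! Constructed sample configuration for the demo
hostname OS10
service simple-password
username admin password $6$xyz role sysadmin
aaa authentication login default local
logging audit enable
ntp authentication-key 345 md5 0 5A60910FED211F02
ntp server 1.1.1.1 key 345
ntp trusted-key 345
!
router bgp 65001
 neighbor 1.1.1.1
  remote-as 65002
  no shutdown
 !
 neighbor 1.1.1.2
  remote-as 65003
  password 9 9ee88a6225a049667a2e5294d8b0808c2ac2141a2930c06e431bf40cfcf685b1
  no shutdown
"""


def bgp_neighbors_without_password(config: str) -> list:
    """Return neighbors under 'router bgp' that have no password line.

    Assumes OS10's indentation: ' neighbor X' at one space, its settings at two.
    """
    missing, current, has_pw, in_bgp = [], None, False, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("router bgp"):
            in_bgp = True
            continue
        if in_bgp and raw and not raw.startswith(" ") and not raw.startswith("!"):
            in_bgp = False                     # next top-level command ends the block
        if not in_bgp:
            continue
        if raw.startswith(" neighbor "):
            if current and not has_pw:
                missing.append(current)
            current, has_pw = line.split()[1], False
        elif line.startswith("password ") and current:
            has_pw = True
    if current and not has_pw:
        missing.append(current)
    return missing


def audit(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    def has(pattern: str) -> bool:
        return re.search(pattern, config, re.M) is not None

    findings = []
    if has(r"^service simple-password$"):
        findings.append("strong password check disabled (service simple-password present)")
    if not has(r"^exec-timeout \d+"):
        findings.append("no exec-timeout configured (default: sessions never time out)")
    if not has(r"^logging audit enable$"):
        findings.append("audit logging not enabled")
    if not has(r"^system-user linuxadmin disable$"):
        findings.append("linuxadmin account not disabled")
    if has(r"^ntp server ") and not has(r"^ntp authenticate$"):
        findings.append("NTP servers configured without ntp authenticate")
    if has(r"^ntp authentication-key \d+ md5 "):
        findings.append("NTP authentication key uses md5 (prefer sha2-256)")
    for neighbor in bgp_neighbors_without_password(config):
        findings.append(f"BGP neighbor {neighbor} has no password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-configuration captured over SSH; the checks are string matches on the command forms used in this guide, so extend the regular expressions if your configuration uses a different form.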
○ key-file {key-path | private}—Enter the local path where the downloaded or locally generated private key is stored. If the key is on a remote server, enter the server path and use a secure transfer method, such as HTTPS, SCP, or SFTP. Enter private to store the key in a local hidden location.
○ country 2-letter-code—(OPTIONAL) Enter the two-letter code that identifies the country.
○ state state—Enter the name of the state.
○ locality city—Enter the name of the city.
The following output displays the installed certificates, the validity period, and details about the CA.
OS10# show crypto cert
-------------------------------------
| Installed non-FIPS certificates |
-------------------------------------
Dell_host1_CA1.pem
-------------------------------------
| Installed FIPS certificates |
-------------------------------------
OS10# show crypto cert Dell_host1_CA1.
1. Create a self-signed certificate in EXEC mode. Store the device.key file in a secure, persistent location, such as NVRAM.
OS10# show crypto cert DellHost.pem
------------ Non FIPS certificate ----------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 245 (0xf5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: emailAddress = admin@dell.com
        Validity
            Not Before: Feb 11 20:10:12 2019 GMT
            Not After : Feb 11 20:10:12 2020 GMT
        Subject: emailAddress = admin@dell.
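The certificate shown above is valid for one year, and a certificate that lapses takes RADIUS over TLS or SmartFabric services down with it. The following is an added example, not part of this guide and not an OS10 feature: it parses the text of show crypto cert name (the switch exposes no API for this, so the script works on the captured CLI output) and classifies the certificate as valid, expiring soon, expired, or not yet valid relative to a supplied time. The sample output is constructed to match the format shown above.

```python
"""Added example (not Dell EMC OS10 code): parse the 'show crypto cert <name>'
text output and report certificate validity. The sample below is constructed
after the format the guide shows."""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_SHOW_CRYPTO_CERT = """\
------------ Non FIPS certificate ----------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 245 (0xf5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: emailAddress = admin@dell.com
        Validity
            Not Before: Feb 11 20:10:12 2019 GMT
            Not After : Feb 11 20:10:12 2020 GMT
        Subject: emailAddress = admin@dell.com
"""


def _field(text: str, label: str) -> str:
    """Return the value after 'label:' (tolerating 'Not After :' spacing)."""
    match = re.search(rf"^\s*{label}\s*:\s*(.+?)\s*$", text, re.M)
    if not match:
        raise ValueError(f"field {label!r} not found in certificate output")
    return match.group(1)


def parse_validity(text: str) -> tuple:
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    def to_dt(value: str) -> datetime:
        # OpenSSL pads single-digit days with two spaces; collapse the whitespace.
        stamp = " ".join(value.split())
        return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return to_dt(_field(text, "Not Before")), to_dt(_field(text, "Not After"))


def check_cert(text: str, now: datetime, warn_days: int = 30) -> str:
    """Classify the certificate at time `now`."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(_field(SAMPLE_SHOW_CRYPTO_CERT, "Subject"), "->", check_cert(SAMPLE_SHOW_CRYPTO_CERT, now))
```

Run it against each name listed by show crypto cert; because the switch clock drives its own validity checks, keep NTP authenticated (see the NTP rules above) so that a skewed clock does not silently make a valid certificate unusable.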
Example: Configure CDP
OS10# crypto cdp add cert1_cdp http://crl.chambersign.org/chambersignroot.crl
Successfully added CDP
OS10# show crypto cdp
-------------------------------------
| Manually installed CDPs |
-------------------------------------
cert1_cdp.crl_url
-------------------------------------
| Automatically installed CDPs |
-------------------------------------
Example: Install CRL
OS10# crypto crl install home://pki-regression/Network_Solutions_Certificate_Authority.0.crl.pem
Processing file ...
For example, you can maintain different security profiles for RADIUS over TLS authentication and SmartFabric services. Assign a security profile to an application when you configure the profile.
When you install a certificate-key pair, both take the name of the certificate. For example, if you install a certificate using:
OS10# crypto cert install cert-file home://Dell_host1.pem key-file home://abcd.key
the certificate-key pair is installed as Dell_host1.pem and Dell_host1.key.
The following shows whether a security profile is assigned:
OS10# show running-configuration radius-server
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9
Smart card authentication for SSH
OS10 allows you to use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards for authenticating users when connecting to the device with SSH.
10. If peer-name-checking is enabled in the security profile, the OS10 SSH server matches the common name or principal name fields from the user certificate against the username.
11. If there is no match, the OS10 SSH server attempts to match the user certificate fields against any configured certificate for that local username.
12. If there is no match, the authentication fails.
13. The OS10 SSH server prompts you for a password.
14.
● If you enable the key-usage-check in the security profile but the user certificates use a different name syntax than the user login names, configure the user certificate details to allow the SSH server to match the user certificate to the account.
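The matching order in steps 10 to 12, and the fallback the bullet above describes for certificates whose names do not follow the login-name syntax, as an added example written for this page (it is not OS10 code, and OS10 does not expose this logic as an API). Certificates are represented as dicts of already-extracted fields; the field names, the PIV-style names, and the shape of the "configured certificate" mapping (a list of expected field values per local user) are assumptions made for the illustration.

```python
"""Added example (not Dell EMC OS10 code): the user-to-certificate matching
order described for smart card SSH logins, as a decision function.
Field names, sample names and the mapping structure are assumptions."""


def match_user_certificate(username: str, cert: dict, profile: dict,
                           configured_certs: dict):
    """Return the rule that accepted the certificate, or None (authentication fails).

    username         - login name presented by the SSH client
    cert             - dict with 'common_name' and 'principal_name' from the user cert
    profile          - security-profile flags, here only {'peer_name_check': bool}
    configured_certs - username -> list of dicts of certificate fields expected
                       for that local user (the fallback when name syntaxes differ)
    """
    # Step 10: with peer-name-checking, the CN or principal name must equal the username.
    if profile.get("peer_name_check"):
        for field in ("common_name", "principal_name"):
            if cert.get(field) and cert[field] == username:
                return f"peer-name:{field}"
    # Step 11: otherwise compare the certificate fields against each certificate
    # configured for this local username; every configured field must match.
    for expected in configured_certs.get(username, ()):
        if expected and all(cert.get(k) == v for k, v in expected.items()):
            return "configured-certificate"
    # Step 12: no match, so the certificate is not accepted.
    return None


def run_demo() -> list:
    """Constructed PIV-style certificate whose names differ from the login name."""
    profile = {"peer_name_check": True}
    configured = {"jdoe": [{"principal_name": "1234567890@mil"}]}
    piv = {"common_name": "DOE.JOHN.1234567890", "principal_name": "1234567890@mil"}
    return [
        match_user_certificate("jdoe", piv, profile, configured),
        match_user_certificate("1234567890@mil", piv, profile, configured),
        match_user_certificate("jdoe", piv, profile, {}),
        match_user_certificate("jdoe", piv, {"peer_name_check": False}, configured),
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The third case is the one the bullet above warns about: the login name "jdoe" appears nowhere in the certificate and no certificate details are configured for the user, so the certificate is rejected even though it is valid.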