API Guide

Use the following command to view which OSPF neighbor authentication is enabled on the system:
OS10# show running-configuration ospf
!
ip ospf 100 area 0.0.0.0
ip ospf message-digest-key 2 md5 sample12345
...
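The check above can be automated over saved command output. The following Python sketch is an added example, not part of the OS10 guide: it reports interfaces that run OSPF but have no message-digest key. The sample text is constructed, the function names are hypothetical, and the layout (an "interface" header per stanza, stanzas separated by "!") is an assumption about the full output.

```python
import re

# Constructed sample of saved `show running-configuration ospf` output.
# Assumption: each stanza opens with "interface <name>" and ends at "!".
SAMPLE = """\
!
interface ethernet1/1/1
 ip ospf 100 area 0.0.0.0
 ip ospf message-digest-key 2 md5 sample12345
!
interface ethernet1/1/2
 ip ospf 100 area 0.0.0.0
!
interface vlan10
 ip ospf 100 area 0.0.0.1
 ip ospf message-digest-key 1 md5 sample67890
!
router ospf 100
"""

AREA_RE = re.compile(r"^ip ospf (\d+) area (\S+)$")
KEY_RE = re.compile(r"^ip ospf message-digest-key (\d+) md5 ")

def audit_ospf_auth(config_text):
    """Return {interface: {"area": str, "key_ids": [int]}} for OSPF interfaces."""
    result, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None  # stanza separator
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current:
            area, key = AREA_RE.match(line), KEY_RE.match(line)
            if area or key:
                entry = result.setdefault(current, {"area": None, "key_ids": []})
                if area:
                    entry["area"] = area.group(2)
                else:
                    # Record only the key ID; never echo the secret itself.
                    entry["key_ids"].append(int(key.group(1)))
    return result

def unauthenticated(config_text):
    """Interfaces that run OSPF but carry no MD5 message-digest key."""
    return sorted(n for n, v in audit_ospf_auth(config_text).items() if v["area"] and not v["key_ids"])

if __name__ == "__main__":
    for name in unauthenticated(SAMPLE):
        print(f"{name}: OSPF enabled without message-digest-key")
```

Run it against output captured from each switch; any interface it lists forms OSPF adjacencies without neighbor authentication.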
Disable proxy ARP
Rationale: Proxy ARP is a technique that network devices use to acquire the MAC address of a device which is not present in
the network on behalf of other devices. DoS attacks are possible with misconfigured network devices.
Configuration:
OS10(config)# interface interface-name
OS10(conf-if-eth1/1/1)# no ip proxy-arp
OS10(conf-if-eth1/1/1)# end
OS10# write memory
X.509v3 certificates
OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server. Both
the switch and the server exchange a public key in a signed X.509v3 certificate issued by a certificate authority (CA) to
authenticate each other. The certificate authority uses its private key to sign host certificates.
Generate a certificate signing request and private key
Rationale: To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network,
a public key infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that prove the
trustworthiness of network devices.
Configuration:
Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy
it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory,
or use the private option to store the key file in a private hidden location in the internal file system that is not visible to
users.
OS10# crypto cert generate request cert-file cert-path key-file {private | keypath}
country 2-letter-code state state locality city organization organization-name
orgunit unit-name cname common-name email email-address validity days length length
[altname alt-name]
request: Create a certificate signing request to copy to a CA.
cert-file cert-path: (Optional) Enter the local path where the self-signed certificate or CSR is stored. You
can enter a full path or a relative path; for example, flash://certs/s4810-001-request.csr or
usb://s4810-001.crt. If you do not enter the cert-file option, the system interactively prompts you to enter the
remaining fields of the certificate signing request. Export the CSR to a CA using the copy command.
key-file {key-path | private}: Enter the local path where the downloaded or locally generated private key
is stored. If the key was downloaded to a remote server, enter the server path using a secure method, such as HTTPS,
SCP, or SFTP. Enter private to store the key in a local hidden location.
country 2-letter-code: (Optional) Enter the two-letter code that identifies the country.
state state: Enter the name of the state.
locality city: Enter the name of the city.
organization organization-name: Enter the name of the organization.
orgunit unit-name: Enter the name of the unit.
cname common-name: Enter the common name assigned to the certificate. Common name is the main identity
presented to connecting devices. By default, the hostname of the switch is the common name. You can configure a
OS10 security best practices