Dell EMC SmartFabric OS10 Security Best Practices Guide May 2021 05 2021 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020-2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Chapter 1: OS10 security best practices
On first boot
Password rules
1 OS10 security best practices
This document provides a set of recommendations for securing switches that run Dell EMC SmartFabric OS10. For detailed configuration, see the Dell EMC SmartFabric OS10 User Guide. You can find Dell EMC documentation at https://www.dell.com/support/.
Applicability
The recommendations that are provided in this document apply up to Dell EMC SmartFabric OS10.5.x.x.
On first boot
When you boot the switch for the first time, the system performs Zero-touch deployment (ZTD).
Rationale: If you do not want your users to access the Linux shell, disable the linuxadmin account.
Configuration:
OS10(config)# system-user linuxadmin disable
OS10(config)# exit
OS10# write memory
Disable access to Linux commands
Rationale: Even if you disable the linuxadmin user, users can access Linux commands using the system command. To disable access to Linux commands completely, use the system-cli command.
Check if strong password check is enabled
By default, strong password check is enabled on the system and the no service simple-password command is implicit in the running configuration. To verify if strong password check is enabled, use the following command:
OS10(config)# do show running-configuration | grep simple
service simple-password
If the output contains service simple-password, simple passwords were explicitly enabled and the strong password check is off.
Enforce stronger passwords
Rationale: By default, the password you configure must be at least nine alphanumeric and special characters.
Check if FIPS is enabled
Use the following command to verify if FIPS is enabled on the system:
OS10# show fips status
FIPS mode: Disabled
Enable and configure secure boot
OS10 secure boot provides a mechanism to verify the authenticity and integrity of the OS10 image. Secure boot protects a system from malicious code being loaded and run during the boot process. Use the secure boot feature to validate the OS10 image during installation and on demand at any time.
Configuration:
OS10# image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}
NOTE: When secure boot is enabled, you can only upgrade OS10 using the image secure-install command.
Validate OS10 image before ONIE OS manual installation
Rationale: When secure boot is enabled and you manually install an OS10 image using ONIE, you can validate the image using PKI or SHA256.
○ username username—Enter a text string; 32 alphanumeric characters maximum; one character minimum.
○ password password—Enter a text string; 32 alphanumeric characters maximum; nine characters minimum.
○ role role—Enter a user role:
■ sysadmin—Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles.
Port security
Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement. Port security is a package of the following sub-features that provide added security to the system:
1. MAC address learning limit (MLL)
2. Sticky MAC
3.
● To shut down an interface on a MAC address learning limit violation, use the shutdown option.
Rationale: If the system detects the same MAC address on a port-security-enabled interface that it has already learned through another port-security-enabled interface, by default the system considers this a MAC address move violation. You can configure MAC address move violation actions. You can also configure the system to permit MAC address movement across port-security-enabled interfaces.
Configuration:
● To display which MAC address causes a violation, use the log option.
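The learning-limit and MAC-move behaviour described in this section, modelled as an added example (not OS10 code): a per-interface learning limit, move detection across port-security interfaces, the log and shutdown violation actions, and the option to permit moves. The event model, action names and the sample MAC addresses are assumptions made for illustration.

```python
"""Model of two port-security sub-features: MAC address learning limit (MLL)
and MAC address move detection, with configurable violation actions.
Added example, not OS10 code; names and behaviour details are assumptions."""
from dataclasses import dataclass, field


@dataclass
class PortSecurityPolicy:
    mac_limit: int                 # MAC address learning limit per interface
    limit_action: str = "log"      # "log" or "shutdown" on a learning-limit violation
    move_action: str = "log"       # "log" or "shutdown" on a MAC move violation
    permit_moves: bool = False     # allow MAC movement across port-security interfaces


@dataclass
class PortSecuritySwitch:
    policy: PortSecurityPolicy
    table: dict = field(default_factory=dict)   # mac -> interface it was learned on
    shutdown: set = field(default_factory=set)  # interfaces shut down by a violation
    log: list = field(default_factory=list)     # violation records (the "log" action)

    def _violation(self, kind: str, mac: str, iface: str) -> str:
        action = self.policy.limit_action if kind == "limit" else self.policy.move_action
        self.log.append(f"{kind}-violation mac={mac} iface={iface} action={action}")
        if action == "shutdown":
            self.shutdown.add(iface)
        return "drop"

    def learn(self, mac: str, iface: str) -> str:
        """Process a frame with source mac on iface; returns 'learn', 'forward' or 'drop'."""
        if iface in self.shutdown:
            return "drop"
        owner = self.table.get(mac)
        if owner == iface:
            return "forward"
        if owner is not None:
            # Same MAC already learned on another port-security interface: a MAC move.
            if not self.policy.permit_moves:
                return self._violation("move", mac, iface)
            del self.table[mac]
        learned_here = sum(1 for i in self.table.values() if i == iface)
        if learned_here >= self.policy.mac_limit:
            return self._violation("limit", mac, iface)
        self.table[mac] = iface
        return "learn"


if __name__ == "__main__":
    # Constructed scenario: limit of 2 MACs, shut the port on a limit violation.
    sw = PortSecuritySwitch(PortSecurityPolicy(mac_limit=2, limit_action="shutdown"))
    for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"):
        print(mac, "->", sw.learn(mac, "eth1"))
    print("shut down:", sorted(sw.shutdown), "log:", sw.log)
```

With the default `permit_moves=False`, a MAC that reappears on a second interface is dropped and recorded rather than relearned; with `permit_moves=True` the entry simply follows the station, which is the relaxed behaviour the guide says you can choose.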
Configuration:
OS10(config)# aaa authentication login {console | default} local
OS10(config)# exit
OS10# write memory
● console—Configure authentication methods for console logins.
● default—Configure authentication methods for SSH and Telnet logins.
● local—Use the local username, password, and role entries configured with the username password role command.
● stop-only—Send only a stop notice when a process ends.
● none—No accounting notices are sent.
● logging—Logs all accounting notices in syslog.
● group tacacs+—Logs all accounting notices on the first reachable TACACS+ server.
The authentication methods in the method list work in the order they are configured.
● hostname—Enter the hostname of the RADIUS server.
● ip-address—Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● 0 authentication-key—Enter an authentication key in plain text. A maximum of 42 characters.
● 9 authentication-key—Enter an authentication key in encrypted format. A maximum of 128 characters.
● authentication-key—Enter an authentication key in plain text. A maximum of 42 characters. It is not necessary to enter 0 before the key.
Configure EXEC session timeout
Rationale: By default, there is no EXEC timeout configured. To prevent unauthorized access to the EXEC mode, configure a timeout interval.
Configuration:
OS10(config)# exec-timeout timeout-value
OS10(config)# exit
OS10# write memory
timeout-value—Specify the number of seconds of inactivity on the system before disconnecting the current session (0 to 3600).
OS10(config)# exit
OS10# write memory
Enable login banner
Rationale: The login banner is displayed after the user logs in to the system.
Configuration:
OS10(config)# banner motd % DellEMC S4148U-ON login Enter your username and password %
OS10(config)# exit
OS10# write memory
SNMP rules
Restricted Simple Network Management Protocol (SNMP) access improves device security when SNMP is used.
○ view-name—Enter the name of a read-only, read/write, or notify view. A maximum of 32 characters.
○ oid-tree—Enter the SNMP object ID at which the view starts, in 12-octet dotted-decimal format.
○ included—(Optional) Include the MIB family in the view.
○ excluded—(Optional) Exclude the MIB family from the view.
● Configure SNMP groups.
OS10(config)# snmp-server group group-name v3 security-level [read view-name] [write view-name] [notify view-name]
○ group-name—Enter the name of the group.
Configuration:
OS10(config)# clock timezone standard-timezone UTC
OS10(config)# exit
OS10# write memory
Logging rules
Logging can be used for error and information notification, security auditing, and network forensics.
Enable logging on the console
Rationale: Enable logging to the console and restrict the severity to critical so that log messages do not affect system performance.
○ reverse—Display entries starting with the most recent events.
○ number—Display the specified number of audit log entries, from 1 to 65535.
View which logging rules are enabled
OS10# show running-configuration logging
!
logging audit enable
NTP rules
Network Time Protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients and coordinates time distribution in a large, diverse network. NTP clients synchronize with NTP servers that provide accurate time measurement.
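Several of the checks above (the linuxadmin account, strong password check, EXEC timeout, AAA login method, login banner, audit logging) are verified by reading the running configuration. The following added example (not Dell or OS10 code) audits a `show running-configuration` text against those checks in one pass. The sample configuration is constructed for illustration, and the line syntax assumed for each check is exactly the command form shown in this guide.

```python
"""Audit an OS10 running-configuration against the hardening checks in this guide
(linuxadmin disabled, strong password check, EXEC timeout, AAA login method,
login banner, audit logging). Added example, not Dell code; the sample
configuration text below is constructed, not captured from a switch."""
import re

# Constructed sample of `show running-configuration` output. It deliberately
# leaves two of the guide's best practices unmet.
SAMPLE_CONFIG = """\
! Version 10.5.2.4
hostname OS10
service simple-password
system-user linuxadmin disable
aaa authentication login default local
banner motd % DellEMC S4148U-ON login Enter your username and password %
logging audit enable
snmp-server community public ro
"""

# (check name, line-anchored regex, whether a matching line must be present).
# Anchoring at ^ keeps "no exec-timeout" from satisfying the exec-timeout check.
CHECKS = [
    ("linuxadmin account disabled",   r"^system-user linuxadmin disable$", True),
    ("strong password check enabled", r"^service simple-password$",        False),
    ("EXEC timeout configured",       r"^exec-timeout \d+$",               True),
    ("AAA login method configured",   r"^aaa authentication login ",       True),
    ("login banner configured",       r"^banner motd ",                    True),
    ("audit logging enabled",         r"^logging audit enable$",           True),
]


def audit_config(config_text: str) -> dict:
    """Return {check name: True if the configuration complies, else False}."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    results = {}
    for name, pattern, must_be_present in CHECKS:
        present = any(re.match(pattern, ln) for ln in lines)
        results[name] = present == must_be_present
    return results


def failing_checks(config_text: str) -> list:
    """Names of the checks the configuration fails, in guide order."""
    return [name for name, ok in audit_config(config_text).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it against the text of `show running-configuration` saved from a switch; for the constructed sample it reports the missing EXEC timeout and the explicitly enabled `service simple-password`, which is the case the grep in the strong-password check above is looking for.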
Loopback rules
Loopback interfaces are virtual interfaces and, unlike physical interfaces, loopback interfaces do not go down unless they are manually removed. This property provides security and consistency for device identification and stability.
Configure a loopback interface
Rationale: Configure a loopback interface that can be used for multiple system services.
originating from the Internet is most likely an attack. Configure ACL rules to deny any traffic from the external network that has a source address that should reside on the internal network, and apply them on the interfaces that connect to an external network.
CAUTION: Verify that multicast is not in use before blocking an address range.
Use the following command to view which OSPF neighbor authentication is enabled on the system:
OS10# show running-configuration ospf
!
ip ospf 100 area 0.0.0.0
ip ospf message-digest-key 2 md5 sample12345
...
Disable proxy ARP
Rationale: Proxy ARP is a technique in which a network device answers ARP requests on behalf of other devices, supplying the MAC address of a device that is not present on the local network. DoS attacks are possible with misconfigured network devices.
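What the `message-digest-key` line above buys you is shown in this added example (not OS10 code): OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D, where the sender appends MD5(packet || key zero-padded to 16 bytes) and the receiver recomputes the digest with the key selected by the key ID and rejects a packet whose digest or sequence number is wrong. The hello body, router/area IDs and the key value are constructed; the key ID 2 mirrors the configuration line shown.

```python
"""RFC 2328 Appendix D OSPFv2 cryptographic (MD5) authentication: build a packet
carrying the digest and verify one on receipt. Added example, not OS10 code;
the packet contents and key below are constructed."""
import hashlib
import hmac
import struct

OSPF_HEADER_LEN = 24
AUTH_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16


def md5_auth_digest(packet: bytes, key: bytes) -> bytes:
    # The key is used as one 16-byte block: truncated or zero-padded (RFC 2328 D.3).
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()


def build_ospf_packet(ptype: int, router_id: bytes, area_id: bytes, body: bytes,
                      key_id: int, seq: int, key: bytes) -> bytes:
    """Header + body with the crypto auth field filled in, digest appended.
    With cryptographic auth the checksum is zero and the length field
    excludes the trailing 16-byte digest."""
    length = OSPF_HEADER_LEN + len(body)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBH4s4sHH8s", 2, ptype, length, router_id, area_id,
                         0, AUTH_CRYPTOGRAPHIC, auth_field)
    packet = header + body
    return packet + md5_auth_digest(packet, key)


def verify_ospf_packet(frame: bytes, keys: dict, last_seq: int = -1) -> tuple:
    """Return (ok, reason). keys maps key ID -> configured key bytes;
    last_seq is the highest sequence number already accepted from this neighbor."""
    if len(frame) < OSPF_HEADER_LEN:
        return False, "short header"
    version, _ptype, length, _rid, _aid, _csum, autype, auth = struct.unpack(
        "!BBH4s4sHH8s", frame[:OSPF_HEADER_LEN])
    if version != 2 or autype != AUTH_CRYPTOGRAPHIC:
        return False, "not OSPFv2 cryptographic authentication"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != DIGEST_LEN or len(frame) < length + DIGEST_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    expected = md5_auth_digest(frame[:length], key)
    # Constant-time comparison of the trailing digest.
    if not hmac.compare_digest(expected, frame[length:length + DIGEST_LEN]):
        return False, "digest mismatch"
    if seq <= last_seq:
        return False, "replayed sequence number"
    return True, "ok"


if __name__ == "__main__":
    keys = {2: b"sample12345"}                     # key ID 2, as in the config line above
    hello = build_ospf_packet(1, b"\x0a\x00\x00\x01", b"\x00\x00\x00\x00",
                              b"\xff\xff\xff\x00\x00\x0a", 2, 100, keys[2])
    print(verify_ospf_packet(hello, keys))         # (True, 'ok')
    print(verify_ospf_packet(hello, {2: b"other"}))  # (False, 'digest mismatch')
```

The sequence-number check is the replay defence the RFC adds on top of the digest; a neighbor that reuses an old sequence number with a valid digest is still rejected. MD5 here is the algorithm the command above selects, not a recommendation for new designs.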
different common name for the switch; for example, an IP address. If the common-name value does not match the identity of the device, a signed certificate does not validate.
○ email email-address—Enter a valid email address used to communicate with the organization.
○ validity days—Enter the number of days that the certificate is valid. For a CSR, validity has no effect. For a self-signed certificate, the default is 3650 days or 10 years.
○ length bit-length—Enter a bit value for the keyword length.
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1
Validity
Not Before: Jul 25 19:11:19 2018 GMT
Not After : Jul 22 19:11:19 2028 GMT
Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e7:81:4b:4a:12:8d:ce:88:e6:73:3f:da:19:03:
c6:56:01:19:b2
If you enter the cert-file option, you must enter all the required parameters, including the local path where the certificate and private key are stored. If you do not specify the cert-file option, you are prompted to enter the other parameter values for the certificate interactively; for example:
You are about to be asked to enter information that will be incorporated in your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
Validity
Not Before: Feb 11 20:10:12 2019 GMT
Not After : Feb 11 20:10:12 2020 GMT
Subject: emailAddress = admin@dell.
-------------------------------------
| Manually installed CDPs |
-------------------------------------
cert1_cdp.crl_url
-------------------------------------
| Automatically installed CDPs |
-------------------------------------
Example: Install CRL
OS10# crypto crl install home://pki-regression/Network_Solutions_Certificate_Authority.0.crl.pem
Processing file ...
issuer=C=US,O=Network Solutions L.L.C.,CN=Network Solutions Certificate Authority.0.crl.
When you install a certificate-key pair, both take the name of the certificate. For example, if you install a certificate using:
OS10# crypto cert install cert-file home://Dell_host1.pem key-file home://abcd.key
the certificate-key pair is installed as Dell_host1.pem and Dell_host1.key. In configuration commands, enter the pair as Dell_host1. When you configure a security profile, you enter Dell_host1 in the certificate certificate-name command.
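Two of the conditions this certificate section sets out, that the Subject CN must match the identity the switch presents (hostname or IP address) and that the current date must fall inside the Validity window, can be checked before a certificate is installed or assigned to a security profile. This added example (not OS10 or Dell code) parses the openssl-style text dump the guide shows and reports those problems. The dump is constructed to mirror the one shown above; the device identity values passed in are assumptions.

```python
"""Pre-install checks on a certificate shown in openssl `-text` form: does the
Subject CN match the device identity, and is the certificate within its
validity period? Added example, not OS10 code; the dump below is constructed."""
import re
from datetime import datetime, timezone

# Constructed sample, mirroring the fields of the dump shown in the guide.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1
        Validity
            Not Before: Jul 25 19:11:19 2018 GMT
            Not After : Jul 22 19:11:19 2028 GMT
        Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
"""

DATE_FMT = "%b %d %H:%M:%S %Y"   # e.g. "Jul 25 19:11:19 2018"; openssl prints GMT


def parse_cert_text(text: str) -> dict:
    """Pull the issuer/subject CN and the validity window out of the dump."""

    def rdn(line_label: str, rdn_name: str):
        m = re.search(rf"^\s*{line_label}:\s*(.*)$", text, re.M)
        if not m:
            return None
        for part in m.group(1).split(","):
            k, _, v = part.strip().partition("=")
            if k.strip() == rdn_name:
                return v.strip()
        return None

    def when(label: str):
        m = re.search(rf"^\s*{label}\s*:\s*(.+?)\s+GMT\s*$", text, re.M)
        if not m:
            return None
        return datetime.strptime(m.group(1), DATE_FMT).replace(tzinfo=timezone.utc)

    return {
        "issuer_cn": rdn("Issuer", "CN"),
        "subject_cn": rdn("Subject", "CN"),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
    }


def check_certificate(text: str, device_identity: str, now=None) -> list:
    """Return a list of problems; an empty list means the certificate is usable.
    `now` may be None (current UTC time), a datetime, or an ISO date string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    c = parse_cert_text(text)
    problems = []
    if c["subject_cn"] is None:
        problems.append("no Subject CN")
    elif c["subject_cn"] != device_identity:
        problems.append(f"CN {c['subject_cn']!r} does not match device identity {device_identity!r}")
    if c["not_before"] is None or c["not_after"] is None:
        problems.append("validity period not found")
    elif now < c["not_before"]:
        problems.append("certificate not yet valid")
    elif now > c["not_after"]:
        problems.append("certificate expired")
    return problems


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT_TEXT, "Dell_host1_CA1", "2021-05-01"))  # []
    print(check_certificate(SAMPLE_CERT_TEXT, "10.1.1.5", "2021-05-01"))        # CN mismatch
```

The CN comparison is exact, matching the guide's statement that a signed certificate does not validate when the common name differs from the presented identity; a certificate issued for the hostname will be flagged if the switch is instead reached by IP address.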
Smart card authentication for SSH
OS10 allows you to use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards for authenticating users when connecting to the device with SSH. CAC and PIV smart cards contain Public Key Infrastructure (PKI) X.509v3 certificates that are issued by certificate authorities. This feature allows the OS10 software to verify user authentication and email signing and encryption. To use smart card authentication, use an SSH client that supports X.
13. The OS10 SSH server prompts you for a password.
14. The OS10 SSH server performs standard local user authentication using the username and returned password.
15. On successful authentication, the SSH session continues.
Local user authentication without a password
When you configure the OS10 SSH server for X.509v3 SSH local authentication, and when connecting using SSH, the following sequence occurs:
1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard.
2.
Configure local user authentication without a password
To support password-less local user authentication using a smart card and password, configure the following:
● Enable password-less X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name password-less
● Leave plain password authentication enabled for users that do not have a configured certificate.
2. Verify if the system is in full switch mode.
Switch-A:
Switch-A# show switch-operating-mode
8713-ToR-2# Switch-Operating-Mode : Full Switch Mode
Switch-B:
Switch-B# show switch-operating-mode
8713-ToR-2# Switch-Operating-Mode : Full Switch Mode
3. Verify if VLT is converged.
Switch-A:
Switch-A# show vlt 255
Domain ID : 255
Unit ID : 1
Role : primary
Version : 2.
● orgunit unit-name—Enter the name of the unit.
● cname common-name—Enter the common name assigned to the certificate. The common name is the main identity that is presented to connecting devices. By default, the host name of the switch is the common name. You can configure a different common name for the switch; for example, an IP address. If the common-name value does not match the device's presented identity, a signed certificate does not validate.
Switch-A:
Switch-A(config)# crypto security-profile DELL123
Switch-B:
Switch-B(config)# crypto security-profile DELL123
11. Assign the certificate and private key pair to the security profile. Enter the certificate name without the file extension.
Switch-A:
Switch-A(config-sec-profile)# certificate dell
Switch-B:
Switch-B(config-sec-profile)# certificate dell
12. Create a security profile for the cluster.
----------------------------------------------------------------------------------
2 20:04:0f:21:9a:00 up fda5:74c8:b79e:1::2 2.3
Switch-B:
Switch-B# show vlt 255
Domain ID : 255
Unit ID : 2
Role : secondary
Version : 2.