Dell PowerSwitch S4048T-ON SmartFabric OS10 Security Best Practices Guide July
- Dell PowerSwitch S4048T-ON | SmartFabric OS10 Security Best Practices Guide July - Page 1
SmartFabric OS10 Security Best Practices Guide, July 2020, Rev. A02
Page 2
of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be

Page 3
Contents
Chapter 1: OS10 security best practices ... 4
  On first boot ... 4
  Password rules ... 5
  Federal Information Processing Standards (FIPS) ... 6
  Enable and configure secure boot ... 6
  Users, roles, and privilege levels ... 7
  Port security ... 9
  Management plane ... 11
  Role-based access control ... 11
  Access rules
Page 4
Dell EMC SmartFabric OS10. For detailed configuration, see the Dell EMC SmartFabric OS10 User Guide. You can find Dell EMC documentation at https://www.dell.com/support

linuxadmin password
Rationale: You use the Linux shell for troubleshooting and diagnostic purposes. After the first OS10 login,

Page 5
at least characters with alphanumeric and special characters. If strong password check is disabled, enable it.
Configuration:
OS10(config)# no service simple-password
OS10(config)# exit
OS10# write memory

Enforce stronger passwords
Rationale: By default, the password you configure must be at

Page 6
When choosing your password, Dell EMC Networking recommends that you use multiple and easy-to-

show command outputs so that text characters do not display.
Configuration:
OS10(config)# service obscure-password
OS10(config)# exit
OS10# write memory
OS10# show running-configuration users
username
Page 7
Validate OS10 image before ONIE OS manual installation
Rationale: When secure boot is enabled and you manually install an OS10 image using ONIE, you

Accesses class-map, DHCP, logging, monitor, openFlow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and

Page 8
for each privilege level in CONFIGURATION mode. Use the enable password command to switch between privilege levels and access the commands that are supported at each level.
OS10(config)# enable password encryption-type password-string priv-lvl privilege-level
OS10(config)# exit
OS10# write memory
Page 9
keyword, the range is from 0 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.

MAC address learning limit example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport

Page 10
MAC address learning limit violation actions configuration example
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-learn
Page 11
-both option.
OS10(config-if-port-sec)# mac-move violation shutdown-both

Management plane
These settings apply to the services, settings, and configuration of the OS10 management plane.

Role-based access control
Role-based access control (RBAC) provides control for access and authorization. Users are
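The port-security settings above (the mac-learn limit, its violation action, and mac-move violation shutdown-both) decide what happens when a port sees more stations than it is allowed to learn, or when a MAC already learned on one secured port shows up on another. The following Python model is added here as an illustration and is not code from the Dell guide or from OS10. The interface names and frame sequence are constructed; the violation keywords beyond those the guide quotes, and the exact handling assumed here (log records the event and permits; the shutdown-* actions err-disable the named port or ports, flush their learned MACs and drop the offending frame), are assumptions to confirm against your OS10 release.

```python
"""Toy model of the OS10 port-security behaviour described in the guide.

Added illustration, not code from the Dell guide or from OS10. It models a
per-interface MAC learning limit (mac-learn limit N, or no-limit) and a
MAC-move policy (mac-move violation shutdown-both and its siblings). The
keyword names beyond those the guide shows, and the handling assumed here
(log = permit and record; shutdown-* = err-disable the named port(s), flush
their learned MACs and drop the offending frame), are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PortPolicy:
    limit: Optional[int] = None        # mac-learn limit 0-3072; None models no-limit
    learn_violation: str = "log"       # assumed keywords: log | shutdown
    move_violation: str = "log"        # assumed: log | shutdown-original |
                                       #   shutdown-offending | shutdown-both


@dataclass
class Switch:
    ports: Dict[str, PortPolicy]
    fdb: Dict[str, str] = field(default_factory=dict)     # mac -> interface
    shutdown: Set[str] = field(default_factory=set)       # err-disabled ports
    events: List[str] = field(default_factory=list)       # syslog-style record

    def _shut(self, intf: str, why: str) -> None:
        """Err-disable a port and flush the MACs learned on it."""
        if intf not in self.shutdown:
            self.shutdown.add(intf)
            self.fdb = {m: p for m, p in self.fdb.items() if p != intf}
            self.events.append(f"{intf} err-disabled: {why}")

    def learned_on(self, intf: str) -> int:
        return sum(1 for p in self.fdb.values() if p == intf)

    def receive(self, intf: str, mac: str) -> str:
        """Process one ingress frame; return 'forward', 'drop' or 'shutdown'."""
        if intf in self.shutdown:
            return "drop"
        pol = self.ports[intf]
        owner = self.fdb.get(mac)
        if owner == intf:
            return "forward"                     # already learned on this port
        if owner is not None:                    # station move between secured ports
            act = pol.move_violation
            self.events.append(f"mac-move {mac}: {owner} -> {intf} ({act})")
            if act == "log":
                self.fdb[mac] = intf
                return "forward"
            if act in ("shutdown-original", "shutdown-both"):
                self._shut(owner, f"mac-move of {mac}")
            if act in ("shutdown-offending", "shutdown-both"):
                self._shut(intf, f"mac-move of {mac}")
                return "shutdown"
            return "drop"
        if pol.limit is not None and self.learned_on(intf) >= pol.limit:
            act = pol.learn_violation
            self.events.append(f"{intf} learn-limit {pol.limit} exceeded by {mac} ({act})")
            if act == "shutdown":
                self._shut(intf, "learn-limit violation")
                return "shutdown"
            return "drop"                        # log: an unlearned MAC is not forwarded
        self.fdb[mac] = intf                     # within the limit: learn and forward
        return "forward"


def run_demo() -> Tuple[List[str], Switch]:
    """Constructed scenario: two access ports, limit 2, shutdown-both on moves."""
    sw = Switch(ports={
        "ethernet1/1/1": PortPolicy(limit=2, learn_violation="log",
                                    move_violation="shutdown-both"),
        "ethernet1/1/2": PortPolicy(limit=2, learn_violation="shutdown",
                                    move_violation="shutdown-both"),
    })
    frames = [                                   # (ingress port, source MAC), constructed
        ("ethernet1/1/1", "00:11:22:33:44:01"),  # learned (1 of 2)
        ("ethernet1/1/1", "00:11:22:33:44:02"),  # learned (2 of 2)
        ("ethernet1/1/1", "00:11:22:33:44:03"),  # over the limit: dropped and logged
        ("ethernet1/1/2", "00:11:22:33:44:01"),  # MAC move: both ports err-disabled
        ("ethernet1/1/1", "00:11:22:33:44:01"),  # port is down: dropped
    ]
    return [sw.receive(i, m) for i, m in frames], sw


if __name__ == "__main__":
    results, sw = run_demo()
    print(results)           # ['forward', 'forward', 'drop', 'shutdown', 'drop']
    print("\n".join(sw.events))
```

The scenario makes the operational cost of shutdown-both visible: a single moved MAC takes both the original and the offending port out of service until an administrator intervenes, which is the behaviour to want on access ports facing untrusted hosts and to avoid on links where legitimate station moves are expected.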
Page 12
| none} [logging] [group tacacs+]
OS10(config)# exit
OS10# write memory
• commands all - Record all user-entered commands. RADIUS accounting does not support this option.
• console - Record all user authentication and logins, or all user-entered commands, in OS10 sessions on console connections.
• default

Page 13
• hostname - Enter the hostname of the RADIUS server.
• ip-address - Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
• tls security-profile profile-name - Enter the security profile that selects the X.509v3 certificate on the switch used for TLS authentication with the RADIUS server.
Page 14
Rationale: By default, in OS10, SSH is the only protocol that is enabled for remote system access. Because the Telnet protocol is not secure, Dell EMC recommends that you do not enable the Telnet server.
NOTE: If you have disabled the SSH server, re-enable it before you disable the Telnet server. Always

Page 15
Rationale: Enable login statistics to view user login information, including the number of successful and failed logins, role changes, and the last time a user logged in; this information displays after a successful login. After enabling login statistics, you can use the show login statistics {all | user} command to

Page 16
OS10(config)# exit
OS10# write memory

Configure SNMP v3
Rationale: SNMP v2c provides no encryption and authenticates only with a clear-text community string. Dell EMC Networking strongly recommends that you use SNMP v3, which supports authenticated and encrypted access to SNMP resources.
Configuration:
• Configure the SNMP engine ID.
snmp-server engineID [local

Page 17
set it to UTC. Setting the system time zone to UTC makes it easier to correlate logs and troubleshoot issues across devices in different time zones.
Configuration:
OS10(config)# clock timezone standard-

configuring X.509v3 PKI certificates, see the Dell EMC SmartFabric OS10 User Guide.

Page 18
Enable audit logging
Rationale: To monitor user activity and configuration changes on the switch, enable the audit log. Only the sysadmin and secadmin roles can enable, view, and clear the audit log.
Configuration:
• Configure audit logging.
OS10(config)# logging audit enable
OS10(config)# exit
OS10
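The management-plane recommendations above (strong password check on, passwords obscured in show output, SSH only with no Telnet server, login statistics, SNMPv3 rather than v2c communities, clock in UTC, audit logging) can all be verified from the text of show running-configuration. The Python script below is an added example, not code from the Dell guide or from OS10; the two sample configurations are constructed, and the command spellings the guide does not quote in full (ip telnet server enable, no ip ssh server enable, login statistics enable, clock timezone standard-timezone UTC, snmp-server community) are assumptions to confirm against your release before relying on the patterns.

```python
"""Hardening audit of an OS10 'show running-configuration' dump.

Added example, not code from the Dell guide or from OS10. It checks the
management-plane recommendations: strong-password check on, passwords
obscured in show output, no Telnet server, SSH server left enabled, login
statistics on, no SNMPv1/v2c communities, clock in UTC and audit logging on.
The sample configurations are constructed. Command spellings the guide does
not quote in full (ip telnet server enable, no ip ssh server enable, login
statistics enable, clock timezone standard-timezone UTC, snmp-server
community) are assumed; adjust the patterns to your release.
"""
import re
from typing import List, Tuple

# (finding id, line pattern, should the line be present?, message when it is not as expected)
CHECKS: List[Tuple[str, str, bool, str]] = [
    ("simple-password", r"service simple-password$", False,
     "strong password check disabled; apply 'no service simple-password'"),
    ("obscure-password", r"service obscure-password$", True,
     "passwords visible in show output; apply 'service obscure-password'"),
    ("telnet", r"ip telnet server enable$", False,
     "Telnet server enabled; use SSH only"),
    ("ssh", r"no ip ssh server enable$", False,
     "SSH server disabled; re-enable it before removing Telnet"),
    ("login-stats", r"login statistics enable$", True,
     "login statistics not enabled"),
    ("snmp-v2c", r"snmp-server community\s", False,
     "SNMPv1/v2c community configured; use SNMPv3 users instead"),
    ("utc", r"clock timezone standard-timezone UTC$", True,
     "system clock not set to UTC"),
    ("audit", r"logging audit enable$", True,
     "audit logging not enabled"),
]


def audit(running_config: str) -> List[str]:
    """Return one finding per failed check, in CHECKS order (empty list = clean)."""
    # '!' lines are comments/separators in the config and never carry settings
    lines = [ln.strip() for ln in running_config.splitlines()
             if not ln.lstrip().startswith("!")]
    findings: List[str] = []
    for fid, pattern, want_present, message in CHECKS:
        # re.match anchors at the line start, so 'no ip telnet server enable'
        # does not count as the Telnet server being enabled
        present = any(re.match(pattern, ln) for ln in lines)
        if present != want_present:
            findings.append(f"{fid}: {message}")
    return findings


WEAK_CONFIG = """\
! constructed sample, not captured from a device
hostname OS10-weak
service simple-password
ip telnet server enable
ip ssh server enable
snmp-server community public ro
clock timezone standard-timezone PST8PDT
"""

HARDENED_CONFIG = """\
! constructed sample, not captured from a device
hostname OS10-hardened
service obscure-password
ip ssh server enable
login statistics enable
! SNMPv3 users and groups go here; no snmp-server community lines
clock timezone standard-timezone UTC
logging audit enable
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Because OS10 omits default settings from the running configuration, the absence of a line is itself evidence (no Telnet line means Telnet is off), which is why the table records whether each line should or should not appear rather than parsing values.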
Page 19
loopback interfaces do not go down unless they are manually removed. This property provides security and consistency for device

plane is part of the network that carries user traffic. Data plane rules include services and settings that affect user data. Apply these rules on border-filtering devices

Page 20
Internet is most likely an attack. Configure ACL rules to deny any traffic from the external network that has a source address that should reside on the internal network, and apply them inbound on the interfaces that connect to an external network.
CAUTION: Verify that multicast is not in use before blocking an
Page 21
X.509v3 certificates
OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server. Both the switch and the server exchange a public key in a signed X.

Page 22
            Not Before: Jul 25 19:11:19 2018 GMT
            Not After : Jul 22 19:11:19 2028 GMT
        Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e7:81:4b:4a:12:8d:ce:

Page 23
SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier:
                4A:20:AA:E1:69:BF:BE:C5:66:2E:22:71:70:B4:7E:32:6F:E0:05:28
            X509v3 Authority Key Identifier:
                keyid:A3:39:CB:C7:76:86:3B:05:44:34:C2:6F:90:73:1F:5F:64:55:5C:76
            X509v3 Key Usage: critical

Generate

Page 24
            Not After : Feb 11 20:10:12 2020 GMT
        Subject: emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024

:95:60:18:90:AF:D8:07:09
            X509v3 Subject Alternative Name:
                DNS:dell.domain.com
    Signature Algorithm: sha256WithRSAEncryption
         b8:83:ae:34:bb:84:e6:b4

Page 25
in EXEC mode.
OS10# show crypto crl [crl-filename]
To delete a manually installed CRL that was configured with the crypto crl install command, use the

different security profiles for RADIUS over TLS authentication and SmartFabric services. Assign a security profile to an application when you

Page 26
the peer device, such as a remote server name.
OS10(config-sec-profile)# peer-name-check
• Use the security profile to configure an X.509v3-based service; for example, to configure RADIUS over TLS authentication using an X.509v3 certificate, enter the radius-server host tls command:
OS10(config)# radius
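The guide prints its certificates in openssl x509 -text form and then introduces peer-name-check, which makes the switch compare the name presented by the peer against the certificate. The Python below is an added example, not code from the Dell guide or from OS10: it parses that text form and reports what a practitioner should verify before binding a certificate to a security profile (validity window, RSA key size, signature hash, and whether the expected peer name is in the Subject CN or a DNS Subject Alternative Name). The two dumps are constructed and patterned after the guide's own; note that the guide's host certificate shows a 1024-bit RSA key and a Not After date of February 2020, both of which these checks would flag. The 2048-bit minimum and the rejection of SHA-1/MD5 signatures are thresholds chosen here, not values the guide states.

```python
"""Pre-installation checks on a certificate given in 'openssl x509 -text' form.

Added example, not code from the Dell guide or from OS10. It reads the text
form the guide prints and reports validity window, RSA key size, signature
hash and whether the expected peer name appears in the Subject CN or a DNS
SAN (the comparison peer-name-check enforces at TLS time). Sample dumps are
constructed, patterned after the guide's; the 2048-bit minimum and the
SHA-1/MD5 rejection are thresholds chosen here, not values the guide states.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

_OPENSSL_DATE = "%b %d %H:%M:%S %Y"          # 'Jul 25 19:11:19 2018', always GMT


@dataclass
class CertInfo:
    not_before: Optional[datetime]
    not_after: Optional[datetime]
    rsa_bits: Optional[int]
    sig_alg: Optional[str]
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _gmt(value: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(value, _OPENSSL_DATE).replace(tzinfo=timezone.utc) if value else None


def parse_cert_text(text: str) -> CertInfo:
    """Extract the fields the checks need from an openssl text dump."""
    def grab(pattern: str) -> Optional[str]:
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    subject = grab(r"^\s*Subject:\s*(.+)$") or ""      # not the 'Subject Public Key Info' line
    cn = re.search(r"CN\s*=\s*([^,]+)", subject)       # CN taken from Subject only, not Issuer
    san = grab(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)$")
    bits = grab(r"Public-Key:\s*\((\d+) bit\)")
    return CertInfo(
        not_before=_gmt(grab(r"Not Before:\s*(.+?)\s*GMT$")),
        not_after=_gmt(grab(r"Not After\s*:\s*(.+?)\s*GMT$")),
        rsa_bits=int(bits) if bits else None,
        sig_alg=grab(r"Signature Algorithm:\s*(\S+)"),
        subject_cn=cn.group(1).strip() if cn else None,
        san_dns=[e.strip()[4:] for e in san.split(",") if e.strip().startswith("DNS:")] if san else [],
    )


def check_cert(text: str, expected_peer: str, now: datetime, min_bits: int = 2048) -> List[str]:
    """Return the problems found (empty list = acceptable for the given peer name)."""
    c = parse_cert_text(text)
    problems: List[str] = []
    if c.not_before is None or c.not_after is None:
        problems.append("validity period not found")
    else:
        if now < c.not_before:
            problems.append(f"not valid before {c.not_before.date().isoformat()}")
        if now > c.not_after:
            problems.append(f"expired on {c.not_after.date().isoformat()}")
    if c.rsa_bits is None or c.rsa_bits < min_bits:
        problems.append(f"RSA key size {c.rsa_bits} below minimum {min_bits}")
    if c.sig_alg and c.sig_alg.lower().startswith(("sha1", "md5")):
        problems.append(f"weak signature algorithm {c.sig_alg}")
    names = {n.lower() for n in c.san_dns}
    if c.subject_cn:
        names.add(c.subject_cn.lower())
    if expected_peer.lower() not in names:        # exact match only; no wildcard handling
        problems.append(f"peer name {expected_peer} not in {sorted(names)}")
    return problems


# Constructed dumps patterned after the guide's CA and host certificates.
CA_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
        Validity
            Not Before: Jul 25 19:11:19 2018 GMT
            Not After : Jul 22 19:11:19 2028 GMT
        Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

HOST_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
        Validity
            Not Before: Feb 12 20:10:12 2019 GMT
            Not After : Feb 11 20:10:12 2020 GMT
        Subject: emailAddress = admin@dell.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:dell.domain.com
"""

GUIDE_DATE = datetime(2020, 7, 1, tzinfo=timezone.utc)      # the guide's publication month

if __name__ == "__main__":
    print(check_cert(CA_CERT_TEXT, "Dell_host1_CA1", GUIDE_DATE))
    print(check_cert(HOST_CERT_TEXT, "dell.domain.com", GUIDE_DATE))
```

Feed it the output of openssl x509 -in cert.pem -noout -text. The name check is an exact, case-insensitive match against the Subject CN and the DNS SANs, which is the minimum peer-name-check needs to succeed; wildcard names and revocation status are out of scope here, the latter being what the crypto crl commands above handle on the switch.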