Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 17

Control plane, System clock rules, Logging rules



priv-password—Enter the encrypted string.
localized—Generate an SNMPv3 authentication and/or privacy key in localized key format.

Control plane
The control plane includes monitoring, route table updates, and the dynamic operation of the system.

System clock rules
These system clock rules enforce device time and timestamp settings.
Set the timezone to Coordinated Universal Time (UTC)
Rationale: By default, the system time zone is set to UTC. If the time zone has been changed from the default, set it back to UTC. Setting the system time zone to UTC eliminates the difficulty of troubleshooting issues across different time zones.
Configuration:
OS10(config)# clock timezone standard-timezone UTC
OS10(config)# exit
OS10# write memory
Logging rules
Logging can be used for error and information notification, security auditing, and network forensics.

Enable logging on the console
Rationale: Enable logging to the console and restrict the severity to critical so that log messages do not affect system performance.
Configuration:
OS10(config)# logging console enable
OS10(config)# logging console severity log-crit
OS10(config)# exit
OS10# write memory
Enable logging to a syslog server over TLS
Rationale: Enable logging to a syslog server, and secure the connection using TLS.
Configuration:
OS10(config)# logging server {hostname | ipv4-address | ipv6-address} tls [port-number] [severity severity-level] [vrf {management | vrf-name}]
OS10(config)# exit
OS10# write memory
• ipv4-address | ipv6-address—(Optional) Enter the IPv4 or IPv6 address of the logging server.
• tls port-number—(Optional) Send syslog messages using TCP, UDP, or TLS transport to a specified port on a remote logging server, from 1 to 65535.
• severity-level—(Optional) Set the logging threshold severity:
  ○ log-emerg—System is unusable.
  ○ log-alert—Immediate action is needed.
  ○ log-crit—Critical conditions
  ○ log-err—Error conditions
  ○ log-warning—Warning conditions
  ○ log-notice—Normal, but significant conditions (default)
  ○ log-info—Informational messages
  ○ log-debug—Debug messages
• vrf {management | vrf-name}—(Optional) Configure the logging server for the management or a specified VRF instance.
For more information about configuring X.509v3 PKI certificates, see the Dell EMC SmartFabric OS10 User Guide.
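As an added example that is not part of Dell's guide or of OS10 itself, the following Python script audits the text of a running configuration against the three rules above: time zone set to UTC, console logging enabled and restricted to log-crit (or more severe), and at least one logging server using TLS, with any non-TLS server flagged. The sample configuration is constructed for this example (the server name and address are placeholders), and the exact shape of the "logging server" line that the regular expression expects, as well as the assumption that an absent "clock timezone" line means the UTC default, are assumptions rather than documented OS10 behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severities in the order the guide lists them (most to least severe); the
# list index doubles as the standard syslog numeric level (0 = emergency).
SEVERITIES = ["log-emerg", "log-alert", "log-crit", "log-err",
              "log-warning", "log-notice", "log-info", "log-debug"]

# Constructed sample of "show running-configuration" output; not captured
# from a real switch. Hostnames and addresses are placeholders.
SAMPLE_RUNNING_CONFIG = """\
! constructed sample, not real device output
hostname OS10
clock timezone standard-timezone UTC
logging console enable
logging console severity log-crit
logging server syslog.example.invalid tls 6514 severity log-notice vrf management
logging server 192.0.2.10 udp 514 vrf management
"""

# Assumed line shape: target, optional transport keyword (tcp|udp|tls) with an
# optional port, optional "severity <level>", optional "vrf <name>".
LOGGING_SERVER_RE = re.compile(
    r"^\s*logging server (?P<target>\S+)"
    r"(?:\s+(?P<transport>tcp|udp|tls)(?:\s+(?P<port>\d+))?)?"
    r"(?:\s+severity (?P<severity>log-\w+))?"
    r"(?:\s+vrf (?P<vrf>\S+))?\s*$"
)


@dataclass
class Finding:
    rule: str
    passed: bool
    detail: str


def parse_logging_servers(config: str) -> List[dict]:
    """Return one dict (target, transport, port, severity, vrf) per logging server line."""
    servers = []
    for line in config.splitlines():
        m = LOGGING_SERVER_RE.match(line)
        if m:
            servers.append(m.groupdict())
    return servers


def check_timezone(config: str) -> Finding:
    tz_lines = [ln.strip() for ln in config.splitlines()
                if ln.strip().startswith("clock timezone")]
    if not tz_lines:
        # The guide states UTC is the default; assumption: the running
        # configuration omits default values, so no line means UTC.
        return Finding("timezone-utc", True, "no clock timezone line; default is UTC")
    last = tz_lines[-1]
    return Finding("timezone-utc", last == "clock timezone standard-timezone UTC", last)


def check_console_logging(config: str) -> Finding:
    lines = {ln.strip() for ln in config.splitlines()}
    if "logging console enable" not in lines:
        return Finding("console-logging", False, "console logging is not enabled")
    sev: Optional[str] = None
    for ln in lines:
        m = re.match(r"^logging console severity (log-\w+)$", ln)
        if m:
            sev = m.group(1)
    if sev not in SEVERITIES:
        return Finding("console-logging", False, f"no valid console severity set ({sev})")
    # log-crit or anything more severe keeps the console from being flooded.
    ok = SEVERITIES.index(sev) <= SEVERITIES.index("log-crit")
    return Finding("console-logging", ok, f"console severity is {sev}")


def check_syslog_tls(config: str) -> List[Finding]:
    findings = []
    servers = parse_logging_servers(config)
    tls = [s for s in servers if s["transport"] == "tls"]
    findings.append(Finding("syslog-tls", bool(tls),
                            f"{len(tls)} TLS logging server(s) of {len(servers)} configured"))
    for s in servers:
        if s["transport"] != "tls":
            # Cleartext syslog can be read or altered in transit; flag each one.
            findings.append(Finding("syslog-cleartext", False,
                                    f"server {s['target']} uses {s['transport'] or 'unspecified'} "
                                    f"transport, not TLS"))
        if s["port"] is not None and not 1 <= int(s["port"]) <= 65535:
            findings.append(Finding("syslog-port", False,
                                    f"server {s['target']} port {s['port']} out of range 1-65535"))
    return findings


def audit(config: str) -> List[Finding]:
    """Run every rule check and return the findings in a fixed order."""
    return [check_timezone(config), check_console_logging(config), *check_syslog_tls(config)]


if __name__ == "__main__":
    for f in audit(SAMPLE_RUNNING_CONFIG):
        print("PASS" if f.passed else "FAIL", f.rule, "-", f.detail)
```

Run against the constructed sample, the script reports the three rules as passing and one failing finding for the UDP server; feeding it the output of "show running-configuration" from a real switch would require confirming that the logging server line format matches the assumed pattern.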
OS10 security best practices 17