Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 20

Neighbor authentication



The Internet is a major source of attacks. Configure ACL rules to deny any traffic from the external network that has a source address that should reside on the internal network, and apply them on the interfaces that connect to an external network.

CAUTION: Verify that multicast is not in use before blocking an address range.

Configuration:
  OS10(config)# ip access-list deny-private-external
  OS10(config-ipv4-acl)# deny ip source-ip-address mask any log
  OS10(config-ipv4-acl)# end
  OS10# write memory

Forbid external source addresses on outbound traffic

Rationale: Ensure that outbound traffic carries only valid internal addresses from your organization's IP address range.

Configuration:
  OS10(config)# ip access-list deny-source-external
  OS10(config-ipv4-acl)# permit ip internal-ip-address mask any
  OS10(config-ipv4-acl)# exit
  OS10(config)# interface ethernet 1/1/1
  OS10(conf-if-eth1/1/1)# ip access-group deny-source-external in
  OS10(conf-if-eth1/1/1)# end
  OS10# write memory

Neighbor authentication

Using authentication for routing protocols prevents unauthorized users from corrupting your routing table.

Configure BGP authentication if BGP is used

Rationale: Configure BGP, and secure the session with a password on both BGP peers. When you configure MD5 authentication between two BGP peers, each segment of the TCP connection is verified and the MD5 digest is checked on every segment that is sent on the TCP connection.

Configuration:
  OS10(conf-router-neighbor)# password {9 encrypted-password-string | password-string}
  OS10(conf-router-neighbor)# end
  OS10# write memory

  9 encrypted-password-string: Enter 9, then the encrypted password.
  password-string: Enter a password for authentication. A maximum of 128 characters.

Configure OSPF authentication if OSPF is used

Rationale: Configure OSPF, and secure the session with a password on both OSPF peers.

Configuration:
  OS10(conf-if-eth1/1/1)# ip ospf message-digest-key 2 md5 password
  OS10(conf-if-eth1/1/1)# end
  OS10# write memory

Disable proxy ARP

Rationale: Proxy ARP is a technique that network devices use to acquire the MAC address of a device that is not present in the network on behalf of other devices. DoS attacks are possible with misconfigured network devices.

Configuration:
  OS10(config)# interface interface-name
  OS10(conf-if-eth1/1/1)# no ip proxy-arp
  OS10(conf-if-eth1/1/1)# end
  OS10# write memory
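As an added example (not from the Dell guide), the following Python script audits a running-config excerpt against the recommendations on this page: BGP neighbors with no password, external-facing interfaces without an inbound ACL, OSPF-enabled interfaces without an MD5 message-digest-key, and interfaces that lack an explicit no ip proxy-arp. The config text, interface names and the choice to require the explicit disable line rather than trust platform defaults are constructed for this example, and the layout it parses (indented child lines under a top-level header) is an approximation of OS10 output.

```python
# Constructed OS10-style running-config excerpt (sample data, not from the Dell guide).
SAMPLE_CONFIG = """\
interface ethernet1/1/1
 ip access-group deny-source-external in
 ip ospf message-digest-key 2 md5 Ospf-Key-Example
 no ip proxy-arp
interface ethernet1/1/2
 ip ospf 1 area 0.0.0.0
router bgp 65001
 neighbor 192.0.2.2
  password 9 0123456789abcdef
 neighbor 192.0.2.3
"""

def parse_blocks(config):
    """Group the config into (header, stripped child lines) per top-level block."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def bgp_neighbors_without_password(blocks):
    """Peers with no 'password' line: their TCP session carries no MD5 digest."""
    missing = []
    for header, lines in blocks:
        if header.startswith("router bgp"):
            for text in lines:
                if text.startswith("neighbor "):
                    missing.append(text.split()[1])  # unauthenticated until a password follows
                elif text.startswith("password ") and missing:
                    missing.pop()  # the most recent peer is authenticated
    return missing

def interface_findings(blocks, external):
    """Check each interface for the inbound ACL, OSPF MD5 key and proxy ARP recommendations."""
    findings = []
    for header, lines in blocks:
        if header.startswith("interface ethernet"):
            name = header.split(None, 1)[1]
            has = lambda p, s="": any(t.startswith(p) and t.endswith(s) for t in lines)
            if name in external and not has("ip access-group ", " in"):
                findings.append(f"{name}: external interface has no inbound ACL")
            if has("ip ospf ") and not has("ip ospf message-digest-key "):
                findings.append(f"{name}: OSPF enabled without an MD5 message-digest-key")
            if "no ip proxy-arp" not in lines:  # require the explicit disable; do not trust defaults
                findings.append(f"{name}: proxy ARP not explicitly disabled")
    return findings
```

Run it against the output of show running-configuration saved to a file to get a quick per-interface and per-peer list of deviations from this page's recommendations.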
20 OS10 security best practices