Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 20
Internet is mostly an attack. Configure ACL rules to deny any traffic from the external network that has a source address that should reside on the internal network, and apply them on the interface that connects to an external network.

CAUTION: Verify that multicast is not in use before blocking an address range.

Configuration:
OS10(config)# ip access-list deny-private-external
OS10(config-ipv4-acl)# deny ip source-ip-address mask any log
OS10(config-ipv4-acl)# end
OS10# write memory

Forbid external source addresses on outbound traffic

Rationale: Ensure that the outbound traffic carries only valid internal addresses from the IP address range of your organization.

Configuration:
OS10(config)# ip access-list deny-source-external
OS10(config-ipv4-acl)# permit ip internal-ip-address mask any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip access-group deny-source-external in
OS10(conf-if-eth1/1/1)# end
OS10# write memory

Neighbor authentication

Using authentication for routing protocols prevents unauthorized users from corrupting your routing table.

Configure BGP authentication if BGP is used

Rationale: Configure BGP, and secure the session with a password on both BGP peers. When you configure MD5 authentication between two BGP peers, each segment of the TCP connection is verified and the MD5 digest is checked on every segment that is sent on the TCP connection.

Configuration:
OS10(conf-router-neighbor)# password {9 encrypted-password-string | password-string}
OS10(conf-router-neighbor)# end
OS10# write memory

• 9 encrypted-password-string: Enter 9, then the encrypted password.
• password-string: Enter a password for authentication, with a maximum of 128 characters.

Configure OSPF authentication if OSPF is used

Rationale: Configure OSPF, and secure the session with a password on both OSPF peers.

Configuration:
OS10(conf-if-eth1/1/1)# ip ospf message-digest-key 2 md5 password
OS10(conf-if-eth1/1/1)# end
OS10# write memory

Disable proxy ARP

Rationale: Proxy ARP is a technique that network devices use to acquire, on behalf of other devices, the MAC address of a device that is not present in the network. DoS attacks are possible with misconfigured network devices.

Configuration:
OS10(config)# interface interface-name
OS10(conf-if-eth1/1/1)# no ip proxy-arp
OS10(conf-if-eth1/1/1)# end
OS10# write memory
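The routing-protocol and proxy ARP controls above are easy to verify on one switch and easy to miss across a fleet. As an added example that is not from the guide, the following Python audit parses a constructed running-config excerpt written in an assumed OS10 style and reports every interface that still has proxy ARP enabled, every OSPF-enabled interface without an ip ospf message-digest-key, and every BGP neighbor without a password.

```python
# Constructed running-config excerpt in assumed OS10 style (not taken from
# the guide); secrets are redacted placeholders.
SAMPLE_CONFIG = """\
interface ethernet1/1/1
 ip ospf 1 area 0.0.0.0
 ip ospf message-digest-key 2 md5 <REDACTED>
 no ip proxy-arp
interface ethernet1/1/2
 ip ospf 1 area 0.0.0.0
router bgp 65001
 neighbor 192.0.2.1
  password 9 <REDACTED>
 neighbor 192.0.2.2
  remote-as 65003
"""

def parse_blocks(config):
    # A block starts at an unindented line; children keep their indent depth.
    blocks = []
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append((indent, raw.strip()))
    return blocks

def audit(config):
    # Report interfaces and BGP neighbors that miss the hardening steps above.
    findings = []
    for header, body in parse_blocks(config):
        lines = [text for _, text in body]
        if header.startswith("interface ethernet"):
            if "no ip proxy-arp" not in lines:
                findings.append(f"{header}: proxy ARP not disabled")
            if any(ln.startswith("ip ospf ") for ln in lines) and not any(
                    ln.startswith("ip ospf message-digest-key ") for ln in lines):
                findings.append(f"{header}: OSPF without message-digest-key")
        elif header.startswith("router bgp"):
            neighbor, has_pw = None, False
            for indent, text in body + [(1, "neighbor <end>")]:  # sentinel flushes last
                if indent == 1 and text.startswith("neighbor "):
                    if neighbor and not has_pw:
                        findings.append(f"BGP {neighbor}: no password configured")
                    neighbor, has_pw = text, False
                elif indent > 1 and text.startswith("password "):
                    has_pw = True
    return findings
```

Feed it the output of show running-configuration from each switch; an empty list means the three controls are in place on every audited interface and neighbor.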