Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 6

Federal Information Processing Standards (FIPS), Enable and configure secure boot


When choosing your password, Dell EMC Networking recommends that you use multiple and easy-to-remember common words in your password instead of using complex passwords which you may not remember. Combine multiple words that you can remember and modify the passphrase using special characters and numbers to get a final password. For example, instead of correcthorsebatterystaple, you can use C0rr3c+h0r5e8atTerystapl3.

NOTE: To recover a lost or forgotten OS10 username password, including the admin password, see Recover OS10 user name password.

Obscure passwords
Rationale: When the user views the running configuration, the password in an encrypted form is displayed. Obscure passwords in show command outputs so that text characters do not display.
Configuration:
OS10(config)# service obscure-password
OS10(config)# exit
OS10# write memory
OS10# show running-configuration users
username admin password **** role sysadmin priv-lvl 15
username desk1 password **** role sysadmin priv-lvl 15

Federal Information Processing Standards (FIPS)
FIPS is a set of government standards that define how certain things, for example encryption algorithms, are used in the government.
Enable FIPS if you require FIPS in your environment
Rationale: If you enable FIPS, it installs the certificate-key pair as FIPS-compliant which is used by a FIPS-aware application, such as RADIUS over TLS.
Configuration:
OS10# crypto fips enable
OS10# write memory

Enable and configure secure boot
OS10 secure boot provides a mechanism to verify the authenticity and integrity of the OS10 image. Secure Boot protects a system from malicious code being loaded and run during the boot process. Use the secure boot feature to validate the OS10 image during installation and on demand at any time.
Enable secure boot
Rationale: Enabling the secure boot feature prevents a compromised kernel and system binaries from loading during the boot operation.
Configuration:
OS10(config)# secure-boot enable
OS10(config)# exit
OS10# write memory

Protect the startup configuration file
Rationale: Protecting the startup configuration file saves a protected copy of the current startup config file internally. During switch boot up, the protected version of the startup configuration is loaded. Protecting the startup configuration file ensures that a compromised configuration file is not loaded when the system boots.
Configuration:
OS10(config)# secure-boot protect startup-config
OS10(config)# exit
OS10# write memory
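
Added example (not part of the Dell guide): an off-box audit of a saved configuration capture for the config-mode settings recommended above, plus a check that every username line shows the obscured **** form. It assumes those commands appear verbatim in the captured text; the function name and sample captures are constructed for illustration. FIPS is left out because it is enabled from EXEC mode and this page does not show how it is reported.

```python
import re

# Config-mode commands this page recommends. Assumption: once applied,
# each appears verbatim as a line in the saved running configuration.
REQUIRED = (
    "service obscure-password",
    "secure-boot enable",
    "secure-boot protect startup-config",
)

USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+(\S+)")


def audit(config_text):
    """Return a list of findings for one captured configuration."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    present = set(lines)
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in present]
    for ln in lines:
        m = USER_RE.match(ln)
        # With obscuring on, the page's sample output shows '****'.
        # Report only the user name, never the password field itself.
        if m and m.group(2) != "****":
            findings.append(f"password not obscured for user: {m.group(1)}")
    return findings


# Constructed sample captures (not taken from a real switch).
HARDENED = """\
service obscure-password
secure-boot enable
secure-boot protect startup-config
username admin password **** role sysadmin priv-lvl 15
username desk1 password **** role sysadmin priv-lvl 15
"""

PARTIAL = """\
secure-boot enable
username admin password $6$constructedhash role sysadmin priv-lvl 15
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("partial", PARTIAL)):
        print(name, audit(text) or "OK")
```
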
Validate OS10 image file on demand