Dell PowerSwitch S4128F-ON SmartFabric OS10 Security Best Practices Guide July - Page 7

Users, roles, and privilege levels

Get Dell PowerSwitch S4128F-ON PDF manuals and user guides View all Dell PowerSwitch S4128F-ON manuals
Add to My Manuals
Save this manual to your list of manuals

Page 7 highlights

Rationale: Validate an OS10 image file anytime to verify the signature of the image files to ensure that the OS10 image is not compromised. Configuration: OS10# image verify image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file} Validate OS10 kernel, system binaries, and startup configuration file Rationale: Validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup. Validating these files at startup ensures that the system does not load a compromised file. Configuration: OS10# secure-boot verify {kernel | file-system-integrity | startup-config} Validate OS10 upgrade image files Rationale: Validate the digital signature in the image files before installing an OS10 upgrade. You can use the following command to validate an OS10 image before installing. Configuration: OS10# image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file} NOTE: When secure boot is enabled, you can only upgrade OS10 using the image secure-install command. Validate OS10 image before ONIE OS manual installation Rationale: When secure boot is enabled and you manually install an OS10 image using ONIE, you can validate the image using PKI or SHA256. Configuration: OS10# onie-nos-install image_url pki signature_filepath certificate_filepath Or OS10# onie-nos-install image_url sha256 signature_filepath Users, roles, and privilege levels Using a password controls terminal access to a switch. But you can increase security by limiting user access to a subset of commands using privilege levels. Create users, assign roles, and privilege levels Rationale: Controlling terminal access to a switch is one method of securing the device and network. To increase security, you can limit user access to a subset of commands using privilege levels. Configuration: • Create privilege levels in CONFIGURATION mode. OS10(config)# privilege mode priv-lvl privilege-level command-string ○ mode-Enter the privilege mode used to access CLI modes: ▪ exec-Accesses EXEC mode. ▪ configure-Accesses class-map, DHCP, logging, monitor, openFlow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes. OS10 security best practices 7

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
Rationale
: Validate an OS10 image file anytime to verify the signature of the image files to ensure that the OS10 image is not
compromised.
Configuration
:
OS10# image verify
image-filepath
{sha256 signature
signature-filepath
| gpg signature
signature-filepath
| pki signature
signature-filepath
public-key
key-file
}
Validate OS10 kernel, system binaries, and startup configuration file
Rationale
: Validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup. Validating these
files at startup ensures that the system does not load a compromised file.
Configuration
:
OS10# secure-boot verify {kernel | file-system-integrity | startup-config}
Validate OS10 upgrade image files
Rationale
: Validate the digital signature in the image files before installing an OS10 upgrade. You can use the following command to
validate an OS10 image before installing.
Configuration
:
OS10# image secure-install
image-filepath
{sha256 signature
signature-filepath
| gpg
signature
signature-filepath
| pki signature
signature-filepath
public-key
key-file
}
NOTE:
When secure boot is enabled, you can only upgrade OS10 using the
image secure-install
command.
Validate OS10 image before ONIE OS manual installation
Rationale
: When secure boot is enabled and you manually install an OS10 image using ONIE, you can validate the image using PKI or
SHA256.
Configuration
:
OS10# onie-nos-install
image_url
pki
signature_filepath
certificate_filepath
Or
OS10# onie-nos-install
image_url
sha256
signature_filepath
Users, roles, and privilege levels
Using a password controls terminal access to a switch. But you can increase security by limiting user access to a subset of commands
using privilege levels.
Create users, assign roles, and privilege levels
Rationale
: Controlling terminal access to a switch is one method of securing the device and network. To increase security, you can limit
user access to a subset of commands using privilege levels.
Configuration
:
Create privilege levels in CONFIGURATION mode.
OS10(config)# privilege
mode
priv-lvl
privilege-level
command-string
mode
—Enter the privilege mode used to access CLI modes:
exec
—Accesses EXEC mode.
configure
—Accesses class-map, DHCP, logging, monitor, openFlow, policy-map, QOS, support-assist, telemetry, CoS,
Tmap, UFD, VLT, VN, VRF, WRED, and alias modes.
OS10 security best practices
7