- Dell EMC SmartFabric OS10 Security Best Practices Guide May 2021
- OS10 security best practices
originating from the Internet is mostly an attack. Configure ACL rules to deny any traffic from the external network that has a
source address that should reside on the internal network, and apply them on the interface that connects to an external network.
CAUTION: Verify that multicast is not in use before blocking an address range.
Configuration:
OS10(config)# ip access-list deny-private-external
OS10(config-ipv4-acl)# deny ip source-ip-address mask any log
OS10(config-ipv4-acl)# end
OS10# write memory
Forbid external source addresses on outbound traffic
Rationale: Ensure that outbound traffic carries only valid internal source addresses from your organization's IP address range.
Configuration:
OS10(config)# ip access-list deny-source-external
OS10(config-ipv4-acl)# permit ip internal-ip-address mask any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip access-group deny-source-external in
OS10(conf-if-eth1/1/1)# end
OS10# write memory
Neighbor authentication
Using authentication for routing protocols prevents unauthorized users from corrupting your routing table.
Configure BGP authentication if BGP is used
Rationale: Configure BGP, and secure the session with a password on both BGP peers. When you configure MD5
authentication between two BGP peers, each segment of the TCP connection is verified and the MD5 digest is checked on
every segment that is sent on the TCP connection.
Configuration:
OS10(conf-router-neighbor)# password {9 encrypted-password-string | password-string}
OS10(conf-router-neighbor)# end
OS10# write memory
● 9 encrypted-password-string—Enter 9 then the encrypted password.
● password-string—Enter a password for authentication. A maximum of 128 characters.
View what BGP neighbor authentication is enabled
Use the following command to view which BGP neighbor authentication is enabled on the system:
OS10# show running-configuration bgp
!
router bgp 100
!
neighbor 1.1.1.1
password 9 9ee88a6225a049667a2e5294d8b0808c2ac2141a2930c06e431bf40cfcf685b1
....
Configure OSPF authentication if OSPF is used
Rationale: Configure OSPF, and secure the session with a password on both OSPF peers.
Configuration:
OS10(conf-if-eth1/1/1)# ip ospf message-digest-key 2 md5 password
OS10(conf-if-eth1/1/1)# end
OS10# write memory
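Added example, not part of the Dell guide: a Python check that reads saved show running-configuration text and lists BGP neighbors with no password line and OSPF interfaces with no ip ospf message-digest-key line. The sample configuration (including its remote-as and ip ospf area lines and the placeholder keys) and the function name are constructed for illustration.

```python
# Constructed sample in the layout of the show output above; keys are placeholders.
SAMPLE = """\
!
router bgp 100
!
neighbor 1.1.1.1
password 9 <encrypted-password-string>
!
neighbor 2.2.2.2
remote-as 65002
!
interface ethernet1/1/1
ip ospf 1 area 0.0.0.0
ip ospf message-digest-key 2 md5 <password>
!
interface ethernet1/1/2
ip ospf 1 area 0.0.0.0
"""

def audit_neighbor_auth(config_text):
    """Return sorted (kind, name) pairs for peers/interfaces lacking authentication."""
    bgp = {}    # neighbor address -> True once a password line is seen
    ospf = {}   # interface name -> True once a message-digest-key line is seen
    section = neighbor = iface = None
    for raw in config_text.splitlines():
        line = raw.strip()  # indentation is ignored; stanzas are tracked by keyword
        if not line or line == "!":
            continue  # "!" only separates stanzas in the output shown above
        if line.startswith("router "):
            section, neighbor = ("bgp" if line.startswith("router bgp") else None), None
        elif line.startswith("interface "):
            section, iface = "iface", line.split(None, 1)[1]
        elif section == "bgp":
            if line.startswith("neighbor "):
                neighbor = line.split(None, 1)[1]
                bgp.setdefault(neighbor, False)
            elif neighbor and line.startswith("password "):
                bgp[neighbor] = True
        elif section == "iface" and line.startswith("ip ospf "):
            ospf.setdefault(iface, False)  # interface participates in OSPF
            if line.startswith("ip ospf message-digest-key "):
                ospf[iface] = True
    findings = [("bgp-neighbor", n) for n, ok in bgp.items() if not ok]
    findings += [("ospf-interface", i) for i, ok in ospf.items() if not ok]
    return sorted(findings)

if __name__ == "__main__":
    for kind, name in audit_neighbor_auth(SAMPLE):
        print(f"NO AUTH: {kind} {name}")
```

The check only looks at lines configured directly under each neighbor or interface, so a neighbor that gets its password some other way is reported as missing and needs a manual look.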
View what OSPF neighbor authentication is enabled