Administrator Guide
Dell EMC Networking OS Security Hardening
The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security
features, security also lies with the integrity of the device. If the software itself is compromised, all of the aforementioned methods
become ineffective.
The Dell EMC Networking OS is enhanced verify whether the OS image and the startup configuration file are altered before loading. This
section explains how to configure OS image and startup configuration verification.
Dell EMC Networking OS Image Verification
Dell EMC Networking OS comes with the OS image verification and the startup configuration verification features. When enabled, these
features check the integrity of The OS image and the startup configuration that the system uses while the system reboots and loads only
if they are intact.
Important Points to Remember
• The OS image verification feature is disabled by default on the Dell EMC Networking OS.
• The OS image verification feature is supported for images stored in the local system only.
• The OS image verification feature is not supported when the fastboot or the warmboot features are enabled on the system.
• If OS image verification fails after a reload, the system does not load the startup configuration. The System displays an appropriate
error message until the
no verified boot command is used on the system.
• After you enable The OS image verification feature, the system prompts you to enter The OS image hash when you upgrade the Dell
EMC Networking OS to a later version. The system checks if your hash matches with The OS image hash only after reloading.
• After enabling The OS image verification feature, use the verified boot hash command to verify and store the hash value. If
you don’t store the hash value, you cannot reboot the device until you verify The OS image hash.
Enabling and Configuring OS Image Hash Verification
To enable and configure Dell EMC Networking OS image hash verification, follow these steps:
1. Enable the OS image hash verification feature.
CONFIGURATION mode
verified boot
2. Verify the hash checksum of the current OS image file on the local file system.
EXEC Privilege
verified boot hash system-image {A: | B:} hash-value
You can get the hash value for your hashing algorithm from the Dell EMC iSupport page. You can use the MD5, SHA1, or SHA256
hash and the Dell EMC Networking OS automatically detects the type of hash.
NOTE: The verified boot hash command is only applicable for OS images in the local file system.
3. Save the configuration.
EXEC Privilege
copy running-configuration startup-configuration
After enabling and configuring OS image hash verification, the device verifies the hash checksum of the OS boot image during every
reload.
DellEMC# verified boot hash system-image A: 619A8C1B7A2BC9692A221E2151B9DA9E
Image Verification for Subsequent OS Upgrades
After enabling OS image hash verification, for subsequent Dell EMC Networking OS upgrades, you must enter the hash checksum of the
new OS image file. To enter the hash checksum during upgrade, follow these steps:
• Use the following command to upgrade the Dell EMC Networking OS and enter the hash value when prompted.
EXEC Privilege
788
Security