
Dell SmartFabric OS10 and SmartFabric Services Security Configuration Guide June 2023


Communication Security Settings

Using authentication for routing protocols prevents unauthorized users from corrupting your routing table.

Configure BGP authentication if BGP is used

Configure BGP, and secure the session with a password on both BGP peers. When you configure MD5 authentication between two BGP peers, each segment of the TCP connection is verified and the MD5 digest is checked on every segment that is sent on the TCP connection.

OS10(conf-router-neighbor)# password {9 encrypted-password-string | password-string}
OS10(conf-router-neighbor)# end
OS10# write memory
  • 9 encrypted-password-string—Enter 9 and then the encrypted password.
  • password-string—Enter a password for authentication. A maximum of 128 characters are supported.

View what BGP neighbor authentication is enabled

Use the following command to view which BGP neighbor authentication is enabled on the system:

OS10# show running-configuration bgp
!
router bgp 100
 !
 neighbor 1.1.1.1
  password 9 9ee88a6225a049667a2e5294d8b0808c2ac2141a2930c06e431bf40cfcf685b1
....

Configure OSPF authentication if OSPF is used

Configure OSPF, and secure the session with a password on both OSPF peers.

OS10(conf-if-eth1/1/1)# ip ospf message-digest-key 2 md5 password
OS10(conf-if-eth1/1/1)# end
OS10# write memory

View what OSPF neighbor authentication is enabled

Use the following command to view which OSPF neighbor authentication is enabled on the system:

OS10# show running-configuration ospf
!
ip ospf 100 area 0.0.0.0
ip ospf message-digest-key 2 md5 sample12345
...

Disable proxy ARP

Proxy ARP is a technique that network devices use, on behalf of other devices, to acquire the MAC address of a device that is not present on the network. Misconfigured network devices make DoS attacks possible.

OS10(config)# interface interface-name
OS10(conf-if-eth1/1/1)# no ip proxy-arp
OS10(conf-if-eth1/1/1)# end
OS10# write memory

NTP rules

Network Time Protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients and coordinates time distribution in a large, diverse network. NTP clients synchronize with NTP servers that provide accurate time measurement.

Configure trusted NTP server

Configure the system to synchronize time from a trusted NTP server.

OS10(config)# ntp server ntp1-server-ip-address
OS10(config)# exit
OS10# write memory

ntp1-server-ip-address—Enter the IPv4 address in A.B.C.D format or IPv6 address in A::B format of the NTP server.

Configure trusted secondary NTP server

Configure the system to synchronize time from a trusted secondary NTP server.

OS10(config)# ntp server ntp2-server-ip-address
OS10(config)# exit
OS10# write memory

ntp2-server-ip-address—Enter the IPv4 address in A.B.C.D format or IPv6 address in A::B format of the NTP server.

Configure NTP authentication

NTP authentication and the corresponding trusted key provide a reliable exchange of NTP packets with trusted time sources. NTP authentication uses the message digest 5 (MD5) algorithm. The key is embedded in the synchronization packet that is sent to an NTP time source.

OS10(config)# ntp authentication-key number {sha1 | sha2-256} key
OS10(config)# ntp master {2–10}
OS10(config)# exit
OS10# write memory
  • number—Enter the authentication key number, from 1 to 4294967295.
  • sha1—Set the authentication algorithm to SHA1.
  • sha2-256—Set the authentication algorithm to SHA2-256.

View what NTP authentication is used

Use the following command to view which NTP authentication is configured on the system:

OS10# show running-configuration ntp
!
ntp authenticate
ntp authentication-key 345 md5 0 5A60910FED211F02
ntp server 1.1.1.1 key 345
ntp trusted-key 345
ntp master 7
...
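
One way to check that output for gaps, as an added example that is not part of the Dell guide: the script cross-references each ntp server line against the defined and trusted keys. The function name audit_ntp, the second server 2.2.2.2, and the policy of flagging md5 keys (because the configuration command above offers sha1 and sha2-256) are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the "show running-configuration ntp"
# output above, plus one unauthenticated server line added for illustration.
SAMPLE = """\
ntp authenticate
ntp authentication-key 345 md5 0 5A60910FED211F02
ntp server 1.1.1.1 key 345
ntp server 2.2.2.2
ntp trusted-key 345
ntp master 7
"""

WEAK_ALGOS = {"md5"}  # assumed local policy: prefer sha1 / sha2-256


def audit_ntp(config):
    """Return a list of findings for NTP authentication gaps in config text."""
    lines = [l.strip() for l in config.splitlines()]
    keys = {}        # key number -> algorithm
    trusted = set()  # key numbers listed by "ntp trusted-key"
    servers = []     # (address, key number or None)
    for line in lines:
        if m := re.fullmatch(r"ntp authentication-key (\d+) (\S+) .+", line):
            keys[m.group(1)] = m.group(2).lower()
        elif m := re.fullmatch(r"ntp trusted-key (\d+)", line):
            trusted.add(m.group(1))
        elif m := re.fullmatch(r"ntp server (\S+)(.*)", line):
            k = re.search(r"\bkey (\d+)", m.group(2))
            servers.append((m.group(1), k.group(1) if k else None))
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate is not enabled")
    for addr, key in servers:
        if key is None:
            findings.append(f"server {addr}: no key configured")
        elif key not in keys:
            findings.append(f"server {addr}: key {key} is not defined")
        elif key not in trusted:
            findings.append(f"server {addr}: key {key} is not trusted")
    for num, algo in sorted(keys.items()):
        if algo in WEAK_ALGOS:
            findings.append(f"key {num}: uses {algo}")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE):
        print(finding)
```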
