Dell SmartFabric OS10 and SmartFabric Services Security Configuration Guide June 2023

STIG compliance

This section contains configuration and maintenance standards that the US Department of Defense (DoD) Information Assurance (IA) program requires.

These guidelines are designed to enhance security settings and configuration options before the systems are connected to a network. For more information about the various STIGs, see the Security Technical Implementation Guides (STIGs) section on DoD Cyber Exchange.

Severity Category Codes (CAT) describe the vulnerabilities that are used to assess a facility or system security posture. CAT I Severity Code describes security protections that can be bypassed, allowing immediate access by unauthorized personnel or unauthorized use of superuser privileges. CAT I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.

SmartFabric OS10 compliance with CAT I Security Requirements is described in this section:

NOTE: For detailed configuration steps, see the Dell SmartFabric OS10 User Guide.

Table 1. CAT I Security Requirements
Each entry lists the STIG vulnerability ID, rule title, category, user configuration, and comments.
V-206647
Rule title: The Layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.
Category: CAT I
User configuration:
Configure RADIUS for 802.1x authentication:
OS10(config)# radius-server host <server-address> key <shared-secret>
OS10(config)# radius-server retransmit 10
OS10(config)# radius-server timeout 10
Enable 802.1x on the specific interfaces:
OS10(config)# dot1x system-auth-control
OS10(config)# interface range ethernet 1/1/1-1/1/48
OS10(conf-range-eth1/1/1-1/1/48)# dot1x port-control auto
OS10(conf-range-eth1/1/1-1/1/48)# dot1x re-authentication
Comments: Controlling LAN access using 802.1x authentication helps prevent a malicious user from connecting an unauthorized personal computer to a switch port to inject or receive data from the network without detection. For a description of the 802.1x configuration, see the 802.1x chapter in the Dell SmartFabric OS10 User Guide.
V-202017
Rule title: The network device must be configured to assign appropriate user roles or access levels to authenticated users.
Category: CAT I
User configuration:
For local users, assign the user role when creating the user:
OS10(config)# username string password ****** role netadmin
For remote authentication, the role is assigned by the AAA server using vendor-specific attributes:
Comments: Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.

V-202049
Rule title: The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.
Category: CAT I
User configuration:
In OS10, nonapproved protocols are disabled by default. Also, control-plane ACLs can be added to block specific ports and protocols, or to restrict protocols to a limited set of addresses or subnets:
ip access-list permit-cli
 seq 10 permit ip 192.168.16.0 255.255.255.0 192.168.16.0 255.255.255.0
 seq 20 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
 seq 30 deny ip any any
!
line vty
 ip access-class permit-cli
!
ip access-list ipv4-cp-acl
 seq 5 deny tcp host 192.168.16.34 any log
 seq 60 permit ip any any
!
ipv6 access-list ipv6-cp-acl
 seq 20 deny tcp any any eq 443
 seq 60 deny tcp any any eq 54320
 seq 70 deny tcp any any eq 54321
 seq 80 permit ipv6 any any
!
control-plane
 ipv6 access-group ipv6-cp-acl in
 ip access-group ipv4-cp-acl in
Comments: To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (embedding of one datatype within another), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.
V-202064
Rule title: The network device must only store cryptographic representations of passwords.
Category: CAT I
User configuration:
Passwords are stored as salted, securely hashed values. Prevent display of password hashes in the show running-configuration output:
OS10(config)# service obscure-password
Comments: Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (clear text) and easily compromised.
V-202065
Rule title: The network device must transmit only encrypted representations of passwords.
Category: CAT I
User configuration: On OS10, passwords are never transmitted unencrypted.
Comments: Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (clear text) and easily compromised.

V-202071
Rule title: The network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Category: CAT I
User configuration: On OS10, passwords are not displayed when entered during authentication.
Comments: To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the network device must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.
V-202072
Rule title: The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module.
Category: CAT I
User configuration: Remote authentication over FIPS 140-2 validated cryptography is supported when using RADIUS over TLS. For detailed configuration, see the Dell SmartFabric OS10 User Guide.
Comments: Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.

V-202074
Rule title: The network device must terminate all network connections that are associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
Category: CAT I
User configuration:
Configure the inactivity timeout:
OS10(config)# exec-timeout 600
Comments: Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session that is enabled on the console or console port and has been left unattended. In addition, quickly terminating an idle session frees up resources that are committed by the managed network element.
V-202078
Rule title: The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
Category: CAT I
User configuration:
Viewing and modification of files in OS10 are fully controlled by the Role-Based Access Control that is applied to each user. Also, no user shell access is available when the system-cli command is disabled. Disable access to the Linux shell:
OS10(config)# system-cli disable
Comments: This requirement is intended to address the confidentiality and integrity of system information at rest (for example, network device rule sets) when it is located on a storage device within the network device or as a component of the network device. This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device.

V-202093
Rule title: The network device must prevent nonprivileged users from performing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Category: CAT I
User configuration: OS10 always applies RBAC, and nonprivileged users are prohibited from running privileged functions.
Comments: Preventing nonprivileged users from performing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
V-202117
Rule title: The network device must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
Category: CAT I
User configuration:
To enable FIPS 140-2 compliant mode, use the following CLI command:
OS10(config)# crypto fips enable
Dell Technologies recommends enabling FIPS mode early in the configuration process, as some cryptographic settings are then limited to only allow FIPS-compliant algorithm choices.
Comments: Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.

V-202118
Rule title: The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions.
Category: CAT I
User configuration:
To enable FIPS 140-2 compliant mode, use the following CLI command:
OS10(config)# crypto fips enable
Dell Technologies recommends enabling FIPS mode early in the configuration process, as some cryptographic settings are then limited to only allow FIPS-compliant algorithm choices.
Comments: This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions are susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.
V-202132
Rule title: The network device must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.
Category: CAT I
User configuration: OS10 supports remote authentication using TACACS+ and RADIUS over UDP, TCP, or TLS. The only option that meets the FIPS 140-2 requirements of this rule is RADIUS over TLS. For configuration of RADIUS over TLS, see the RADIUS over TLS authentication section in the Dell EMC SmartFabric OS10 User Guide.
Comments: Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is an important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and burdens system administrators with a separate authenticator for each network device.

V-213467
Rule title: The network device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.
Category: CAT I
User configuration:
Configure a remote syslog server to provide robust and compliant logging functionality:
OS10(config)# logging server {hostname | ip-address} [udp|tcp|tls]
Comments: The aggregation of log data that is kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security, enabling the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat.

V-213468
Rule title: The network device must be running an operating system release that is currently supported by the vendor.
Category: CAT I
User configuration:
The latest OS10 releases are available on Dell Digital Locker. Install the latest versions using the following command:
OS10# image secure-install file-url pki signature signature-file-path public-key key-file
Comments: Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
V-237779
Rule title: The network device must be configured to use DoD PKI as multifactor authentication (MFA) for interactive logins.
Category: CAT I
User configuration: Configure the necessary PKI certificates, security profiles, RADIUS over TLS, and X.509 SSH authentication. For detailed configuration steps, see the X.509v3 certificates chapter in the Dell SmartFabric OS10 User Guide.
Comments: The DoD public key infrastructure (PKI) is the only prescribed method that is approved for DoD organizations to implement MFA. For authentication purposes, centralized DoD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed X.509 format.

V-237780
Rule title: The network device must be configured to use DoD-approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.
Category: CAT I
User configuration:
Configure the appropriate certificate revocation checking in the security profile that is used for SSH X.509 authentication:
OS10(config)# crypto security-profile profile-name
If certificate revocation checking by certificate revocation list is required, enable revocation checking in the security profile:
OS10(config-sec-profile)# revocation-check
If certificate revocation checking by OCSP is required, enable OCSP checking in the security profile. If a proxy OCSP responder is in use, configure its address in the command:
OS10(config-sec-profile)# ocsp-check ocsp-responder-url
Comments: PKI user certificates that are presented as part of the identification and authentication criteria (for example, DoD PKI as multifactor authentication [MFA]) must be checked for validity by network devices. For example, valid PKI certificates are digitally signed by a trusted DoD certificate authority (CA). Also, valid PKI certificates are not expired, and valid certificates have not been revoked by a DoD CA.

V-237781
Rule title: The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
Category: CAT I
User configuration:
OS10 fully supports using remote AAA authentication to map PKI-based authentication to unique user accounts. Also, if desired, the administrator can configure certificate matching information for locally defined users as well with the following command:
OS10(config)# username string certificate {principal-name | fingerprint | subject | certificate}
For more information about smartcard authentication, see the Smart card authentication for SSH section.
Comments: Without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or the status of their non-repudiation is considerably impacted during forensic analysis. A strength of using PKI as MFA is that it can help ensure that only the assigned individual is using their associated user account. This can only be accomplished if the network device is configured to enforce the relationship which binds PKI certificates to unique user accounts.
V-251367
Rule title: The organization must implement a deep packet inspection solution when protecting perimeter boundaries.
Category: CAT I
User configuration: OS10 switches should be deployed on networks that are protected at the perimeter by compliant firewall and deep packet inspection devices.
Comments: Deep packet inspection (DPI) examines the packet beyond the Layer 4 header by examining the payload to identify the application or service. DPI searches for illegal statements, predefined criteria, malformed packets, and malicious code, thereby enabling the IA appliances to make a more informed decision on whether or not to allow the packet through.

V-251368
Rule title: A deny-by-default security posture must be implemented for traffic entering and leaving the enclave.
Category: CAT I
User configuration: OS10 switches should be deployed on networks that are protected at the perimeter by compliant firewall devices.
Comments: To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary.

V-207113
Rule title: The perimeter router must be configured to protect an enclave that is connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the site address space.
Category: CAT I
User configuration: Configure appropriate ACL rules for each interface. For a description of ACL configuration in OS10, see the Access Control List chapter in the Dell SmartFabric OS10 User Guide.
Comments: Enclaves with alternate gateway connections must take additional steps to ensure there is no compromise on the enclave network or NIPRNet. Without verifying the destination address of traffic coming from the site's alternate gateway, the perimeter router could be routing transit data from the Internet into the NIPRNet. This could also make the perimeter router vulnerable to a denial-of-service (DoS) attack and provide a back door into the NIPRNet. The DoD enclave must ensure the ingress filter that is applied to external interfaces on a perimeter router connecting to an Approved Gateway is secure, through filters permitting only packets with a destination address belonging to the DoD enclave's address block.

V-207114
Rule title: The perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider.
Category: CAT I
User configuration: For more information about configuring BGP, see the Border Gateway Protocol section of the Dell SmartFabric OS10 User Guide.
Comments: ISPs use BGP to share route information with other autonomous systems (other ISPs and corporate networks). If the perimeter router is configured to BGP-peer with an ISP, NIPRNet routes could be advertised to the ISP, thereby creating a backdoor connection from the Internet to the NIPRNet.

V-207132
Rule title: The perimeter router must be configured to deny network traffic by default and allow network traffic by exception.
Category: CAT I
User configuration: Configure appropriate ACL rules for each interface. For a description of ACL configuration in OS10, see the Access Control List chapter in the Dell EMC SmartFabric OS10 User Guide.
Comments: A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed.

V-207133
Rule title: The router must be configured to restrict traffic that is destined to itself.
Category: CAT I
User configuration: See the Control-plane ACLs and Configure control plane policing chapters in the Dell SmartFabric OS10 User Guide.
Comments: The route processor handles traffic that is destined to the router; it is the key component that is used to build forwarding paths and is also instrumental in all network management functions. Hence, any disruption or DoS attack on the route processor can result in mission-critical network outages.

V-216979
Rule title: The perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
Category: CAT I
User configuration: Configure appropriate ACL rules for each interface. For a description of ACL configuration in OS10, see the Access Control List chapter in the Dell EMC SmartFabric OS10 User Guide.
Comments: DDoS attacks frequently leverage IP source address spoofing to send packets to multiple hosts that in turn send return traffic to the hosts with the IP addresses that were forged. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet, thereby mitigating IP source address spoofing.
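The VTY access list shown in the V-202049 entry is easier to reason about when it can be tested against candidate addresses before it is attached with ip access-class, since a mistake there locks administrators out of the CLI. The following Python script is an added example, not code from Dell's guide or from OS10 itself. It embeds the page's permit-cli list as constructed input, assumes that an "A.B.C.D M.M.M.M" pair is a network plus subnet mask (consistent with the page writing 10.0.0.0 255.0.0.0 for 10.0.0.0/8) and that entries are evaluated in sequence order with the first match winning, and models only the ip/any/host address forms that appear in that list (no TCP/UDP port matching).

```python
import ipaddress

# The VTY access list from the V-202049 entry, embedded as constructed sample input.
PERMIT_CLI_ACL = """\
ip access-list permit-cli
 seq 10 permit ip 192.168.16.0 255.255.255.0 192.168.16.0 255.255.255.0
 seq 20 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
 seq 30 deny ip any any
"""


def _parse_addr(tokens, i):
    """Consume one IPv4 address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D M.M.M.M'. The dotted pair is assumed to be network + subnet mask,
    which is how the page writes 10.0.0.0 255.0.0.0 for 10.0.0.0/8."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return [(seq, action, proto, src_net, dst_net)] sorted by sequence number."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "seq":
            continue  # list name, '!' separators, blank lines
        seq, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        rules.append((seq, action, proto, src, dst))
    return sorted(rules, key=lambda r: r[0])


def evaluate(rules, src_ip, dst_ip, proto="tcp"):
    """First-match evaluation in sequence order (assumed OS10 behaviour).
    Returns (action, matching_seq); an unmatched packet is implicitly denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, rproto, rsrc, rdst in rules:
        if rproto not in ("ip", proto):
            continue
        if s in rsrc and d in rdst:
            return action, seq
    return "deny", None


def management_reachable(acl_text, src_ip, switch_ip):
    """True if a session from src_ip to the switch's management address passes the VTY ACL."""
    action, _ = evaluate(parse_acl(acl_text), src_ip, switch_ip)
    return action == "permit"


def audit_deny_by_default(rules):
    """Findings against the deny-by-default intent of V-202049: the final entry must
    deny everything explicitly, and no earlier entry may permit an unrestricted source."""
    findings = []
    if not rules:
        return ["ACL has no entries"]
    seq, action, _, src, dst = rules[-1]
    if not (action == "deny" and src.prefixlen == 0 and dst.prefixlen == 0):
        findings.append(f"seq {seq} is the last entry but is not 'deny ip any any'")
    for seq, action, _, src, _ in rules[:-1]:
        if action == "permit" and src.prefixlen == 0:
            findings.append(f"seq {seq} permits sessions from any source")
    return findings


if __name__ == "__main__":
    rules = parse_acl(PERMIT_CLI_ACL)
    for src, dst in [("192.168.16.34", "192.168.16.1"),
                     ("203.0.113.5", "192.168.16.1"),
                     ("192.168.16.34", "10.0.0.1")]:
        print(src, "->", dst, evaluate(rules, src, dst))
    print("findings:", audit_deny_by_default(rules) or "none")
```

Running the script shows one property of this list that is easy to miss: because each permit entry constrains both source and destination to the same block, a workstation in 192.168.16.0/24 reaching a management address in 10.0.0.0/8 is denied by seq 30. The switch's own management address therefore has to sit inside the block its administrators connect from, which is exactly the kind of check worth making with a script before the list is applied to the VTY lines.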
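Several entries in the table reduce to a single command that must be present in the running configuration, so a compliance review of many switches is largely a text audit. The following Python script is an added example and is not Dell's code or part of OS10: it reads an OS10-style running configuration and reports, for the entries that cite a concrete CLI setting, which ones are not met. The sample configuration is constructed, with two settings deliberately non-compliant; the script treats exec-timeout as seconds, following the page's use of exec-timeout 600 for the 10-minute limit, and it only looks for the command strings the table cites, so it verifies configured intent rather than observed device behaviour.

```python
import re

# Constructed running-configuration excerpt built from the commands the table cites.
# Two settings are deliberately non-compliant: exec-timeout is too long, and
# "system-cli disable" is missing.
SAMPLE_RUNNING_CONFIG = """\
!
service obscure-password
crypto fips enable
exec-timeout 900
dot1x system-auth-control
logging server 192.0.2.10 tls
radius-server host 192.0.2.20 key ******
!
interface ethernet 1/1/1
 dot1x port-control auto
 dot1x re-authentication
!
line vty
 ip access-class permit-cli
!
control-plane
 ip access-group ipv4-cp-acl in
 ipv6 access-group ipv6-cp-acl in
!
"""

MAX_IDLE_SECONDS = 600  # V-202074: 10 minutes; the page's "exec-timeout 600" is taken as seconds
EXEC_TIMEOUT_RE = re.compile(r"^exec-timeout (\d+)$")


def parse_config(text):
    """Split an indented OS10-style config into top-level lines and their child lines."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
        elif not raw.startswith(" "):
            current = line
            top.append(line)
            sections.setdefault(current, [])
    return top, sections


def audit(text):
    """Map STIG ID -> (compliant, detail) for the table entries that name a CLI setting."""
    top, sections = parse_config(text)

    def has(prefix):
        return any(line.startswith(prefix) for line in top)

    findings = {}

    # V-206647: 802.1X enabled globally and enforced on at least one port
    ports = [h for h, body in sections.items()
             if h.startswith("interface") and "dot1x port-control auto" in body]
    findings["V-206647"] = (has("dot1x system-auth-control") and bool(ports),
                            f"802.1X enforced on {ports}")

    # V-202049: VTY lines behind an access-class and control-plane ACLs attached
    vty_ok = any(l.startswith("ip access-class") for l in sections.get("line vty", []))
    cp_ok = any(l.startswith(("ip access-group", "ipv6 access-group"))
                for l in sections.get("control-plane", []))
    findings["V-202049"] = (vty_ok and cp_ok,
                            f"vty access-class={vty_ok}, control-plane ACL={cp_ok}")

    # V-202074: inactivity timeout present and no longer than 10 minutes
    secs = next((int(m.group(1)) for m in map(EXEC_TIMEOUT_RE.match, top) if m), None)
    findings["V-202074"] = (secs is not None and secs <= MAX_IDLE_SECONDS,
                            f"exec-timeout={secs}")

    # Entries satisfied by one global command (V-202117 and V-202118 share crypto fips enable)
    findings["V-202064"] = (has("service obscure-password"), "service obscure-password")
    findings["V-202078"] = (has("system-cli disable"), "system-cli disable")
    findings["V-202117"] = (has("crypto fips enable"), "crypto fips enable")
    findings["V-213467"] = (has("logging server"), "remote syslog server configured")
    findings["V-202132"] = (has("radius-server host"), "remote AAA server configured")
    return findings


def noncompliant(text):
    """Sorted list of STIG IDs whose check failed."""
    return sorted(rule for rule, (ok, _) in audit(text).items() if not ok)


if __name__ == "__main__":
    for rule, (ok, detail) in sorted(audit(SAMPLE_RUNNING_CONFIG).items()):
        print(f"{rule}: {'PASS' if ok else 'FAIL'} ({detail})")
```

On the constructed input the audit flags V-202074 (exec-timeout 900 exceeds the 10-minute limit) and V-202078 (system-cli disable absent) and passes the rest. Feeding it the output of show running-configuration from each switch gives a quick first pass before the detailed verification the STIG checklist itself requires.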
