Dell OS10 Switch Router Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The Dell OS10 Router must be configured to log all packets that have been dropped.
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate ...
Rule Low Severity
The Dell OS10 Router must be configured to use encryption for routing protocol authentication.
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
Rule Medium Severity
The Dell OS10 Router must be configured to authenticate all routing protocol messages using NIST-validated FIPS 198-1 message authentication code algorithm.
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
Rule Medium Severity
The PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial-of-service (DoS) attacks.
DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial-of-service (DDoS) attacks are referred to as volumetric attacks and have the objective o...
Rule Medium Severity
The Dell OS10 Router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
Rule Medium Severity
The Dell OS10 Router must be configured to implement message authentication for all control plane protocols.
A rogue router could send a fictitious routing update to convince a site's perimeter router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to l...
Rule Medium Severity
The Dell OS10 Router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Some routing prot...
Rule Medium Severity
The Dell OS10 Router must not be configured to have any zero-touch deployment feature enabled when connected to an operational network.
Network devices that are configured via a zero-touch deployment or auto-loading feature can have their startup configuration or image pushed to the device for installation via TFTP or Remote Copy (...
Rule Medium Severity
The Dell OS10 Router must be configured to have Gratuitous ARP disabled on all external interfaces.
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can c...
Rule Medium Severity
The Dell OS10 Router must be configured to have IP directed broadcast disabled on all interfaces.
An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unic...
Rule Low Severity