What are the Security Best Practices for using Dell servers via iDRAC, SNMP, IPMI and BMC?
SNMP:
- Segment SNMP interfaces on managed servers using virtual LANs (VLANs), access control lists (ACLs), or physical separation to isolate the management network from the rest of the network.
- Ensure that all devices using SNMP to communicate with ITA are in the same segment as the ITA system. Do not bind SNMP to public or internal networks.
- Avoid using "public", "private", or an easily guessable string as the SNMP community name.
BMC/IPMI (including the DRAC and iDRAC):
- Segment IPMI traffic (UDP and stateless) from the rest of the network.
- Do not allow IPMI traffic from outside the network.
- If using IPMI 1.5-capable BMCs, use ACLs and strict source routing to help ensure the IPMI traffic is secure. IPMI 2.0 uses stronger encryption than IPMI 1.5.
- Segment SNMP interfaces on managed servers using virtual LANs (VLANs), access control lists (ACLs)
- Authentication should be required (see below for steps to disallow bypassing authentication, also known as Cipher 0).
DRAC/iDRAC:
- Allow TCP ports 80 and 443 (HTTP and HTTPS respectively).
- Filter TCP port 25 (use ACLs to limit port 25 traffic to the mail servers).
- Change the default username/password.
- A strong password should be used. Use of NULL passwords should not be allowed (Dell DRAC/iDRACs do not allow the use of NULL passwords).
- Anonymous logons should not be allowed. (Anonymous logons are NOT allowed by default on Dell DRAC/iDRACs. User account 1, the anonymous user account, is disabled with no way to enable this account.)
Additional Information:
Dell documents regarding security best practices:
- Dell response to CVE (Common Vulnerabilities and Exposures) IDs
- Dell response to US-CERT (United States Computer Emergency Readiness Team) TA13-207A: IPMI TechAlert
- Dell response to Vulnerability Note VU#920038
- Firmware should be updated to the latest available version to ensure all security patches are applied.
- Management networks (subnets/VLANs) should also be separated by firewalls, and access should be limited (via ACLs and other methods) to authorized server administrators.
- If you choose not to use IPMI, the DRAC/iDRAC IPMI firewall should be enabled, and IPMI over the network should be disabled. (Control is available via the iDRAC web interface and the iDRAC CLI.)
- IPMI over LAN is disabled by default on all Dell 8G servers and later, including our currently shipping 12G models.
Disable Cipher 0 - Cipher 0 is an option, usually enabled by default, that can allow authentication to be bypassed. Disabling Cipher 0 can prevent attackers from bypassing authentication and sending arbitrary IPMI commands.
ipmitool lan set 1 cipher_privs Xaaaaaaaaaaaaaa
The syntax for the cipher suites will vary by customer needs. The initial X disables cipher suite 0. In the example above, all remaining cipher suites would be available to ADMIN users.
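A way to verify the setting after running the command above, as an added example that is not part of Dell's article: the script reads the "Cipher Suite Priv Max" line from `ipmitool lan print` output and decodes it suite by suite, failing when cipher suite 0 is still usable. The function names and the sample output are constructed for illustration; the letter meanings are those of ipmitool's cipher_privs format.

```shell
#!/bin/sh
# Added example: audit a BMC's "Cipher Suite Priv Max" string (cipher suites 0..14).
# ipmitool's letters: X=unused, c=CALLBACK, u=USER, o=OPERATOR, a=ADMIN, O=OEM.

# Constructed sample in the layout of `ipmitool lan print` (not from a real BMC).
sample_lan_print() {
    printf 'IP Address Source       : Static Address\n'
    printf 'Cipher Suite Priv Max   : %s\n' "$1"
    printf '                        :     X=Cipher Suite Unused\n'
}

# Read `ipmitool lan print <channel>` output on stdin, print the privilege string.
# Prints nothing when the BMC reports "Not Available".
extract_cipher_privs() {
    sed -n 's/^Cipher Suite Priv Max[[:space:]]*:[[:space:]]*\([XcuoaO]*\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Print one line per suite. Returns 0 if suite 0 is disabled, 1 if usable, 2 if malformed.
audit_cipher_privs() {
    privs=$1
    case $privs in
        ''|*[!XcuoaO]*) echo "malformed: empty or unexpected character"; return 2 ;;
    esac
    if [ "${#privs}" -ne 15 ]; then
        echo "malformed: expected 15 characters, got ${#privs}"
        return 2
    fi
    suite=0
    rest=$privs
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}   # first character of what is left
        rest=${rest#?}
        case $ch in
            X) level=disabled ;;
            c) level=CALLBACK ;;
            u) level=USER ;;
            o) level=OPERATOR ;;
            a) level=ADMIN ;;
            O) level=OEM ;;
        esac
        echo "cipher suite $suite: $level"
        suite=$((suite + 1))
    done
    case $privs in
        X*) return 0 ;;
        *)  echo "WARNING: cipher suite 0 is enabled"; return 1 ;;
    esac
}

# On a managed host: audit_cipher_privs "$(ipmitool lan print 1 | extract_cipher_privs)"
```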
