Knowledge Base

Security - Best Practices for Security for iDRAC, IPMI, SNMP



Issue:

What are the Security Best Practices for using Dell servers via iDRAC, SNMP, IPMI and BMC?



Solution:


SNMP:

  • Segment SNMP interfaces on managed servers using virtual LANs (VLANs), access control lists (ACLs), or physical separation to isolate the management network from the rest of the network.
  • Ensure that all devices using SNMP to communicate with ITA (Dell IT Assistant) are in the same segment as the ITA system. Do not expose SNMP on public or general-purpose internal networks.
  • Avoid using "public", "private", or any other easily guessable string as the SNMP community name. SNMP v1/v2c send the community string in cleartext, so where the device supports SNMPv3, prefer it with authentication and privacy enabled.

BMC/IPMI (including the DRAC and iDRAC):

  • Segment IPMI traffic (RMCP/RMCP+ over UDP port 623, connectionless) from the rest of the network.
  • Do not allow IPMI traffic from outside the management network.
  • IPMI 1.5 sessions have no encryption and only weak (straight-password or MD5-based) authentication. If you must operate IPMI 1.5-capable BMCs, compensate with ACLs that restrict sources to the management hosts only. IPMI 2.0 (RMCP+) adds authenticated and encrypted sessions and should be used wherever the BMC supports it.
  • Segment the BMC network interfaces themselves using VLANs and ACLs, as for SNMP above.
  • Require authentication for every IPMI session. See below for the steps to disable RMCP+ cipher suite 0, which otherwise allows authentication to be bypassed.

DRAC/iDRAC:

  • Allow TCP ports 80 and 443 (HTTP and HTTPS respectively) only from the management network, and prefer HTTPS for administrative sessions.
  • Filter TCP port 25 (SMTP): use ACLs so the DRAC/iDRAC can reach only the mail servers it relays alerts through.
  • Change the default username/password.
  • Use strong passwords. NULL (empty) passwords must not be allowed; Dell DRAC/iDRACs do not accept them.
  • Anonymous logons must not be allowed. Anonymous logons are NOT allowed by default on Dell DRAC/iDRACs: user account 1 (the anonymous user account) is disabled, and there is no way to enable it.


Additional Information:

Dell documents regarding security best practices:

  • Dell response to CVE (Common Vulnerabilities and Exposures) IDs
  • Dell response to US-CERT (United States Computer Emergency Readiness Team) TA13-207A: IPMI TechAlert
  • Dell response to Vulnerability Note VU#920038

  • Firmware should be updated to the latest available version to ensure all security patches are applied.
  • Management networks (subnets/VLANs) should also be separated by firewalls, and access should be limited (via ACLs and other methods) to authorized server administrators.
  • If you choose not to use IPMI, enable the DRAC/iDRAC IPMI firewall and disable IPMI over LAN (both controls are available in the iDRAC web interface and the iDRAC CLI).
  • IPMI over LAN is disabled by default on all Dell 8G servers and later, including the currently shipping 12G models.


Disable Cipher 0 - RMCP+ cipher suite 0 specifies no authentication, no integrity checking and no encryption. It is usually enabled by default, and if the BMC permits it at any privilege level, a client that knows (or guesses) a valid username can open an IPMI session without the correct password and send arbitrary IPMI commands at that user's privilege level. Disabling cipher suite 0 removes this bypass:

ipmitool lan set 1 cipher_privs Xaaaaaaaaaaaaaa

The cipher_privs string has one position per RMCP+ cipher suite, suites 0 through 14, so 15 characters in total. The letter at each position sets the highest privilege level that may use that suite: X disables the suite, c allows up to CALLBACK, u up to USER, o up to OPERATOR and a up to ADMIN. The leading X in the example disables cipher suite 0; the remaining fourteen a's leave every other suite available to ADMIN users. Adjust the other positions to match your site policy, for example by disabling suites you do not use. Before running the command, confirm with "ipmitool channel info" that 1 is the LAN channel on your BMC; afterwards, verify the change with "ipmitool lan print 1", whose "Cipher Suite Priv Max" line shows the active string.
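The following POSIX shell audit is an added example; it is not part of this article and not Dell code. It parses captured output of "ipmitool lan print <channel>", reports whether cipher suite 0 is still permitted, and builds a cipher_privs string that disables only suite 0 while leaving the other fourteen positions exactly as the operator had them, so that hardening one suite never silently grants ADMIN on suites that were already restricted. The function names, the channel number 1 and the sample ipmitool output are all assumptions made for the example; the sample output is constructed, not captured from a real BMC.

```shell
#!/bin/sh
# Added example (not from the Dell article): audit RMCP+ cipher suite 0 from
# the text that `ipmitool lan print <channel>` prints, and derive a safe
# `cipher_privs` string for remediation.
#
# ipmitool reports the per-suite maximum privilege on one line, e.g.
#   Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
# with one character per cipher suite 0..14:
#   X = suite disabled  c = CALLBACK  u = USER  o = OPERATOR  a = ADMIN  O = OEM
# Suite 0 is "no authentication, no integrity, no confidentiality", so any
# character other than X in position 0 is the finding.

# Extract the privilege string from captured `ipmitool lan print` output.
# Prints nothing if the line is absent (e.g. an IPMI 1.5-only BMC).
cipher_privs_from_lan_print() {
    printf '%s\n' "$1" \
        | sed -n 's/^Cipher Suite Priv Max[[:space:]]*:[[:space:]]*//p' \
        | head -n 1 | tr -d ' \t\r'
}

# Return 0 if cipher suite 0 is disabled, 1 if it is enabled at any
# privilege level, 2 if the output carries no cipher suite line at all
# (not verified, which must not be reported as "safe").
cipher0_disabled() {
    privs=$(cipher_privs_from_lan_print "$1")
    [ -n "$privs" ] || return 2
    case "$privs" in
        X*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Given the current 15-character privilege string, return it with only
# position 0 forced to X; every other suite keeps its current setting.
hardened_cipher_privs() {
    printf 'X%s\n' "${1#?}"
}

# Build the ipmitool command that applies the hardened string on a channel.
# Channel 1 is the usual LAN channel on Dell BMCs (assumption: confirm with
# `ipmitool channel info` before applying).
remediation_command() {
    channel=$1
    privs=$(hardened_cipher_privs "$2")
    printf 'ipmitool lan set %s cipher_privs %s\n' "$channel" "$privs"
}

# Audit one channel from captured output: prints a verdict, returns the
# status of cipher0_disabled so the caller can act on it.
# Live use: audit_channel 1 "$(ipmitool -I lanplus -H <bmc> -U <user> -P <pw> lan print 1)"
audit_channel() {
    channel=$1
    output=$2
    rc=0
    cipher0_disabled "$output" || rc=$?
    case $rc in
        0) echo "channel $channel: cipher suite 0 disabled (OK)" ;;
        1) echo "channel $channel: cipher suite 0 ENABLED, remediate with:"
           echo "  $(remediation_command "$channel" "$(cipher_privs_from_lan_print "$output")")" ;;
        *) echo "channel $channel: no RMCP+ cipher suite data (IPMI 1.5 only?), not verified" ;;
    esac
    return $rc
}

# Constructed sample of `ipmitool lan print 1` output (trimmed to the
# relevant fields) from a BMC that still permits cipher suite 0 for ADMIN.
SAMPLE_LAN_PRINT='Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM'

# Demonstration on the constructed sample. The non-zero status is the
# finding, not an error, so it is swallowed here.
audit_channel 1 "$SAMPLE_LAN_PRINT" || :
```

Run against a real BMC, feed audit_channel the output of "ipmitool lan print" for each channel the BMC exposes. The status 2 path matters: a BMC that prints no "Cipher Suite Priv Max" line has not been shown to be safe, it has only been shown not to speak RMCP+, and should be treated under the IPMI 1.5 guidance above.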




Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN156429

Last modified: 06/23/2014 07:59 AM

