
iDRAC9 Security Configuration Guide


SNMP Security Best Practices:

iDRAC supports SNMP v2 and v3 for information gathering, alerting, and configuration. SNMP can leak sensitive information if it is configured improperly. If SNMP is not needed, Dell Technologies recommends disabling this service. If SNMP is required, the following recommendations configure the service as securely as possible.

  1. Enable SNMPv3 only if possible.
  2. Segment SNMP interfaces on managed servers using virtual LANs (VLANs), access control lists (ACLs), or physical separation to isolate the management network from the rest of the network.
  3. Ensure that all devices using SNMP to communicate with ITA are in the same segment as the ITA system. Do not bind SNMP to public or internal networks.
  4. Avoid using "public", "private", or an easily guessable string as the SNMP community name.
  5. Set a separate SNMPv3 Authentication Passphrase and Privacy Passphrase (requires 6.00 firmware or higher).

Additional Security Considerations for SNMP

  • SNMP security lockout feature
    • iDRAC supports a simple, non-configurable SNMP security lockout feature. If more than six SNMPv3 USM authentication failures occur within a 2-minute window, then the iDRAC SNMP Agent blocks all subsequent SNMPv3 requests/queries for 10 minutes.
  • Restriction of access to sensitive data
    • Some of the MIB data that iDRAC supports can only be accessed using SNMPv3 queries. Access to such data is blocked for SNMPv1 and SNMPv2c queries.
    • Currently, the following attributes and table are considered to be “sensitive” data and have this restriction:
      • numLCLogEntries (which has an SNMP OID of 1.3.6.1.4.1.674.10892.5.4.300.2.0)
      • lcLogTable (which has an SNMP OID of 1.3.6.1.4.1.674.10892.5.4.300.90)
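
The lockout rule described above (more than six SNMPv3 USM authentication failures in 2 minutes, then a 10-minute block) can be modeled to show how one poller with stale credentials also cuts off correctly configured monitoring. This is an added example, not Dell code; it assumes a sliding window and that failures arriving during a lockout are not counted, neither of which the guide specifies, and all timestamps are constructed.

```python
from collections import deque

WINDOW_S = 120      # 2-minute window (from the guide)
MAX_FAILURES = 6    # lockout triggers on "more than six" failures
LOCKOUT_S = 600     # 10-minute block (from the guide)


def lockout_intervals(failure_times):
    """Return [(start, end)] periods, in seconds, in which SNMPv3 is blocked.

    Assumptions (not stated in the guide): the 2-minute window slides, and
    failures that arrive during a lockout are dropped without extending it.
    """
    recent = deque()        # failures still inside the sliding window
    intervals = []
    locked_until = None
    for t in sorted(failure_times):
        if locked_until is not None and t < locked_until:
            continue        # request is blocked; assumed not to count
        while recent and t - recent[0] >= WINDOW_S:
            recent.popleft()
        recent.append(t)
        if len(recent) > MAX_FAILURES:
            locked_until = t + LOCKOUT_S
            intervals.append((t, locked_until))
            recent.clear()
    return intervals


def blocked_polls(poll_times, intervals):
    """Polls with valid credentials that land inside a lockout period."""
    return [p for p in poll_times if any(s < p < e for s, e in intervals)]


if __name__ == "__main__":
    # Constructed data: one poller with a stale passphrase retries every
    # 15 s for 15 minutes; a correctly configured NMS polls every 5 minutes.
    stale_poller = range(0, 900, 15)
    nms_polls = [0, 300, 600, 900, 1200]
    periods = lockout_intervals(stale_poller)
    print("lockout periods:", periods)
    print("NMS polls lost: ", blocked_polls(nms_polls, periods))
```
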
