DRAC 5
Dell Remote Access Card 5 Security

Information in this document is subject to change without notice. © Copyright 2006 Dell Inc. All rights reserved. Reproduction in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. Dell, the Dell Logo, and OpenManage are trademarks of Dell Inc.
Table of Contents
Terminology 4
Introduction 6
Authentication and Authorization
Console Redirection Security 22
  Authentication and Encryption 22
  User Session Privacy
Terminology

Term      Definition
CA        Certificate Authority
CAST-128  CAST algorithm, 128-bit key
CD        Compact Disc
CLI       Command Line Interface
CSR       Certificate Signing Request
3DES      Triple Data Encryption Standard
DH        Diffie-Hellman
DNS       Domain Name System
DRAC 5    Dell Remote Access Controller 5
DSA       Digital Signature Algorithm
GUI       Graphical User Interface
HTTP      Hypertext Transfer Protocol
HTTPS     Hypertext Transfer Protocol Secure
IP        Internet Protocol
IPMI      Intelligent Platform Management Interface
SHA1      Secure Hash Algorithm 1
SMCLP     Server Management Command Line Protocol
SMTP      Simple Mail Transfer Protocol
SNMP      Simple Network Management Protocol
SOL       Serial Over LAN
SSH       Secure Shell
SSL       Secure Sockets Layer
TCP       Transmission Control Protocol
TCP/IP    Transmission Control Protocol/Internet Protocol
TFTP      Trivial File Transfer Protocol
TLS1.
Introduction
Managing distributed servers from a remote location is now a critical requirement. DRAC 5 lets users remotely monitor, troubleshoot, and repair servers even when the server is down. DRAC 5 offers a rich set of features, such as virtual media and virtual KVM, that expose the server's console and storage over the network and therefore carry security risks. The DRAC 5 security features described here mitigate those risks while data is transmitted across the network.
Authentication and Authorization

Log in via Local Account
The DRAC 5 ships with one default local user account, pre-configured with the administrator role; its user name is "root" and its password is "calvin". Both values are published, so Dell strongly recommends changing this default during deployment of the DRAC 5. DRAC 5 supports up to 16 local users, and each user can be enabled or disabled individually.
The DRAC 5 RAC channel has nine privileges, and each user can hold any combination of them. The nine privileges are as follows:

RAC Login User Privilege
This privilege allows a user to log in to the DRAC 5 card. An administrator can disable a user simply by removing this privilege. Removing the login privilege is not the same as deleting the user: the account remains in the user database but can no longer log in to or use this DRAC 5 card.
Active Directory data is a distributed database of attributes and classes. The Active Directory schema holds the rules that determine what kinds of data can be added to the database. The user class is one example of a class stored in the database; its attributes include the user's first name, last name, phone number, and so on.
For an Active Directory user to be authorized to access a DRAC 5, three things must be added to a Dell Association object: the user object (or a group containing it), a Dell privilege object carrying the desired privilege settings, and the Dell RAC device object that represents the DRAC 5. The name of that RAC device object must also be configured on the DRAC 5 itself, so that the card can find the associations that apply to it.
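The following is an added example, not Dell's code, of how a DRAC 5 would resolve a user's privileges from the three objects just described (and it also shows the point made earlier that an account without the RAC Login privilege cannot log in at all). The user, group, association and RAC device object names, and the privilege labels beyond "Login", are constructed for this example; a real directory would be queried over LDAP rather than held in Python structures.

```python
"""Resolving DRAC 5 access under the Dell standard Active Directory schema.

Added example, not Dell's code. It models the three objects the text describes:
a Dell Association object that links user/group objects, one Dell privilege
object and one or more Dell RAC device objects. All names below (users, groups,
associations, device object names) are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DellPrivilege:
    """A Dell privilege object: a named set of RAC privileges."""
    name: str
    privileges: frozenset


@dataclass(frozen=True)
class DellAssociation:
    """A Dell Association object: members + one privilege object + RAC devices."""
    members: frozenset      # DNs of user or group objects
    privilege: DellPrivilege
    rac_devices: frozenset  # names of Dell RAC device objects


def expand_groups(principal, member_of):
    """Transitive group membership (nested groups), guarded against cycles."""
    seen, todo = set(), [principal]
    while todo:
        p = todo.pop()
        for g in member_of.get(p, ()):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen


def resolve_privileges(user_dn, rac_device_name, associations, member_of):
    """Union of privileges from every association that names both (a) the user
    or one of the user's groups and (b) the RAC device object configured on
    this DRAC 5. An association that lacks either contributes nothing."""
    principals = {user_dn} | expand_groups(user_dn, member_of)
    granted = set()
    for assoc in associations:
        if rac_device_name in assoc.rac_devices and principals & assoc.members:
            granted |= assoc.privilege.privileges
    return frozenset(granted)


def may_log_in(user_dn, rac_device_name, associations, member_of):
    """Without the RAC Login privilege the user cannot log in at all, whatever
    other privileges the association grants."""
    return "Login" in resolve_privileges(user_dn, rac_device_name, associations, member_of)


# Constructed directory contents (hypothetical DNs and device object names)
ADMIN = DellPrivilege("RAC Administrators",
                      frozenset({"Login", "ConfigureRAC", "ConfigureUsers", "ServerControl"}))
OPERATOR = DellPrivilege("RAC Operators", frozenset({"Login", "ServerControl"}))
VM_ONLY = DellPrivilege("Virtual Media only", frozenset({"VirtualMedia"}))  # no Login

MEMBER_OF = {
    "cn=alice,ou=people": {"cn=rack-admins,ou=groups"},
    "cn=rack-admins,ou=groups": {"cn=all-admins,ou=groups"},   # nested group
    "cn=bob,ou=people": set(),
}

ASSOCIATIONS = [
    DellAssociation(frozenset({"cn=all-admins,ou=groups"}), ADMIN,
                    frozenset({"drac-web01", "drac-web02"})),
    DellAssociation(frozenset({"cn=bob,ou=people"}), OPERATOR, frozenset({"drac-db01"})),
    DellAssociation(frozenset({"cn=carol,ou=people"}), VM_ONLY, frozenset({"drac-web01"})),
]

if __name__ == "__main__":
    for user, drac in [("cn=alice,ou=people", "drac-web01"), ("cn=alice,ou=people", "drac-db01"),
                       ("cn=bob,ou=people", "drac-db01"), ("cn=carol,ou=people", "drac-web01")]:
        privs = sorted(resolve_privileges(user, drac, ASSOCIATIONS, MEMBER_OF))
        print(user, drac, privs, "login" if may_log_in(user, drac, ASSOCIATIONS, MEMBER_OF) else "no login")
```

Note the two negative cases: alice, although an administrator through a nested group, gets nothing on drac-db01 because no association joins her groups to that RAC device object, and carol has a privilege on drac-web01 but still cannot log in because the privilege object lacks RAC Login.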
Figure 2: Dell Standard Schema Active Directory Architecture
Encryption
The SSL protocol, built on public/private key cryptography, is the universally accepted way to provide authenticated and encrypted communication between web clients and servers and to prevent eavesdropping on the network. Running above TCP/IP and below application protocols such as HTTP, SSL lets an SSL-enabled server authenticate itself to the client by presenting its certificate, and optionally lets the client authenticate itself to the server.
Secure Shell Encryption
DRAC 5 supports only SSH-2.0, because SSH-1.0 is not considered secure. The DRAC 5 SSH server supports the following algorithms:
- Host/public key: DSA, RSA
- Integrity (used as HMAC algorithms): SHA-1, MD5
- Symmetric ciphers: 3DES, RC4, Blowfish, CAST-128
Of these, RC4 and MD5 are the weakest by today's standards; where the client allows it, negotiate an RSA host key with 3DES and HMAC-SHA-1.

IPMI RMCP+ Encryption
DRAC 5 IPMI over LAN and SOL use RMCP+ for authentication and key exchange. For details of the RMCP+ protocol, see the IPMI 2.0 specification.
Event Logging
DRAC 5 keeps a persistent log of all critical events: user logins and logouts, DRAC 5 configuration changes, critical operations performed on the server through the DRAC 5, and so on. Administrators can use this log to audit critical operations on the DRAC 5.
Access to DRAC 5

Disabling Services and Changing the Service Port Number
Several out-of-band services run on a DRAC 5 by default, each opening a network port that listens for connections. Dell strongly recommends disabling every service that is not used on the DRAC 5 card. The table below lists the default ports; it is also the list a firewall or switch ACL protecting the management network should be written against.
Port #  Protocol  Port Type  DRAC 5 Firmware Version  Maximum Encryption Level  Direction  Usage                            Configurable
68      DHCP      UDP        1.0                      None                      In/Out     DHCP assigned IP address         No
69      TFTP      UDP        1.0                      None                      In/Out     Firmware update via Trivial FTP  No
80      HTTP      TCP        1.0                      None                      In/Out     Web GUI redirected to HTTPS      Yes
161     SNMP      UDP        1.0                      None                      In/Out     SNMP query management            No
162     SNMP      UDP        1.0                      None                      Out        SNMP trap event                  No
443     HTTPS     TCP        1.
Security Policy
To prevent unauthorized access to the remote system, DRAC 5 provides the following features, described under "IP Blocking" and "Invalid Login Attack Blocking":
- IP address filtering (IPRange): defines a specific range of IP addresses that can access the DRAC 5
- IP address blocking: limits the number of failed login attempts from a specific IP address

IP Blocking
This feature is disabled in the DRAC 5 default configuration.
As login failures accumulate from a specific IP address, they are "aged" by an internal counter: once a failure reaches the maximum age of the counter window, it is deleted (forgiven). A valid login from an address that is not currently penalized deletes all previous login failures recorded for that address. An address that is within its penalty period (cfgRacTuneIpBlkPenaltyTime) is refused until the period ends, so the failure history cannot be cleared except by a valid login attempt from an address that is no longer penalized.
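The following is an added model of the blocking behaviour described above, not DRAC 5 firmware code. Its three parameters are named after the racadm properties cfgRacTuneIpBlkFailCount, cfgRacTuneIpBlkFailWindow and cfgRacTuneIpBlkPenaltyTime, but the values, the clock (passed in explicitly so aging can be exercised without waiting) and the sample addresses are constructed.

```python
"""Model of the DRAC 5 invalid-login (IP blocking) behaviour.

Added example, not DRAC 5 firmware code. Parameter names follow the racadm
properties cfgRacTuneIpBlkFailCount, cfgRacTuneIpBlkFailWindow and
cfgRacTuneIpBlkPenaltyTime; the values, clock and addresses are constructed.
"""


class IpBlocker:
    def __init__(self, fail_count=5, fail_window=60, penalty_time=300):
        self.fail_count = fail_count        # failures inside the window that trigger a penalty
        self.fail_window = fail_window      # seconds a failure stays on record before it is forgiven
        self.penalty_time = penalty_time    # seconds the source address is refused
        self._failures = {}                 # ip -> list of failure timestamps
        self._penalty_until = {}            # ip -> time at which the penalty expires

    def _age_failures(self, ip, now):
        """Drop failures older than the window; the counter is aged, not reset."""
        kept = [t for t in self._failures.get(ip, []) if now - t < self.fail_window]
        if kept:
            self._failures[ip] = kept
        else:
            self._failures.pop(ip, None)

    def is_penalized(self, ip, now):
        return self._penalty_until.get(ip, 0) > now

    def attempt(self, ip, credentials_valid, now):
        """Outcome of one login attempt: 'blocked', 'failed' or 'ok'."""
        if self.is_penalized(ip, now):
            # During the penalty even correct credentials are refused, so the
            # failure history cannot be cleared from this address until it expires.
            return "blocked"
        self._age_failures(ip, now)
        if credentials_valid:
            # A valid login from a non-penalized address forgives all earlier failures.
            self._failures.pop(ip, None)
            return "ok"
        self._failures.setdefault(ip, []).append(now)
        if len(self._failures[ip]) >= self.fail_count:
            self._penalty_until[ip] = now + self.penalty_time
        return "failed"

    def failure_count(self, ip, now):
        """Failures still on record for ip after aging."""
        self._age_failures(ip, now)
        return len(self._failures.get(ip, []))


def run_scenario(events, **params):
    """events: (time, ip, credentials_valid) tuples; returns the outcome of each."""
    blocker = IpBlocker(**params)
    return [blocker.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed scenario: a password-guessing burst from 198.51.100.7 and an
# unrelated slow trickle of typos from 203.0.113.9 (documentation addresses).
SCENARIO = [
    (0, "198.51.100.7", False), (1, "198.51.100.7", False), (2, "198.51.100.7", False),
    (3, "198.51.100.7", False), (4, "198.51.100.7", False),   # fifth failure -> penalized
    (5, "198.51.100.7", True),                                 # right password, still blocked
    (10, "203.0.113.9", False), (100, "203.0.113.9", False),   # first failure aged out by then
    (101, "203.0.113.9", True),                                # clears that address's history
    (305, "198.51.100.7", True),                               # penalty over -> admitted
]

if __name__ == "__main__":
    for event, outcome in zip(SCENARIO, run_scenario(SCENARIO)):
        print(event, "->", outcome)
```

The penalty expiring does not by itself erase the recorded failures; they disappear only by aging out of the window or by a subsequent valid login, which is the behaviour the text describes.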
Shared NIC Security
On 9xxx-generation Dell servers the DRAC 5 can carry its management traffic over the host LOM instead of a dedicated NIC, so the LOM carries host traffic and DRAC 5 management traffic together. This suits customers who do not want to maintain a separate network for management traffic: it reduces cabling and the number of switch ports required.
reluctant to use the shared NIC feature because they want to keep regular host traffic and management traffic separate; if so, they can use VLANs to segment the traffic.

Web Browser Security
The browser connects to the DRAC 5 web server on the HTTPS port. All data streams are encrypted with 128-bit SSL to provide privacy and integrity, and any connection to the HTTP port is redirected to HTTPS. Administrators can replace the factory certificate with their own: generate a CSR on the DRAC 5, have it signed by their CA, and upload the resulting certificate, so that browsers can verify the web server's identity against a CA they trust rather than prompting about an unknown certificate.
- Only password user authentication is supported
- Default authentication timeout of 2 minutes
- Six authentication attempts allowed by default

SNMP Security
An SNMP agent runs on a DRAC 5 by default. Dell OpenManage™ IT Assistant and other management frameworks use it to discover the DRAC 5 out-of-band service point, for example the web GUI URL. DRAC 5 supports only SNMP version 1, which authenticates requests with nothing more than a community string sent in the clear and does not encrypt; treat the community string as a credential and limit which hosts can reach UDP port 161.
[Figure 4: Virtual Media Architecture. The virtual media client on the management station sends a connection request to the managed system's web server over the SSL channel and receives the virtual media server information together with an authentication key; it then sends an open-session request carrying that key to the virtual media server, which establishes the session. The virtual media data channel itself runs over SSL if virtual media encryption is enabled.]

Console Redirection Security

Authentication and Encryption
DRAC 5 can continuously redirect the managed system's video, keyboard and mouse (KVM) to the management station.
[Figure 5: Console Redirection Architecture. The console redirection client obtains the console redirection server information and an authentication key from the managed node's web server over the SSL channel, then opens its session on the console redirection server by presenting that key. The keyboard/mouse pipe runs over an SSL channel; the video pipe runs over an SSL channel only if video encryption is enabled.]

User Session Privacy
User session privacy is a security concern in the console redirection feature.
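Figures 4 and 5 share one pattern: the client authenticates once to the web server over SSL, receives a short-lived authentication key, and uses that key to open the virtual media or console redirection session on a separate server. The following added example, which is not the DRAC 5 implementation, walks through that exchange with both sides' messages and the failure modes a practitioner would check (replay of a used key, a guessed key, a key presented after it expired, a request from a caller with no authenticated web session). The key lifetime, message field names and sample users are constructed.

```python
"""Authentication-key handoff between the web server and a redirection server.

Added example, not the DRAC 5 implementation. The web server issues a random,
single-use key only for a session already authenticated over SSL; the virtual
media / console redirection server accepts an open-session request only if the
presented key is registered, unexpired and not yet used. Key lifetime, message
field names and users are constructed for this example.
"""
import hmac
import secrets


class RedirectionServer:
    """Virtual media or console redirection server side of the exchange."""

    def __init__(self):
        self._pending = {}      # auth key (bytes) -> (user, expiry time)
        self.sessions = []      # users with an established session

    def register_key(self, key, user, expires_at):
        self._pending[key] = (user, expires_at)

    def open_session(self, auth_key_hex, now):
        """Handle an 'open session request (authentication key)' message."""
        try:
            presented = bytes.fromhex(auth_key_hex)
        except ValueError:
            return "rejected"
        # Compare in constant time against each pending key so a guessing client
        # learns nothing about the key from response timing.
        matched = None
        for key in self._pending:
            if hmac.compare_digest(key, presented):
                matched = key
        if matched is None:
            return "rejected"
        user, expires_at = self._pending.pop(matched)   # single use: a replay fails
        if now > expires_at:
            return "expired"
        self.sessions.append(user)
        return "established"


class WebServer:
    """Issues keys only for sessions already authenticated over the SSL channel."""

    def __init__(self, redirection_server, key_ttl=30):
        self._rs = redirection_server
        self._key_ttl = key_ttl
        self._logged_in = set()

    def login(self, user):
        self._logged_in.add(user)   # stands in for the DRAC 5 login over HTTPS

    def request_redirection(self, user, now):
        """'Connection request' -> 'server info with authentication key', or
        None when the caller has no authenticated web session."""
        if user not in self._logged_in:
            return None
        key = secrets.token_bytes(16)
        self._rs.register_key(key, user, now + self._key_ttl)
        return {"server": "redirection", "auth_key": key.hex()}


def run_exchange():
    """Legitimate flow plus the failure modes; returns each outcome by name."""
    rs = RedirectionServer()
    web = WebServer(rs, key_ttl=30)
    results = {}
    results["unauthenticated"] = web.request_redirection("mallory", now=0)   # no web session
    web.login("alice")
    info = web.request_redirection("alice", now=0)
    results["first_use"] = rs.open_session(info["auth_key"], now=5)
    results["replay"] = rs.open_session(info["auth_key"], now=6)
    results["guess"] = rs.open_session(secrets.token_bytes(16).hex(), now=6)
    results["garbage"] = rs.open_session("not-hex", now=6)
    stale = web.request_redirection("alice", now=10)
    results["stale"] = rs.open_session(stale["auth_key"], now=100)        # past 10 + 30
    results["sessions"] = list(rs.sessions)
    return results


if __name__ == "__main__":
    for name, outcome in run_exchange().items():
        print(f"{name}: {outcome}")
```

The key is what binds the second connection to the first: anyone who can reach the redirection server but did not authenticate to the web server holds no key, and a key captured from an earlier session is useless once consumed or expired. This is why the figures show the key travelling only inside the SSL channel.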
IPMI Out-of-Band Access Security
DRAC 5 implements IPMI version 2.0, which greatly improved security over IPMI version 1.5. IPMI out-of-band access, both IPMI over LAN and SOL, can be disabled if these features are not used in your environment, and Dell strongly recommends disabling them if they are not required. IPMI version 2.0 uses RMCP+ for authentication and encryption key exchange.