DRAC 4
Dell Remote Access Controller 4 Security

Information in this document is subject to change without notice. © Copyright 2006 Dell Inc. All rights reserved. Reproduction in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. Dell, the Dell Logo, and OpenManage are trademarks of Dell Inc.
Table of Contents
  Terminology ........ 3
  Introduction ........ 5
  Authentication and Authorization ........
Terminology

Term      Definition
3DES      Triple Data Encryption Standard
ADS       Active Directory Services
CA        Certificate Authorization
CAST 128  CAST Algorithm, 128 bit
CD        Compact Disk
CLI       Command Line Interface
CN        Common Name
CSR       Certificate Signing Request
DH        Diffie-Hellman
DNS       Domain Name Server
DRAC 4    Dell Remote Access Controller 4
DSA       Digital Signature Algorithm
GUI       Graphic User Interface
HTTP      Hypertext Transfer Protocol
HTTPS     Hypertext Transfer Protocol Secure
IP        Internet Protocol

Term      Definition
SEL       System Event Log
SHA1      Secure Hash Algorithm
SMCLP     Server Management Command Line Protocol
SMTP      Simple Mail Transfer Protocol
SNMP      Simple Network Management Protocol
SOL       Serial Over LAN
SSH       Secure Shell
SSL       Secure Sockets Layer
TCP       Transmission Control Protocol
TCP/IP    Transmission Control Protocol/Internet Protocol
TFTP      Trivial File Transfer Protocol
TLS1.
Introduction

Today, managing distributed servers from a remote location is a critical requirement. DRAC 4 enables users to remotely monitor, troubleshoot and repair servers, even when the server operating system is down. DRAC 4 offers a rich set of features, such as virtual media and virtual KVM, which can make the system less prone to security risks. DRAC 4 security features mitigate the security risks that exist while data is being transmitted across the network.
Authentication and Authorization

Login Using Local Account
The DRAC 4 comes with a default local user account pre-configured with an administrator role. The default user name for this account is “root” and the default password is “calvin”.
Note: Dell strongly recommends changing the default user name and password settings during deployment of the DRAC 4.
DRAC 4 supports up to 16 local users. Each user can be enabled or disabled.
RAC Log Clear Privilege: allows a user to clear the SEL, the RAC log, or the last crash screen log.
RAC Server Reset and Power-On/Off Privilege: allows a user to perform any power management operation (such as resetting or powering a system on or off).
RAC Console Redirection Privilege: allows a user to use the console redirection feature.
RAC Virtual Media Privilege: allows a user to use the virtual media feature.
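The privileges above are granted per local account, and a 16-user limit leaves little room for dead or over-privileged entries. The following is an added example, not Dell code and not the DRAC 4's own configuration format: it decodes a privilege mask into the named privileges and audits a constructed user list for the default "root" name, enabled accounts that cannot log in, and accounts that can both perform sensitive operations and erase the logs that record them. The bit positions in `PRIVILEGES` are an assumption of this example; the page names the privileges but not how the controller encodes them.

```python
"""Decode DRAC-style user privilege masks and flag risky combinations.

Added example, not Dell code. The bit assignments are ASSUMED for
illustration; only the privilege names come from the page.
"""
from dataclasses import dataclass

# Assumed bit assignments (illustrative, not taken from the page).
PRIVILEGES = {
    "Login": 0x01,
    "Configure RAC": 0x02,
    "Configure Users": 0x04,
    "Clear Logs": 0x08,
    "Server Reset / Power": 0x10,
    "Console Redirection": 0x20,
    "Virtual Media": 0x40,
}

# Privilege pairs one account should not hold together: the ability to do
# something sensitive plus the ability to erase the record of having done it.
SEPARATION_RULES = [
    ("Clear Logs", "Server Reset / Power"),
    ("Clear Logs", "Configure Users"),
]

MAX_LOCAL_USERS = 16  # stated limit for DRAC 4 local accounts


@dataclass
class UserEntry:
    index: int
    name: str
    enabled: bool
    privilege_mask: int


def decode_privileges(mask):
    """Return the set of privilege names whose bit is set in mask."""
    return {name for name, bit in PRIVILEGES.items() if mask & bit}


def audit_user(user):
    """Return a list of findings for one local account (empty if clean)."""
    findings = []
    privs = decode_privileges(user.privilege_mask)
    if user.name == "root":
        findings.append("default account name 'root' still in use")
    if user.enabled and "Login" not in privs:
        findings.append("enabled but lacks Login privilege (dead account)")
    for a, b in SEPARATION_RULES:
        if a in privs and b in privs:
            findings.append(f"holds both '{a}' and '{b}'")
    unknown = user.privilege_mask & ~sum(PRIVILEGES.values())
    if unknown:
        findings.append(f"unknown privilege bits set: {unknown:#x}")
    return findings


def audit_users(users):
    """Audit a whole user table; keys are user names, plus '_global'."""
    report = {}
    if len(users) > MAX_LOCAL_USERS:
        report["_global"] = [f"more than {MAX_LOCAL_USERS} local users"]
    for u in users:
        findings = audit_user(u)
        if findings:
            report[u.name] = findings
    return report


# Constructed sample table (not a real controller's configuration).
SAMPLE_USERS = [
    UserEntry(1, "root", True, 0x7F),          # everything, default name
    UserEntry(2, "opsconsole", True, 0x21),    # Login + Console Redirection
    UserEntry(3, "auditor", True, 0x08),       # Clear Logs but no Login
    UserEntry(4, "oldvendor", False, 0x01),    # disabled, so ignored
]

if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        print(name, "->", "; ".join(findings))
```

Running the block lists three findings for `root` and one for `auditor`; `opsconsole` is clean because Login plus Console Redirection is a coherent, minimal grant.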
Figure 1: Dell Extended Schema Active Directory Architecture

DRAC 4 authenticates against Active Directory using LDAP simple binding and queries Active Directory objects over an SSL channel. All authentication data (including the user name and password) is sent to Active Directory over an encrypted channel. When a DRAC 4 establishes an SSL connection with an Active Directory Domain Controller, it verifies the Domain Controller's identity using SSL server authentication.
Look at the list using the Member attribute of every group in the list. If the name of the RAC device being authenticated appears in the list, the user has been authenticated. Read the dellPrivilegeObject attributes and apply them to the RAC as the authorization data (privileges).

Login Using Active Directory without Dell Schema Extension
Note: Requires DRAC 4 firmware version 1.50 or later.
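The authorization walk described for the extended schema (expand the user's groups through their Member attribute, find an association that names both a principal and this RAC device, then read the privilege object) is easy to get subtly wrong, for example by forgetting nested groups or by granting privileges from an association that names a different RAC. The following is an added example, not Dell's code, that simulates the walk over a constructed in-memory directory. Only `dellPrivilegeObject` and the `member` attribute come from the page; the association object class, its `dellProductMembers` and `privilegeObject` attributes, the RAC device class, and the `dellIs*` privilege attribute names are assumptions of this example. The LDAP bind itself is out of scope here.

```python
"""Simulate the DRAC 4 extended-schema authorization walk.

Added example, not Dell code. Directory contents are constructed; attribute
and class names other than dellPrivilegeObject and member are assumed.
"""

# Constructed directory snapshot: DN -> attributes.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "user"},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": "user"},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": "user"},
    # Nested group: Ops Leads is a member of RAC Admins.
    "CN=Ops Leads,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=carol,OU=Users,DC=example,DC=com"],
    },
    "CN=RAC Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=alice,OU=Users,DC=example,DC=com",
                   "CN=Ops Leads,OU=Groups,DC=example,DC=com"],
    },
    "CN=rac-srv01,OU=RACs,DC=example,DC=com": {
        "objectClass": "dellRacDevice", "name": "rac-srv01"},       # assumed class
    "CN=Admin Privs,OU=RACs,DC=example,DC=com": {
        "objectClass": "dellPrivilegeObject",
        "dellIsLoginUser": True, "dellIsLogClearAdmin": True,     # assumed names
        "dellIsServerResetUser": True, "dellIsConsoleRedirectUser": True},
    "CN=Admin Assoc,OU=RACs,DC=example,DC=com": {
        "objectClass": "dellAssociationObject",                    # assumed class
        "member": ["CN=RAC Admins,OU=Groups,DC=example,DC=com"],
        "dellProductMembers": ["CN=rac-srv01,OU=RACs,DC=example,DC=com"],
        "privilegeObject": "CN=Admin Privs,OU=RACs,DC=example,DC=com",
    },
}

PRIVILEGE_ATTRS = (
    "dellIsLoginUser", "dellIsCardConfigAdmin", "dellIsUserConfigAdmin",
    "dellIsLogClearAdmin", "dellIsServerResetUser",
    "dellIsConsoleRedirectUser", "dellIsVirtualMediaUser",
)


def principals_for(user_dn, directory):
    """Expand group membership through each group's Member attribute,
    iterating to a fixed point so nested groups are included."""
    found = {user_dn}
    changed = True
    while changed:
        changed = False
        for dn, attrs in directory.items():
            if attrs.get("objectClass") != "group" or dn in found:
                continue
            if found & set(attrs.get("member", [])):
                found.add(dn)
                changed = True
    return found


def authorize(user_dn, rac_name, directory):
    """Return the union of privileges granted to user_dn on the RAC named
    rac_name, or None (deny) when no association links the two."""
    principals = principals_for(user_dn, directory)
    granted = {a: False for a in PRIVILEGE_ATTRS}
    matched = False
    for attrs in directory.values():
        if attrs.get("objectClass") != "dellAssociationObject":
            continue
        # The association must name the user or one of the user's groups...
        if not principals & set(attrs.get("member", [])):
            continue
        # ...and must name THIS RAC device, not just any RAC.
        racs = {directory.get(p, {}).get("name")
                for p in attrs.get("dellProductMembers", [])}
        if rac_name not in racs:
            continue
        matched = True
        priv = directory.get(attrs.get("privilegeObject"), {})
        for a in PRIVILEGE_ATTRS:
            granted[a] = granted[a] or bool(priv.get(a, False))
    return granted if matched else None


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=Users,DC=example,DC=com"
        print(user, authorize(dn, "rac-srv01", DIRECTORY))
```

The RAC-name check is the step that keeps one association from granting privileges on every controller in the domain, and the fixed-point group expansion is what makes carol (a member only of the nested Ops Leads group) resolve correctly.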
Figure 2: Dell Standard Schema Active Directory Architecture
PAGE 10 OF 17
Encryption

The SSL security protocol, built on public key/private key encryption technology, has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers to prevent eavesdropping across the network. Running above TCP/IP and below higher-level protocols (such as HTTP), SSL allows an SSL-enabled server to authenticate itself to an SSL-enabled client and the client to authenticate itself to the server.
Event Logging

DRAC 4 has a persistent log that stores all critical events such as user login/logout, DRAC 4 configuration changes, critical operations performed on a server via DRAC 4, and so on. Administrators can use this log to audit critical operations on the DRAC 4.
The following services can be enabled or disabled by administrators:
- SNMP Agent
- Telnet (disabled by default)
- SSH
- Remote RACADM

Ports must be correctly configured to allow DRAC 4 to work through firewalls. Table 1 lists the ports used by DRAC 4.

Table 1: Ports used by DRAC 4
Port #  Protocol     Port Type  Version  Maximum Encryption Level  Direction  Usage                              Configurable
22      SSHv2        TCP        1.30     128 bit                   In/Out     Optional SSH CLI management        Yes
23      Telnet       TCP        1.
                                                                              ... authentication
3269    LDAPS        TCP        1.0      128-bit SSL               In/Out     Optional ADS authentication        No
3668    Proprietary  TCP        1.0      None                      In/Out     CD/diskette virtual media service  Yes
5869    Proprietary  TCP        1.0      None                      In/Out     Remote RACADM                      No
5900    Proprietary  TCP        1.
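Table 1 is the input a firewall administrator actually needs: only the ports of services that are left enabled should be reachable, and the rows whose maximum encryption level is "None" deserve a second look before being exposed at all. The following is an added example, not from Dell, that turns the rows visible on this page into an allow-list for a chosen management network and reports which enabled services carry no encryption. The short service keys and the Telnet row's usage text are assumptions of this example (the Telnet row is cut off in the table above; that Telnet itself is unencrypted is not in doubt).

```python
"""Build a management-network allow-list from the DRAC 4 port table.

Added example, not Dell code. Rows mirror the page's Table 1; the service
keys in the last column and the Telnet usage text are assumed.
"""
from ipaddress import ip_network

# (port, protocol, transport, max encryption, direction, usage, service key)
PORT_TABLE = [
    (22,   "SSHv2",       "tcp", "128 bit",     "In/Out", "SSH CLI management",       "ssh"),
    (23,   "Telnet",      "tcp", "None",        "In/Out", "Telnet CLI management",    "telnet"),  # usage assumed
    (3269, "LDAPS",       "tcp", "128-bit SSL", "In/Out", "ADS authentication",       "ad"),
    (3668, "Proprietary", "tcp", "None",        "In/Out", "CD/diskette virtual media","vmedia"),
    (5869, "Proprietary", "tcp", "None",        "In/Out", "Remote RACADM",            "racadm"),
]

# Only these defaults are stated on the page.
DEFAULT_ENABLED = {"ssh"}      # SSH is enabled by default; Telnet is not


def allow_list(enabled_services, mgmt_net):
    """Return (transport, port, source_net, comment) entries for each enabled
    service, restricted to the management network, plus a final deny-all."""
    net = ip_network(mgmt_net)   # raises ValueError on a malformed prefix
    entries = []
    for port, proto, transport, enc, direction, usage, svc in PORT_TABLE:
        if svc in enabled_services:
            entries.append((transport, port, str(net), f"{proto}: {usage} [{enc}]"))
    entries.append(("any", 0, "0.0.0.0/0", "deny everything else"))
    return entries


def cleartext_services(enabled_services):
    """Return (port, protocol) for enabled services with no encryption."""
    return [(port, proto)
            for port, proto, _t, enc, _d, _u, svc in PORT_TABLE
            if svc in enabled_services and enc == "None"]


def unknown_services(enabled_services):
    """Service keys requested that are not in the table (likely typos)."""
    known = {row[6] for row in PORT_TABLE}
    return sorted(set(enabled_services) - known)


if __name__ == "__main__":
    wanted = DEFAULT_ENABLED | {"ad", "vmedia"}
    for entry in allow_list(wanted, "192.0.2.0/24"):
        print(entry)
    print("cleartext:", cleartext_services(wanted))
```

With SSH, AD authentication and virtual media enabled, the allow-list opens 22, 3269 and 3668 to the management prefix only, and the virtual media port is reported as cleartext so it can be confined to a trusted segment.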
SSH Security

The SSH service is enabled by default on DRAC 4. The RACADM CLI can be run over SSH. The SSH service can be disabled using a DRAC 4 configuration setting. DRAC 4 only supports SSH version 2. DRAC 4 supports DSA and RSA host key algorithms. A unique 1024-bit DSA host key and a 1024-bit RSA host key are generated the first time a DRAC 4 is powered on.
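Because each DRAC 4 generates its host keys on first power-on, the only way a management station can tell the real controller from an impostor on the first connection is to record the key fingerprint out of band (for example at deployment) and pin it. The following is an added example, not Dell code, using only the Python standard library: it parses an ssh-rsa public key blob in SSH wire format, computes the OpenSSH-style SHA256 fingerprint, compares it to a pinned value, and also reports an RSA modulus shorter than 2048 bits, since the 1024-bit keys the page describes are below current guidance. The key blob is constructed for the example and is not a real DRAC key.

```python
"""Check an SSH host key line against a pinned fingerprint.

Added example, not Dell code. SAMPLE_MODULUS is a constructed 1024-bit
integer used only to exercise the wire-format parser; it is not a real key.
"""
import base64
import hashlib
import struct


def ssh_string(b):
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def mpint(n):
    """Encode a non-negative integer as an SSH 'mpint'."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:          # keep the number positive (two's complement)
        b = b"\x00" + b
    return ssh_string(b)


def build_rsa_blob(e, n):
    """Wire-format ssh-rsa public key: type, exponent, modulus."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def parse_blob(blob):
    """Split a key blob into (key type, [remaining fields])."""
    fields, i = [], 0
    while i < len(blob):
        (length,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        fields.append(blob[i:i + length])
        i += length
    return fields[0].decode(), fields[1:]


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: base64(SHA-256(blob)) without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def rsa_bits(blob):
    keytype, fields = parse_blob(blob)
    if keytype != "ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big").bit_length()


def make_known_hosts_line(host, blob):
    return f"{host} {parse_blob(blob)[0]} {base64.b64encode(blob).decode()}"


def check_host_key(known_hosts_line, pinned):
    """Return (fingerprint, [problems]) for one 'host type blob' line."""
    host, keytype, b64 = known_hosts_line.split()[:3]
    blob = base64.b64decode(b64)
    parsed_type, _ = parse_blob(blob)
    problems = []
    if parsed_type != keytype:
        problems.append("key type mismatch")
    fp = fingerprint_sha256(blob)
    if fp != pinned.get(host):
        problems.append("fingerprint not pinned")
    if keytype == "ssh-rsa" and rsa_bits(blob) < 2048:
        problems.append("RSA modulus below 2048 bits")
    return fp, problems


# Constructed sample: a 1024-bit modulus, as a DRAC 4 would use, but not real.
SAMPLE_MODULUS = (1 << 1023) | 12345
SAMPLE_BLOB = build_rsa_blob(65537, SAMPLE_MODULUS)
SAMPLE_LINE = make_known_hosts_line("rac-srv01", SAMPLE_BLOB)

if __name__ == "__main__":
    pins = {"rac-srv01": fingerprint_sha256(SAMPLE_BLOB)}  # recorded at deployment
    print(check_host_key(SAMPLE_LINE, pins))
```

In practice the pinned fingerprint is captured on the deployment network before the controller is reachable from anywhere else; a later mismatch means either the controller was re-initialised or something else is answering on its address, and either case warrants investigation before the session proceeds.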
Figure 3: Virtual Media Architecture

Console Redirection Security

Authentication and Encryption
DRAC 4 can continuously redirect the managed system’s KVM to the management station. It is a very powerful feature, is very easy to use, and does not require any software installation on the managed system. A user can access this feature to remotely manage the system.
Figure 4: Console Redirection Architecture

User Session Privacy
User session privacy is a security concern in the console redirection feature of DRAC 4. DRAC 4 supports the following techniques to maintain user session privacy and prevent user sessions from being hijacked:
- The default maximum number of console redirection sessions is limited to two.