White Papers
PAGE 21 OF 24
Only supports password user authentication
Provides a default authentication timeout of 2 minutes
Provides six authentication attempts as a default
SNMP Security
An SNMP agent runs on a DRAC 5 by default. The DRAC 5 SNMP agent is used by Dell OpenManage™ IT Assistant or other management frameworks to discover the DRAC 5 out-of-band service point, for example, a web GUI URL. DRAC 5 only supports SNMP version 1. Since SNMP version 1 does not encrypt data and does not have a strong authentication protocol, there could be security concerns about data leaking from DRAC 5 (for example, the service tag of a system or the IP address of DRAC 5, and so on).
Dell strongly recommends using one of the following options to secure your DRAC 5 card from
these concerns:
If the DRAC 5 SNMP agent is not being used in your environment, administrators can disable
the DRAC 5 SNMP service.
Change the DRAC 5 SNMP community name from its default to secure the SNMP service. The default DRAC 5 SNMP community name is “public.”
Limit inbound SNMP access by only accepting specific client traffic by configuring the DRAC 5
allowed client IP address range.
Virtual Media Security
Virtual media is a powerful remote access feature that allows a remote user to use a remote
CD/floppy/image on the client side through the network. Administrators can use this feature for
various administrative tasks such as remote operating system installation, remote diagnostics,
remote driver/application software installation, and so on.
An authentication protocol is used for the virtual media connection. When a user logs into a DRAC 5 web server via HTTPS with virtual media privilege and selects the virtual media tab, a connection request command is sent to the DRAC 5 firmware. The DRAC 5 firmware responds by sending a set of virtual media configuration information along with an authentication key via the HTTPS (SSL encrypted) channel. The authentication key is randomly generated and is 32 bytes long. To prevent replay attacks, the authentication key is a one-time key with a limited lifetime. If a user selects an encrypted connection, the virtual media client software starts a connection via an SSL channel and sends the authentication key to the virtual media server for authentication. If the key passes the virtual media server authentication, a virtual media session is established. Otherwise, an authentication failure message is sent back to the client and the connection is dropped. If an encrypted connection is selected, all virtual media data is encrypted with a 128-bit RC4 key, and the key is exchanged via SSL. To keep a virtual media operation going and still enforce session idle timeout, DRAC 5 locks the web session when a virtual media operation is running and the web session times out. The user must re-authenticate to unlock the web session after the timeout. The virtual media operation is not interrupted during the lock-out period.
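The one-time key handshake described above, modeled as an added example (not DRAC 5 firmware code): the server issues a random 32-byte key over the authenticated HTTPS session, then accepts it exactly once, and only within its lifetime, when the virtual media client presents it over SSL. The class and function names and the 60-second default lifetime are assumptions; the page gives no lifetime figure, and the HTTPS/SSL transport itself is outside the model.

```python
import hmac
import os
import time

KEY_LEN = 32            # the page states the key is 32 bytes long
KEY_LIFETIME_SEC = 60   # assumed lifetime; the page gives no figure

class VirtualMediaKeyServer:
    """Model of the firmware side of the handshake (hypothetical, not DRAC 5 code):
    issue_key() is the key handed out over HTTPS; authenticate() is the check on the SSL channel."""

    def __init__(self, lifetime=KEY_LIFETIME_SEC, clock=time.monotonic):
        self._lifetime = lifetime
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._pending = {}       # key bytes -> (issued_at, user)

    def issue_key(self, user):
        """Issue a fresh random one-time key for a user who logged in over HTTPS."""
        key = os.urandom(KEY_LEN)
        self._pending[key] = (self._clock(), user)
        return key

    def authenticate(self, presented):
        """Return (ok, user). A key is accepted once, and only within its lifetime."""
        now = self._clock()
        # Drop keys whose lifetime has passed, so a stale key can never be accepted.
        for stale in [k for k, (t, _) in self._pending.items() if now - t > self._lifetime]:
            del self._pending[stale]
        for key in list(self._pending):
            # Constant-time comparison so the lookup does not leak key bytes via timing.
            if hmac.compare_digest(key, presented):
                _, user = self._pending.pop(key)  # one-time: consumed on first use
                return True, user
        return False, None

def simulate_handshake():
    """Run the handshake against a fake clock and report each outcome."""
    now = [0.0]
    server = VirtualMediaKeyServer(lifetime=10, clock=lambda: now[0])
    key = server.issue_key("root")
    first = server.authenticate(key)              # valid first use
    replay = server.authenticate(key)             # same key again: rejected
    key2 = server.issue_key("root")
    now[0] = 11.0                                 # advance past the 10 s lifetime
    expired = server.authenticate(key2)
    forged = server.authenticate(bytes(KEY_LEN))  # never issued: rejected
    return {"first": first, "replay": replay, "expired": expired, "forged": forged}
```

The replay and expiry branches are the two properties the text relies on to call the key a one-time, limited-lifetime credential.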