iDRAC6 Integrated Dell™ Remote Access Controller 6 Security Version 1.
THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. © 2010 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell. Dell, the DELL logo, and OpenManage are trademarks of Dell Inc.
Table of Contents Introduction ...................................................................................................................................................................5 Physical connections to iDRAC ......................................................................................................................................5 Shared NIC Mode ......................................................................................................................................
Firewall ....................................................................................................................................................................22 IP Blocking ...........................................................................................................................................................22 Invalid Login Attack Blocking ..............................................................................................................................
Introduction The Integrated Dell Remote Access Controller 6 (iDRAC6) is designed to improve the overall availability of Dell servers and to help system administrators save time. The iDRAC6 achieves this by alerting administrators to server problems, enabling remote server management and reducing the need for the administrator to physically visit the server. The iDRAC6 can help improve an administrator’s ability to manage a server without having physical access to the server, even when it is not operational.
Figure 1 iDRAC physical connections Access to iDRAC6 from a local user of the server is assumed to be mitigated by operating system authentication as mentioned later in this paper. The primary focus of security measures is to prevent attacks from remote users through a network. As shown in the picture, there are two possible ways to connect the iDRAC6 to a network. First, the iDRAC6 is accessible over the same network as the server’s embedded NIC interfaces.
filtering. This feature is active with both the shared and dedicated network modes and provides protection against a denial of service attack. In addition, there is internal firewall software as described by the IP blocking and IP range filtering in subsequent sections. Shared NIC Mode Figure 2 provides more detail about the connection between the iDRAC6 and the network adapter. Incoming packets are filtered by the MAC address of the iDRAC6.
User Authentication and Authorization Local Accounts By default the iDRAC6 is configured with a local administrator account. This default user name is “root” and the password is “calvin”. The default user allows users to access the iDRAC6 after it arrives in their environment. Dell highly recommends that this user account is secured after arriving in the user environment. The iDRAC6 supports up to 16 local users each of which can be enabled or disabled.
The users’ roles can be configured as administrator, operator, read only, or none. This role defines the maximum privileges available. Operator privileges can be individually configured. The user guide provides further explanation of these roles and privileges. Dell recommends restricting privileges to the minimum needed by individual users. There is much flexibility that could be used for different levels of administrative maintenance.
Enable setting, reserving the Enable with Remote RACADM setting for iDRAC administrators needing to access the iDRAC6 to run scripts using remote RACADM commands. After administrators have configured smart card logon for local iDRAC6 and Microsoft Active Directory users and enabled the smart card logon feature, the iDRAC6 GUI displays the smart card login page when users attempt to access the iDRAC6.
sent via an encrypted channel to Active Directory. When iDRAC6 establishes an SSL connection with Active Directory Domain Controller, it verifies the Domain Controller entity via SSL server authentication. The root CA SSL certificate (which is used to sign all the Domain Controller SSL certificates) has been imported to the iDRAC6. The iDRAC6 supports up to a 4096-bit root CA certificate and Domain Controller SSL certificate.
RacDevice, from which we are authenticating, is part of this attribute. Note that the dellProductMembers can be groups of RACs and will retain the aforementioned member-memberOf relationship. So, we will walk the list using the Member attribute for all of the groups that are in the list.
Single Sign On (SSO) iDRAC6 allows a user configured in the Active Directory with Standard Schema to log in directly to the iDRAC6 GUI without explicitly providing login credentials. This feature is referred to as Single Sign-On (SSO) and it uses AD authentication along with Kerberos Network Authentication Protocol. Kerberos is a network authentication protocol that provides protection against eavesdropping and replay attacks (see further reading).
Figure 5 Log in via Active Directory with Smart Card (TFA) Smart Card Authentication that uses the AD standard schema authentication is referred to as Two Factor Authentication. TFA uses the same Kerberos Authentication procedure as used in Single-Sign On.
Active Directory login troubleshooting If you want to verify whether your configuration works, or if you need to diagnose the problem with your failed Active Directory login, you can test your settings from the iDRAC6 Web-based interface. After you finish configuring settings in the iDRAC6 Web-based interface, click Test Settings at the bottom of the page. You will be required to enter a test user's name (for example, username@domain.com) and password to run the test.
clients running Windows and ssh-keygen CLI for clients running Linux. The ssh-keygen CLI utility comes by default on all standard installations. Logging in Using Public Key Authentication After the public keys are uploaded, the user can log into the iDRAC6 over SSH without entering a password. The user also has the option of sending a single RACADM command as a command line argument to the SSH application.
Redirection server. Administrators can replace the iDRAC6 server SSL certificate using the following steps: • Generate the CSR and the Private Key from iDRAC6. 1024-bit, 2048-bit and 4096-bit RSAkey are supported. NOTE: Dell strongly recommends having CSR CN (common name) set to be the same as your iDRAC6 RAC name to avoid a host name mismatch complaint during SSL connection from browsers. • Certificate asymmetric key size (RSA key size) can affect iDRAC 6 performance.
have administrator privilege, an error message is displayed indicating that they do not have privileges. On a Linux-based system, a user must log in as root on the system to have a right to run the local RACADM utility. A user who can run Local RACADM is guaranteed to have administrator privilege to the system. The administrator privilege level indicates that the user has full rights to manage iDRAC6. SSH The SSH service is enabled by default on iDRAC6. RACADM CLI can be run in SSH.
the client and the connection will be dropped. All virtual media data is encrypted with AES256 and key exchanges via SSL, if an encrypted connection is selected. To keep virtual media operation going and still have session idle timeout security, iDRAC6 locks the web session when a virtual media operation is running and the web session is timed out. A user needs to re-authenticate to unlock the web session after session timeout. The virtual media operation will not be interrupted during the lock-out period.
• • NOTE: Dell strongly recommends setting the maximum number of console redirection sessions to one if additional simultaneous remote access is not required. Remote users can use the Blank Local Video feature to prevent a local user from viewing the remote session. NOTE: Dell strongly recommends using the Blank Local Video feature if local access is not required during remote console redirection.
Other Security Features VLAN Virtual LAN tagging can be configured in the web browser interface. If enabled, the iDRAC6 firmware requires the presence of inserted fields in the network packets to send them through for processing. This provides a way to put multiple IP networks on the same switch in addition to being an extra measure of security. Disabling Services and Changing the Service Port Number There are several out-of-band services running on a IDRAC 6 by default.
Firewall To prevent unauthorized access to the remote system, IDRAC 6 provides the following features: • • IP address filtering (IPRange) — defines a specific range of IP addresses that can access the iDRAC 6 IP address blocking — limits the number of failed login attempts from a specific IP address IP Blocking This feature is disabled in the IDRAC 6 default configuration. Use the RACADM config subcommand or the Web-based interface to enable this feature.
Recommended Practices Dell recommends the following practices to enhance security with iDRAC6. Use a dedicated NIC for the iDRAC. This isolates the management processor on its own network as discussed above. Further, access rights can be given only to a select few individual administrators. Change or disable the default local user account. This is a relatively well known default credential. Implement advanced user authentication measures such as TFA and directory services.
The Kerberos Network Authentication Service: http://tools.ietf.org/html/rfc4120 Appendix A: Supported SSL Cipher Suites IDRAC 6 supports SSL version 3 and TLS version 1.0.
Appendix B: Secure Shell Encryption IDRAC 6 supports only SSH-2.0 because SSH-1.0 is not considered secure.
