Force Dell iDracs and BMC's to use lanplus instead of lan interface

security dell ipmi bmc drac

You can:

1 - use the Dell DRAC Configuration Utility to lock down a DRAC installation

2 - use a BMC Management Utility to do the same with BMC. Please see my references at the end.

3 - Depending on the IPMI implementation, you can use .conf file to disable the lan interface, or execute a command to disable it, or turn off the LAN channel.

4 - Deny IPMI over LAN at the network level by identifying ports used, and prohibiting them, or using resets.

Although using lanplus rather than LAN will help with the cleartext password broadcast problems of IPMI, I'm not convinced this is the best approach, and it may not be secure anyways, given the legacy nature of IPMI and older, weaker crypto.

So, I'm going to ask your question in an alternative manner.

"How do I use iDracs and BMCs securely and create a secure Out of Band (OOB) Network?"

My understanding is this is what you are really trying to do.

Background: iDRACs and BMCs are out of band management devices to enable both LAN and serial connections. See http://en.wikipedia.org/wiki/IBM_Remote_Supervisor_Adapter & http://en.wikipedia.org/wiki/Dell_DRAC

Based on risk, here are some ideas for you to consider:

1 - If creating a secure OOB LAN, use standard VPN/firewall with strong authenticators, or an ASA type of device.

2 - Separate IPMI/OOB LAN from regular LAN traffic and do not cross-connect them, except into other management networks. Try to get IPMI/OOB network off onto other LANs if required to use them.

3 - Least Privilege / Deny all (unused) for all connected infrastructure, and user roles. This infrastructure should only be accessible to security admins, and network admins. Depending on the IPMI implementation, some of these protocols may not even be hitting the CPU so host configuration may not help in securing them.

4 - Strong authenticators for access to the serial access concentrator / KVM.

5 - Use high security serial access concentrators that specifically enable strong authenticators and potentially roles,etc. E.g. See http://www.raritan.com/cac-reader/ for a sample of a secure KVM/serial solution.

6 - If you are forced to telnet or another insecure protocol, tunnel it over something secure e.g. SSH, SSL, IPSEC

7 - Lock down any management workstations for the BMC / DRAC

8 - If your software supports it, disable legacy and insecure protocols such as telnet, and use SSH preferably, or IPSEC

9 - Consider enabling auditing / logging to a central location particularly on OOB access components

10 - Separate authentication devices from authentication information sources (TACACS / RADIUS / etc )

11 - Choose the strongest authentication key types possible for the length and version of IPMI being used. Thinking about random passwords and password controls too. Liberman's Enterprise Random Password Manager looks pretty nifty for this.

12 - See if some of the more advanced network management tools may help perform some of this for you. The IPMI adopters list software vendors are probably building in some of this functionality.

13 - Think about a potential replacement for IPMI such as vPro or other standards.

References used:

http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac10mono/en/ug/html/racugc1k.htm

http://support.dell.com/support/edocs/software/smbmcmu/1.2/en/ug/bmcugc0d.htm

http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac14modular/en/ug/html/chap07.htm

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html

http://www.sans.org/reading_room/whitepapers/networkdevs/securing-out-of-band-device-management_906

http://www.gnu.org/software/freeipmi/manpages/man5/bmc-config.conf.5.html

http://ipmitool.sourceforge.net/

http://www.gnu.org/software/freeipmi/

http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaai/ipmi/liaaiipmi.htm

http://www.intel.com/design/servers/ipmi/adopterlist.htm

How does IPMI sideband share the ethernet port with the host?

http://www.liebsoft.com/Enterprise_Random_Password_Manager/


Although I have never personally tried this, I think it is conceivable to disable all of the IPMI 1.5 authentication mechanisms and only enable IPMI 2.0 authentication mechanisms, which would probably make IPMI 2.0 (i.e. ipmitool lanplus) connections work but all IPMI 1.5 (i.e. ipmitool lan) connections impossible.

I'm more familiar with FreeIPMI than ipmitool, but in ipmitool I think the IPMI 1.5 authentication is configured via "lan set auth" and IPMI 2.0 via "lan set cipher_privs".

(In FreeIPMI's bmc-config it's the Lan_Conf_Auth and Rmcpplus_Conf_Privilege sections respectively.)

Naturally, you still need to configure things smartly. For example, enabling the cipher suites that allow no-authentication would be really bad.

Related

identifying ssh trusts between multiple servers on a network
Debian, 6rd tunnel, and connection troubles
Best options to create and mount an ext4 volume containing > 10M files in one directory
Do Windows virtual machines suffer from entropy shortage too?
2008 R2 DC refuses to Sync w32tm with an external NTP server
Mounting a linux image built with "dd" on Mac OSX 10.7 [closed]
Anacron and fcron, what are the differences?
What's the right way to start a node.js service?
Cannot create a project TFS 2012 - TF218027
Freebsd jail for an small company - checklist - what shouldn't forget
Is it generally safe to use SIGCONT on processes?
UCARP: prevent the original master from taking over the VIP when it comes back after failure?