How do I secure a Dell Idrac card?

security remote-access dell drac hardening

I'm trying to completely lock down a server which has to exist outside of a firewall/directly routed to the internet and whilst I have hardened the base OS to the best of my ability, I had a moment of horror when I thought that if the worst should happen and someone was able to gain access, it may be possible that the DRAC could be used as a back door to our management network.

As far as I am aware, it is not possible to just connect and run arbitrary commands, you need a username and password - however, if given unlimited time and root access, I suppose a brute force may be possible, so, I was wondering how would I go about securing the DRAC?

Other than the last crash screen feature, I can't really think of any reason that the local host even needs access to the DRAC, so, I would like to completely disable local access.

Is running the following sufficient from the drac:

racadm config -g cfgRacTune -o cfgRacTuneLocalConfigDisable 1

And by running this, are there any down sides?

I could only find a small guide for the old iDrac 5, but, I was wondering if anything has changed/been added since?

update

This is a dedicated Drac (add on) card with a dedicated network port and the management network is a completely different subnet/network.

Whilst logged on via SSH to the Drac, I notice that you can do some funky stuff, I simply want to make sure that if the box was ever rooted/hacked, it is not possible to log on to the DRAC (even if given unlimited time/brute force from host) and basically make sure it is completely 100% isolated.


Solution 1:

Remote management controllers are generally problematic from a security perspective because they're fairly full-featured systems (the (i)DRAC series, like many others, is Linux-based) that are dropped onto a card with full access to your server hardware and rarely, if ever, updated. Accessing them from a dedicated management network (as you're doing) is a necessary minimum level of security.

You're concerned, however, about someone gaining access to your server and then managing to get through the DRAC into your management network. This is in theory possible but difficult because the data exchanged between the systems is fairly minimal. If you're willing to live with the drawbacks, disabling as much communication between the system and the DRAC as possible will reduce your attack surface.

One thing to be aware of is that local access to the DRAC requires administrative access to the OS running on the server but does not require authentication beyond that. If you're running Unix and run racadm or omconfig (or one of the IPMI tools) as root, you will have administrative access to the DRAC.

The main drawback to disabling local DRAC access with racadm config -g cfgRacTune -o cfgRacTuneLocalConfigDisable 1, is that you will no longer be able to change the DRAC's configuration locally, which will probably have the greatest potential impact if you need to reconfigure the DRAC's network settings at some point. Doing that will require care, because you could render yourself unable to configure it further remotely. As far as I can tell, you will still be able to modify DRAC settings through the server's BIOS even with local configuration disabled.

Note that this setting does not disable communication between the two; local programs will still be able to read configuration parameters from the DRAC. IPMI-based tools should see the same effects as racadm; all settings should be read-only, but things like sensor readings will still work. If you you have the OpenManage Server Administrator software installed, you'll have to see what DRAC-related settings you can alter with omconfig (hopefully, none).

Mxx mentioned disabling "OS To iDRAC Pass-through". I haven't worked with iDRAC7s yet (I have a few on order), but the documentation indicates that this is a faster communications channel between the main system and the DRAC. Disabling it probably won't make a functional difference for you--communication between the two will still take place, just over IPMI instead of via the NIC--but it also won't inconvenience you (since you want to limit communication as much as possible), so I'd go ahead and disable it.

Solution 2:

Dell recommends the iDRAC port be on a physically dedicated LAN, and blows off many of the concerns one would rationally have about such a feature.

Solution 3:

I'm not familiar with racadm commands, but in iDRAC7 gui, there's an option called OS To iDRAC Pass-through. Its description is:

Use this page to enable the internal system communication channel that provides a high-speed bi-directional in-band communication between iDRAC7 and the host operating system through a shared LOM or a dedicated NIC. This is applicable for systems that have Network Daughter Card (NDC) or LAN On Motherboard (LOM) devices.

I think this is something you would want to make sure is disabled.

Additionally, instead of using local user accounts, perhaps it makes sense to implement AD/LDAP authentication. That way you can setup failed login notification/lockouts.

Related

Changing netmask from /24 to /16 on a Windows 2003 domain
How to create a software raid5 array without a spare
Ubuntu: Network driver reset to eth0?
Cannot login to SQL Server 2008 R2 with Windows authentication
OpenVPN with Active Directory integration
HTTP status code to signal bad or missing Host header
How do you install ClearCase 7.1 on a Unix-based server with no GUI and no internet?
Active directory with duplicate machine SIDs
How do you set up redundant servers?
Dynamic Virtual Hosts In Apache
smbclient NT_STATUS_ACCESS_DENIED on directories when Windows doesn't
Disable/Remove Apt(-get)