Force Dell iDRACs and BMCs to use lanplus instead of lan interface


Solution 1

You can:

1 - use the Dell DRAC Configuration Utility to lock down a DRAC installation

2 - use a BMC Management Utility to do the same with BMC. Please see my references at the end.

3 - Depending on the IPMI implementation, you can use a .conf file to disable the lan interface, or execute a command to disable it, or turn off the LAN channel.

4 - Deny IPMI over LAN at the network level by identifying ports used, and prohibiting them, or using resets.

Although using lanplus rather than LAN will help with the cleartext password broadcast problems of IPMI, I'm not convinced this is the best approach, and it may not be secure anyway, given the legacy nature of IPMI and older, weaker crypto.

So, I'm going to ask your question in an alternative manner.

"How do I use iDracs and BMCs securely and create a secure Out of Band (OOB) Network?"

My understanding is this is what you are really trying to do.

Background: iDRACs and BMCs are out of band management devices to enable both LAN and serial connections. See http://en.wikipedia.org/wiki/IBM_Remote_Supervisor_Adapter & http://en.wikipedia.org/wiki/Dell_DRAC

Based on risk, here are some ideas for you to consider:

1 - If creating a secure OOB LAN, use standard VPN/firewall with strong authenticators, or an ASA type of device.

2 - Separate IPMI/OOB LAN from regular LAN traffic and do not cross-connect them, except into other management networks. Try to get IPMI/OOB network off onto other LANs if required to use them.

3 - Least Privilege / Deny all (unused) for all connected infrastructure, and user roles. This infrastructure should only be accessible to security admins, and network admins. Depending on the IPMI implementation, some of these protocols may not even be hitting the CPU so host configuration may not help in securing them.

4 - Strong authenticators for access to the serial access concentrator / KVM.

5 - Use high security serial access concentrators that specifically enable strong authenticators and potentially roles, etc. E.g. see http://www.raritan.com/cac-reader/ for a sample of a secure KVM/serial solution.

6 - If you are forced to telnet or another insecure protocol, tunnel it over something secure, e.g. SSH, SSL, IPSEC.

7 - Lock down any management workstations for the BMC / DRAC

8 - If your software supports it, disable legacy and insecure protocols such as telnet, and use SSH preferably, or IPSEC

9 - Consider enabling auditing / logging to a central location particularly on OOB access components

10 - Separate authentication devices from authentication information sources (TACACS / RADIUS / etc )

11 - Choose the strongest authentication key types possible for the length and version of IPMI being used. Think about random passwords and password controls too. Lieberman's Enterprise Random Password Manager looks pretty nifty for this.

12 - See if some of the more advanced network management tools may help perform some of this for you. The software vendors on the IPMI adopters list are probably building in some of this functionality.

13 - Think about a potential replacement for IPMI such as vPro or other standards.

References used:

http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac10mono/en/ug/html/racugc1k.htm

http://support.dell.com/support/edocs/software/smbmcmu/1.2/en/ug/bmcugc0d.htm

http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac14modular/en/ug/html/chap07.htm

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html

http://www.sans.org/reading_room/whitepapers/networkdevs/securing-out-of-band-device-management_906

http://www.gnu.org/software/freeipmi/manpages/man5/bmc-config.conf.5.html

http://ipmitool.sourceforge.net/

http://www.gnu.org/software/freeipmi/

http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaai/ipmi/liaaiipmi.htm

http://www.intel.com/design/servers/ipmi/adopterlist.htm

How does IPMI sideband share the ethernet port with the host?

http://www.liebsoft.com/Enterprise_Random_Password_Manager/

Solution 2

Although I have never personally tried this, I think it is conceivable to disable all of the IPMI 1.5 authentication mechanisms and only enable IPMI 2.0 authentication mechanisms, which would probably make IPMI 2.0 (i.e. ipmitool lanplus) connections work but all IPMI 1.5 (i.e. ipmitool lan) connections impossible.

I'm more familiar with FreeIPMI than ipmitool, but in ipmitool I think the IPMI 1.5 authentication is configured via "lan set auth" and IPMI 2.0 via "lan set cipher_privs".

(In FreeIPMI's bmc-config it's the Lan_Conf_Auth and Rmcpplus_Conf_Privilege sections respectively.)

Naturally, you still need to configure things smartly. For example, enabling the cipher suites that allow no-authentication would be really bad.
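As an added example (not code from either answer), here are the two knobs Solution 2 names, and the ".conf file" route from Solution 1's item 3, written out as a small POSIX shell script: it generates a FreeIPMI bmc-config fragment that disables every IPMI 1.5 authentication type (Lan_Conf_Auth) and leaves only RMCP+ cipher suite 3 enabled at Administrator (Rmcpplus_Conf_Privilege), and it sanity-checks an ipmitool cipher_privs string before it is handed to `lan set`. Section and key names are assumed to match bmc-config.conf(5) as referenced above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from either answer. Section and key names follow
# bmc-config.conf(5) (FreeIPMI); the function names are this example's own.
# Slots in ipmitool's 15-character cipher_privs string map to RMCP+ cipher
# suite IDs 0-14; letters: X=disabled c=callback u=user o=operator a=admin O=OEM.
# Suites 0-2 have no confidentiality (suite 0 has no authentication or
# integrity either); suite 3 is HMAC-SHA1 with AES-CBC-128.

# Lan_Conf_Auth section with all IPMI 1.5 auth types off at every privilege
# level, so only RMCP+ (lanplus) sessions can be opened.
lan_conf_auth_disabled() {
    echo "Section Lan_Conf_Auth"
    for lvl in Callback User Operator Admin; do
        for typ in None MD2 MD5 Straight_Password OEM_Proprietary; do
            printf '\t%s_Enable_Auth_Type_%s\tNo\n' "$lvl" "$typ"
        done
    done
    echo "EndSection"
}

# Rmcpplus_Conf_Privilege section: suite 3 usable up to Administrator,
# every other suite (including the unauthenticated suite 0) Unused.
rmcpplus_conf_privilege() {
    echo "Section Rmcpplus_Conf_Privilege"
    i=0
    while [ "$i" -le 14 ]; do
        if [ "$i" -eq 3 ]; then v=Administrator; else v=Unused; fi
        printf '\tMaximum_Privilege_Cipher_Suite_Id_%d\t%s\n' "$i" "$v"
        i=$((i + 1))
    done
    echo "EndSection"
}

# Sanity check for an ipmitool "lan set <chan> cipher_privs" string:
# exactly 15 valid letters, and suites 0, 1 and 2 must stay disabled.
cipher_privs_ok() {
    s="$1"
    [ "${#s}" -eq 15 ] || return 1
    case "$s" in *[!XcuoaO]*) return 1 ;; esac
    case "$s" in XXX*) return 0 ;; *) return 1 ;; esac
}

# Print the combined fragment; redirect it to a file and commit it with
#   bmc-config --commit --filename=<file>
# then read the BMC back with --checkout, since a given BMC may reject part
# of the change.
lan_conf_auth_disabled
rmcpplus_conf_privilege
cipher_privs_ok "XXXaXXXXXXXXXXX" && echo "# cipher_privs XXXaXXXXXXXXXXX is acceptable"
```

The cipher_privs string "XXXaXXXXXXXXXXX" is the ipmitool equivalent of the Rmcpplus_Conf_Privilege section above (only suite 3, at admin); check the committed values afterwards, because not every BMC honours every key.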

Author: edgester

Updated on September 18, 2022
Comments

  • edgester
    edgester almost 2 years

    Is there a way to force my Dell BMCs and iDRAC cards to only use the lanplus interface and not use the insecure "lan" interface? I understand that there are some "firewall" features in the IPMI spec. to restrict certain functions between chassis and such, but I don't know if it can be used in this manner.

    Update: All of my boxes are in a switched environment. There is no NAT going on between my servers or my work desktop. I'm using "ipmitool -I lanplus -H myhost -u root -p password -K sol activate" to talk to the serial console over IPMI.

    Update 2: While I'm in a switched environment, I have no control of the switches. If I can't do it on the host or the iDRAC itself, then it's a non-starter.

    • Nixphoe
      Nixphoe about 12 years
      Have you contacted Dell? They're pretty good at explaining how their product works.
    • Nils
      Nils about 12 years
      @Nixphoe if you get the right supporter, that is...
  • edgester
    edgester about 12 years
    While I do want an OOB network, that requires more planning and money than we can do right now. I'm looking for something quicker, and I'll plan for the proper solution as a strategic plan.
  • Brennan
    Brennan about 12 years
    Much of above can be applied without a pure OOB.
  • edgester
    edgester about 12 years
    I'm trying to lock down the idrac/BMC, but I can't find the answers in the documentation, which is why I asked here. Thank you for the references, but it's a little overkill and doesn't help me right now. I was trying to find out how to secure the idrac/BMC itself without reconfiguring the network. I've used the Dell idrac tool to lock some things down. The Dell tools can't lock down IPMI as well as the idrac. A separate IT group handles network, so reconfiguring the network is a long-term project.
  • Brennan
    Brennan about 12 years
    Considering that most of idrac/BMC/IPMI seems based off very legacy protocols with broken crypto, I'd say not very.
  • edgester
    edgester about 12 years
    While this answer was helpful, I couldn't really use the advice.