The DRAC 5 provides the following security features:
Advanced Security options for the DRAC administrator:
The Console Redirection disable option allows the local system user to disable console redirection using the DRAC 5 Console Redirection feature.
The local configuration disable feature allows the remote DRAC administrator to selectively disable the ability to configure the DRAC 5 from:
BIOS POST option-ROM
operating system using the local racadm and Dell OpenManage Server Administrator utilities
RACADM CLI and Web-based interface operation, which supports 128-bit SSL encryption and 40-bit SSL encryption (for countries where 128-bit is not acceptable)
NOTE: Telnet does not support SSL encryption.
Session time-out configuration (in seconds) through the Web-based interface or RACADM CLI
Configurable IP ports (where applicable)
Secure Shell (SSH), which uses an encrypted transport layer for higher security.
Login failure limits per IP address, with login blocking from the IP address when the limit is exceeded.
Limited IP address range for clients connecting to the DRAC 5
Security Options for the DRAC Administrator
Disabling the DRAC 5 Local Configuration
Administrators can disable local configuration through the DRAC 5 graphical user interface (GUI) by selecting Remote Access → Configuration → Services. When the Disable the DRAC local Configuration using option ROM check box is selected, the Remote Access Configuration Utility (accessed by pressing Ctrl+E during system boot) operates in read-only mode, preventing local users from configuring the device. When the administrator selects the Disable the DRAC local Configuration using RACADM check box, local users cannot configure the DRAC 5 through the racadm utility or the Dell OpenManage Server Administrator, although they can still read the configuration settings.
Administrators can enable one or both of these options at the same time. In addition to enabling them through the GUI, administrators can do so using local racadm commands.
Disabling Local Configuration During System Reboot
This feature disables the ability of the managed system's user to configure the DRAC 5 during system reboot.
racadm config -g cfgRacTuning -o cfgRacTuneCtrlEConfigDisable 1
NOTE: This option is supported only on the Remote Access Configuration Utility
version 1.13 and later. To upgrade to this version, upgrade your BIOS using the BIOS
update package from the Dell Server Updates DVD or the Dell Support website at
support.dell.com.
Disabling Local Configuration From Local racadm
This feature disables the ability of the managed system's user to configure the DRAC 5 using the local racadm or the Dell OpenManage Server Administrator utilities.
NOTICE: These features severely limit the ability of the local user to configure the
DRAC 5 from the local system, including performing a reset to default of the
configuration. Dell recommends that you use these features with discretion and
should disable only one interface at a time to help avoid losing login privileges
altogether.
NOTE: See the white paper on Disabling Local Configuration and Remote Virtual
KVM in the DRAC on the Dell Support site at support.dell.com for more information.
Although administrators can set the local configuration options using local racadm commands, for security reasons they can reset them only from an out-of-band DRAC 5 GUI or command-line interface. The cfgRacTuneLocalConfigDisable option applies once the system power-on self-test is complete and the system has booted into an operating system environment. The operating system could be one such as Microsoft® Windows Server® or Enterprise Linux operating systems that can run local racadm commands, or a limited-use operating system such as Microsoft Windows® Preinstallation Environment or vmlinux used to run Dell OpenManage Deployment Toolkit local racadm commands.
Several situations might call for administrators to disable local configuration. For example, in a data center with multiple administrators for servers and remote access devices, those responsible for maintaining server software stacks may not require administrative access to remote access devices. Similarly, technicians may have physical access to servers during routine systems maintenance (during which they can reboot the systems and access password-protected BIOS) but should not be able to configure remote access devices. In such situations, remote access device administrators may want to disable local configuration.
Administrators should keep in mind that because disabling local configuration severely limits local configuration privileges, including the ability to reset the DRAC 5 to its default configuration, they should only use these options when necessary, and typically should disable only one interface at a time to help avoid losing login privileges altogether. For example, if administrators have disabled all local DRAC 5 users and allow only Microsoft Active Directory® directory service users to log in to the DRAC 5, and the Active Directory authentication infrastructure subsequently fails, the administrators may be unable to log in. Similarly, if administrators have disabled all local configuration and placed a DRAC 5 with a static IP address on a network that already includes a Dynamic Host Configuration Protocol (DHCP) server, and the DHCP server subsequently assigns the DRAC 5 IP address to another device on the network, the resulting conflict may disable the out-of-band connectivity of the DRAC, requiring administrators to reset the firmware to its default settings through a serial connection.
Disabling DRAC 5 Remote Virtual KVM
Administrators can selectively disable the DRAC 5 remote KVM, providing a flexible, secure mechanism for a local user to work on the system without someone else viewing the user's actions through console redirection. Using this feature requires installing the DRAC managed node software on the server. Administrators can disable remote vKVM using the following command:
racadm LocalConRedirDisable 1
The command LocalConRedirDisable disables existing remote vKVM session windows when executed with the argument 1.
To help prevent a remote user from overriding the local user's settings, this command is available only to local racadm. Administrators can use this command in operating systems that support local racadm, including Microsoft Windows Server 2003 and SUSE Linux Enterprise Server 10. Because this command persists across system reboots, administrators must specifically reverse it to re-enable remote vKVM. They can do so by using the argument 0:
racadm LocalConRedirDisable 0
Several situations might call for disabling DRAC 5 remote vKVM. For example, administrators may not want a remote DRAC 5 user to view the BIOS settings that they configure on a system, in which case they can disable remote vKVM during the system POST by using the LocalConRedirDisable command. They may also want to increase security by automatically disabling remote vKVM every time an administrator logs in to the system, which they can do by executing the LocalConRedirDisable command from the user logon scripts.
NOTE: See the white paper on Disabling Local Configuration and Remote Virtual
KVM in the DRAC on the Dell Support site at support.dell.com for more information.
For more information on logon scripts, see technet2.microsoft.com/windowsserver/en/library/31340f46-b3e5-4371-bbb9-6a73e4c63b621033.mspx.
Securing DRAC 5 Communications Using SSL and Digital Certificates
This subsection provides information about the following data security features that are incorporated in your DRAC 5:
The DRAC includes a Web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data over the Internet. Built upon public-key and private-key encryption technology, SSL is a widely accepted technique for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network.
An SSL-enabled system:
Authenticates itself to an SSL-enabled client
Allows the client to authenticate itself to the server
Allows both systems to establish an encrypted connection
This encryption process provides a high level of data protection. The DRAC employs the 128-bit SSL encryption standard, the most secure form of encryption generally available for Internet browsers in North America.
The DRAC Web server includes a Dell self-signed SSL digital certificate (Server ID). To ensure high security over the Internet, replace the Web server SSL certificate by submitting a request to the DRAC to generate a new Certificate Signing Request (CSR).
Certificate Signing Request (CSR)
A CSR is a digital request to a Certificate Authority (CA) for a secure server certificate. Secure server certificates protect the identity of a remote system and ensure that information exchanged with the remote system cannot be viewed or changed by others. To ensure security for your DRAC, it is strongly recommended that you generate a CSR, submit the CSR to a CA, and upload the certificate returned from the CA.
A CA is a business entity that is recognized in the IT industry for meeting high standards of reliable screening, identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. After the CA receives your CSR, they review and verify the information the CSR contains. If the applicant meets the CA's security standards, the CA issues a certificate to the applicant that uniquely identifies that applicant for transactions over networks and on the Internet.
After the CA approves the CSR and sends you a certificate, you must upload the certificate to the DRAC firmware. The CSR information stored on the DRAC firmware must match the information contained in the certificate.
Accessing the SSL Main Menu
Expand the System tree and click Remote Access.
Click the Configuration tab and then click SSL.
Use the SSL Main Menu page options (see Table 11-1) to generate a CSR to send to a CA. The CSR information is stored on the DRAC 5 firmware. Table 11-2 describes the buttons available on the SSL Main Menu page.
Table 11-1. SSL Main Menu Options
Field
Description
Generate a New Certificate Signing Request (CSR)
Click Next to open the Certificate Signing Request Generation page that enables you to generate a CSR to send to a CA to request a secure Web certificate.
NOTICE: Each new CSR overwrites any previous CSR
on the firmware. For a CA to accept your CSR, the CSR
in the firmware must match the certificate returned
from the CA.
Upload Server Certificate
Click Next to upload an existing certificate that your company has title to, and uses to control access to the DRAC 5.
NOTICE: Only X509, Base 64 encoded certificates are
accepted by the DRAC 5. DER encoded certificates
are not accepted. Upload a new certificate to replace
the default certificate you received with your DRAC 5.
View Server Certificate
Click Next to view an existing server certificate.
Table 11-2. SSL Main Menu Buttons
Button
Description
Print
Prints the SSL Main Menu page.
Next
Navigates to the next page.
Generating a New Certificate Signing Request
NOTE: Each new CSR overwrites any previous CSR on the firmware. Before a
certificate authority (CA) can accept your CSR, the CSR in the firmware must match the
certificate returned from the CA. Otherwise, the DRAC 5 will not upload the certificate.
In the SSL Main Menu page, select Generate a New Certificate Signing
Request (CSR) and click Next.
In the Generate Certificate Signing Request (CSR) page, type a value for
each CSR attribute value.
Click the appropriate Generate Certificate Signing Request (CSR) page
button to continue. Table 11-4 describes the buttons available on the
Generate Certificate Signing Request (CSR) page.
The exact name being certified (usually the Web server's domain name, for example, www.xyzcompany.com). Only alphanumeric characters, hyphens, underscores, and periods are valid. Spaces are not valid.
Organization Name
The name associated with this organization (for example, XYZ Corporation). Only alphanumeric characters, hyphens, underscores, periods and spaces are valid.
Organization Unit
The name associated with an organizational unit, such as a department (for example, Enterprise Group). Only alphanumeric characters, hyphens, underscores, periods, and spaces are valid.
Locality
The city or other location of the entity being certified (for example, Round Rock). Only alphanumeric characters and spaces are valid. Do not separate words using an underscore or some other character.
State Name
The state or province where the entity who is applying for a certification is located (for example, Texas). Only alphanumeric characters and spaces are valid. Do not use abbreviations.
Country Code
The name of the country where the entity applying for certification is located. Use the drop-down menu to select the country.
Email
The e-mail address associated with the CSR. You can type your company's e-mail address, or any e-mail address you desire to have associated with the CSR. This field is optional.
Print the Generate Certificate Signing Request (CSR) page.
Go Back to Security Main Menu
Return to the SSL Main Menu page.
Generate
Generate a CSR.
Uploading a Server Certificate
In the SSL Main Menu page, select Upload Server Certificate and click Next.
The Certificate Upload page appears.
In the File Path field, type the path of the certificate in the Value field or
click Browse to navigate to the certificate file.
NOTE: The File Path value displays the relative file path of the certificate you are
uploading. You must type the absolute file path, which includes the full path and the
complete file name and file extension.
Click Apply.
Click the appropriate page button to continue.
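A pre-upload format check for the restriction noted in Table 11-1 (Base 64 encoded X509 accepted, DER not accepted). This is an added Python example, not Dell code; the function names and the sample bytes are constructed for illustration.

```python
import re
import ssl

# Matches the label of the first PEM block, e.g. CERTIFICATE or CERTIFICATE REQUEST.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

# Constructed placeholder: a minimal ASN.1 SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x04, 0x01, 0x02, 0x03, 0x04])


def looks_like_der(data):
    """True if data is one ASN.1 SEQUENCE whose length field spans the whole file.

    This is a structural check only; it does not prove the SEQUENCE is a certificate.
    """
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short-form length
        header, length = 2, data[1]
    else:                                    # long-form length: next n bytes
        n = data[1] & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def classify(data):
    """Return 'pem-certificate', 'pem-other:<label>', 'der' or 'unknown'."""
    match = PEM_BLOCK.search(data.decode("ascii", errors="ignore"))
    if match:
        label = match.group(1)
        if label == "CERTIFICATE":
            return "pem-certificate"
        return "pem-other:" + label          # e.g. a CSR or a private key
    return "der" if looks_like_der(data) else "unknown"


def prepare_for_upload(data):
    """Return Base 64 (PEM) text, converting a DER file instead of uploading it as-is."""
    kind = classify(data)
    if kind == "pem-certificate":
        return data.decode("ascii")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not an X.509 certificate file: " + kind)


if __name__ == "__main__":
    print(classify(SAMPLE_DER))
    print(prepare_for_upload(SAMPLE_DER))
```

Catching a CSR or key file that was selected by mistake is the other common failure this check covers.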
Viewing a Server Certificate
In the SSL Main Menu page, select View Server Certificate and click Next.
Table 11-5 describes the fields and associated descriptions listed in the Certificate window.
Click the appropriate View Server Certificate page button to continue.
The DRAC 5 SSH implementation supports multiple cryptography schemes, as shown in Table 11-6.
Table 11-6. Cryptography Schemes
Scheme Type
Scheme
Asymmetric Cryptography
Diffie-Hellman DSA/DSS 512-1024 (random) bits per NIST specification
Symmetric Cryptography
AES256-CBC
RIJNDAEL256-CBC
AES192-CBC
RIJNDAEL192-CBC
AES128-CBC
RIJNDAEL128-CBC
BLOWFISH-128-CBC
3DES-192-CBC
ARCFOUR-128
Message Integrity
HMAC-SHA1-160
HMAC-SHA1-96
HMAC-MD5-128
HMAC-MD5-96
Authentication
Password
NOTE: SSHv1 is not supported.
Configuring Services
NOTE: To modify these settings, you must have Configure DRAC 5 permission.
Additionally, the remote RACADM command-line utility can only be enabled if the
user is logged in as root.
Expand the System tree and click Remote Access.
Click the Configuration tab and then click Services.
Use the Automated Systems Recovery Agent to enable the Last Crash Screen functionality of the DRAC 5.
NOTE: Server Administrator must be installed with its Auto Recovery feature
activated by setting the Action to either: Reboot System, Power Off System, or
Power Cycle System, for the Last Crash Screen to function in the DRAC 5.
Click Apply Changes.
Click the appropriate Services page button to continue. See Table 11-14.
Table 11-7. Local Configuration Settings
Setting
Description
Disable the DRAC local configuration using option ROM
Disables local configuration of the DRAC 5 using option ROM. The option ROM prompts you to enter the setup module by pressing <Ctrl+E> during system reboot.
Disable the DRAC local configuration using RACADM
Disables local configuration of the DRAC 5 using local RACADM.
Table 11-8. Web Server Settings
Setting
Description
Enabled
Enables or disables the Web server. Checked=Enabled; Unchecked=Disabled.
Max Sessions
The maximum number of simultaneous sessions allowed for this system.
Active Sessions
The number of current sessions on the system, less than or equal to the Max Sessions.
Timeout
The time in seconds that a connection is allowed to remain idle. The session is cancelled when the timeout is reached. Changes to the timeout setting do not affect the current session. When you change the timeout setting, you must log out and log in again to make the new setting effective. Timeout range is 60 to 1920 seconds.
HTTP Port Number
The port used by the DRAC that listens for a server connection. The default setting is 80.
HTTPS Port Number
The port used by the DRAC that listens for a server connection. The default setting is 443.
Table 11-9. SSH Settings
Setting
Description
Enabled
Enables or disables SSH. Checked=Enabled; Unchecked=Disabled.
Max Sessions
The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
Active Sessions
The number of current sessions on the system, less than or equal to the Max Sessions.
Timeout
The Secure Shell idle timeout, in seconds. Range = 60 to 1920 seconds. Enter 0 seconds to disable the Timeout feature. The default setting is 300.
Port Number
The port used by the DRAC that listens for a server connection. The default setting is 22.
Table 11-10. Telnet Settings
Setting
Description
Enabled
Enables or disables Telnet. Checked=Enabled; Unchecked=Disabled.
Max Sessions
The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
Active Sessions
The number of current sessions on the system, less than or equal to the Max Sessions.
Timeout
The Secure Shell idle timeout, in seconds. Range = 60 to 1920 seconds. Enter 0 seconds to disable the Timeout feature. The default setting is 0.
Port Number
The port used by the DRAC that listens for a server connection. The default setting is 23.
Table 11-11. Remote RACADM Settings
Setting
Description
Enabled
Enables or disables remote RACADM. Checked=Enabled; Unchecked=Disabled.
Max Sessions
The maximum number of simultaneous sessions allowed for this system. Up to four sessions are supported.
Active Sessions
The number of current sessions on the system, less than or equal to the Max Sessions.
Table 11-12. SNMP Agent Settings
Setting
Description
Enabled
Enables or disables the SNMP agent. Checked=Enabled; Unchecked=Disabled.
Community Name
The name of the community that contains the IP address for the SNMP Alert destination. The Community Name can be up to 31 non-blank characters in length. The default setting is public.
Table 11-13. Automated System Recovery Agent Setting
Setting
Description
Enabled
Enables the Automated System Recovery Agent.
Table 11-14. Services Page Buttons
Button
Description
Print
Prints the Services page.
Refresh
Refreshes the Services page.
Apply Changes
Applies the Services page settings.
Enabling Additional DRAC 5 Security Options
To prevent unauthorized access to your remote system, the DRAC 5 provides the following features:
IP address filtering (IPRange): Defines a specific range of IP addresses that can access the DRAC 5.
IP address blocking: Limits the number of failed login attempts from a specific IP address.
These features are disabled in the DRAC 5 default configuration. Use the following subcommand or the Web-based interface to enable these features:
Additionally, use these features in conjunction with the appropriate session idle time-out values and a defined security plan for your network.
The following subsections provide additional information about these features.
IP Filtering (IpRange)
IP address filtering (or IP Range Checking) allows DRAC 5 access only from clients or management workstations whose IP addresses are within a user-specific range. All other logins are denied.
IP filtering compares the IP address of an incoming login to the IP address range that is specified in the following cfgRacTuning properties:
cfgRacTuneIpRangeAddr
cfgRacTuneIpRangeMask
The cfgRacTuneIpRangeMask property is applied to both the incoming IP address and to the cfgRacTuneIpRangeAddr properties. If the results of both properties are identical, the incoming login request is allowed to access the DRAC 5. Logins from IP addresses outside this range receive an error.
The login proceeds if the following expression equals zero:
Table 11-15. IP Address Filtering (IpRange) Properties
Property
Description
cfgRacTuneIpRangeEnable
Enables the IP range checking feature.
cfgRacTuneIpRangeAddr
Determines the acceptable IP address bit pattern, depending on the 1's in the subnet mask.
This property is bitwise AND'd with cfgRacTuneIpRangeMask to determine the upper portion of the allowed IP address. Any IP address that contains this bit pattern in its upper bits is allowed to establish a DRAC 5 session. Logins from IP addresses that are outside this range will fail. The default values in each property allow an address range from 192.168.1.0 to 192.168.1.255 to establish a DRAC 5 session.
cfgRacTuneIpRangeMask
Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1's with a single transition to all zeros in the lower-order bits.
Enabling IP Filtering
Below is an example command for IP filtering setup.
To restrict logins to a small set of four adjacent IP addresses (for example, 192.168.0.212 through 192.168.0.215), select all but the lowest two bits in the mask, as shown below:
Use the following guidelines when enabling IP filtering:
Ensure that cfgRacTuneIpRangeMask is configured in the form of a netmask, where all most significant bits are 1's (which defines the subnet in the mask) with a single transition to all 0's in the lower-order bits.
Use the range base address you prefer as the value for cfgRacTuneIpRangeAddr. The 32-bit binary value of this address should have zeros in all the low-order bits where there are zeros in the mask.
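The mask-and-compare check and the two guidelines above, worked through for the four-address case (192.168.0.212 through 192.168.0.215). This is an added Python example, not Dell code; the function names are illustrative, and the emitted command strings assume the racadm config -g/-o syntax used earlier in this section with the cfgRacTuning properties from Table 11-15.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_netmask(mask):
    """True when the 1 bits run from the top with a single transition to 0s."""
    host_bits = ~to_int(mask) & MASK32
    return (host_bits & (host_bits + 1)) == 0


def range_problems(range_addr, range_mask):
    """Check a proposed setting against the two guidelines; [] means it passes."""
    problems = []
    if not is_netmask(range_mask):
        problems.append("mask is not a contiguous netmask")
    elif to_int(range_addr) & ~to_int(range_mask) & MASK32:
        problems.append("address has 1 bits where the mask has 0 bits")
    return problems


def login_allowed(incoming, range_addr, range_mask):
    """Apply the mask to both addresses; the login proceeds only if they match."""
    mask = to_int(range_mask)
    return (to_int(incoming) & mask) == (to_int(range_addr) & mask)


def allowed_span(range_addr, range_mask):
    """First and last address that pass the filter."""
    mask = to_int(range_mask)
    first = to_int(range_addr) & mask
    last = first | (~mask & MASK32)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def racadm_commands(range_addr, range_mask):
    """Command lines for a validated setting (assumed syntax, see lead-in).

    The enable command comes last so the filter never runs with a
    half-configured range that could lock out the management workstation.
    """
    problems = range_problems(range_addr, range_mask)
    if problems:
        raise ValueError("; ".join(problems))
    prefix = "racadm config -g cfgRacTuning -o "
    return [
        prefix + "cfgRacTuneIpRangeAddr " + range_addr,
        prefix + "cfgRacTuneIpRangeMask " + range_mask,
        prefix + "cfgRacTuneIpRangeEnable 1",
    ]


if __name__ == "__main__":
    addr, mask = "192.168.0.212", "255.255.255.252"   # all but the lowest two bits
    print(allowed_span(addr, mask))
    for client in ("192.168.0.211", "192.168.0.214", "192.168.0.216"):
        print(client, login_allowed(client, addr, mask))
    print("\n".join(racadm_commands(addr, mask)))
```

Confirm that the workstation you are configuring from falls inside the span before applying the enable command.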
IP Blocking
IP blocking dynamically determines when excessive login failures occur from a particular IP address and blocks (or prevents) the address from logging into the DRAC 5 for a preselected time span.
The IP blocking parameter uses cfgRacTuning group features that include:
The number of allowable login failures
The timeframe in seconds when these failures must occur
The amount of time in seconds when the "guilty" IP address is prevented from establishing a session after the total allowable number of failures is exceeded
As login failures accumulate from a specific IP address, they are "aged" by an internal counter. When the user logs in successfully, the failure history is cleared and the internal counter is reset.
NOTE: When login attempts are refused from the client IP address, some SSH
clients may display the following message: ssh exchange
identification: Connection closed by remote host.
When consecutive failures (cfgRacTuneIpBlkFailCount) from a single IP address are encountered within a specific amount of time (cfgRacTuneIpBlkFailWindow), all further attempts to establish a session from that address are rejected for a certain timespan (cfgRacTuneIpBlkPenaltyTime).
cfgRacTuneIpBlkFailCount
Sets the number of login failures from an IP address before the login attempts are rejected.
cfgRacTuneIpBlkFailWindow
The timeframe in seconds when the failure attempts are counted. When the failures exceed this limit, they are dropped from the counter.
cfgRacTuneIpBlkPenaltyTime
Defines the timespan in seconds when all login attempts from an IP address with excessive failures are rejected.
Enabling IP Blocking
The following example prevents a client IP address from establishing a session for five minutes if that client has failed its five login attempts in a one-minute period of time.
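A small model of the blocking behaviour described above, using the values from this example (five failures, a 60-second window, a 300-second penalty). This is an added Python example, not DRAC 5 firmware code; the class name, the sliding-window aging and the event list are assumptions made for illustration.

```python
class IpBlockModel:
    """Per-address failure tracking.

    fail_count   corresponds to cfgRacTuneIpBlkFailCount
    fail_window  corresponds to cfgRacTuneIpBlkFailWindow (seconds)
    penalty_time corresponds to cfgRacTuneIpBlkPenaltyTime (seconds)
    How the firmware ages failures internally is not documented on this
    page; a sliding window is assumed here.
    """

    def __init__(self, fail_count=5, fail_window=60, penalty_time=300):
        self.fail_count = fail_count
        self.fail_window = fail_window
        self.penalty_time = penalty_time
        self._failures = {}        # ip -> timestamps of recent failures
        self._blocked_until = {}   # ip -> time at which the block ends

    def attempt(self, ip, now, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if now < self._blocked_until.get(ip, 0):
            return "blocked"                      # rejected regardless of password
        if password_ok:
            self._failures.pop(ip, None)          # success clears the history
            return "ok"
        # Drop failures that have aged out of the window, then record this one.
        recent = [t for t in self._failures.get(ip, [])
                  if now - t <= self.fail_window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.fail_count:
            self._blocked_until[ip] = now + self.penalty_time
            self._failures.pop(ip, None)
        return "failed"


def replay(model, events):
    """Run (time, ip, password_ok) events through the model in order."""
    return [model.attempt(ip, now, ok) for now, ip, ok in events]


# Constructed events: five failures from one address inside a minute,
# then correct-password attempts during and after the penalty.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", False), (10, "10.0.0.5", False), (20, "10.0.0.5", False),
    (30, "10.0.0.5", False), (40, "10.0.0.5", False),
    (50, "10.0.0.5", True),     # inside the penalty: rejected
    (55, "10.0.0.9", True),     # other addresses are unaffected
    (339, "10.0.0.5", True),    # penalty ends at 40 + 300 = 340
    (340, "10.0.0.5", True),
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(IpBlockModel(), SAMPLE_EVENTS)):
        print(event, result)
```

Because a blocked address is rejected even with a valid password, size the penalty time with legitimate administrators behind shared or NAT addresses in mind.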
Configuring the Network Security Settings Using the DRAC 5 GUI
NOTE: You must have Configure DRAC 5 permission to perform the following steps.
In the System tree, click Remote Access.
Click the Configuration tab and then click Network.
In the Network Configuration page, click Advanced Settings.
In the Network Security page, configure the attribute values and then click
Apply Changes.
Table 11-17 describes the Network Security page settings.
Click the appropriate Network Security page button to continue. See
Table 11-18 for a description of the Network Security page buttons.
Table 11-17. Network Security Page Settings
Settings
Description
IP Range Enabled
Enables the IP Range checking feature, which defines a specific range of IP addresses that can access the DRAC 5.
IP Range Address
Determines the acceptable IP subnet address.
IP Range Subnet Mask
Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1's with a single transition to all zeros in the lower-order bits.
For example: 255.255.255.0
IP Blocking Enabled
Enables the IP address blocking feature, which limits the number of failed login attempts from a specific IP address for a preselected time span.
IP Blocking Fail Count
Sets the number of login failures attempted from an IP address before the login attempts are rejected from that address.
IP Blocking Fail Window
Determines the time span in seconds within which IP Block Fail Count failures must occur to trigger the IP Block Penalty Time.
IP Blocking Penalty Time
The time span in seconds within which login attempts from an IP address with excessive failures are rejected.
Table 11-18. Network Security Page Buttons
Button
Description
Print
Prints the Network Security page.
Refresh
Reloads the Network Security page.
Apply Changes
Saves the changes made to the Network Security page.