By Chip Webb and Doug Iler
There are recent concerns about IPMI security, and since Dell servers allow for IPMI sessions, we wanted to clarify a few points. IPMI is an industry-standard protocol, developed by Intel and supported by over two hundred vendors, including Dell. The Baseboard Management Controller, or BMC, is an out-of-band interface found on Dell PowerEdge servers to provide remote access. DRAC uses the same hardware as the BMC, but provides additional features as well as additional security options. DRACs are intended to be on a separate management network; they are neither designed nor intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible.
Dell recommends the following best practices:
The IPMI specification defines 15 “cipher suites”. Each defined cipher suite specifies which authentication, integrity, and encryption protocols are used when an IPMI connection is made. Cipher 0 is defined to not use any authentication, integrity, or encryption. Cipher 0 allows anonymous connections. While in some IT organizations anonymous connections may be desirable, in most organizations they are not worth the risk of the malicious attacks they enable. Starting with iDRAC7 release 1.37.35, Cipher 0 is disabled by default. (Additionally, DRAC has a setting to enable/disable IPMI over LAN. This setting has defaulted to disabled for the most current releases of the last 4 generations of DRAC.)
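To display the current LAN settings, including the maximum privilege level assigned to each cipher suite:
.\ipmitool.exe -H 10.35.180.91 -P calvin -U root lan print
To set the cipher suite privilege list on channel 1 so that Cipher 0 is unused (X) and only cipher suite 3 is allowed, up to ADMIN (a) privilege. Each character position in the list corresponds to a cipher suite number, starting at 0:
.\ipmitool.exe -H 10.35.180.91 -P calvin -U root lan set 1 cipher_privs XXXaXXXXXXXXXXX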
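As an added example (not part of the original Dell post), the following Python check decodes the cipher suite privilege list reported by `lan print` and flags a BMC on which Cipher 0 is still usable. The sample output is constructed for illustration, and the function names are hypothetical.

```python
import re

# Privilege letters used in ipmitool's cipher_privs list.
PRIV = {"X": "unused", "c": "CALLBACK", "u": "USER",
        "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}

# Constructed sample of `ipmitool lan print` output (not from a real host).
TEMPLATE = (
    "IP Address              : 192.0.2.10\n"
    "RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14\n"
    "Cipher Suite Priv Max   : {privs}\n"
    "                        :     X=Cipher Suite Unused\n"
)
SAMPLE_BEFORE = TEMPLATE.format(privs="a" * 15)           # every suite allows ADMIN
SAMPLE_AFTER = TEMPLATE.format(privs="XXXaXXXXXXXXXXX")   # value set in the post


def parse_cipher_privs(lan_print_output):
    """Return {suite_number: max_privilege} parsed from `lan print` text."""
    m = re.search(r"^Cipher Suite Priv Max[ \t]*:[ \t]*(\S+)[ \t]*$",
                  lan_print_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Cipher Suite Priv Max' line found")
    privs = m.group(1)
    bad = set(privs) - set(PRIV)
    if bad:
        raise ValueError(f"unexpected privilege letters: {sorted(bad)}")
    # The character position is the cipher suite number, starting at 0.
    return {suite: PRIV[ch] for suite, ch in enumerate(privs)}


def audit(lan_print_output):
    """Return findings; an empty list means Cipher 0 is marked unused."""
    table = parse_cipher_privs(lan_print_output)
    findings = []
    if table.get(0, "unused") != "unused":
        findings.append(f"cipher 0 enabled with max privilege {table[0]}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        enabled = [s for s, p in parse_cipher_privs(text).items() if p != "unused"]
        print(label, "enabled suites:", enabled, "findings:", audit(text) or "none")
```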
For more information on cipher suites and cipher privacy settings, visit the IPMI site at http://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html.