By Chip Webb and Doug Iler 

There are recent concerns about IPMI security, and since Dell servers support IPMI sessions, we wanted to clarify a few points. IPMI is an industry-standard protocol, developed by Intel and supported by over two hundred vendors, including Dell. The Baseboard Management Controller, or BMC, is an out-of-band interface found on Dell PowerEdge servers that provides remote access. DRAC uses the same hardware as the BMC but provides additional features as well as additional security options. DRACs are intended to be on a separate management network; they are not designed or intended to be placed on or connected to the internet. Doing so could expose the connected system to security and other risks for which Dell is not responsible.

Dell recommends following these best practices:

  • Along with locating DRACs on a separate management subnet, isolate the management subnet/VLAN with technologies such as firewalls, and limit access to the subnet/VLAN to authorized server administrators.
  • Leave IPMI over LAN disabled unless your management tooling requires it. It is disabled by default on all Dell 8th, 9th, 10th, 11th, and currently shipping 12th generation PowerEdge servers.
  • Keep your systems current with essential/important updates so that your servers have the most recent performance and security revisions, for proper server operation and availability of your applications.


The IPMI 2.0 specification defines 15 cipher suites, numbered 0 through 14. Each cipher suite specifies the authentication, integrity, and confidentiality (encryption) algorithms used for an IPMI session. Cipher suite 0 uses no authentication, no integrity protection, and no encryption: a client that can reach the BMC can open a session without the password being checked, and the session traffic can be read and modified in transit. While some IT organizations may want unauthenticated connections, for most organizations the exposure to attack is not worth it. Starting with iDRAC7 release 1.37.35, cipher suite 0 is disabled by default. (DRAC also has a setting to enable/disable IPMI over LAN; it defaults to disabled in the current releases of the last four generations of DRAC.)

  • To determine whether cipher suite 0 is enabled on a PowerEdge server (this works with any device that supports IPMI), run the first command below and look at the "Cipher Suite Priv Max" line in its output. That field is a string of 15 characters, one per cipher suite 0 through 14. "X" means the suite is unused (disabled); any other character is the maximum privilege level allowed over that suite (c = CALLBACK, u = USER, o = OPERATOR, a = ADMIN, O = OEM).
  • If the first character of that string is an "X", cipher suite 0 is not enabled.
  • If the first character is not an "X", run the second command. It disables every suite except cipher suite 3 (RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity, AES-CBC-128 encryption), the strongest of the original 15 suites, and limits it to the ADMIN privilege level; this is the configuration Dell recommends.
  • The examples use the factory default credentials root/calvin against a lab address. Change the default password on every DRAC, and prefer ipmitool's -E option (password read from the IPMI_PASSWORD environment variable) or -f (password file) to -P on the command line, where the password is visible in the process list and shell history.

.\ipmitool.exe -H 10.35.180.91 -P calvin -U root lan print


.\ipmitool.exe -H 10.35.180.91 -P calvin -U root lan set 1 cipher_privs XXXaXXXXXXXXXXX
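The check above can be scripted so that a fleet of DRACs is audited the same way. The script below is an added example and is not Dell's code: it parses the "Cipher Suite Priv Max" field from captured "lan print" output, reports whether cipher suite 0 is enabled, and lists every suite that is still allowed with its maximum privilege level. The two sample outputs are constructed (the address and field values are made up), and the script is written as a POSIX shell script; the same parsing applies to the output of ipmitool.exe on Windows.

```shell
#!/bin/sh
# Added example, not Dell's code: check the "Cipher Suite Priv Max" field that
# "ipmitool ... lan print" reports, and list which cipher suites a BMC still
# allows. The field is 15 characters, one per cipher suite 0..14, in the same
# order that "lan set <channel> cipher_privs <string>" uses:
#   X = suite unused/disabled, c = CALLBACK, u = USER, o = OPERATOR,
#   a = ADMIN, O = OEM

# Constructed sample: a BMC that still allows every suite, including cipher
# suite 0, at ADMIN level. (Address and other fields are made up.)
SAMPLE_INSECURE='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.35.180.91
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM'

# Constructed sample: the same BMC after
#   ipmitool ... lan set 1 cipher_privs XXXaXXXXXXXXXXX
SAMPLE_SECURE='IP Address              : 10.35.180.91
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : XXXaXXXXXXXXXXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN'

# Extract the 15-character privilege string from "lan print" output on stdin.
# The legend lines that follow the field start with spaces, so they never match.
cipher_privs_from_output() {
    sed -n 's/^Cipher Suite Priv Max *: *\([XcuoaO]*\).*/\1/p' | head -n 1
}

# Return 0 if cipher suite 0 (the first character) is enabled at any privilege,
# 1 if it is disabled ("X"), 2 if the field could not be found in the output.
cipher0_enabled() {
    privs=$(printf '%s\n' "$1" | cipher_privs_from_output)
    if [ -z "$privs" ]; then
        echo "Cipher Suite Priv Max line not found in lan print output" >&2
        return 2
    fi
    case "$privs" in
        X*) return 1 ;;
        *)  return 0 ;;
    esac
}

# Print "suiteN=<priv>" for every suite that is not marked X.
enabled_suites() {
    privs=$(printf '%s\n' "$1" | cipher_privs_from_output)
    i=0
    result=""
    while [ "$i" -lt "${#privs}" ]; do
        ch=$(printf '%s' "$privs" | cut -c "$((i + 1))")
        [ "$ch" = "X" ] || result="$result suite$i=$ch"
        i=$((i + 1))
    done
    printf '%s\n' "${result# }"
}

# Report on both constructed samples. In real use, capture the output instead:
#   output=$(ipmitool -I lanplus -H <drac-ip> -U <user> -E lan print)
# (-E reads the password from the IPMI_PASSWORD environment variable).
for sample in "$SAMPLE_INSECURE" "$SAMPLE_SECURE"; do
    if cipher0_enabled "$sample"; then
        echo "cipher suite 0 ENABLED; fix with: lan set 1 cipher_privs XXXaXXXXXXXXXXX"
    else
        echo "cipher suite 0 not enabled"
    fi
    echo "enabled suites: $(enabled_suites "$sample")"
done
```

Run it against the real output of "lan print" for each DRAC, and treat any non-"X" in the first position, or any suite other than 3 still enabled, as a finding to remediate with the "lan set" command above.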


For more information on cipher suites and cipher suite privilege settings, visit the IPMI site at http://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html.