Is there a way to force my Dell BMCs and iDrac cards to only use the lanplus interface and not use the insecure "lan" interface. I understand that there are some "firewall" features in the IPMI spec. to restrict certain functions between chassis and such, but I don't know if it can be used in this manner.
Update: All out my boxes are in a switched environment. There is no NAT going on between my servers or my work desktop. I'm using ipmitool -I lanplus -H myhost -u root -p password -K sol activate" to talk to the serial console over IPMI.
update2: While I'm in a switched environment, I have no control of the switches. If I can't do it on the host or the idrac itself, then it's a non-starter.
Although I have never personally tried this, I think it is conceivable to disable all of the IPMI 1.5 authentication mechanisms and only enable IPMI 2.0 authentication mechanisms, which would probably make IPMI 2.0 (i.e. ipmitool lanplus) connections work but all IPMI 1.5 (i.e. ipmitool lan) connections impossible.
I'm more familiar with FreeIPMI than ipmitool, but in ipmitool I think the IPMI 1.5 authentication is configured via "lan set auth" and IPMI 2.0 via "lan set cipher_privs".
(In FreeIPMI's bmc-config it's the Lan_Conf_Auth and Rmcpplus_Conf_Privilege sections respectively.)
Naturally, you still need to configure things smartly. For example, enabling the cipher suites that allow no-authentication would be really bad.
You can:
1 - use the Dell DRAC Configuration Utility to lock down a DRAC installation
2 - use a BMC Management Utility to do the same with BMC. Please see my references at the end.
3 - Depending on the IPMI implementation, you can use .conf file to disable the lan interface, or execute a command to disable it, or turn off the LAN channel.
4 - Deny IPMI over LAN at the network level by identifying ports used, and prohibiting them, or using resets.
Although using lanplus rather than LAN will help with the cleartext password broadcast problems of IPMI, I'm not convinced this is the best approach, and it may not be secure anyways, given the legacy nature of IPMI and older, weaker crypto.
So, I'm going to ask your question in an alternative manner.
"How do I use iDracs and BMCs securely and create a secure Out of Band (OOB) Network?"
My understanding is this is what you are really trying to do.
Background: iDRACs and BMCs are out of band management devices to enable both LAN and serial connections. See http://en.wikipedia.org/wiki/IBM_Remote_Supervisor_Adapter & http://en.wikipedia.org/wiki/Dell_DRAC
Based on risk, here are some ideas for you to consider:
1 - If creating a secure OOB LAN, use standard VPN/firewall with strong authenticators, or an ASA type of device.
2 - Separate IPMI/OOB LAN from regular LAN traffic and do not cross-connect them, except into other management networks. Try to get IPMI/OOB network off onto other LANs if required to use them.
3 - Least Privilege / Deny all (unused) for all connected infrastructure, and user roles. This infrastructure should only be accessible to security admins, and network admins. Depending on the IPMI implementation, some of these protocols may not even be hitting the CPU so host configuration may not help in securing them.
4 - Strong authenticators for access to the serial access concentrator / KVM.
5 - Use high security serial access concentrators that specifically enable strong authenticators and potentially roles,etc. E.g. See http://www.raritan.com/cac-reader/ for a sample of a secure KVM/serial solution.
6 - If you are forced to telnet or another insecure protocol, tunnel it over something secure e.g. SSH, SSL, IPSEC
7 - Lock down any management workstations for the BMC / DRAC
8 - If your software supports it, disable legacy and insecure protocols such as telnet, and use SSH preferably, or IPSEC
9 - Consider enabling auditing / logging to a central location particularly on OOB access components
10 - Separate authentication devices from authentication information sources (TACACS / RADIUS / etc )
11 - Choose the strongest authentication key types possible for the length and version of IPMI being used. Thinking about random passwords and password controls too. Liberman's Enterprise Random Password Manager looks pretty nifty for this.
12 - See if some of the more advanced network management tools may help perform some of this for you. The IPMI adopters list software vendors are probably building in some of this functionality.
13 - Think about a potential replacement for IPMI such as vPro or other standards.
References used:
http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac10mono/en/ug/html/racugc1k.htm
http://support.dell.com/support/edocs/software/smbmcmu/1.2/en/ug/bmcugc0d.htm
http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac14modular/en/ug/html/chap07.htm
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html
http://www.sans.org/reading_room/whitepapers/networkdevs/securing-out-of-band-device-management_906
http://www.gnu.org/software/freeipmi/manpages/man5/bmc-config.conf.5.html
http://ipmitool.sourceforge.net/
http://www.gnu.org/software/freeipmi/
http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaai/ipmi/liaaiipmi.htm
http://www.intel.com/design/servers/ipmi/adopterlist.htm
How does IPMI sideband share the ethernet port with the host?
http://www.liebsoft.com/Enterprise_Random_Password_Manager/