iDRAC, which stands for integrated Dell Remote Access Controller, has been part of Dell PowerEdge servers forever. iDRAC is Dell’s version of an agentless out-of-band management controller for PowerEdge servers. iDRAC allows the traditional remote management of servers, such as remote power cycles, consoles, and updates, without the need for an agent but also has some interesting “hidden” features that I will dive into in this blog post.
The first of these features is the choice of methods to access iDRAC
iDRAC can be accessed in a multitude of ways:
- Using a web browser
- Using a management console, such as Dell OpenManage, VMware vCenter or Microsoft Windows Admin Center
- Using scripting and APIs, such as Ansible and Redfish
These choices seem obvious but are important as they allow iDRAC to adapt to the existing server management practices, instead of the other way around, which removes barriers to the introduction of Dell PowerEdge servers in an existing environment.
The second feature is Server Configuration Profile, aka SCP
A server configuration profile creates a template based on all the configuration parameters of the server the profile is created on. It can then be exported and used to configure new servers while ensuring identical configuration. An SCP contains all of the server configuration attributes, including RAID configuration. Dell OpenManage Enterprise isn’t required to build an SCP, as it can be done directly from the iDRAC or through the CLI, using racadm, and exported to a USB key or a local file. That USB key or local file can then be used to import the SCP to a new server. Dell OpenManage Enterprise does leverage SCP to automate the provisioning and deployment of hundreds of servers and to detect configuration drift. A server configuration profile can also be used within VMware vCenter through the Dell OpenManage Integration with VMware vCenter. SCP is a key feature to ensure consistency within an environment and ease of deployment for servers joining an existing environment.
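The drift check described above can be reproduced by hand on two exported profiles. The following is an added example, not Dell's code or part of OpenManage: it assumes the SCP was exported as XML with `Component` and `Attribute` elements, and the sample profile and its attribute names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export, not taken from a real server; attribute names are illustrative.
BASELINE = """<SystemConfiguration Model="PowerEdge" ServiceTag="SAMPLE01">
  <Component FQDD="iDRAC.Embedded.1">
    <Attribute Name="Lockdown.1#SystemLockdown">Enabled</Attribute>
    <Attribute Name="IPMILan.1#Enable">Disabled</Attribute>
  </Component>
  <Component FQDD="BIOS.Setup.1-1">
    <Attribute Name="SecureBoot">Enabled</Attribute>
    <Attribute Name="BootMode">Uefi</Attribute>
  </Component>
</SystemConfiguration>"""

# Constructed "current" export: lockdown switched off and BootMode missing.
CURRENT = (BASELINE
           .replace('SystemLockdown">Enabled', 'SystemLockdown">Disabled')
           .replace('<Attribute Name="BootMode">Uefi</Attribute>', ''))


def load_scp(xml_text):
    """Flatten an SCP XML export into {(FQDD, attribute name): value}."""
    # Only parse exports pulled from your own servers; stdlib XML parsers
    # are not hardened against hostile documents.
    root = ET.fromstring(xml_text)
    settings = {}
    for comp in root.iter("Component"):         # nested components included
        for attr in comp.findall("Attribute"):  # direct children only
            key = (comp.get("FQDD"), attr.get("Name"))
            settings[key] = (attr.text or "").strip()
    return settings


def drift(baseline, current):
    """Return (fqdd, name, expected, actual) rows; None marks a missing side."""
    rows = []
    for key in sorted(set(baseline) | set(current)):
        expected, actual = baseline.get(key), current.get(key)
        if expected != actual:
            rows.append((*key, expected, actual))
    return rows


if __name__ == "__main__":
    for fqdd, name, expected, actual in drift(load_scp(BASELINE), load_scp(CURRENT)):
        print(f"{fqdd} {name}: expected {expected!r}, found {actual!r}")
```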
The third feature I want to mention is the iDRAC lockdown mode
Lockdown mode can be used in conjunction with, or separately from, the server configuration profile. Lockdown mode is the ability of an IT administrator to literally lock down the configuration of the iDRAC, BIOS, and all the components of the server. Once lockdown mode is enabled, very few configuration changes can be made to the system. This helps IT administrators protect PowerEdge servers from malicious or unintended configuration changes that would result in a more vulnerable system.
Finally, the last feature is actually a few features linked to security
Cyber security is a critical component of an IT infrastructure, and one of the key pillars of any cyber security strategy is knowing that the hardware running your environment hasn’t been tampered with. To give customers peace of mind, Dell offers a few features within iDRAC:
- Silicon-based Root of Trust
- Signed firmware updates
- Non-Root Support
The list above isn’t an exhaustive list of all the security features in iDRAC, but a sample I want to dive deeper into.
Having silicon-based Root of Trust is the foundation upon which everything else is built
Silicon-based Root of Trust means that each Dell PowerEdge server has immutable cryptographic public keys written in the silicon itself. Intel Boot Guard technology and AMD Root-of-Trust technology verify that the digital signature of the cryptographic hash of the boot image matches the digital signature that is stored in the silicon. If they don’t match, the server will automatically shut down and events will be logged in the BIOS and the Lifecycle Controller. This ensures that if the boot image has been tampered with, a compromised server can’t boot the tampered boot image. This is called the silicon-based root of trust because each BIOS module involved in the boot process has the hash of the next module and validates it before starting the module. This validates that none of the modules involved in the boot process have been compromised and could include malicious code.
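The "each module has the hash of the next module" idea can be modelled in a few lines. This is an added example, not Dell, Intel or AMD firmware code: the stage names and contents are constructed, and the immutable anchor is simplified to a SHA-256 digest where the real design uses public keys in silicon to verify a signature.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    code: bytes
    next_digest: bytes = b""  # SHA-256 of the following module; empty for the last one

    def digest(self) -> bytes:
        # Hash the embedded next-stage digest as well, so it cannot be swapped out.
        return hashlib.sha256(self.code + self.next_digest).digest()


def build_chain(stages):
    """Link (name, code) stages back to front; return (modules, anchor digest)."""
    modules, following = [], b""
    for name, code in reversed(stages):
        module = Module(name, code, following)
        modules.insert(0, module)
        following = module.digest()
    return modules, following  # anchor = digest of the first module


def boot(modules, anchor):
    """Verify each module before 'running' it; stop at the first mismatch."""
    expected, log = anchor, []
    for module in modules:
        if module.digest() != expected:
            log.append(f"HALT {module.name}: digest mismatch")
            return False, log
        log.append(f"OK {module.name}")
        expected = module.next_digest
    return True, log


# Constructed stage names and contents, for illustration only.
STAGES = [("boot block", b"stage-0"), ("BIOS core", b"stage-1"), ("loader", b"stage-2")]

if __name__ == "__main__":
    chain, anchor = build_chain(STAGES)
    print(boot(chain, anchor))
    chain[2].code = b"stage-2 (modified)"
    print(boot(chain, anchor))
```

Because each digest covers the next-stage digest stored in the module, updating an earlier module to match a modified later one only moves the mismatch one step closer to the anchor, which cannot be changed.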
All firmware updates for key server components, such as iDRAC, NICs, RAID controllers, BIOS, PSUs, I/O adapters, storage drivers, and backplane controllers, are signed with SHA-256 hashing with 2048-bit RSA encryption. This signature is then verified by iDRAC against the signature stored in the silicon-based Root of Trust, and packages will only be installed if the signatures are validated. If they are not, an event is logged and can be consulted by an IT administrator.
iDRAC can be thought of as a mini-computer with multiple processes. One of the core designs of iDRAC is to run these processes at the least-required privileges. For instance, if the process responsible for the virtual console is compromised, it doesn’t have the ability to change fan speeds or NIC configuration. This ensures that an attack on one process doesn’t propagate to the rest of the system.
On the surface, iDRAC looks like any other out-of-band management controller, but a deeper look reveals some “hidden” features that can make the life of the IT administrator easier and the environment in which those servers operate more secure.
Opinions expressed in this article are entirely our own and may not be representative of the views of Dell Technologies.