On Edge #4 - PowerEdge Cyber Security by Design
Introduction
Cyber security is considered at every stage in the lifecycle of a PowerEdge server: inception of what the server should be, designing the architecture and feature set, prototyping software and hardware, manufacturing parts, distribution and the supply chain, and ultimately end-user operation.
For the operator, security is ensured from the silicon level, and a rich feature set enables comprehensive coverage.
Concepts, Features & iDRAC
A PowerEdge server is kept secure primarily through the integrated Dell Remote Access Controller (iDRAC).
Protection
Root of Trust
A hardware-validated boot process from an immutable source.
Intel Boot Guard verifies the integrity of the Initial Boot Block, executed from the Management Engine (ME), a chipset-integrated co-processor.
The AMD Secure Processor is also a co-processor that validates BIOS firmware, executing before the main CPU cores are live.
UEFI Secure Boot
The OEM generates a private 2048-bit verification key for the initial boot block that corresponds to a public key programmed into field programmable fuses during the manufacturing process. These fuses cannot be updated once written.
UEFI Secure Boot Customisation
A custom boot loader certificate not signed by Microsoft may be used, and uploaded using the iDRAC API for authentication. The NSA recommends using this feature to mitigate Grub2 vulnerabilities.
Signed Firmware Updates
Each update image is signed with a private key provided by a Certificate Authority, and the signature is verified against the corresponding public key as a part of Public Key Infrastructure.
Dynamic System Lockdown
A preventative intervention against drift or malicious execution. Restricts admin privileges to read-only access, while keeping operational power management, health monitoring, virtual console access, and hypervisor functions. The server workload uptime is unaffected.
Enhanced System Erase
The following are wiped or reset:
- Hardware Cache e.g. PERC NVCache
- vFlash SD Cards
- Self-Encrypting Drives (SED)
- Instant Secure Erase (ISE) Drives
- Non-Volatile Devices (NVDIMMs)
- BIOS
- iDRAC
- iDRAC Service Module
- Lifecycle Controller
- Embedded Diagnostics
- OS Driver Packs
- SupportAssist Collection Reports
Encryption
Secured Component Verification (SCV)
To assure supply chain security, a factory-generated certificate details the component IDs unique to the paired system and is encrypted and stored on iDRAC. The SCV application compares the certificate and system inventory, generating a report of valid and invalid components.
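The comparison step described above, sketched as an added example (not Dell's SCV application or its data format). It assumes the certificate's component list has already been extracted and its signature checked; the function names, component classes and IDs are constructed for illustration.

```python
from collections import Counter

def _norm(inventory):
    """Flatten {class: [ids]} into a multiset of (class, id), ignoring case and stray whitespace."""
    return Counter(
        (cls.strip().lower(), cid.strip().upper())
        for cls, ids in inventory.items()
        for cid in ids
    )

def verify_components(certified, detected):
    """Compare the as-built manifest with the live inventory.

    valid      : present in both
    missing    : certified at the factory but not found in the system
    unexpected : found in the system but never certified
    swapped    : classes with both a missing and an unexpected part,
                 the pattern left when a component has been replaced
    """
    cert, live = _norm(certified), _norm(detected)
    missing = sorted((cert - live).elements())
    unexpected = sorted((live - cert).elements())
    return {
        "valid": sorted((cert & live).elements()),
        "missing": missing,
        "unexpected": unexpected,
        "swapped_classes": sorted({c for c, _ in missing} & {c for c, _ in unexpected}),
        "passed": not missing and not unexpected,
    }

# Constructed sample data: component classes and IDs are made up.
CERTIFIED = {
    "cpu": ["CPU-0A11"],
    "dimm": ["DIMM-7F01", "DIMM-7F02"],
    "nic": ["NIC-33C9"],
    "disk": ["DSK-9001", "DSK-9002"],
}
DETECTED = {
    "cpu": ["cpu-0a11 "],             # same part, reported with different case/spacing
    "dimm": ["DIMM-7F01", "DIMM-7F02"],
    "nic": ["NIC-EE40"],              # different NIC than the one certified
    "disk": ["DSK-9001"],             # one certified disk is absent
}

if __name__ == "__main__":
    report = verify_components(CERTIFIED, DETECTED)
    for key in ("valid", "missing", "unexpected", "swapped_classes", "passed"):
        print(f"{key:16} {report[key]}")
```

Using a multiset rather than a plain set keeps two identical entries (for example a duplicated serial) from masking a missing part.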
Cipher Select
Secure iDRAC access with TLS 1.3 and 256-bit encryption from a choice of seven ciphers.
Commercial National Security Algorithm (CNSA)
The cryptographic suite that underpins Cipher Select, including:
- AES 256
- Elliptic Curve Diffie-Hellman (ECDH)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- P-384 curve
Hard Drives
Also known as Full Disk Encryption (FDE).
Includes Self-Encrypting drives (SED) and Instant Erase (ISE) drives.
Most major manufacturers make SEDs, primarily to the Opal SSC (Security Subsystem Class) specification published by the Trusted Computing Group Storage Workgroup.
The encryption standard of choice is AES 128-bit or 256-bit.
In addition to self-encryption, an ISE drive will then destroy the associated cipher key.
Secure Enterprise Key Management (SEKM)
A dedicated, external server manages storage-locking keys that can only be retrieved by authenticated iDRACs. Availability can be scaled, and redundancy is possible, through clustering. The industry standard protocol, KMIP, is supported, allowing compatible devices to be integrated. In the event of server compromise, non-transferring drives are instantly protected.
Automatic Certificate Enrolment & Renewal
With a Datacenter licence, SSL/TLS certificates can be manually or automatically updated using the Simple Certificate Enrolment Protocol (SCEP) via a dedicated client.
RSA SecurID Multi Factor Authentication
A flexible alternative to simplified 2 Factor Authentication (2FA). The service provides MFA, Tokens, Risk-Based, OTP, and Passwordless means by which to authenticate a user.
Detection
Chassis Intrusion
A physical switch linked between enclosure and motherboard, logging an event if the enclosure has been opened, notifying the operator.
Live BIOS Scanning
At host power on, the BIOS image in ROM is verified for authenticity and integrity.
Configuration & Firmware Drift
Host machines are associated with and monitored against a compliance template described by operator criteria. Deviation from the baseline is logged, the machine tagged as non-compliant, and the operator notified.
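A baseline check of the kind described above, as an added example rather than the logic of any Dell tool. The template layout, setting names and version numbers are constructed; the point it illustrates is that firmware versions must be compared numerically, since a plain string comparison ranks "2.9.1" above "2.10.0".

```python
import re

def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def check_drift(baseline, host):
    """Return (compliant, findings) for one host against the baseline template.

    Each finding is (kind, name, expected, actual, reason).
    """
    findings = []
    for component, want in baseline["firmware"].items():
        have = host["firmware"].get(component)
        if have is None:
            findings.append(("firmware", component, want, None, "missing"))
        elif parse_version(have) < parse_version(want):
            findings.append(("firmware", component, want, have, "below baseline"))
        elif parse_version(have) > parse_version(want):
            findings.append(("firmware", component, want, have, "above baseline"))
    for setting, want in baseline["settings"].items():
        have = host["settings"].get(setting)
        if have != want:
            findings.append(("setting", setting, want, have, "changed"))
    return (not findings, findings)

# Constructed sample data: names and versions are illustrative only.
BASELINE = {
    "firmware": {"BIOS": "2.10.0", "iDRAC": "7.0.30", "NIC": "22.5.7"},
    "settings": {"SecureBoot": "Enabled", "SystemLockdown": "Enabled"},
}
HOST = {
    "firmware": {"BIOS": "2.9.1", "iDRAC": "7.0.30", "NIC": "22.5.7"},
    "settings": {"SecureBoot": "Disabled", "SystemLockdown": "Enabled"},
}

if __name__ == "__main__":
    compliant, findings = check_drift(BASELINE, HOST)
    print("compliant" if compliant else "NON-COMPLIANT")
    for kind, name, want, have, reason in findings:
        print(f"  {kind:8} {name:15} expected={want} actual={have} ({reason})")
```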
Persistent Event Logging
Logs may reside in a dedicated data store and can include events regarding hardware, firmware, software, and other details.
System Event Logs and SupportAssist Collections detail:
- System - Tag#, OS, Host Name, Timestamp
- Inventory - CPU, RAM, NIC, RAID Controller, Disks, PSU
- Firmware - BIOS, CPLD, iDRAC, NIC, RAID, Disks, PSU
- Virtual Disk Config - per drive
- System Board - BIOS, CPLD, Sockets, DIMM Slots, PCIe Slots, Part#, PPID
- Processors - Index, Model, Clock Rate, Cores, Threads, Cache Sizes, Features
- RAM - Index, Vendor, Model, Size, Clock Rate, Rank, Serial#, Manufacture Date
Audit Logging & Alerts
Logs normally relevant to either critical components or accounts and policies. Alerts ensure administrators and operators are aware and informed at first notice.
The Lifecycle Log details audits and policies.
Recovery
BIOS
In the event of BIOS corruption, a backup image can be loaded from iDRAC, either automatically initiated by BIOS, or by an operator via the RACADM CLI command.
Firmware Rollback
Where a new version conflicts, corrupts, or otherwise renders a device partially or fully inoperable, the firmware can be reverted, or downgraded, to the previous version.
OS
A clean OS image is stored on an internal SD Card, SATA device, M.2 Drive, or USB host that is disabled and hidden from the boot list and OS. In the event of corruption, the device can be enabled, revealed and loaded.