Veritas NetBackup™ Appliance Security Guide
- About the NetBackup appliance Security Guide
- User authentication
- About user authentication on the NetBackup appliance
- About configuring user authentication
- About authenticating LDAP users
- About authenticating Active Directory users
- About authentication using smart cards and digital certificates
- About authenticating Kerberos-NIS users
- About the appliance login banner
- About user name and password specifications
- User authorization
- Intrusion prevention and intrusion detection systems
- About Symantec Data Center Security on the NetBackup appliance
- About the NetBackup appliance intrusion prevention system
- About the NetBackup appliance intrusion detection system
- Reviewing SDCS events on the NetBackup appliance
- Running SDCS in unmanaged mode on the NetBackup appliance
- Running SDCS in managed mode on the NetBackup appliance
- Log files
- Operating system security
- Data security
- Web security
- Network security
- Call Home security
- Remote Management Module (RMM) security
- STIG and FIPS conformance
- Appendix A. Security release content
- Index
Recommended IPMI settings
This section lists the recommended IPMI settings to ensure a secure IPMI configuration.
Use the following recommendations when creating IPMI users:
Do not create accounts with null user names or passwords.
Limit the number of administrative users to one.
Disable any anonymous users.
To mitigate the CVE-2013-4786 vulnerability:
Use strong passwords to help prevent offline dictionary attacks and brute force attacks. The recommended password length is 16-20 characters.
Change the default user password (
sysadmin) as soon as possible.Use Access Control Lists (ACLs) or isolated networks to limit access to the IPMI interface.
Keep the IPMI protocol port (623) turned off when not in use to mitigate security risks associated with the IPMI protocol (CVE-2013-4786). For more information, see https://nvd.nist.gov/vuln/detail/CVE-2013-4786.
Use the following recommendations when applying login settings for IPMI users:
Table: Login security settings
Settings | Recommended values |
|---|---|
Failed login attempts | 3 |
User Lockout time (min) | 60 seconds |
Force HTTPS | Yes Enable Force HTTPS to ensure that the IPMI connection always takes place over HTTPS. |
Web Session Timeout | 1800 |
For NetBackup Appliance models 5250, 5340, and 5350 that are updated with BIOS version 2.01.0010 or later, the following message appears when you log in to the IPMI console:
KCS Policy Control Mode is Allow All. This setting is intended for BMC provisioning and is considered insecure for deployment.
You can safely ignore this message because the KCS policy setting only affects the in-band access of IPMI commands at the operating system level. These commands are accessible only to root level users. This default policy setting matches those from previous Veritas product releases.
Veritas recommends that you enable LDAP authentication with OpenLDAP. The IPMI sub-system is not compatible with Active Directory.
Veritas recommends that you import a new or a custom SSL certificate.
Table: Remote session security settings
Settings | Recommended value |
|---|---|
KVM Encryption | Stunnel Note: Support for AES and RC4 algorithms have been removed from KVM encryption in BMC Firmware: 01.51.11142. |
Media Encryption | Enable |
You can also log in to the appliance shell menu by using iKVM over HTML5.
Note:
The HTML5 option is available only on appliances with firmware (BIOS) versions 00.01.0016 or later.
To help prevent IPMI user actions or activity with no authentication, specific ciphers should be disabled. For further assistance, contact Technical Support and inform the representative to reference article number 000127964.
Use a dedicated Ethernet connection for IPMI and avoid sharing the physical server connection.
Use a static IP.
Avoid using DHCP.