H3C G6 Servers HDM2 Security Technology White Paper-6W101

Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Overview

HDM2 is the server management system for H3C G6 servers. Besides a browser-based Web interface for end users, it exposes a set of programmatic management interfaces that a customer's network management system can use to meet diverse management needs.

HDM2 not only implements the management functions users need, it also exposes the security capabilities of the server hardware to users and hardens its own management channel so that it can be operated securely in a variety of deployment scenarios.

For the hardware security features that a given server model supports, HDM2 provides a corresponding user management interface through which users can view the support status and operation log and enable the feature.

HDM2 protects the integrity of server management operations along several dimensions: access mode, account management, encryption of the transmission link, data storage, and operation auditing.

For convenience of description, HDM in the following content refers to HDM2.

Server hardware security

Server intrusion monitoring

As shown in Figure 1, the chassis-open alarm module raises a signal every time the access panel is removed. The signal arrives on a hardware GPIO pin and triggers a software interrupt, and the software then determines whether the access panel has been removed. When it has, the sensor reports a chassis-open alarm through the system event log (SEL). Access-panel detection also works while AC power is removed: the chassis-open signal is captured by the BIOS, and the sensor's chassis-open alarm is reported through the SEL once HDM has fully started.

Figure 1 Chassis-open alarm module on the server chassis

 

You can check the HDM Web interface to identify whether the access panel was opened or closed. When the access panel is opened or removed, an event log entry is generated on HDM, as shown in Figure 2.

Figure 2 Viewing event log entries
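As an added example (not from the H3C document), the following Python script shows how the chassis-open events described above would be picked out of the SEL when it is read with a third-party IPMI tool: it parses the `ipmitool sel list` text format, isolates Physical Security sensor events that report a chassis intrusion, and handles records that carry a Pre-Init timestamp because they were logged before the BMC clock was set, which is what a panel removal detected while AC power was off looks like once HDM reports it. The sample SEL text, record IDs and sensor number are constructed; the real sensor name and number on a given HDM may differ.

```python
"""Parse `ipmitool sel list` output and pull out chassis-intrusion events."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample output in the `ipmitool sel list` format (not captured
# from a real HDM): record IDs, dates and sensor numbers are illustrative.
SAMPLE_SEL = """\
   1 | 05/20/2025 | 08:01:12 | Temperature #0x01 | Upper Non-critical going high | Asserted
   2 | 05/20/2025 | 09:14:33 | Physical Security #0x73 | General Chassis intrusion | Asserted
   3 | 05/20/2025 | 09:20:05 | Physical Security #0x73 | General Chassis intrusion | Deasserted
   4 | Pre-Init   |0000000012| Physical Security #0x73 | General Chassis intrusion | Asserted
   5 | 05/21/2025 | 11:45:00 | Power Supply #0x50 | Power Supply AC lost | Asserted
"""


@dataclass
class SelRecord:
    record_id: int
    timestamp: Optional[datetime]  # None when ipmitool printed "Pre-Init"
    sensor: str
    event: str
    asserted: bool


def parse_sel(text: str) -> List[SelRecord]:
    """Parse the six pipe-separated columns ipmitool prints per SEL record."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            continue  # blank or malformed line
        rid, date, clock, sensor, event, state = fields
        if date == "Pre-Init":
            # Logged before the BMC clock was set, e.g. an access-panel removal
            # while AC power was off that is reported once HDM has started; the
            # third column is then a seconds-since-boot count, not wall-clock time.
            ts = None
        else:
            ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        # ipmitool prints the record ID in hexadecimal.
        records.append(SelRecord(int(rid, 16), ts, sensor, event, state == "Asserted"))
    return records


def chassis_intrusions(records: List[SelRecord]) -> List[SelRecord]:
    """Keep only Physical Security sensor events that report a chassis intrusion."""
    return [r for r in records
            if r.sensor.startswith("Physical Security") and "intrusion" in r.event.lower()]


def describe(records: List[SelRecord]) -> List[str]:
    """One human-readable line per intrusion event, suitable for an alert."""
    lines = []
    for r in chassis_intrusions(records):
        when = r.timestamp.isoformat(sep=" ") if r.timestamp else "before HDM clock sync (Pre-Init)"
        state = "OPENED" if r.asserted else "CLOSED"
        lines.append(f"access panel {state} at {when} (SEL record {r.record_id:#x})")
    return lines


if __name__ == "__main__":
    for line in describe(parse_sel(SAMPLE_SEL)):
        print(line)
```

A monitoring job would feed the output of `ipmitool -I lanplus -H <hdm-address> -U <user> sel list` (or the SEL exported from the HDM Web interface) into `parse_sel` and raise an alert for every record `describe` returns; a Pre-Init record is worth treating as a higher-priority alert, because the panel was opened while the server was unpowered or before management was running.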

 

Trusted computing

Malware exploits the fact that operating systems do not check the integrity of executable code: a virus embeds its code in an executable and spreads with it. An attacker then uses vulnerabilities in the compromised system to obtain superuser privileges and install further malicious programs. Most seriously, systems often lack strict access control even for legitimate users, so unauthorized access can lead to security incidents.

To address these problems, in October 1999 a number of IT companies jointly founded the Trusted Computing Platform Alliance (TCPA), which was later reorganized as the Trusted Computing Group (TCG). Its purpose is to formulate cross-platform hardware and software standards and specifications for trustworthy computers.

A Trusted Platform Module (TPM) must itself be secure and must provide the functions a trusted computing platform needs, including remote attestation, which is at the core of the TPM.

A trusted computing platform requires the support of microchips, firmware, and software. For H3C servers, both TPM and TCM (Trusted Cryptography Module) options are available. On the software side, you can check the enablement status of TPM/TCM from HDM, as shown in Figure 3.

Figure 3 Identifying the enablement status of TPM/TCM

 

Different regions may mandate different standards (TPM or TCM) based on their security policies.

Because of compatibility constraints, different functional modules may also require a specific standard. For example, the BitLocker and virtual smart card features of the Windows operating system are available only with a TPM.

Firmware security

Firmware has a vital influence on the normal operation of the system. Once the firmware is damaged, the system might become abnormal or even fail to start. To ensure firmware security, the following mechanisms are provided:

·     The flash area that stores the BMC image holds a primary firmware image, a backup firmware image, and a Golden image. If a flash misoperation or a damaged storage block makes an image unusable, you can switch images and run HDM from the Golden image.

·     For critical firmware, both the BMC and BIOS images support an exception recovery mechanism. If HDM restarts abnormally or fails to boot fully while running from the BMC main partition, HDM proactively switches to the Golden image, uses it to restore the primary or backup firmware image, and then switches back to the restored image. If a power-on timeout or a failure to fully start is detected during BIOS startup, HDM proactively restores the BIOS firmware image and powers the server on again.

·     The firmware upgrade process supports upgrade task recovery. When components are upgraded through HDM, a mid-way power failure or abnormal HDM restart does not leave the upgrade half-done: after HDM restarts, it continues the component upgrade tasks that had not completed before the restart.

·     All released HDM and BIOS firmware versions are signed. When a firmware package is built, a SHA-384 digest of the image is computed and the digest is signed with an RSA-4096 private key. During an upgrade, HDM verifies the signature to detect tampering, and only firmware carrying a valid signature can be installed on the device.

·     While HDM is running, the running image is write-protected. In addition, at HDM startup the system checks the integrity of the image files; if they are corrupt, it recovers them as needed.

Software security

Security management interfaces

All management interfaces require authentication before any management information can be accessed.

IPMI 1.5 and IPMI 2.0 management interfaces

HDM is compatible with the IPMI 1.5 and IPMI 2.0 standards, so a third-party tool such as ipmitool can manage the server either in-band through the KCS interface over eSPI or out-of-band over the LAN (RMCP/RMCP+ on UDP/IP).

·     With KCS over eSPI, the third-party tool must run on the server's own operating system.

·     Over the LAN, the third-party tool can manage the server remotely, and IPMI 2.0 sessions are protected by RMCP+ authentication. Note that the RMCP+ key exchange (RAKP) defined by IPMI 2.0 returns an HMAC computed over the user's password during session setup, so anyone who can reach the IPMI LAN port can gather material for offline password guessing; restrict the IPMI LAN interface with the firewall, use strong passwords, and disable the interface if it is not needed.

SNMP management interface

Simple Network Management Protocol (SNMP) is widely used for remote management and operation of network devices. SNMP allows administrators to manage devices from different vendors with different physical characteristics and various interconnection technologies through NMS, including status monitoring, data collection, and fault handling.

HDM supports SNMP configuration, including SNMP version selection, read-only community name, and read-write community name.

SNMP v1/v2c community names are shown masked in the Web interface, and to keep them from being read on the link they are encrypted with AES-128 for transmission. Keep in mind that v1/v2c SNMP packets themselves carry the community name in cleartext on the network, so SNMPv3 is recommended: HDM supports SNMPv3 with its authentication and encryption mechanisms and its user-based access control. Supported SNMPv3 authentication algorithms are SHA (SHA-1), MD5, SHA256, SHA384, and SHA512; supported encryption algorithms are DES, AES (AES-128), AES192, and AES256. AES192 and AES256 must be used together with SHA256, SHA384, or SHA512 as the authentication algorithm. MD5, SHA-1, and DES are retained for compatibility with older managers and should not be chosen for new deployments.
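The following added example (written for this page; it is not H3C code) shows what the SNMPv3 settings above mean on the wire: it derives the USM authentication and privacy keys from a user password as RFC 3414 Appendix A.2 specifies, localizes them with the agent's snmpEngineID, and encodes the rule that AES192/AES256 require SHA256 or stronger. The password and engine ID are the RFC 3414 Appendix A.3 test-vector values; the number of localized-key bytes each privacy protocol consumes (DES and AES-128: 16, AES192: 24, AES256: 32) is standard, and the key-length explanation in the comments is the editor's reasoning about why the pairing rule exists, not a statement from the document.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A.2) plus a check of the
authentication/privacy pairing rule stated above."""
import hashlib
from typing import Tuple

# Hash behind each SNMPv3 authentication protocol name HDM offers.
AUTH_HASH = {"MD5": "md5", "SHA": "sha1", "SHA256": "sha256",
             "SHA384": "sha384", "SHA512": "sha512"}
# Bytes of localized key each privacy protocol consumes
# (DES: 8 key + 8 pre-IV; AES-128/192/256: the cipher key itself).
PRIV_KEY_BYTES = {"DES": 16, "AES": 16, "AES192": 24, "AES256": 32}


def password_to_key(password: bytes, auth: str) -> bytes:
    """Ku = H(first 1,048,576 bytes of the endlessly repeated password).
    The 1 MiB expansion is the RFC's deliberate slow-down against guessing."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(AUTH_HASH[auth])
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    h.update(stream)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one agent, so a key
    captured from one HDM cannot be replayed against another."""
    return hashlib.new(AUTH_HASH[auth], ku + engine_id + ku).digest()


def check_pairing(auth: str, priv: str) -> Tuple[bool, str]:
    """Mirror HDM's rule that AES192/AES256 need SHA256 or stronger. The localized
    key is a single hash output, so its length caps the privacy key that can be
    cut from it: MD5 gives 16 bytes and SHA-1 20, too short for AES-192/256."""
    if auth not in AUTH_HASH or priv not in PRIV_KEY_BYTES:
        return False, "unknown protocol name"
    have = hashlib.new(AUTH_HASH[auth]).digest_size
    need = PRIV_KEY_BYTES[priv]
    if have < need:
        return False, f"{auth} yields a {have}-byte localized key, {priv} needs {need}"
    if auth in ("MD5", "SHA") or priv == "DES":
        return True, "allowed, but MD5/SHA-1 authentication and DES privacy are legacy"
    return True, "ok"


def usm_keys(password: bytes, engine_id: bytes, auth: str, priv: str) -> Tuple[bytes, bytes]:
    """Derive (authKey, privKey) for a user that shares one password for both,
    refusing pairings HDM would refuse."""
    ok, why = check_pairing(auth, priv)
    if not ok:
        raise ValueError(why)
    kul = localize_key(password_to_key(password, auth), engine_id, auth)
    return kul, kul[:PRIV_KEY_BYTES[priv]]


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")      # RFC 3414 A.3 engine ID
    for auth, priv in (("SHA", "AES256"), ("SHA256", "AES256"), ("MD5", "DES")):
        print(auth, priv, check_pairing(auth, priv))
    a, p = usm_keys(b"maplesyrup", engine, "SHA512", "AES256")
    print(f"authKey {len(a)} bytes, privKey {len(p)} bytes")
```

The same localization is what a network management station performs with the engine ID it discovers from HDM, which is why a password change on the NMS and on HDM must be made together, and why the stronger SHA-2 choices cost nothing extra on the wire.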

Redfish management interface

Out-of-band access through the Redfish APIs is possible only after session authentication has succeeded; the session token issued at login (carried in the X-Auth-Token header, as the DMTF Redfish specification defines) is then presented on every request, and all data travels over the TLS (HTTPS) link.

Link security

HTTPS link

HDM's Web interface is served over HTTPS, which protects your data from eavesdropping. TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are supported, and the following cipher suites (TLSv1.2 and earlier) are available: RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_CAMELLIA_256_CBC_SHA, RSA_WITH_AES_128_GCM_SHA256, and RSA_WITH_AES_256_GCM_SHA384. All of these use static RSA key exchange, which provides no forward secrecy (a leaked server private key would allow recorded sessions to be decrypted); TLSv1.3 uses its own ephemeral-key cipher suites, which are not listed here.

Because TLSv1.1 and earlier have known security weaknesses (they are formally deprecated by RFC 8996), HDM's HTTPS link uses TLSv1.2 by default.

KVM

KVM lets you monitor and control a remote server in real time from a local client, and operate the server through it.

So that information about the server the user is connected to cannot leak and the interactive session cannot be eavesdropped, the KVM channel supports encrypted communication when its secure port is enabled.

H5 KVM (the HTML5 KVM client) supports single-port authentication: the KVM and virtual media functions are all carried through the Web service port, which reduces the number of externally exposed ports and improves security.

Virtual media

The virtual media feature lets the remote server access media on your local client over the network through a virtual USB DVD-ROM drive or floppy drive. The local media can be a DVD-ROM drive, a floppy drive, a DVD-ROM image file, a floppy image file, or a folder on a hard drive. Using virtual media means presenting media devices on the local client as media devices on the remote server over the network.

The following virtual storage media are available:

·     CD/DVD drives.

·     Floppy disk drives.

·     ISO files and IMG files.

·     Virtual folders.

·     USB keys.

To prevent data from being intercepted on the link while virtual media is in use, data can be transmitted in encrypted form through the secure port.

VNC

Virtual Network Console (VNC) transmits the raw screen images of the server to the client. VNC lets you access and manage the server from a local PC without logging in to HDM.

To connect a VNC client to the VNC server you need the IPv4 or IPv6 address of the remote server and the VNC password. The authentication process is as follows:

1.     The server sends a 16-byte random challenge to the client.

2.     The client uses the VNC password as the DES key, encrypts the challenge, and sends the result to the server for verification.

Note that this is the standard VNC Authentication scheme: only the first 8 bytes of the password form the DES key, and anyone who can observe the challenge and response can try to recover the password offline. On its own it provides little protection, so the encrypted connection types below should be used on untrusted networks.

During access you can decide whether to encrypt the data on the link by choosing the connection type.

Some versions of HDM support the following secure VNC connection types:

·     VNC over SSH: Data is transmitted through an SSH tunnel.

·     VNC over stunnel: Data is transmitted through the TLS/SSL channel established by the stunnel program.

SMTP alarm emails

Alarm emails are sent to specified recipients using the Simple Mail Transfer Protocol (SMTP). Enable TLS for the SMTP connection to protect the confidentiality and integrity of the alarm data in transit.

Syslog alarms

The syslog alarm feature allows the server to send operation logs, event logs, security logs, sensor logs, and serial port logs to a destination server in syslog packet format.

To keep traffic between the device and the syslog server confidential and trustworthy, the transport supports TLS with one-way or two-way authentication. With one-way authentication, HDM verifies the syslog server's certificate, so logs cannot be diverted to an impostor collector. With two-way (mutual) authentication, HDM additionally presents its own client certificate, so the collector accepts log streams only from devices holding a valid certificate and can reject unknown senders.

Log security

Complete operation logs and audit records

The operation log includes audit log entries, configuration log entries, firmware update log entries, and hardware update log entries.

·     Audit log entries record HDM administrative events, including access to HDM and remote console startup.

·     Configuration log entries record user configuration operations as well as their results.

·     Firmware update log entries record HDM firmware updates as well as their results.

·     Hardware update log entries record hardware updates as well as their results.

You can obtain information about user login, hardware replacement, and configuration changes from the operation log. Thus, the operations on the device can be audited and tracked.

SDS logs

The Smart Diagnosis System (SDS) logs include HDM event logs, HDM operation logs, device information, operating parameters, and internal diagnostic information. To prevent leakage of sensitive information, some of these logs (fault diagnosis, boot logs, periodically collected data such as temperature and power, and internal debug logs) are encrypted, and the SDSViewer tool together with an HDM license is required to view them.

Firewall

For security, HDM provides firewall features that implement scenario-based login control. HDM can restrict access to the server management interface to the minimum necessary in terms of time of day, IP address and IP version (IPv4 or IPv6), MAC address, port, and transport protocol (TCP or UDP). Firewall rules can control logins through the Web interface, SSH, SNMP v1/v2c/v3, and the IPMI LAN interface.

The firewall works as an allowlist: a login attempt succeeds only if it matches at least one allowlist rule, and anything not matched is refused. The rules apply to all local users and domain user groups alike.
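As an added illustration of the allowlist semantics described above (example code, not HDM's implementation), the following Python evaluates login attempts against rules that constrain any combination of source prefix (IPv4 or IPv6), source MAC, destination port, transport protocol and time-of-day window; an attempt that matches no rule is refused. The rule set, addresses, MACs and timestamps are constructed; the ports are the standard HTTPS, SSH, SNMP and IPMI-over-LAN ports.

```python
"""Allowlist evaluation for HDM-style firewall rules: an attempt is admitted
only when some rule matches on every dimension it constrains."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AllowRule:
    name: str
    networks: Tuple[str, ...] = ()            # CIDR prefixes (IPv4 or IPv6); empty = any
    macs: FrozenSet[str] = frozenset()        # lowercase aa:bb:cc:dd:ee:ff; empty = any
    ports: FrozenSet[int] = frozenset()       # destination ports on HDM; empty = any
    protocols: FrozenSet[str] = frozenset()   # {"tcp", "udp"}; empty = any
    start: Optional[time] = None              # time-of-day window; None = always
    end: Optional[time] = None


@dataclass(frozen=True)
class Attempt:
    src_ip: str
    dst_port: int
    protocol: str
    when: datetime
    src_mac: Optional[str] = None


def attempt(src_ip: str, dst_port: int, protocol: str, when_iso: str,
            src_mac: Optional[str] = None) -> Attempt:
    """Convenience constructor taking an ISO-8601 timestamp string."""
    return Attempt(src_ip, dst_port, protocol, datetime.fromisoformat(when_iso), src_mac)


def in_window(rule: AllowRule, when: datetime) -> bool:
    if rule.start is None or rule.end is None:
        return True
    t = when.time()
    if rule.start <= rule.end:
        return rule.start <= t <= rule.end
    return t >= rule.start or t <= rule.end   # window that crosses midnight


def rule_matches(rule: AllowRule, a: Attempt) -> bool:
    ip = ipaddress.ip_address(a.src_ip)
    # ipaddress never matches an IPv4 address against an IPv6 prefix or vice
    # versa, which gives the IP-version restriction for free.
    if rule.networks and not any(ip in ipaddress.ip_network(n) for n in rule.networks):
        return False
    if rule.macs and (a.src_mac is None or a.src_mac.lower() not in rule.macs):
        return False
    if rule.ports and a.dst_port not in rule.ports:
        return False
    if rule.protocols and a.protocol.lower() not in rule.protocols:
        return False
    return in_window(rule, a.when)


def decide(rules, a: Attempt) -> Tuple[bool, Optional[str]]:
    """Allowlist semantics: the first matching rule admits; no match means deny."""
    for rule in rules:
        if rule_matches(rule, a):
            return True, rule.name
    return False, None


# Constructed rule set for illustration (addresses and MACs are made up).
RULES = (
    AllowRule("ops-web", networks=("10.20.0.0/24",), ports=frozenset({443}),
              protocols=frozenset({"tcp"}), start=time(8, 0), end=time(18, 0)),
    AllowRule("nms-snmp", networks=("10.20.0.5/32",), ports=frozenset({161}),
              protocols=frozenset({"udp"})),
    AllowRule("jump-host-ssh", networks=("10.20.0.0/24",),
              macs=frozenset({"00:11:22:33:44:55"}), ports=frozenset({22})),
    AllowRule("v6-admins", networks=("fd00:1::/64",), ports=frozenset({22, 443})),
)

if __name__ == "__main__":
    # IPMI over LAN (UDP 623) from an unlisted host: no rule matches, so denied.
    print(decide(RULES, attempt("192.168.1.9", 623, "udp", "2025-05-20T10:00:00")))
```

Because nothing admits UDP 623 in this rule set, IPMI-over-LAN logins are refused from everywhere, which is the intended default when only the Web, SNMP and SSH paths are in use.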

User management and authentication

Domain management

You can add all managed servers to a management domain and access a server's HDM by its domain name. Domain management centralizes user account management, which is both more convenient and more secure: it simplifies the handling of confidential information and greatly improves the efficiency of user administration. A domain gives users a single login process for accessing network resources, and by assigning user permissions it ensures that only users who hold the appropriate privileges can access a given resource. The domain user types currently supported by HDM are LDAP users, AD users, and Kerberos users.

LDAP directory service

Lightweight Directory Access Protocol (LDAP) lets you efficiently access online directory services over an IP network. An LDAP directory can store many kinds of data, such as email addresses and mail routing information, and lets you search it in a convenient, centralized way.

As shown in Figure 4, enabling the LDAP directory service centralizes user, permission, and validity-period management on the LDAP server, which reduces duplicate configuration, improves management efficiency, and improves system security.

You can customize user permissions in LDAP user role groups. Combined with the domain user management of the domain controller, this lets you assign different access permissions to different users, which improves HDM security.

Figure 4 LDAP directory service diagram

 

LDAP provides the following advantages:

·     High scalability: Users added on the LDAP server become available to all HDMs at the same time.

·     Enhanced security: Password policies are enforced on the LDAP server, and the connection can be protected with SSL/TLS (LDAPS).

·     Real-time updates: Account changes on the LDAP server take effect on all HDMs immediately.

·     Improved efficiency: User management for HDM is integrated on the LDAP server, which minimizes repeated user configuration and improves management efficiency.

AD directory service

Active Directory (AD) is the directory service developed for the Windows Server operating system. It integrates the organization, management, and access of network resources, making the network topology and protocols transparent to users.

The AD service is built on domains, which can be extended as an enterprise grows.

HDM supports AD authentication, which lets users access HDM with the username and password of an account that belongs to a valid AD group configured on the AD server. The privileges of a user account depend on the privileges assigned to the AD group to which it belongs.

Kerberos directory service

Kerberos is a network authentication protocol that provides strong identity verification for the parties in a communication, guaranteeing the authenticity and security of their identities.

The authentication process of the protocol has the following features:

·     It does not rely on the host operating system for authentication.

·     It does not require trust based on host addresses.

·     It does not require physical security of all hosts on the network.

·     It assumes that packets on the network can be read, modified, and injected arbitrarily.

Kerberos is a trusted third-party authentication service that uses conventional shared-secret (symmetric-key) cryptography.

HDM's Kerberos authentication is controlled by the HDM license status. After you enable Kerberos authentication and configure an access policy, you can log in to HDM directly with a username and password defined on the Kerberos directory server. If the PC has been joined to the domain and configured accordingly, you can also access HDM through single sign-on without entering a username or password. The user's permissions are determined by the role group the user belongs to.

The roles in the Kerberos protocol are as follows:

·     Client: Party that sends requests.

·     Server: Party that receives requests.

·     Key Distribution Center (KDC), which is generally divided into the following parts:

¡     Authentication Server (AS): Authenticates the client's identity and issues the Ticket Granting Ticket (TGT) that the client uses to access the TGS.

¡     Ticket Granting Server (TGS): Issues the service tickets that the client presents to the server it wants to access.

Figure 5 Kerberos authentication process

 

Every exchange in Kerberos authentication is protected by a key, and the keys in use change continually: to keep an eavesdropper from obtaining long-term keys, the protocol uses temporary session keys that are valid only within a single session, which keeps the whole process secure.

Account security

You can enhance HDM access security by setting rules that the passwords of user accounts must follow in the password policy.

Procedure

1.     On the top navigation bar, click Users & Security.

2.     In the left navigation pane, select Users.

3.     Click Settings to configure the password policies.

Figure 6 Configuring the password policy

 

Parameters

·     Complexity check: Disable or enable password complexity check.

¡     If this feature is enabled, passwords must meet the following enhanced complexity requirements:

-     8 to 40 characters in length.

-     Case sensitive. Valid characters are letters, digits, spaces, and the following special characters: ` ~ ! @ # $ % ^ & * ( ) _ + - = [ ] \ { } | ; ' : " , . / < > ?

-     Must contain characters from at least two of the following categories: uppercase letters, lowercase letters, and digits.

-     Must contain at least one space or special character.

-     Cannot be identical to the username or the reverse of the username.

-     Must satisfy the password history requirement (see Password history count below).

·     Maximum password age: Maximum number of days that a password can be used. When a password is about to expire, HDM prompts the user to change the password.

·     Password history count: Number of unique passwords that a user must create before an old password can be reused.

·     Account lockout threshold: Number of consecutive login failures that will cause a user account to be locked.

·     Account lockout duration: Amount of time before a locked account can be used again.

·     Prompt for password modification: Select whether to remind users to change the default password when they successfully log into HDM.

·     Weak password detection: Rejects passwords that exactly match a dictionary word.

User privileges

To meet security requirements, you can assign a user role to each user account and customize its extended privileges as needed. The built-in user roles are Administrator, Operator, and User. You can disable a user account, or individual privileges of it, through the IPMI, Redfish, or Web interface; for example, you can grant or withhold the KVM, VMedia, Web, IPMI, and SNMP access privileges individually.

You can configure user accounts, including local users, LDAP users, and AD groups, to control access to HDM on the User Accounts page.

The network access privilege of a user is determined by the user role. Available user roles include:

·     Administrator—The user has read and write permissions to all features.

·     Operator—The user has read permission to all features and has write permission to some features.

·     User—The user has read-only permission.

·     CustomRoleN—The user has the privileges that an administrator assigned to the custom role. The system supports a maximum of five custom user roles. To manage user permissions uniformly, HDM groups functional privileges into modules that follow the layout of the user interface. The modules are:

¡     User accounts: Includes local user configuration, LDAP user configuration, AD user configuration, OTP authentication, certificate authentication, SSH key management, license management, secure erasure, import/export configuration, and operational privileges for HDM federation management.

¡     Basic configuration: Includes setting asset tags, network configuration, setting LLDP, wireless management, NTP configuration, SNMP configuration, alarm settings (SMTP, Trap, and Syslog), event log policy settings, clearing operation logs, playback of recordings, and operational privileges for the security panel.

¡     Security: Includes privileges to configure services, firewall, SSL certificates, PFR firmware protection, and login security information.

¡     Remote console: Includes privileges for storage information management, system resource monitoring settings, BIOS settings, KVM (excluding power control and image mounting), H5 KVM (excluding power control and image mounting), VNC password management, system startup items, UID LED control, SOL serial port settings, and MCA policy.

¡     Remote media: Includes privileges for virtual media configuration, KVM image mounting, and H5 KVM image mounting.

¡     Power control: Includes privileges for power management, NMI control, physical power button control, fan configuration, and intelligent power saving.

¡     Maintenance: Includes privileges for clearing event logs, package management, firmware updates, firmware library management, scheduling tasks management, restoring HDM configuration, restarting HDM, restarting CPLD, and service USB settings.

¡     System audit: Includes privileges to view or save event logs, operation logs, and one-click collection and download of SDS logs.

¡     Information query: Includes privileges to view primary information of HDM, excluding event logs, operation logs, and one-click collection and download of SDS logs. The privilege to view other user information is only applicable to Administrator users.

¡     Password modification: Allows users (limited to local users) to configure their own passwords.

Figure 7 Configuring privileges for custom users

 

Configure two-factor authentication

A traditional platform login requires only a username and password, so the password is the system's only protection barrier and security management is relatively weak. Under two-factor authentication, a user must present a second factor in addition to the username and password to log in to the management system. This prevents the compromises that follow from leaked HDM user credentials and strengthens the security of system management.

HDM supports two forms of two-factor authentication, certificate authentication and OTP authentication, which cannot be enabled at the same time. When two-factor authentication is enabled, the system disables interfaces or services such as TSSH, VNC, IPMI, and Redfish that cannot carry the second factor. Enable two-factor authentication only after considering this effect.

Certificate authentication

To improve HDM's security and prevent leakage of user credentials, HDM provides certificate authentication, which requires a client certificate and the corresponding private key for each login.

Figure 8 Configuring certificate authentication

 

After obtaining the root CA certificate and a client certificate from the certification authority, upload them to HDM on the certificate authentication page and bind each client certificate to a local HDM user. Once the binding succeeds, import the client certificate together with its private key into the browser. You can then open the HDM login page, select the client certificate when prompted, and log in to HDM as the local user bound to that certificate.

Figure 9 Processing of certificate authentication

 

To avoid authentication failures, upload both the root certificate and the client certificate, and bind the client certificate to a local HDM user who has permission to access the HDM Web interface.

OTP authentication

HDM supports one-time password (OTP) DKEY tokens, which support the Chinese national cryptographic (SM) algorithms and hold the corresponding national cryptographic certification. The integration uses the standard RADIUS protocol (RFC 2865, RFC 2866), so it can work with any RADIUS-based two-factor authentication platform. After OTP authentication is enabled, users must enter a dynamic password in addition to their username and password when logging in to the HDM Web interface. The dynamic password is generated by a hardware or mobile token and must be validated by the OTP server before the login to HDM succeeds. The network layout is shown in Figure 10.

Figure 10 Network diagram

 

After OTP authentication is enabled, a dynamic password input box will be added to the HDM login interface, as shown in Figure 11.

Figure 11 OTP authentication login

 

The Web and Telnet services support two-factor authentication.
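The following added example (written for this page, not H3C's or the token vendor's code) models the RADIUS exchange that OTP authentication relies on, with both sides shown: HDM as the RADIUS client (NAS) builds an Access-Request whose User-Password attribute carries the dynamic code hidden with the RFC 2865 MD5/XOR transform, and the OTP server recovers the code, compares it with the expected token value, and returns an Access-Accept or Access-Reject protected by a Response Authenticator that HDM verifies. Assumptions: only the dynamic code is forwarded to the RADIUS server (the static password is checked by HDM itself), the shared secret, usernames and token values are constructed, and the expected OTP is looked up from a table rather than computed from a token algorithm.

```python
"""RADIUS Access-Request/Access-Accept exchange (RFC 2865) carrying a one-time
password, with both the client (NAS) and the OTP server side modelled."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret || previous block), starting from the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; the mask chain uses the received
    ciphertext blocks, so it cannot be undone without the shared secret.
    Trailing NUL padding is stripped (OTP codes never contain NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def client_request(username: bytes, otp: bytes, secret: bytes, ident: int) -> bytes:
    """What HDM (the NAS) sends: the dynamic code travels as User-Password.
    Assumption for this example: only the OTP is forwarded to the RADIUS server."""
    request_auth = os.urandom(16)   # fresh per request; also seeds the password mask
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(otp, secret, request_auth)),
                         (NAS_IDENTIFIER, b"hdm")])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def otp_server(request: bytes, secret: bytes, expected: Dict[bytes, bytes]) -> bytes:
    """OTP server: recover the code, compare it in constant time with the value
    expected for that user's token, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("bad RADIUS request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"")
    otp = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = user in expected and hmac.compare_digest(otp, expected[user])
    header = struct.pack("!BBH", ACCESS_ACCEPT if 
ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept the verdict only if the Response Authenticator proves it
    came from the holder of the shared secret and answers this very request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, response_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

The Response Authenticator is the only thing binding the verdict to the request, so an attacker on the path between HDM and the OTP server who does not know the shared secret cannot turn a Reject into an Accept; the shared secret therefore deserves the same handling as an administrator password, and RADIUS traffic between HDM and the OTP server belongs on a management network that the firewall rules already restrict.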

SSH public key

HDM lets you upload a Secure Shell (SSH) public key and bind it to a local user for HDM login; the corresponding private key stays with the user.

At login, if a passphrase was set when the key pair was generated on the client, the user must also enter that passphrase to unlock the private key. If no passphrase was set, the user is logged in to the HDM CLI directly.

In the current software version, RSA, ECDSA, and ED25519 keys are supported. The supported key length depends on the key type:

·     RSA keys can be 1024, 2048, or 4096 bits. (1024-bit RSA is no longer considered secure; use 2048 bits or more.)

·     ECDSA keys can be 256, 384, or 521 bits (the NIST P-256, P-384, and P-521 curves).

·     ED25519 keys are always 256 bits.

Figure 12 SSH key
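Added example, not part of the document: a parser for OpenSSH public-key lines that extracts the key type and size the way an upload check would, and compares the result with the key lengths listed above. The sample keys are constructed wire-format blobs (their moduli and curve points are not real keys), so the parser validates structure and length only, not the mathematics; `ACCEPTED_BITS` encodes the page's list, so a 1023-bit RSA key is rejected and a 1024-bit one accepted even though 1024-bit RSA is weak by today's standards.

```python
"""Parse OpenSSH public-key lines and check the key type and size against the
lengths HDM accepts."""
import base64
import struct
from typing import Tuple

ACCEPTED_BITS = {"ssh-rsa": {1024, 2048, 4096}, "ecdsa": {256, 384, 521},
                 "ssh-ed25519": {256}}


def _string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack("!I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey(line: str) -> Tuple[str, int]:
    """Return (key type, key size in bits) for a '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    ktype_b, off = _string(blob, 0)
    ktype = ktype_b.decode("ascii")
    if ktype != parts[0]:
        raise ValueError("type in blob does not match the line prefix")
    if ktype == "ssh-rsa":
        _e, off = _string(blob, off)
        n, off = _string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()   # mpint: a leading 0x00 does not count
    elif ktype.startswith("ecdsa-sha2-nistp"):
        curve, off = _string(blob, off)
        point, off = _string(blob, off)
        curve_name = curve.decode("ascii")
        if curve_name != ktype[len("ecdsa-sha2-"):] or point[:1] != b"\x04":
            raise ValueError("inconsistent ECDSA key")
        bits = int(curve_name[len("nistp"):])
    elif ktype == "ssh-ed25519":
        pk, off = _string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:
        raise ValueError(f"unsupported key type {ktype}")
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return ktype, bits


def key_accepted(ktype: str, bits: int) -> bool:
    """Apply the length list from the document to a parsed key."""
    family = "ecdsa" if ktype.startswith("ecdsa-sha2-") else ktype
    return bits in ACCEPTED_BITS.get(family, set())


# --- constructed sample keys (wire format only; the numbers are not real keys) ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def _mpint(x: int) -> bytes:
    # SSH mpint: big-endian, with an extra 0x00 byte when the top bit is set.
    return x.to_bytes((x.bit_length() + 8) // 8, "big")


def make_pubkey_line(ktype: str, *fields: bytes, comment: str = "constructed") -> str:
    blob = _ssh_string(ktype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


SAMPLES = {
    "rsa2048": make_pubkey_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),
    "rsa1023": make_pubkey_line("ssh-rsa", _mpint(65537), _mpint((1 << 1022) | 1)),
    "p384": make_pubkey_line("ecdsa-sha2-nistp384", b"nistp384", b"\x04" + bytes(96)),
    "ed25519": make_pubkey_line("ssh-ed25519", bytes(range(32))),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        ktype, bits = parse_pubkey(line)
        print(f"{name}: {ktype} {bits} bits, accepted={key_accepted(ktype, bits)}")
```

Reading the size from the blob rather than trusting the comment or the filename matters because `ssh-keygen` comments are free text; a key labelled "rsa4096" can easily be something else.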

 

Secondary authentication

For important management operations such as user configuration, privilege configuration, and public key import, a logged-in user must authenticate again. The operation is executed only after this secondary authentication succeeds, which prevents unauthorized or accidental operations by someone else who reaches a session that the logged-in user left connected.

SSL certificate

Secure Sockets Layer (SSL), and its successor TLS, is a protocol for transmitting private data securely over the Internet beneath TCP-based application protocols such as HTTP. It uses keys to encrypt and decrypt data. With SSL/TLS, the Web server and client can exchange data securely, verify the identity of the data source, and ensure the integrity of the data.

HDM supports the following SSL certificate management operations:

·     Viewing details of the current SSL certificate, including issuer, subject, validity period, and serial number.

·     Uploading an SSL certificate.

·     Generating an SSL certificate.

HDM ships with a built-in certificate, but for stronger security replace it with a certificate issued by your own CA (together with the corresponding key), so that clients can verify HDM's identity instead of having to accept the default certificate.

Access services

To meet service and security requirements, HDM allows users to control the enablement status of the following services: Remote XDP (ASD), CD-Media, FD-Media, HD-Media, HTTP, HTTPS, IPMI, KVM, SNMP, SSDP, SSH, Telnet, and VNC.

Figure 13 Configuring access services

 

Security monitoring information

This feature lets you view the status of important security settings and check whether HDM's static security settings carry potential risks. When risks are detected, you can view details and suggestions. As shown in Figure 14, HDM evaluates the current system security in terms of account authentication security and application service security and shows a corresponding risk level.

The risk levels are as follows:

·     Security settings do not have any risks.

·     Security monitoring is disabled.

·     The overall security status has been ignored: All risky security configuration items are ignored.

·     Security settings have risks: One or more security configuration items are identified as risky.

Figure 14 Security monitoring information

 

Secure erasure

Perform this task to erase HDM, BIOS, and storage data from the server so that no data leaks when the server reaches the end of its service life or is taken out of service.

Secure erasure requires an HDM license. The feature page is shown in Figure 15.

Figure 15 Secure erasure page

 

The erasure result for each item is shown in Table 1.

Table 1 Secure erasure

·     HDM: Restores HDM factory defaults. SDS logs and flash card data are erased.

·     BIOS:

¡     Restores the BIOS default settings.

¡     The BIOS administrator and user passwords are erased. At the next restart, the BIOS no longer requires a password from a user whose password was erased to enter the BIOS Setup utility.

¡     The server power-on password is erased from the BIOS.

·     Non-volatile DIMM (NVDIMM): Data in NVDIMMs that are not in memory mode is erased. After erasure, all NVDIMMs operate in memory mode.

·     Storage controller:

¡     All logical drives managed by the RSTe RAID controller and VROC module are deleted.

¡     All logical drives managed by the RAID-P460-B2 storage controller are deleted.

·     Drive: All data on the drive is deleted.

·     SD card: All data on the SD card is deleted.

 

To ensure a successful erase, make sure the server uses iFIST-1.38 or later version.

System locks

Perform this task to lock specific server features, configuration items, and firmware versions against mistaken or malicious modification.

System locks require an HDM license. The feature page is shown in Figure 16.

Figure 16 System locks

 

Hardware encryption

The AST2600 BMC SoC provides hardware acceleration for security functions, which improves the performance of authentication and of data encryption and decryption. The accelerator supports the following algorithms: AES, DES, 3DES, RC4, MD5, SHA1, SHA224, SHA256, HMAC-MD5, HMAC-SHA1, HMAC-SHA224, and HMAC-SHA256. Note that DES, RC4, MD5, and SHA1 are supported for compatibility only; they are not considered secure for new uses, and hardware support for them does not make them safe choices in the protocol settings described earlier.
