Security Recommendations

Connect the iDRAC to a separate, isolated management network. This network should be physically and logically isolated from the production network using firewalls and VLANs.

Do not connect the iDRAC directly to the internet.

Change the default iDRAC password located on the pull-out service tag. Choose a strong, unique password that meets the complexity requirements. Keep the new password in a safe and known place for remote service support.

Limit access to authorized management stations only. Define specific IP ranges or subnets allowed to access the iDRAC.

Ensure all iDRAC network communications are encrypted using TLS 1.2 or higher to protect data in transit.

Integrate with Microsoft Active Directory or LDAP to manage user accounts, roles, and permissions centrally. Configure iDRAC to use LDAPS (LDAP over SSL) for secure communication with the directory server.

Enable MFA using supported methods such as RSA SecurID or Smartcards (CAC/PIV). Configure iDRAC to require an additional authentication factor beyond the password for login.

You can enable the Setup password option to prevent access to the device BIOS settings. It is recommended to use a strong password of at least 8 characters. Keep the new password in a safe and known place for service support.

Do not Enable Secure Boot in the BIOS settings as it is not compatible with the SBC software installation. When upgrading the device software, all CMP files are digitally signed. This digital signature ensures that only files that have been verified and approved by AudioCodes can be loaded to the device. During the update process, the device verifies the digital signature of the CMP file. If the file is not signed or the signature does not match, the update is rejected. This ensures that only authentic and unaltered files are used.

Enable chassis intrusion detection in the iDRAC settings. Configure alerts to notify administrators of any detected intrusion attempts. This provides an additional layer of security by alerting personnel to potential physical tampering with the server.

USB Port Management is a security feature that allows administrators to selectively enable or disable USB ports on the device. This helps prevent unauthorized use of USB devices, which can be a potential security risk. It is recommended to disable the User Accessible USB Ports.

Lock the front bezel to prevent unauthorized access to the server's hard drives.

Ensure the server is securely mounted in a locked rack or cabinet to prevent unauthorized access.

Regularly check for firmware updates on the AudioCodes Support website and install them promptly. For non-HA deployments, schedule these updates during maintenance windows.

Before discarding the device, use System Erase to securely wipe data from storage drives. This ensures data is irrecoverable and protects against unauthorized access.

Change the default Admin user login passwords immediately upon setup to prevent unauthorized access.

Ensure strong passwords for authentication.

Use LDAP for centralized user authentication and authorization.

Use X.509 certificates for two-way authentication.

Ensure all management access is secured using HTTPS.

Ensure all management network communications are encrypted using TLS 1.2 or later to protect data in transit.

Avoid using Telnet; if necessary, secure sessions.

Use SSH for securing CLI sessions.

Define an authorized access list.

Prefer SNMPv3 over SNMPv2 for secure SNMP interface access

Use TLS for SIP interfaces and block unnecessary TCP/UDP ports.

Use X.509 certificates for securing SIPS (TLS) sessions.

Ensure all network communications are encrypted using TLS 1.2 or later to protect data in transit.