Securing your UPS from a DoS attack


A Thwack member asked a question about why their NPM wasn't discovering a UPS, and that discussion brought to mind some ideas that might not be in the front of a UPS Administrator's mind...

A UPS is often treated like an afterthought: a stupid device with which few "important tasks" can be done. It just does its job, or it fails. Hopefully you've got a maintenance program in place to have it tested, monitored, and maintained, with replacement batteries on the manufacturer's recommended schedule. If not, then a UPS can cause more outages than it prevents.

Ideally a UPS will automatically go into bypass mode (bypass the batteries and use building power) when the batteries fail. Plus it should have the ability to be put into bypass mode both locally (via a dedicated wall-mounted toggle or rotating switch) and remotely (via the network management card). This ensures the devices it powers will stay up while the batteries are being replaced.

But newer UPSes also create a serious security hole once they're on the network, because anyone with remote access to them can shut down power to their outlets. Talk about your basic DoS attack! What could be more serious than someone shutting down your equipment through your UPS?

If you connect UPS management cards to the network, the SNMP/management cards must have adequate protection in place, and you are responsible for enabling it. At a minimum, a UPS should be protected from remote attacks in these ways:

• An allow list (whitelist) must be created, permitting remote access only from trusted sources
• Default accounts and passwords deleted or changed (anyone can look up the default user name and password on the Internet)
• SNMP should only be allowed if using v3
• Read/Write or Write SNMP accounts should not be created.
  • Read-Only access into a UPS is enough for NPM to monitor it.
  • Read-Write permissions enable someone with access to the trusted SNMP server (Orion?) to make changes on the UPS remotely, and there may be no log of the event on the UPS, since logging may cover only CLI or web access and miss SNMP write commands
• HTTP access should be disabled and replaced with HTTPS
• Telnet access should be disabled and replaced with SSH2 (SSH version 1 is no longer acceptable)
• Access should be restricted to TACACS only. AAA through TACACS gives you complete records and accountability. RADIUS is a distant second, but if you don't have TACACS and DO have RADIUS, use RADIUS. It's better than nothing.

What other ways do you protect your UPSes?