Hey, big spender. Are you as secure as a whitebox vendor? Security flaws are a great source of inter-company marketing FUD, but it is how a company responds to them that determines how trustworthy they are. Can you bet your business – or your personal data – on a company that simply brushes flaws under a rug? Where does the vendor's responsibility end and that of the customer begin? …
Comparing Supermicro's IPMI to HP iLO, it's a bit of a Hobson's choice - iLO is much more friendly (IPMI configuration procedures surely originated with space aliens) and at least for that reason easier to verify as having been locked down... EXCEPT... on every HP server we've had the iLO firmware was at least buggy and at worst simply broken... and the new HP policy of no-updates-without-a-maintenance-contract seems to make the associated risk unacceptable. Hopefully someone can tell me that HP have relented!
What we have done on our remote sites is to put all the BMCs regardless of make on a dedicated network that can only be accessed from a jump-host that has a second internet-facing NIC.
What we have done on our remote sites is to put all the BMCs regardless of make on a dedicated network that can only be accessed from a jump-host that has a second internet-facing NIC.
That's common sense for most of these kind of devices - at work they're on the same subnet as the switches and console servers, no external routing to the internet and only selective access even from within. Other devices such as WAPs and printers are better on the subnet where they belong logically, so we always block all external connectivity to the uppermost addresses of each subnet at the router to provide room for them. In short if things don't need the Internet they don't get it - as you point out you can always take a stepping stone approach from a properly secured system if you must get in remotely for maintenance.
> What we have done on our remote sites is to put all the BMCs regardless of make on a dedicated >network that can only be accessed from a jump-host that has a second internet-facing NIC.
Assuming you have the IPMI port as a separate, non shared port.
There are a handful of SuperMicro boards with integrated IPMI that share the first NIC port. I had to throw ours behind some transparent mode firewalls to block their IPMI special sharing.
Thankfully they aren't set to DHCP by default, just some random private IP. That could have been even more fun.
There are a handful of SuperMicro boards with integrated IPMI that share the first NIC port. I had to throw ours behind some transparent mode firewalls to block their IPMI special sharing.
Sounds like you aren't using the capabilities supplied. Where there isn't a dedicated port the option is present to place the BMC on a separate VLAN for segregation purposes. That's expected to the point that VLAN selection is usually in the initial set up as opposed to buried away somewhere.
From when I upgraded the firmware back when that security thing made news. I haven't had time to go out on site to fix it.
The issue was upgrading the firmware required wiping all configuration from the ipmi controller as part of the upgrade process. Something that I don't recall ever happening with ILO or DRAC.
My IPMI wasn't behind a firewall mainly because it is a standalone 1U server in a colo with a single power outlet available to it. I have thought about putting in a soekris box with a power strip running off the colo's power strip (as long as it doesn't have a circuit breaker they say it's fine), but hasn't been a priority.
ILO 4 is just crazy good though, I love it anyway. Especially the integrated email alerting. Had a memory upgrade in a DL380Gen8 a few weeks ago and when the system powered up ILO emailed me that the memory was not installed correctly and it would not be used (wasn't aware there was a specific installation sequence required). Was able to look up the correct installation procedure and tell the on site tech to fix it.
"EVENT (14 Jul 21:27): POST Error: 207-Invalid Memory Configuration - Processor 1, DIMM 10 incorrectly installed. Please refer to Memory Population Rules in Documentation. This Memory will not be utilized."
And I love Advanced ECC(along with pre failure warranty - they replaced the memory chip no questions asked):
EVENT (13 Jul 05:18): Corrected Memory Error threshold exceeded ((Processor 2, Memory Module 12))
Also emails when NIC links go down, when the firmware is updated .. and the KVM remote console is crazy fast pretty much as good as being local. I think ILO4 has something like a dual core processor and 1GB of ram.
I've never personally had an ILO go unresponsive on me.
Though I do recall about 10 years ago at a company we had a network loop for a bit and it killed the redundant management interfaces on our HP Itanium systems. HP support said those modules were hot swappable so you could just yank them out of the chassis to reset them(regular reset methods did not work). We learned the hard way that they were in fact not hot swappable and it caused the systems to crash(well the first one we tried it on we obviously stopped after that one).
I liked ILO3 and ILO2 as well (though in some cases liked ILO2 more than 3).
"My IPMI wasn't behind a firewall mainly because I don't care about security." There, FTFY.
What does 1U or colo or number of outlets have to do with foregoing basic security? Own up -- you're lazy and don't care much about security. I sympathize. I'm lazy too and cut corners on security.
http://www.amazon.com/SF-Cable-Outlet-Saver-Splitter/dp/B004PFJYNA/ref=sr_1_12?s=electronics&ie=UTF8&qid=1406955307&sr=1-12&keywords=Outlet+saver
Long term it looks like all vendors are going to have to get more into security.
If you're a small company with limited resources it seems like common sense to be friendly and receptive with security researchers rather than play the "Our products are fully secure. There is nothing to worry about" routine.
I've always wondered at the difficulty of implementing protocols. My instinct is keep it simple and work through the spec as a state machine using a tool, not writing huge chunks of code.
Yep, Out-of-band management goes on a firewall segment with only super-user access. It's roughly equivalent with standing in front of the host.
That said, I'm amazed at the rubbish Tier 1 vendors put out there. With the cost of a Checkpoint firewall, you'd think they could include an Atom-SBC with a mainstream linux distro on it which is properly maintained, not some hobbled ancient debian-on-ARM rubbish from the last century with most enterprise features (LDAP, two-factor auth etc) missing. All you really need to do is hook it up to a serial port and the power supply switch.
@P.Lee: "All you really need to do is hook it up to a serial port and the power supply switch."
That assumes you're using a real OS, not Windows. And since it's the suits that make the business plans, it has to be Windows compatible, otherwise they won't believe it is actually working unless they see the Desktop.
"That assumes you're using a real OS, not Windows. And since it's the suits that make the business plans, it has to be Windows compatible"
Cry me a river, you snob.
ILO, IPMI etc. are most definitely Windows compatible because Windows is the most popular OS of choice according to IDC.
They all support serial port redirection so yes, you can install your precious 'real OS' with it.
I'd never expose a server management interface to WAN without VPN/firewall. The vendors are against it too. They've all had vulnerabilities from authentication bypassing to full root access. Fully patched or not, there may well be another Heartbleed-like bug waiting and the question is which blackhatter knows it first, NSA or the Chinese?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
