freeipmi-devel

Re: [Freeipmi-devel] ipmi configuration security best practices


From: Andy Cress
Subject: Re: [Freeipmi-devel] ipmi configuration security best practices
Date: Tue, 19 Feb 2013 11:07:41 -0500

Dan,

RE 5. 20-character passwords
This assumes that all deployed platforms are IPMI 2.0, since IPMI 1.5
platforms only support 16-character passwords.  There are still some
IPMI 1.5 platforms in use out there.

RE 12. Disable gratuitous ARP replies
The description here is a bit off.  There are two bits to be
configured for gratuitous ARPs:
Sending Gratuitous ARPs from the BMC, and enabling responses from the
BMC to ARPs.
The BMC firmware must support one or both mechanisms.  I think you
mean to recommend disabling >sending< gratuitous ARPs, which is good
as long as the firmware supports enabling replies/responses to ARPs
instead (not all implementations support both).

RE 14 BMC to use its own dedicated physical NIC
On some systems, this requires an additional cost for the BMC NIC
module, and I understand that your recommendations center around
security, so this is more secure, but it definitely costs more in
terms of components, cabling, routing, etc.  There are a variety of
customer use cases for IPMI, some involve only in-band usage, without
IPMI LAN, and some value the convenience of the shared physical NIC.
Some have physically secured LANs, etc.  Note that the BMC IP and the
OS IP in a shared NIC configuration could also be on separate subnets.
So, this recommendation might say that using a dedicated physical NIC
is more secure, but this item is not one-size-fits-all.

One thing that you didn't list is to find out whether each vendor's
IPMI LAN firmware passes a Nessus (or similar) scan.  If it does not
pass, the firmware vendor needs to handle the issues.

Andy

On Mon, Feb 18, 2013 at 11:52 AM, dan farmer <address@hidden> wrote:
[...]
> 12. Disable gratuitous ARP replies. An ARP is a packet defined in
> RFC 831 that permits computers to find a physical Ethernet (aka
> MAC) address and map it to an IP address. A gratuitous ARP reply
> is when a computer sends a broadcast network packet to update the
> mapping between an IP address and an Ethernet, or MAC, address.
> While gratuitous ARPS may be useful at times, BMCs shouldn't be
> sending traffic on the local LAN anyway, and it may be used to spoof
> addresses.
[...]
>
> 14. The BMC should use its own dedicated Ethernet connection (e.g.
> don't share the server's physical connection!)
>
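To make the two points above concrete (the 16- versus 20-byte password limit of IPMI 1.5 versus 2.0, and the two separate ARP control bits), here is an added example that builds the raw request bytes for both settings and formats them the way freeipmi's ipmi-raw takes its arguments. It is not code from the freeipmi project or from either poster. The byte layouts follow the IPMI 2.0 specification (Set User Password, NetFn App 0x06 / cmd 0x47; Set LAN Configuration Parameters, NetFn Transport 0x0C / cmd 0x01, parameter 10 "BMC-generated ARP control"); the user ID, channel number and password in the usage section are constructed sample values.

```python
"""Raw IPMI request builders for the two settings discussed in the thread.

Added example, not freeipmi project code.  Layouts per the IPMI 2.0 spec:
  - Set User Password (NetFn 0x06, cmd 0x47): byte 1 bit 7 = 1 selects the
    20-byte password field (IPMI 2.0 only), 0 selects 16 bytes; bits 5:0
    carry the user ID.  Byte 2 bits 1:0 carry the operation (0x02 = set).
  - Set LAN Configuration Parameters (NetFn 0x0C, cmd 0x01), parameter 10
    "BMC-generated ARP control": bit 0 = BMC sends gratuitous ARPs,
    bit 1 = BMC answers ARP requests.  The two are independent.
"""

NETFN_APP = 0x06
NETFN_TRANSPORT = 0x0C
CMD_SET_USER_PASSWORD = 0x47
CMD_SET_LAN_CONFIG = 0x01
PARAM_BMC_ARP_CONTROL = 10      # parameter selector for BMC-generated ARP control
OP_SET_PASSWORD = 0x02          # Set User Password operation: set password

ARP_SEND_GRATUITOUS = 0x01      # bit 0 of the control byte
ARP_RESPOND = 0x02              # bit 1 of the control byte


def set_user_password_request(user_id: int, password: bytes, ipmi20: bool) -> bytes:
    """Return the data bytes (after LUN/NetFn/Cmd) of a Set User Password request.

    ipmi20=False models an IPMI 1.5 BMC, which only has the 16-byte field.
    A password longer than the field is rejected rather than silently cut,
    which is the failure mode a 20-character password policy hits on 1.5 hosts.
    """
    if not 1 <= user_id <= 63:
        raise ValueError("user ID must be in 1..63")
    field_len = 20 if ipmi20 else 16
    if len(password) > field_len:
        raise ValueError(f"password is {len(password)} bytes; this BMC's limit is {field_len}")
    user_byte = user_id & 0x3F
    if ipmi20:
        user_byte |= 0x80          # request the 20-byte password field
    # The password field is fixed-length and zero padded.
    return bytes([user_byte, OP_SET_PASSWORD]) + password.ljust(field_len, b"\x00")


def bmc_arp_control_request(channel: int, send_gratuitous: bool, respond_to_arp: bool) -> bytes:
    """Return the data bytes of a Set LAN Configuration Parameters request
    for parameter 10.  Byte 1 = channel (bits 3:0), byte 2 = parameter
    selector, byte 3 = control bits."""
    if not 0 <= channel <= 15:
        raise ValueError("channel must be in 0..15")
    control = 0
    if send_gratuitous:
        control |= ARP_SEND_GRATUITOUS
    if respond_to_arp:
        control |= ARP_RESPOND
    return bytes([channel & 0x0F, PARAM_BMC_ARP_CONTROL, control])


def ipmi_raw_args(netfn: int, cmd: int, data: bytes, lun: int = 0) -> str:
    """Format LUN, NetFn, Cmd and data as the hex arguments ipmi-raw expects."""
    return " ".join(f"0x{b:02x}" for b in (lun, netfn, cmd, *data))


if __name__ == "__main__":
    # Constructed sample values: user 2, LAN channel 1, a 20-byte password.
    pw = b"20-char-example-pass"
    print("ipmi-raw", ipmi_raw_args(NETFN_APP, CMD_SET_USER_PASSWORD,
                                    set_user_password_request(2, pw, ipmi20=True)))
    try:
        set_user_password_request(2, pw, ipmi20=False)
    except ValueError as e:
        print("IPMI 1.5 host:", e)
    # Stop the BMC sending gratuitous ARPs but keep it answering ARP requests,
    # which is the combination Andy describes; needs firmware support for both bits.
    print("ipmi-raw", ipmi_raw_args(NETFN_TRANSPORT, CMD_SET_LAN_CONFIG,
                                    bmc_arp_control_request(1, send_gratuitous=False,
                                                            respond_to_arp=True)))
```

Before relying on the ARP setting, read parameter 10 back (Get LAN Configuration Parameters, cmd 0x02) on each platform: a BMC that does not implement the response bit will reject or ignore it, and clearing the gratuitous bit on such firmware can leave the BMC unreachable once its ARP cache entries on the switch expire.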


