Basic BMC and IPMI Management Security Practices

Discussion in 'STH Main Site Posts' started by Rohit Kumar, Oct 19, 2018.

  1. Rohit Kumar

    Rohit Kumar Guest

    #1
  2. WANg

    WANg Active Member

    Joined:
    Jun 10, 2018
    Messages:
    488
    Likes Received:
    183
    You can also enhance IPMI security in some implementations by adding RADIUS/LDAP (and by the same token, AD) authentication methods to the BMC (but with a non-trivial fallback in case the network poops up). This of course means that your IPMI setup is talking to NTP so the clock is synced up. If I remember my Dell iDRAC config menu, there are provisions to do so.

    Remember, AAA (Authenticate, Authorize and Audit) is one of the keystones of good security practices. Whenever someone logs into IPMI in a box you should optimally generate a paper trail pointing to a specific user doing so at a specific machine at a specific time.
     
    #2
  3. Rand__

    Rand__ Well-Known Member

    Joined:
    Mar 6, 2014
    Messages:
    3,463
    Likes Received:
    501
    Syslog or SNMP traps to get logs off-box, and of course use SNMPv3 or at least change SNMP passwords.
     
    #3
  4. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    421
    Likes Received:
    140
    I am more in favor of isolating IPMI interfaces than integrating them with stuff like AD and NTP services, but if that is something you want to do, you should take great care with it. I think it is fair to assume that there is going to be vulnerable software inside IPMI systems that could be exploited via their interaction with other systems.

    Unlike the article, I would not recommend isolating all IPMI interfaces to a single management network, given that it is possible for an attacker to move laterally within the management network from one compromised IPMI system to compromise the others (and from there compromise the machines). The only system that should be able to access the IPMI systems should be a hardened jumphost that logs/records everything you do on it.

    Nowadays we have to assume that systems get compromised, so we have to focus on preventing them from achieving success on their objectives; preventing or limiting their ability to move laterally is a good way to do this.
     
    #4