Basic BMC and IPMI Management Security Practices

WANg

Well-Known Member
Jun 10, 2018
796
441
63
You can also enhance IPMI security in some implementations by adding RADIUS/LDAP (and by the same token, AD) authentication methods to the BMC (but with a non-trivial fallback in case the network poops up). This of course mean that your IPMI setup is talking to NTP so the clock is synched up. If I remember my Dell iDRAC config menu, there are provisions to do so.

Remember, AAA (Authenticate, Authorize and Audit) is one of the keystones of good security practices. Whenever someone logs into IPMI in a box you should optimally generate a paper trail pointing to a specific user doing so at a specific machine at a specific time.
 

Rand__

Well-Known Member
Mar 6, 2014
4,494
878
113
Syslog or SNMP traps to get logs off-box and of course use SNMPv3 or at least change SNMP passwords
 

RTM

Active Member
Jan 26, 2014
554
194
43
I am more in favor of isolating IPMI interfaces than integrating it with stuff like AD and NTP services, but if that is something you want to do, you should take great care with it, I think it is fair to assume that there are going to be vulnerable software inside IPMI systems that could be exploited via their interaction with other systems.

Unlike the article I would not recommend isolating all IPMI interfaces to a single management network, given that it is possible for an attacker to move laterally within the management network from one compromised IPMI system to compromise the others (and from compromise the machines). The only system that should be able to access the IPMI systems should be a hardened jumphost that logs/records everything you do on it.

Nowadays we have to assume that systems get compromised, so we have to focus on preventing them from achieving success on their objectives, preventing or limiting their ability move laterally is a good way to do this.