Basic BMC and IPMI Management Security Practices


WANg

You can also enhance IPMI security in some implementations by adding RADIUS/LDAP (and by the same token, AD) authentication methods to the BMC (but with a non-trivial fallback in case the network poops up). This of course means that your IPMI setup is talking to NTP so the clock is synched up. If I remember my Dell iDRAC config menu, there are provisions to do so.

Remember, AAA (Authenticate, Authorize and Audit) is one of the keystones of good security practices. Whenever someone logs into IPMI in a box you should optimally generate a paper trail pointing to a specific user doing so at a specific machine at a specific time.
 

Rand__

Syslog or SNMP traps to get logs off-box and of course use SNMPv3 or at least change SNMP passwords
 

RTM

I am more in favor of isolating IPMI interfaces than integrating them with stuff like AD and NTP services, but if that is something you want to do, you should take great care with it. I think it is fair to assume that there is going to be vulnerable software inside IPMI systems that could be exploited via their interaction with other systems.

Unlike the article, I would not recommend isolating all IPMI interfaces to a single management network, given that it is possible for an attacker to move laterally within the management network from one compromised IPMI system to compromise the others (and from there compromise the machines). The only system that should be able to access the IPMI systems should be a hardened jumphost that logs/records everything you do on it.

Nowadays we have to assume that systems get compromised, so we have to focus on preventing them from achieving success on their objectives; preventing or limiting their ability to move laterally is a good way to do this.
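Putting the three posts above together (WANg's per-user paper trail, Rand__'s syslog off-box, RTM's jumphost-only access and BMC-to-BMC lateral movement), here is an added example, not code from any poster or vendor, of the check a log collector could run over forwarded BMC login events. The syslog message format, the jumphost address and the BMC inventory are all constructed assumptions; substitute your own BMC's real log format.

```python
import re
from collections import Counter

# Constructed sample of BMC syslog lines already shipped off-box; the message
# format is hypothetical, not any vendor's real BMC log format.
SAMPLE_LOG = """\
Jun 10 14:02:11 bmc-node01 ipmi: Login success user=admin from=10.20.0.5
Jun 10 14:05:43 bmc-node02 ipmi: Login success user=ops from=10.20.0.17
Jun 10 14:06:02 bmc-node02 ipmi: Login failed user=root from=10.20.0.17
Jun 10 14:06:09 bmc-node02 ipmi: Login failed user=root from=10.20.0.17
Jun 10 14:07:30 bmc-node03 ipmi: Login success user=admin from=10.20.0.5
Jun 10 14:09:15 bmc-node03 ipmi: Login success user=admin from=10.20.0.12
"""

# Assumed inventory: the only host allowed to reach BMCs, and each BMC's own address.
JUMPHOST_IPS = {"10.20.0.5"}
BMC_IPS = {"bmc-node01": "10.20.0.11", "bmc-node02": "10.20.0.12", "bmc-node03": "10.20.0.13"}

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<bmc>\S+) ipmi: "
    r"Login (?P<result>success|failed) user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def parse_logins(text):
    """Turn raw syslog lines into dicts with ts/bmc/result/user/src (the AAA paper trail)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:  # unrelated syslog lines are skipped
            events.append(m.groupdict())
    return events

def audit(events, jumphost_ips, bmc_ips, fail_threshold=2):
    """Return (finding, bmc, user, src) tuples for events that break the policy."""
    findings = []
    bmc_addrs = set(bmc_ips.values())
    failures = Counter()
    for e in events:
        key = (e["bmc"], e["user"], e["src"])
        if e["result"] == "failed":
            failures[key] += 1
            if failures[key] == fail_threshold:  # report once per (bmc, user, src)
                findings.append(("repeated_failures",) + key)
        elif e["src"] in bmc_addrs:
            # Source is another BMC: the lateral-movement pattern the post warns about.
            findings.append(("bmc_to_bmc_login",) + key)
        elif e["src"] not in jumphost_ips:
            findings.append(("non_jumphost_login",) + key)
    return findings
```

Running `audit(parse_logins(SAMPLE_LOG), JUMPHOST_IPS, BMC_IPS)` flags the login to bmc-node02 that did not come through the jumphost, the repeated root failures against it, and the bmc-node03 login sourced from bmc-node02's own address.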