BMC/IPMI Best Practices

fohdeesha

Yeah, I agree with @WANg and @kapone's line of thought. You have to find a balance between security and practicality. Not everyone is a Fortune 500 with billions of dollars of assets to protect. "Absolute security" as a mindset will lead you down a black hole that never ends. If your method of guarding against service interruptions (security breaches) involves purposefully interrupting service (disabling IPMI altogether, etc.), then what's the point?

You need to find a balance between security effort appropriate for your target size and not making day-to-day operations a massive hassle.
 

ReturnedSword

While "absolute security" is nice, I do realize the real world doesn't work that way. I agree that if one were to constantly obsess over changing oblique scenarios things would just never get done. That's how I've approached it throughout my career anyway. I try, and insist on the same from others, that we do our homework to cover as many possibilities as thinkable. Even then there are things that didn't come to mind during design and implementation, that need to be fixed later.

I think the appropriate mindset is to keep learning and stay open-minded to discussion. After all, that's where best practices come from.

While I don't think my homelab is that interesting to state actors (hah!), my main concern regarding home stuff is more mundane things such as systems being hijacked to mine crypto coins or join DDoS botnets. So far I haven't had an issue, but have seen other home networks get infected before. Granted those individuals were not technically minded at all, nor do I think they really knew they were infected.
 

WANg

any chance you can adjust cpu voltage in there?
not saying that, but it became pretty clear that even with all the "good admin" preventative measures you can think of, you're still left with firmware that's inherently much less secure than the competitors. Personal choice, of course. Just don't put it anywhere on the internet (inbound OR outbound) and don't let anyone you don't trust near it, you'll be fine (assuming nothing happened in the supply chain, but you'd have to be an important target for that to happen)

for a point of reference: idracula took 2 to 3 weeks of nightly work to discover/make happen, with Supermicro, 30 to 60 seconds, depending, and I don't know how much I should say publicly but it's also not something that I believe they can patch with software, only way around it I see is full keys embedded in processor + sig checking. Not trying to sound like a Dell salesman here (really) but that's my experience the last month or two
Well, that's similar to my experiences, and here's something that should surprise NO ONE who worked with Cisco, HPe, Dell and SM gear - SM is cheap for a reason, and that reason is because they often cut corners with firmware development, and that means most of them are very rudimentary with no built-in protection against anyone with ill-intent. Granted, when I boot up an R620 or something 13th Gen (whatever that means), I don't want to wait 5 minutes before power-up, BMC/"lifecycle controller" init and the actual boot menu/BIOS/whatever (which I tend to see on Dell and HPe gear). It's usually 1 minute or less on SM stuff - that's because SM is usually "roll your own". They typically expose all the hardware features to you and expect you to be the grown-up in the room. Don't forget that implementing security is an expensive proposition - the engineers who know how to do proper chain-of-trust in firmware are expensive, and you'll often need to beef up your hardware (bigger EEPROM, stronger BMC, more scratch RAM) to deal with it, and if you implement fixes, that's a post-sale expense that you rarely get rewarded/incentivized upon, and if the motivation isn't there, they won't do it. When I worked for the company that used SM hardware (the prop trading firm) we treated the machines like they are disposable - base warranty and off to the curb if they break, since we'll need to cycle out to the faster hardware to keep up with the market anyways. So yeah, not to say that I don't trust SuperMicros (since there are "disposable" environments where I would use them or labs where you can test out new hardware features without throwing down some serious dollars), but as the old saying goes, you do get what you paid for.
 