Towards a separate IPMI Domain Stefan Lüders CERN Computer Security Officer AI 2014/1/23



TRANSCRIPT

Page 1: Towards a separate IPMI Domain

Towards a separate IPMI Domain

Stefan Lüders CERN Computer Security Officer

AI 2014/1/23

Page 2: Towards a separate IPMI Domain

About IPMI No-Security

• IPMI/BMC is the most direct way to access physical hosts
• BMCs are full-fledged computers themselves today
• IPMI/BMC interfaces insufficiently protected:
  • New firmware only irregularly provided
  • Old BMCs are difficult to upgrade
  • Prompt patching, in any case, difficult
• 2013: Fixing severe IPMI/BMC vulnerabilities took 5 months

Page 3: Towards a separate IPMI Domain

A CC MGMT Domain

[Diagram: a Firewall/Gateway separating the General Purpose Network (GPN) and the Experiment Network from the IPMI domain]

We already have a dedicated network domain for IPMI, PDUs, KVM connections, …
• …in the barn and at Wigner
• …to come to the CC machine room
• …transparent to GPN/LCG

Proposal:
• Restrict access on Feb 5th
• Any objections?
• What is missing to be “trusted”? (e.g. IPMI no_contact)

“Trusted” Bypass List:
• IT CC AGILE IPMI
• IT CC CONSOLE SERVICE
• IT CC LXADM WITH SSH
• IT DRUPAL IPMI
• IT LINUXSOFT IPMI
• HTTPS
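The slide proposes a default-deny gateway in front of the IPMI domain with a short list of trusted bypass sets, one of them (LXADM) restricted to SSH. The following is an added example, not part of the presentation or of any CERN tooling: a small policy model that expresses that design and audits constructed flow records against it. The bypass-set names are taken from the slide; the address ranges (RFC 5737 documentation prefixes), the per-set service restrictions, the port numbers and the sample flows are all assumptions made for the example.

```python
"""Policy model for a segregated IPMI management domain (added example).

Bypass-set names come from the slide; every address range, port and
sample flow below is a constructed placeholder, not a real CERN value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Address plan: RFC 5737 documentation prefixes used as placeholders.
IPMI_DOMAIN = ip_network("192.0.2.0/24")       # separate IPMI/BMC management domain
GPN = ip_network("198.51.100.0/24")            # General Purpose Network
EXPERIMENT_NET = ip_network("203.0.113.0/24")  # Experiment Network (no bypass granted)

# Services as (protocol, destination port).
IPMI_RMCP = ("udp", 623)   # RMCP+ used by IPMI-over-LAN
SSH = ("tcp", 22)
HTTPS = ("tcp", 443)       # BMC web consoles


@dataclass(frozen=True)
class BypassEntry:
    name: str
    sources: tuple          # ip_network objects allowed as sources
    services: frozenset     # (proto, port) pairs the set may reach


# Trusted bypass list from the slide; source ranges and services are assumed.
TRUSTED_BYPASS = (
    BypassEntry("IT CC AGILE IPMI", (ip_network("198.51.100.0/28"),), frozenset({IPMI_RMCP})),
    BypassEntry("IT CC CONSOLE SERVICE", (ip_network("198.51.100.16/28"),), frozenset({IPMI_RMCP, HTTPS})),
    BypassEntry("IT CC LXADM WITH SSH", (ip_network("198.51.100.48/29"),), frozenset({SSH})),
    BypassEntry("IT DRUPAL IPMI", (ip_network("198.51.100.80/32"),), frozenset({IPMI_RMCP})),
    BypassEntry("IT LINUXSOFT IPMI", (ip_network("198.51.100.81/32"),), frozenset({IPMI_RMCP})),
    BypassEntry("HTTPS", (ip_network("198.51.100.96/32"),), frozenset({HTTPS})),
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple:
    """Decide what the IPMI-domain gateway does with one flow.

    Returns (verdict, reason) where verdict is "pass" (policy does not
    apply), "allow" (matched a bypass entry or is intra-domain) or "deny".
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst not in IPMI_DOMAIN:
        return ("pass", "destination outside the IPMI domain")
    if src in IPMI_DOMAIN:
        return ("allow", "intra-domain management traffic")
    service = (flow.proto.lower(), flow.dport)
    for entry in TRUSTED_BYPASS:
        # Both the source set and the specific service must match; LXADM, for
        # instance, is trusted for SSH only, not for direct RMCP+ to the BMCs.
        if any(src in net for net in entry.sources) and service in entry.services:
            return ("allow", entry.name)
    return ("deny", "default deny into the IPMI domain")


def audit(flows: Iterable[Flow]) -> list:
    """Return the flows the gateway would refuse, each with its reason."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed flow records, as a monitoring system might export them.
SAMPLE_FLOWS = (
    Flow("198.51.100.10", "192.0.2.5", "udp", 623),     # AGILE host, RMCP+: allowed
    Flow("198.51.100.200", "192.0.2.5", "udp", 623),    # arbitrary GPN host: denied
    Flow("198.51.100.50", "192.0.2.7", "tcp", 22),      # LXADM over SSH: allowed
    Flow("198.51.100.50", "192.0.2.7", "udp", 623),     # LXADM direct IPMI: denied
    Flow("203.0.113.9", "192.0.2.9", "tcp", 443),       # Experiment Network: denied
    Flow("192.0.2.3", "192.0.2.9", "tcp", 443),         # intra-domain: allowed
    Flow("198.51.100.10", "198.51.100.20", "tcp", 80),  # GPN to GPN: policy not applicable
)


def denied_count(flows: Iterable[Flow] = SAMPLE_FLOWS) -> int:
    return len(audit(flows))


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Running the audit before the restriction date shows which existing management flows would break, which is exactly the "what is missing to be trusted" question the slide asks; anything that appears in the deny list either needs a bypass entry or is traffic that should not be reaching BMCs at all.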