Towards a separate IPMI Domain
Stefan Lüders CERN Computer Security Officer
AI 2014/1/23
About IPMI No-Security
• IPMI/BMC is the most direct way to access physical hosts
• BMCs are full-fledged computers themselves today
• IPMI/BMC interfaces are insufficiently protected:
  • New firmware is only irregularly provided
  • Old BMCs are difficult to upgrade
  • Prompt patching is, in any case, difficult
• 2013: Fixing severe IPMI/BMC vulnerabilities took 5 months
A CC MGMT Domain
(Diagram labels: Firewall/Gateway, General Purpose Network (GPN), Experiment Network, IPMI)
We already have a dedicated network domain for IPMI, PDUs, KVM connections, …
• …in the barn and at Wigner
• …to come to the CC machine room
• …transparent to GPN/LCG
Proposal:
• Restrict access on Feb 5th
• Any objections?
• What is missing to be “trusted”?
(e.g. IPMI no_contact)
“Trusted” Bypass List:
• IT CC AGILE IPMI
• IT CC CONSOLE SERVICE
• IT CC LXADM WITH SSH
• IT DRUPAL IPMI
• IT LINUXSOFT IPMI
• HTTPS
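As an added illustration that is not part of the slides, the following Python sketch applies the proposed rule to constructed flow records: traffic into the IPMI domain is allowed only from inside the domain, from the source sets on the “Trusted” bypass list, or over HTTPS, and anything else reaching UDP 623 is flagged. The address ranges, the TEST-NET-1 addresses standing in for GPN hosts, and the reading of the list's HTTPS entry as an allowed protocol are assumptions.

```python
from collections import namedtuple
import ipaddress

IPMI_PORT = 623  # IPMI over LAN (RMCP/RMCP+) listens on UDP 623
# Address ranges are assumptions for this example, not CERN's actual plan.
IPMI_DOMAIN = ipaddress.ip_network("10.10.0.0/16")  # the separate IPMI/MGMT domain
# Source sets named on the slide's "Trusted" bypass list; their ranges are constructed.
TRUSTED_SETS = {
    "IT CC AGILE IPMI": ipaddress.ip_network("10.20.1.0/24"),
    "IT CC CONSOLE SERVICE": ipaddress.ip_network("10.20.2.0/24"),
    "IT CC LXADM WITH SSH": ipaddress.ip_network("10.20.3.0/24"),
    "IT DRUPAL IPMI": ipaddress.ip_network("10.20.4.0/24"),
    "IT LINUXSOFT IPMI": ipaddress.ip_network("10.20.5.0/24"),
}
# The list's HTTPS entry, read here as "HTTPS into the domain is allowed from anywhere".
TRUSTED_PORTS = {("tcp", 443): "HTTPS"}
Flow = namedtuple("Flow", "src dst proto dport")

def classify(flow):
    """Return (verdict, reason) for a single flow record."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if dst not in IPMI_DOMAIN:
        return "ignore", "destination outside the IPMI domain"
    if src in IPMI_DOMAIN:
        return "allow", "intra-domain traffic"
    for name, net in TRUSTED_SETS.items():
        if src in net:
            return "allow", f"trusted bypass: {name}"
    if (flow.proto, flow.dport) in TRUSTED_PORTS:
        return "allow", f"trusted bypass: {TRUSTED_PORTS[(flow.proto, flow.dport)]}"
    if flow.proto == "udp" and flow.dport == IPMI_PORT:
        return "alert", "IPMI/RMCP+ from an untrusted network (e.g. GPN)"
    return "deny", "untrusted source"

def audit(flows):
    """Return (flow, verdict, reason) for every flow the policy would not allow."""
    results = [(f, *classify(f)) for f in flows]
    return [r for r in results if r[1] in ("alert", "deny")]
# Constructed sample flows (TEST-NET-1 addresses stand in for GPN hosts).
SAMPLE_FLOWS = [
    Flow("10.20.1.7", "10.10.3.4", "udp", 623),   # trusted set -> BMC: allow
    Flow("192.0.2.10", "10.10.3.4", "udp", 623),  # GPN host -> BMC over IPMI: alert
    Flow("10.10.3.4", "10.10.3.9", "udp", 623),   # BMC -> BMC inside the domain: allow
    Flow("192.0.2.11", "10.10.3.4", "tcp", 443),  # GPN host -> BMC web UI: allow (HTTPS)
    Flow("192.0.2.11", "10.10.3.4", "tcp", 22),   # GPN host -> BMC SSH: deny
]

if __name__ == "__main__":
    for f, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict.upper():5} {f.src} -> {f.dst}:{f.dport}/{f.proto}  {reason}")
```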