Towards a separate IPMI Domain
Stefan Lüders CERN Computer Security Officer
AI 2014/1/23
About IPMI No-Security
• IPMI/BMC is the most direct way to access physical hosts
• BMCs are full-fledged computers themselves today
• IPMI/BMC interfaces insufficiently protected:
  • New firmware only irregularly provided
  • Old BMCs are difficult to upgrade
  • Prompt patching, in any case, difficult
  • 2013: Fixing severe IPMI/BMC vulnerabilities took 5 months
[Diagram: a CC MGMT Domain behind a Firewall/Gateway; labels: General Purpose Network (GPN), Experiment Network, GPN, IPMI]
We already have a dedicated network domain for IPMI, PDUs, KVM connections, …
• …in the barn and at Wigner
• …to come to CC machine room
• …transparent to GPN/LCG
Proposal:
• Restrict access on Feb 5th
• Any objections?
• What is missing to be “trusted”? (e.g. IPMI no_contact)
“Trusted” Bypass List:
• IT CC AGILE IPMI
• IT CC CONSOLE SERVICE
• IT CC LXADM WITH SSH
• IT DRUPAL IPMI
• IT LINUXSOFT IPMI
• HTTPS
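As an added example (not part of the slides), a small audit script that, ahead of the Feb 5th restriction, lists which sources reach management services in the IPMI domain without belonging to one of the trusted bypass sets, so nothing that needs to be on the list is cut off by surprise. The set names are those on the slide; the IPMI domain prefix, the per-set address ranges, the flow record format and the management ports are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed addressing (assumptions, not CERN's): the dedicated IPMI domain
# and the "trusted" bypass sets named on the last slide. The slide also lists
# HTTPS without a source set; here it is simply counted as a management service.
IPMI_DOMAIN = ipaddress.ip_network("10.10.0.0/16")
TRUSTED_SETS = {
    "IT CC AGILE IPMI": ipaddress.ip_network("10.20.1.0/24"),
    "IT CC CONSOLE SERVICE": ipaddress.ip_network("10.20.2.0/24"),
    "IT CC LXADM WITH SSH": ipaddress.ip_network("10.20.3.0/24"),
    "IT DRUPAL IPMI": ipaddress.ip_network("10.20.4.0/24"),
    "IT LINUXSOFT IPMI": ipaddress.ip_network("10.20.5.0/24"),
}
# Ports on which BMCs are normally reached (assumption): RMCP/IPMI, web UI, SSH.
MGMT_PORTS = {623: "ipmi", 443: "https", 22: "ssh"}

def trusted_set(src):
    """Name of the bypass set covering src (a string), or None if it would be cut off."""
    addr = ipaddress.ip_address(src)
    return next((name for name, net in TRUSTED_SETS.items() if addr in net), None)

def audit_ipmi_access(flow_lines):
    """Map each untrusted source that talks to the IPMI domain to the management
    services it used. Lines are constructed 'src dst proto dport' records."""
    findings = {}
    for line in flow_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed records
        src, dst, dport = fields[0], ipaddress.ip_address(fields[1]), int(fields[3])
        if dst not in IPMI_DOMAIN or dport not in MGMT_PORTS:
            continue  # not a management flow into the IPMI domain
        if trusted_set(src) is None:
            findings.setdefault(src, Counter())[MGMT_PORTS[dport]] += 1
    return {src: dict(c) for src, c in findings.items()}

# Constructed sample flows, as a firewall/gateway might export them.
SAMPLE_FLOWS = [
    "10.20.1.5 10.10.3.7 udp 623",    # AGILE set: trusted
    "172.16.9.2 10.10.3.7 udp 623",   # GPN host not on the bypass list
    "172.16.9.2 10.10.3.8 tcp 443",   # same host, BMC web UI
    "10.20.3.9 10.10.4.1 tcp 22",     # LXADM set over SSH: trusted
    "192.168.5.5 10.10.4.1 tcp 80",   # not a management port: ignored
    "10.20.2.1 10.50.0.1 udp 623",    # destination outside the IPMI domain: ignored
]

if __name__ == "__main__":
    for src, services in audit_ipmi_access(SAMPLE_FLOWS).items():
        print(f"{src}: {services}")
```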