Towards a separate IPMI Domain
Stefan Lüders, CERN Computer Security Officer
AI 2014/1/23
About IPMI No-Security
• IPMI/BMC is the most direct way to access physical hosts
• BMCs are full-fledged computers themselves today
• IPMI/BMC interfaces are insufficiently protected:
  • New firmware is only irregularly provided
  • Old BMCs are difficult to upgrade
  • Prompt patching is, in any case, difficult
  • 2013: fixing severe IPMI/BMC vulnerabilities took 5 months
A CC MGMT Domain
• We already have a dedicated network domain for IPMI, PDUs, KVM connections, …
  • …in the barn and at Wigner
  • …to come to the CC machine room
  • …transparent to GPN/LCG
• Proposal:
  • Restrict access on Feb 5th
  • Any objections?
  • What is still missing to be “trusted”? (e.g. IPMI no_contact)
“Trusted” Bypass List:
• IT CC AGILE IPMI
• IT CC CONSOLE SERVICE
• IT CC LXADM WITH SSH
• IT DRUPAL IPMI
• IT LINUXSOFT IPMI HTTPS