Session ID: 1764 Establishing and Maintaining a Highly Secure HP ProLiant Server Management Environment
Establishing and Maintaining a Highly Secure HP ProLiant Server Management Environment
• Interest in security is at an all-time high in the IT community. No one wants to be the cause of a major organizational outage due to an attack or exploit. But security is not only high profile, it is also labor intensive.
• Discuss methods to assist in locking down the environment
• Learn how to provide a management interface that doesn't compromise security, using best practices around Lights-Out Management processors, HP Systems Insight Manager, and HP Storage Essentials software
“Understanding HP SIM security” whitepaper
• Covers most of the subjects from this session, and more…
• Other useful information is in the ‘HP SIM User Guide’ and in the online help…
• http://h10018.www1.hp.com/wwsolutions/misc/hpsim-helpfiles/hpsim_5_Security.pdf
• …or access any HP SIM document / user guide / whitepaper from http://www.hp.com/go/hpsim --> Information Library
Login security
• HP SIM identifies valid users through the operating system and does not maintain passwords of its own
• HP SIM 5.0 added the ability to add users based on Active Directory groups
• Role-based security can be used to authorize users on a system-by-system basis and to control which tools they have access to
• Starting with Insight Agents 7.1, the agents also changed to operating system security
• iLO has on-board accounts, but with an Advanced Pack or Select Pack (iLO2 only) it can validate against a directory (AD or eDIR)
• Additional two-factor security is also available with the directory option
• HP c-Class Onboard Administrator has on-board accounts plus supports LDAP security out of the box
• Accounts can be authorized/de-authorized on a system bay basis
CMS Port List (from the HP SIM security whitepaper)
Notes to the port table:
1 All ports are for TCP and UDP (except ICMP).
2 The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system.
3 The RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and firewalls may block this port.
4 Many CMS outgoing ports are used for discovery.
5 The exact UDP/TCP ports used by DMI are dynamic and vary from system to system, but they tend to be around 32,780 and higher.
6 Port number is configurable in mx.properties using MX_SOAP_PORT.
7 Port number is configurable in mx.properties using MX_SOAP_SSO_PORT.
8 Port number is configurable in mx.properties using MX_SOAP_HTTP_PORT; the port can be enabled/disabled in globalsettings.props using HTTP_SOAP_PORT_ENABLE with “true” or “false.”
Ports used
• Additional ports used by ProLiant Essentials, documented in the same whitepaper
  • Virtual Machine Management Pack
  • Vulnerability and Patch Management Pack
• Ports assigned by the Internet Assigned Numbers Authority
  • The Registered Ports are those from 1024 through 49151
  • The listing can be accessed from http://www.iana.org/assignments/port-numbers
  • This list can be useful in tracking down where a port request may be coming from (although not all are documented)
Security and SNMP
• Yes, it’s true that SNMP is not secure and plain text community strings are passed
• But, if you’ve got people sniffing your corporate network, you have bigger problems than SNMP
• At any rate, SNMP is not recommended for use outside of a firewall on the Internet
• HP SIM does not use a ‘write’ community string for any operation
• You can use reasonable measures to secure SNMP
  • Respond to only specific hosts (SNMP layer)
  • Bind to a specific interface (Insight agent)
• NOTE: It is not recommended that you enable management protocols such as SNMP or DMI on systems outside your firewall or directly connected to the Internet
HP SIM, Insight Agents and SNMP
• HP SIM uses SNMP for
  • Discovery
  • Data collection
  • Events (SNMP traps)
• All WRITE operations performed by HP SIM are done through secure HTTP, not SNMP
• Insight Agents use SNMP for
  • Threshold setting
  • Intra-agent communication
• Example: even though HP SIM talks to the agent over the wire via HTTPS, without a ‘Read-Write’ community string on the target an ‘Update Software/Firmware’ task will fail, typically with a misleading error such as ‘Not enough storage space on target device.’
HP SIM usage of SNMP by platform
• ProLiant servers
  • Status polling (ProLiant status array)
  • Data collection
  • Events (SNMP traps)
• Integrity servers
  • Windows
    • Status polling
    • Data collection
    • Events (SNMP traps)
  • Linux
    • Status polling
    • Data collection
    • Events (SNMP traps)
  • HP-UX
    • Status polling
• Non-HP devices
  • Status polling
  • Events (SNMP traps)
NOTE: It is not recommended that you enable management protocols such as SNMP or DMI on systems outside your firewall or directly connected to the Internet.
WBEM and WMI
• Use authentication security based on username and password
• Traverse the network using secure protocols
  • WBEM uses secure HTTP
  • WMI uses DCOM
• HP Integrity servers running HP-UX 11i use WBEM services instead of SNMP
• This is the SAME mechanism used for the SMI-S providers used for storage
• It is NOT practical at this time to manage ProLiant servers without using SNMP
WMI and DCOM error 10009
• HP SIM performs an ‘Identification’ process immediately after discovery and (by default) on a daily basis
• ‘Identification’ is like playing 20 questions with a device to find out what it can do
• With WBEM enabled and the WMI Mapper installed, each and every device will be asked if it supports WMI, and HP SIM will attempt to authenticate with each and every username/password combination it has
• Devices that don’t support WMI (printers, routers, Linux servers, etc.) or for which HP SIM doesn’t have the proper credentials will produce a DCOM error 10009 on the CMS
• This can be minimized, but not eliminated, by leaving WBEM disabled in the Global Protocol Settings and enabling it on a system-by-system basis instead
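To find which systems to take out of the global WBEM setting, the DCOM 10009 events on the CMS can be grouped by target host and by day. The following is an added example, not code from the slides or from HP SIM; the log lines are constructed, and the flattened "date time source id message" layout is an assumption (only the 10009 message text is the real DCOM wording).

```python
import re
from collections import defaultdict

# Constructed sample of CMS System event log lines (Windows DCOM event 10009),
# flattened to "date time source id message"; not real data from the slides.
SAMPLE_LOG = """\
2007-03-12 02:00:14 DCOM 10009 DCOM was unable to communicate with the computer printer-01.corp.example using any of the configured protocols.
2007-03-12 02:00:15 DCOM 10009 DCOM was unable to communicate with the computer core-rtr-2.corp.example using any of the configured protocols.
2007-03-12 02:00:17 DCOM 10009 DCOM was unable to communicate with the computer lnx-web-07.corp.example using any of the configured protocols.
2007-03-12 02:00:19 DCOM 10009 DCOM was unable to communicate with the computer printer-01.corp.example using any of the configured protocols.
2007-03-12 02:00:21 Service Control Manager 7036 The HP Systems Insight Manager service entered the running state.
2007-03-13 02:00:11 DCOM 10009 DCOM was unable to communicate with the computer printer-01.corp.example using any of the configured protocols.
"""

# Event 10009 message as logged by DCOM; the date/time/source prefix is our own flattening.
EVENT_10009 = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ DCOM 10009 DCOM was unable to communicate with the computer "
    r"(?P<host>\S+) using any of the configured protocols\.$"
)

def dcom_10009_days_by_host(log: str) -> dict[str, set[str]]:
    """Map each target host named in a DCOM 10009 event to the set of days it appeared on."""
    days = defaultdict(set)
    for line in log.splitlines():
        m = EVENT_10009.match(line.strip())
        if m:
            days[m["host"]].add(m["date"])
    return dict(days)

def wbem_exclusion_candidates(log: str, min_days: int = 2) -> list[str]:
    """Hosts that fail DCOM on at least `min_days` daily identification runs.

    A host that fails on several days is not a transient outage: it is a device
    that does not speak WMI (or one the CMS lacks credentials for) and is a
    candidate to have WBEM disabled in its per-system protocol settings.
    """
    days = dcom_10009_days_by_host(log)
    return sorted(h for h, d in days.items() if len(d) >= min_days)

if __name__ == "__main__":
    for host, days in sorted(dcom_10009_days_by_host(SAMPLE_LOG).items()):
        print(f"{host}: {len(days)} day(s) with DCOM 10009")
    print("candidates for per-system WBEM disable:", wbem_exclusion_candidates(SAMPLE_LOG))
```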
Secure Shell (SSH)
• Used by HP SIM on the CMS to perform local commands and also by the Distributed Task Function
• Reason to update to HP SIM 5
  • Local commands can bypass SSH and avoid setup problems
• Tools in HP SIM using SSH are designed to run in the context ‘administrator’
• Disabled or renamed administrator accounts need special handling
Renamed or disabled account
• Renamed account
  • HP SIM automatically detects the renamed account during installation and sets the global property
  • After installation, execute:
    mxglobalsettings -ld WindowsAdminUserName
    which reports, for example:
    WindowsAdminUserName = MyAdmin
  • Any tools that are to run as Administrator automatically run with this changed name.
• Disabled account
  • Specify a different account to be used:
    mxglobalsettings -s WindowsAdminUserName=MyDomain\AlternateAdmin
  • Add the user account to HP SIM:
    mxuser -a MyDomain\AlternateAdmin -p full -C Administrator
  • Don’t forget to also run ‘mxauth’ to set appropriate permissions
  • Step-by-step instructions are in ‘Secure Shell in HP SIM 5.0’ in the information library at http://www.hp.com/go/hpsim
Single Sign-on
• HP SIM can eliminate the need to log in to each individual agent session through trust relationships
  • Certificate (preferred)
  • Name (insecure, because hostnames are easily spoofed)
  • None (no security at all)
• Ways to distribute the certificate
  • Manual request from the agent
  • Browse from HP SIM to an untrusted agent and log in; the certificate will be populated automatically
  • Pre-configure the certificate in the PSP before distribution (via RDP, Software/Firmware upgrade, manually)
  • Replicate agent settings
  • Configure or repair agents
Single Sign-on
• HP c-Class Onboard Administrator uses a certificate trust mechanism with HP SIM
• Does not change / obviate local accounts or directory
• Coming soon: iLO2 single sign-on (standard)
User context
• Role-based security enables granular control of users, specifying access to:
  • Systems
  • Tools
• When adding a user to HP SIM there is a context that can be specified
• This includes the ability to be administrator or operator, and permission to configure the HP SIM system
• Levels of control can be specified right down to the agent level
User context
• HP SIM non-administrative users do NOT have the ability to clear or delete events
• A workaround ‘hack’ is available that enables users to both clear and delete when not administrator
  • dclaypool@hp.com
• Next major release of HP SIM (think January) includes the ability to grant clear and delete privileges individually
Configure or repair agents…
• New feature that first appeared in HP SIM 4.2
• Uses operating system security to establish a connection with the agent(s) and “fixes” all security problems
  • Distributes the certificate to the agent and sets the agent to certificate trust
  • Configures OpenSSH if present
  • Configures a Read-Only community string that HP SIM knows about
  • If a Read-Write community string doesn’t exist, HP SIM creates a long, individualized random one, does not retain it, and enables SNMP sets
  • Adds an SNMP trap destination of the HP SIM server
  • Subscribes to WBEM indications (events)
Target security best practices: ProLiant server with ProLiant Support Pack
• Network
  • Consider setting up a separate management network to house all iLOs, OAs and a production NIC
  • This can be a VLAN and can share a production NIC through tagging
• SNMP
  • Sets need to be enabled for agent operation
  • A Read-Only community string
    • Use this string for HP SIM
  • A Read-Write or Read-Create (Windows) community string
    • Do NOT use this string with HP SIM, so it does not traverse the wire
  • Respond only to ‘localhost’ and the HP SIM server(s)
• Insight Agents
  • Bind to a specific IP address (includes VLAN tagging)
  • Respond to the administrator’s subnet only, including HP SIM
• SSH
  • Only install OpenSSH on target machines if the distributed task function is desired
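The SNMP guidance from the "Security and SNMP" slide and the best-practices list above (read-only string reserved for HP SIM, read-write string kept off the wire, respond only to localhost and the CMS, bind to one address) can be checked mechanically against a net-snmp style snmpd.conf. This is an added example, not from the slides or from HP; the two config fragments are constructed, the community strings are made up, and the addresses (10.10.20.5 as the CMS, 10.10.20.41 as the managed server's management-VLAN address) are assumptions.

```python
import re

# Constructed snmpd.conf fragments in net-snmp syntax, for illustration only.
# Assumed addresses: 10.10.20.5 = HP SIM CMS, 10.10.20.41 = managed server on the management VLAN.
WEAK_CONF = """\
rocommunity public          # well-known string, answers any source host
rwcommunity private         # read-write string reachable from the whole network
agentaddress udp:161        # listens on every interface
"""

HARDENED_CONF = """\
# read-only string for HP SIM, answered only to localhost and the CMS
rocommunity hpsim-ro-Xk29 127.0.0.1
rocommunity hpsim-ro-Xk29 10.10.20.5
# read-write string for the Insight Agents' own SNMP sets; never handed to HP SIM
rwcommunity agent-rw-Qm4v7 127.0.0.1
# bind the agent to the management-VLAN address only
agentaddress udp:10.10.20.41:161
"""

WELL_KNOWN = {"public", "private"}
BOUND_ADDR = re.compile(r"^udp:\d+\.\d+\.\d+\.\d+:\d+$")  # IPv4 host:port, not a bare port

def audit_snmpd(conf: str, cms_hosts: set[str]) -> list[str]:
    """Return one finding per line that breaks the slide's SNMP guidance.
    Sources are compared as exact hosts; real configs may also use CIDR ranges."""
    allowed_ro = cms_hosts | {"127.0.0.1"}
    findings = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not parts:
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive in ("rocommunity", "rwcommunity") and args:
            community = args[0]
            source = args[1] if len(args) > 1 else None   # None = any host
            if community in WELL_KNOWN:
                findings.append(f"{directive}: well-known community string '{community}'")
            if source is None:
                findings.append(f"{directive}: '{community}' answers any source host")
            elif directive == "rwcommunity" and source != "127.0.0.1":
                findings.append(f"rwcommunity: '{community}' reachable from {source}; keep sets on localhost")
            elif directive == "rocommunity" and source not in allowed_ro:
                findings.append(f"rocommunity: '{community}' allowed from non-CMS host {source}")
        elif directive == "agentaddress":
            if not all(BOUND_ADDR.match(a) for a in args):
                findings.append(f"agentaddress: not bound to a specific IP address ({' '.join(args)})")
    return findings

if __name__ == "__main__":
    print("weak:", *audit_snmpd(WEAK_CONF, {"10.10.20.5"}), sep="\n  ")
    print("hardened:", audit_snmpd(HARDENED_CONF, {"10.10.20.5"}))
```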
Best way to get your security questions answered…
• HP IT Resource Center Forum for HP SIM
  • http://www.hp.com/itrc/forums
  • System Management --> HP Systems Insight Manager
• Great community with loads of experience
• Also monitored by 3rd level HP Support and the HP SIM development team
Also recommended…
Session 1840: HP Systems Insight Manager and Plug-in Security
Claudia Peters, Enterprise Solutions Architect
2:00 – 4:30 TODAY, Room 332 F