BMC/IPMI security
Lamont Granquist
lamont at scriptkiddie.org
Thu Sep 13 20:29:05 CDT 2007
If you're using VLAN tagging can't you just reconfigure the host O/S eth0
to use the management VLAN?
I also believe that the host O/S can send arbitrary packets out the BMC
interface and that if one was sufficiently bored one could write a bmc0
network interface to let the host O/S use the BMC just like eth0 and
thereby hop onto the management VLAN. I believe this will also work for
the DRACs since they support the IPMI spec out the DRAC port, so you
should be able to compromise the management VLAN that way as well.
IMO, if you take a thousand servers, hook up a front-end "production"
network and a back-end "secure" administrative network you do not actually
have any of the security that you think you do. Multi-purpose servers are
not security devices and if you have a thousand of them in between two
networks you should always consider those two networks to have an
identical level of security.
It might be possible to get this level of security out of using IP-based
KVM switches or something like that, since it's difficult to hack out of
the VGA port and takeover the KVM switch.
I'd just make sure that you've got different passwords and keys on all
your servers and keep those keys in a database on a bastion host that has
to be used to access the consoles. That way you don't need to buy
additional hardware, and you can prevent takeovers of one machine from
compromising the BMC IPMI controller on another machine. Secure
provisioning of the key material is difficult, but I believe the Trusted
Computing Modules that will eventually be making their way into servers
will address this (and let you securely distribute ssh keys, kerberos
keys, webserver keys, etc).
On Wed, 12 Sep 2007, t m wrote:
> I've been experimenting with the BMC on my SC1435 which shares the
> local network interface with the server, and I'm wondering about
> security.
>
> My testing is only preliminary, but it appears that while the BMC is
> on a particular vlan, the local server doesn't seem to be able to
> transmit frames on that same VLAN to the network. If this is
> accurate, then the BMC would be masking the management VLAN away from
> the server. Additionally, I haven't been able to use ipmitool on the
> local machine's command line to reconfigure the BMC's VLAN. Here's
> what I get after several seconds:
>
> [root at test ~]# ipmitool lan set 1 vlan id off
> LAN Parameter Data does not match! Write may have failed.
>
> If this behavior is actually intended, then this is exactly what I'm
> after as it provides a mechanism to properly segregate my management
> network from my production network for the BMC and server interfaces,
> respectively. However, I can't seem to find anything in Dell's
> PowerEdge documentation detailing how this aspect of the BMC should
> work, so I'm not sure if I should rely on this from a security
> perspective. I'm ultimately trying to avoid a scenario where a
> compromised server could break into the management network. I care
> less if the server reconfigures the local BMC, but I definitely want
> to keep a compromised machine from accessing other BMCs or a
> management server.
>
> Are there any knowledgeable folks out there who know if this behavior
> is by design?
>
> Thanks,
> Tom
>
> _______________________________________________
> Linux-PowerEdge mailing list
> Linux-PowerEdge at dell.com
> http://lists.us.dell.com/mailman/listinfo/linux-poweredge
> Please read the FAQ at http://lists.us.dell.com/faq
>
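The two concerns in this thread, whether a BMC on a shared NIC actually sits on a VLAN the host cannot reach and whether every server's BMC has its own credentials, can both be checked from an inventory script. The following Python is an added example written for this page, not code from either poster or from Dell; it parses the key/value text layout that `ipmitool lan print` emits (the sample output, the VLAN numbers and the credential inventory are constructed here) and the host-side VLAN list is assumed to come from the host's own interface configuration.

```python
"""
Audit helper for BMC LAN settings (added example, not from the thread).
Parses ipmitool's 'Key : Value' output, reports whether the BMC's VLAN is
segregated from anything the host OS can already transmit on, and finds
BMC credentials reused across a fleet.
"""
import hashlib

# Constructed sample in the layout of `ipmitool lan print 1`; the field names
# follow ipmitool's output, the values are made up for this example.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : MD2 MD5
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : 100
802.1q VLAN Priority    : 0
"""


def parse_lan_print(text):
    """Turn ipmitool's 'Key : Value' lines into a dict.

    Continuation lines (leading ':' with no key, as under 'Auth Type Enable')
    are appended to the previous key so nothing is silently dropped.
    """
    settings = {}
    last_key = None
    for line in text.splitlines():
        if ':' not in line:
            continue
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip()
        if key:
            settings[key] = value
            last_key = key
        elif last_key:
            settings[last_key] += ' | ' + value
    return settings


def bmc_vlan_id(settings):
    """Return the BMC's 802.1q VLAN ID as an int, or None when tagging is off."""
    raw = settings.get('802.1q VLAN ID', 'Disabled')
    return None if raw.lower() == 'disabled' else int(raw)


def audit_segregation(bmc_settings, host_vlan_ids, shared_nic=True):
    """Return finding codes about management-network segregation.

    host_vlan_ids: set of VLAN IDs the host OS already has interfaces on
    (assumed to be collected from the host's own network configuration).
    shared_nic: True when the BMC rides the same physical port as the host.
    """
    findings = []
    vid = bmc_vlan_id(bmc_settings)
    if shared_nic and vid is None:
        # Untagged BMC traffic shares the host's broadcast domain outright.
        findings.append('bmc-untagged-on-shared-nic')
    if vid is not None and vid in host_vlan_ids:
        # The host can already send tagged frames on the management VLAN,
        # so a compromised host reaches other BMCs without any trick.
        findings.append('host-has-interface-on-bmc-vlan')
    return findings


def find_reused_bmc_secrets(inventory):
    """Group hosts by a SHA-256 fingerprint of their BMC secret and return
    every group larger than one: shared credentials that let a takeover of
    one machine log in to another machine's BMC. The fingerprint exists only
    for comparison here; real storage belongs on the bastion's database."""
    by_fp = {}
    for host, secret in inventory.items():
        fp = hashlib.sha256(secret.encode()).hexdigest()
        by_fp.setdefault(fp, []).append(host)
    return [sorted(hosts) for hosts in by_fp.values() if len(hosts) > 1]


if __name__ == '__main__':
    cfg = parse_lan_print(SAMPLE_LAN_PRINT)
    print('BMC VLAN:', bmc_vlan_id(cfg))
    print('findings:', audit_segregation(cfg, host_vlan_ids={200}))
    # Constructed inventory: two servers sharing one BMC password.
    fleet = {'web01': 'S3cret-A', 'web02': 'S3cret-A', 'db01': 'S3cret-B'}
    print('reused secrets:', find_reused_bmc_secrets(fleet))
```

Run it against real output by piping `ipmitool lan print 1` into `parse_lan_print` and supplying the host's VLAN IDs; an empty findings list only means the BMC VLAN is not one the host is already configured for, which is the check Tom's experiment approximates, not proof that the host cannot emit tagged frames through the BMC port.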