BMC/IMPI security
Fred Skrotzki
fskrotzki at textwise.com
Fri Sep 14 09:24:58 CDT 2007
You must have something else set wrong (duplicate IPs?) and/or other
settings in conflict. We've run systems and BMCs with vlanning
disabled and enabled without an issue. The BMC has a separate NIC
interface from the server NIC. Same wire coming in but a separate
interface and MAC address from the main systems.

There are very few manufacturers (Dell not being one of them) that have
the BMC using the same NIC and sniffing the traffic for BMC requests.
It was found that it was not reliable and sometimes the BMC would grab a
packet that was not actually intended for it, causing issues with the
main system's operation.

You can learn a lot more by looking at the ipmitool mailing list and
archives.

-----Original Message-----
From: linux-poweredge-bounces at dell.com
[mailto:linux-poweredge-bounces at dell.com] On Behalf Of t m
Sent: Wednesday, September 12, 2007 12:25 PM
To: linux-poweredge at dell.com
Subject: BMC/IMPI security

I've been experimenting with the BMC on my SC1435 which shares the local
network interface with the server, and I'm wondering about security.

My testing is only preliminary, but it appears that while the BMC is on
a particular VLAN, the local server doesn't seem to be able to transmit
frames on that same VLAN to the network. If this is accurate, then the
BMC would be masking the management VLAN away from the server.
Additionally, I haven't been able to use ipmitool on the local machine's
command line to reconfigure the BMC's VLAN. Here's what I get after
several seconds:

    [root at test ~]# ipmitool lan set 1 vlan id off
    LAN Parameter Data does not match! Write may have failed.

If this behavior is actually intended, then this is exactly what I'm
after as it provides a mechanism to properly segregate my management
network from my production network for the BMC and server interfaces,
respectively. However, I can't seem to find anything in Dell's
PowerEdge documentation detailing how this aspect of the BMC should
work, so I'm not sure if I should rely on this from a security
perspective. I'm ultimately trying to avoid a scenario where a
compromised server could break into the management network. I care less
if the server reconfigures the local BMC, but I definitely want to keep
a compromised machine from accessing other BMCs or a management server.

Are there any knowledgeable folks out there who know if this behavior is
by design?

Thanks,
Tom
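
Added example (not part of either message, and not Dell or ipmitool project code): a shell check that reads back the BMC's LAN settings after a "lan set" that reports "Write may have failed", and flags the conditions raised in this thread: a BMC IP that duplicates a host IP, a BMC MAC shared with a host NIC, and a VLAN ID that differs from the intended one. The sample "ipmitool lan print" text, the addresses, and the function names lan_field and audit_bmc are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipmitool lan print 1` output (not from the thread).
SAMPLE_LAN_PRINT='IP Address Source       : Static Address
IP Address              : 10.20.0.15
Subnet Mask             : 255.255.255.0
MAC Address             : 02:00:00:aa:bb:01
802.1q VLAN ID          : 20
802.1q VLAN Priority    : 0'

# lan_field TEXT LABEL: print the value of the line whose label is exactly
# LABEL, so "IP Address" does not also match "IP Address Source".
lan_field() {
    printf '%s\n' "$1" | awk -F' : ' -v want="$2" '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == want { print $2; exit }'
}

# audit_bmc TEXT HOST_IPS HOST_MACS WANT_VLAN (hypothetical helper).
# WANT_VLAN is the intended VLAN ID, or "Disabled" for untagged.
# Prints OK and returns 0, or prints FAIL with the findings and returns 1.
audit_bmc() {
    text=$1; host_ips=$2; host_macs=$3; want_vlan=$4; findings=''
    ip=$(lan_field "$text" 'IP Address')
    mac=$(lan_field "$text" 'MAC Address' | tr 'A-F' 'a-f')
    vlan=$(lan_field "$text" '802.1q VLAN ID')
    for h in $host_ips; do          # BMC must not reuse a host address
        if [ "$h" = "$ip" ]; then findings="$findings DUPLICATE_IP=$ip"; fi
    done
    for m in $(printf '%s' "$host_macs" | tr 'A-F' 'a-f'); do
        if [ "$m" = "$mac" ]; then findings="$findings SHARED_MAC=$mac"; fi
    done
    if [ "$vlan" != "$want_vlan" ]; then   # read-back differs from intent
        findings="$findings VLAN_MISMATCH=$vlan(want:$want_vlan)"
    fi
    if [ -z "$findings" ]; then echo OK; return 0; fi
    echo "FAIL:$findings"; return 1
}

# Offline run against the constructed sample; on a live Linux host pass
# "$(ipmitool lan print 1)", "$(hostname -I)" and
# "$(cat /sys/class/net/*/address)" instead.
audit_bmc "$SAMPLE_LAN_PRINT" '10.10.0.15' '02:00:00:aa:bb:00' '20'
```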