[165032] in North American Network Operators' Group
Re: WaPo writes about vulnerabilities in Supermicro IPMIs
daemon@ATHENA.MIT.EDU (Jay Ashworth)
Thu Aug 15 22:46:29 2013
Date: Thu, 15 Aug 2013 22:46:13 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <520D8BDA.1010504@monmotha.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Brandon Martin" <lists.nanog@monmotha.net>
> As to why people wouldn't put them behind dedicated firewalls, imagine
> something like a single-server colo scenario. Most such providers don't
> offer any form of lights-out management aside from maybe remote reboot
> (power-cycle) nor do they offer any form of protected/secondary network
> to their customers. So, if you want to save yourself from a trip, you
> chuck the thing raw on a public IP and hope you configured it right.
Well, *I* would firewall eth1 from eth0 and cross-over eth1 to the ILO jack;
let the box be the firewall. Sure, it's still as breakable as the box
proper, but security-by-obscurity isn't *bad*, it's just *not good enough*.
It's another layer of tape.
Whether it's teflon or Gorilla is up to you.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
