[172190] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: ipmi access

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Mon Jun 2 19:43:05 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <CAH_OBieKsbZ73jruwL9f3THNH2KwU7L7p0tfvy6qfKdFkpg53Q@mail.gmail.com>
From: Jimmy Hess <mysidia@gmail.com>
Date: Mon, 2 Jun 2014 18:42:36 -0500
To: shawn wilson <ag4ve.us@gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve.us@gmail.com> wrote: [snip]
> So, kinda the same idea - just put IPMI on another network and use ssh
> forwards to it. You can have multiple boxes connected in this fashion
> but the point is to keep it simple and as secure as possible (and IPMI
> security doesn't really count here :) ).

About that "as secure as possible" bit. If just one server gets
compromised that happens to have its IPMI port plugged into this
private network, the attacker may be able to pivot into the IPMI
network and start unloading IPMI exploits.

So caution is definitely advised about security boundaries in case
a shared IPMI network is used, and this is a case where a Private
VLAN (PVLAN-Isolated) could be considered, to ensure devices on
the IPMI LAN cannot communicate with one another --- and only
devices on a separate dedicated IPMI Management station subnet can
interact with the IPMI LAN.

-- 
-JH
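The isolated-PVLAN arrangement Jimmy describes, written out as a switch configuration. This is an added example, not part of the thread and not anyone's production config; it assumes Cisco IOS private-VLAN syntax, and the VLAN numbers (100 primary, 101 isolated), the interface names and the "management station" role are all made up for illustration. The effect is that the BMC ports (isolated hosts) can each reach only the promiscuous port where the management station (or the jump host you ssh-forward through) sits, and never one another, so a compromised server's BMC cannot be used as a springboard to the BMCs of its neighbours.

```cisco
! Private VLANs require VTP transparent (or off) on the switch.
vtp mode transparent

! Primary VLAN: the IPMI management network as a whole.
vlan 100
 private-vlan primary
 private-vlan association 101

! Isolated secondary VLAN: every BMC lives here. Isolated ports can
! talk only to promiscuous ports, never to each other.
vlan 101
 private-vlan isolated

! One BMC / IPMI port per server, all in the isolated VLAN.
interface range GigabitEthernet1/0/1 - 24
 description IPMI/BMC ports (isolated, no lateral traffic)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable

! The single promiscuous port: the IPMI management station / ssh jump
! host (or an uplink to the dedicated management subnet's router).
interface GigabitEthernet1/0/48
 description IPMI management station (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101

! Verification: confirm the association and the port roles took effect.
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/1 switchport
```

The check worth doing after applying this is to try IPMI traffic (UDP 623 / the vendor's web UI) from one BMC's IP to another from a host on the isolated side: it should fail, while the same traffic from the management station succeeds. Note that PVLAN isolation does nothing about a compromised server reaching its own BMC over the host-side interface (the in-band KCS channel), or about the management station itself; those remain separate concerns from the lateral-movement problem the thread is discussing.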
